[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Chicken-users] [SECURITY] Buffer overrun vulnerability in Chicken's sch
[Chicken-users] [SECURITY] Buffer overrun vulnerability in Chicken's scheduler
Mon, 11 Jun 2012 12:33:28 +0200
Hello Chicken users,
Recently a buffer overrun error was discovered in Chicken's thread
scheduler. This buffer overrun is triggered on UNIX-like OSes when a
file descriptor with an integer value higher than FD_SETSIZE gets
opened due to the way the POSIX select() function is currently being
Every Chicken program which accepts a potentially unlimited number of
incoming network connections or otherwise opens an unlimited number of
file descriptors is potentially vulnerable to an application crash.
Currently a patch is being developed. In the meanwhile an effective
workaround is to limit the maximum number of open descriptors using
the Unix "ulimit -n" command.
Please verify the maximum number of descriptors supported safely by
Chicken by compiling following one-line program using csc and then
running the resulting binary:
(print (foreign-value "FD_SETSIZE" int))
Simply ensure that the programs you want to protect run under a maximum
number of open files ulimit that matches this number (or lower).
lease note that this bug also affects people using the
"high-load-scheduler" egg, which provides an alternative scheduler
On Windows, there is no buffer overrun danger, but there is a potential
problem of threads never waking up; there is currently no known
workaround for this.
The Chicken team
- [Chicken-users] [SECURITY] Buffer overrun vulnerability in Chicken's scheduler,
Peter Bex <=