net: validate fds passed to Socket constructor

This commit validates the file descriptor passed to the TTY
wrap's guessHandleType() function. Prior to this commit, a bad
file descriptor would trigger an abort in the binding layer.

PR-URL: https://github.com/nodejs/node/pull/21429
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>

2 files changed, 10 insertions, 1 deletions

diff --git a/lib/net.js b/lib/net.js
index 0f80b41897..2f341f53a1 100644
--- a/lib/net.js
+++ b/lib/net.js
@@ -75,7 +75,7 @@ const {
   ERR_SOCKET_BAD_PORT,
   ERR_SOCKET_CLOSED
 } = errors.codes;
-
+const { validateInt32 } = require('internal/validators');
 const kLastWriteQueueSize = Symbol('lastWriteQueueSize');
 
 // Lazy loaded to improve startup performance.
@@ -93,6 +93,7 @@ const {
 function noop() {}
 
 function createHandle(fd, is_server) {
+  validateInt32(fd, 'fd', 0);
   const type = TTYWrap.guessHandleType(fd);
   if (type === 'PIPE') {
     return new Pipe(
diff --git a/test/parallel/test-net-socket-constructor.js b/test/parallel/test-net-socket-constructor.js
index 6758e286fb..ec2e99deb8 100644
--- a/test/parallel/test-net-socket-constructor.js
+++ b/test/parallel/test-net-socket-constructor.js
@@ -4,6 +4,14 @@ const common = require('../common');
 const assert = require('assert');
 const net = require('net');
 
+common.expectsError(() => {
+  new net.Socket({ fd: -1 });
+}, { code: 'ERR_OUT_OF_RANGE' });
+
+common.expectsError(() => {
+  new net.Socket({ fd: 'foo' });
+}, { code: 'ERR_INVALID_ARG_TYPE' });
+
 function test(sock, readable, writable) {
   let socket;
   if (sock instanceof net.Socket) {