[pulseaudio-discuss] [PATCH 2/2] pstream: Fix use of uninitialized value: ancillary fd cleanup flag

Ahmed S. Darwish darwish.07 at gmail.com
Fri Jun 17 19:56:41 UTC 2016

As reported by valrgrind

  ==30002== Conditional jump or move depends on uninitialised value(s)
  ==30002==    at 0x5CB883C: pa_cmsg_ancil_data_close_fds (pstream.c:193)
  ==30002==    by 0x5CBB161: do_write (pstream.c:759)
  ==30002==    by 0x5CB8B51: do_pstream_read_write (pstream.c:233)
  ==30002==    by 0x5CB8EE8: io_callback (pstream.c:279)

The pa_cmsg_ancil_data structure has two main guards:
'creds_valid', which implies that it holds credentials
information, and 'nfd', which implies it holds file descriptors.

When code paths create a credentials ancillary data structure,
they just set the 'nfd' guard to zero. Typically, the rest of
pa_cmsg_ancil_data fields related to fds are _all_ left

pa_cmsg_ancil_data_close_flds() has broken the above contract:
it accesses the new 'close_fds_on_cleanup' flag, which is related
to file descriptors, without checking the 'nfd == 0' guard first.
Fix this inconsistency.

Reported-by: Alexander E. Patrakov <patrakov at gmail.com>
Signed-off-by: Ahmed S. Darwish <darwish.07 at gmail.com>
 src/pulsecore/pstream.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pulsecore/pstream.c b/src/pulsecore/pstream.c
index 1ea3c5b..bbff2f6 100644
--- a/src/pulsecore/pstream.c
+++ b/src/pulsecore/pstream.c
@@ -190,7 +190,7 @@ struct pa_pstream {
  * it guarantees necessary cleanups after fds close.. This method is
  * also multiple-invocations safe. */
 void pa_cmsg_ancil_data_close_fds(struct pa_cmsg_ancil_data *ancil) {
-    if (ancil && ancil->close_fds_on_cleanup) {
+    if (ancil && ancil->nfd > 0 && ancil->close_fds_on_cleanup) {
         int i;
         pa_assert(ancil->nfd <= MAX_ANCIL_DATA_FDS);

More information about the pulseaudio-discuss mailing list