[RFC wayland 07/12] connection: fix buffer-overflow in build_cmsg()

David Herrmann dh.herrmann at googlemail.com
Thu Oct 11 14:37:48 PDT 2012


Same problem as we had with close_fds(). We cannot rely on the fds_out
buffer being filled with less than MAX_FDS_OUT file descriptors.
Therefore, write at most MAX_FDS_OUT file descriptors to the outgoing
buffer.

Signed-off-by: David Herrmann <dh.herrmann at googlemail.com>
---
 src/connection.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/connection.c b/src/connection.c
index 8264470..ef46b82 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -214,6 +214,9 @@ build_cmsg(struct wl_buffer *buffer, char *data, int *clen)
 	size_t size;
 
 	size = buffer->head - buffer->tail;
+	if (size > MAX_FDS_OUT * sizeof(int32_t))
+		size = MAX_FDS_OUT * sizeof(int32_t);
+
 	if (size > 0) {
 		cmsg = (struct cmsghdr *) data;
 		cmsg->cmsg_level = SOL_SOCKET;
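Review bot: the clamp at the top of the hunk bounds the cmsg payload, but the hunk does not show what happens to file descriptors beyond MAX_FDS_OUT that remain between buffer->tail and buffer->head; the commit message should state whether they stay queued for the next sendmsg() or are dropped, since the caller that advances buffer->tail must use the clamped size for the fds to be sent later. Also consider a short comment above `if (size > MAX_FDS_OUT * sizeof(int32_t))` noting that fds are stored as int32_t in the ring buffer, so the mixed fd-count/byte-count expression is clearly intentional.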
-- 
1.7.12.2
