[RFC wayland 09/12] connection: return error on buffer-overflow during read

David Herrmann dh.herrmann at googlemail.com
Thu Oct 11 14:37:50 PDT 2012


wl_connection_read() assumes that the caller dispatched all messages
before calling it. wl_buffer_put_iov() only provides enough room so we
fill the buffer. So the only case when the buffer overflows is when a
previous read filled up the buffer but we couldn't parse a single message
from it. In this case, the client sent a message bigger than our buffer
and we should return an error and close the connection.

Signed-off-by: David Herrmann <dh.herrmann at googlemail.com>
---
 src/connection.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/connection.c b/src/connection.c
index e9d7c72..f478832 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -336,6 +336,11 @@ wl_connection_read(struct wl_connection *connection)
 		return -1;
 
 	connection->in.head += len;
+	len = wl_buffer_size(&connection->in);
+	if (len > (ssize_t)sizeof(connection->in.data)) {
+		errno = EOVERFLOW;
+		return -1;
+	}
 
 	return connection->in.head - connection->in.tail;
 }
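Review bot: the new check sits after `connection->in.head += len;`, so it only detects the overflow once the read that advanced `head` has already written past the unread bytes in `connection->in.data`; the ring buffer contents are not trustworthy at that point, and the -1/EOVERFLOW return is only safe because the commit message says the caller will close the connection, which nothing in this hunk enforces. Consider also rejecting the read up front, before any bytes are received, when `wl_buffer_size(&connection->in)` already equals `sizeof(connection->in.data)`, since by the commit message's own reasoning a full buffer with no dispatchable message is exactly the "message bigger than our buffer" case, and that avoids overwriting data and the extra read. A short comment on the `if` stating that invariant (buffer full and no complete message parsed) would make the condition understandable without the commit message. Minor: `len` is reused to hold the buffer size right after holding the byte count of the read, which makes the hunk harder to follow; comparing `wl_buffer_size(&connection->in)` directly against `(ssize_t)sizeof(connection->in.data)` or using a separate variable would be clearer.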
-- 
1.7.12.2