[PATCH 1/3] connection: Only read file descriptor if it was actually received
Kristian Høgsberg
hoegsberg at gmail.com
Fri Nov 15 16:20:27 PST 2013
On Fri, Nov 15, 2013 at 02:17:54PM +0100, Lubomir Rintel wrote:
> Otherwise the tail of fds_in buffer would just shift beyond the beginning.
> That confuses the actual request handler and results in a crash further on
> due to corrupted tail.
>
> Signal the lack of file descriptor with -1, so that the request handler
> can determine that no valid file descriptor was received via ancillary
> data.
I think this should be an error condition similar to how a string can
be too short, for example. Set errno to EINVAL, goto err.
Kristian
> Signed-off-by: Lubomir Rintel <lkundrak at v3.sk>
> ---
> src/connection.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/src/connection.c b/src/connection.c
> index 451b93e..48a5398 100644
> --- a/src/connection.c
> +++ b/src/connection.c
> @@ -605,7 +605,7 @@ wl_connection_demarshal(struct wl_connection *connection,
> const struct wl_message *message)
> {
> uint32_t *p, *next, *end, length, id;
> - int fd;
> + int fd = -1;
> char *s;
> unsigned int i, count, num_arrays;
> const char *signature;
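Review bot: `int fd = -1;` at the top of wl_connection_demarshal sets the sentinel only once per call, while the 'h' case in the next hunk assigns fd only when fds_in is non-empty. If a signature carries more than one 'h' argument, a later argument that finds the buffer empty would be handed the descriptor read for an earlier argument instead of -1, so two arguments would alias one fd. Reset fd to -1 inside case 'h' immediately before the emptiness check (or in an else branch) so that each argument starts from the sentinel.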
> @@ -744,8 +744,10 @@ wl_connection_demarshal(struct wl_connection *connection,
> p = next;
> break;
> case 'h':
> - wl_buffer_copy(&connection->fds_in, &fd, sizeof fd);
> - connection->fds_in.tail += sizeof fd;
> + if (connection->fds_in.tail != connection->fds_in.head) {
> + wl_buffer_copy(&connection->fds_in, &fd, sizeof fd);
> + connection->fds_in.tail += sizeof fd;
> + }
> closure->args[i].h = fd;
> break;
> default:
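Review bot: The guard `if (connection->fds_in.tail != connection->fds_in.head)` in case 'h' establishes only that the buffer is non-empty, not that it holds at least sizeof fd bytes, and when it fails the code stores -1 in closure->args[i].h and continues, which leaves every request handler that takes a descriptor responsible for checking the sentinel. Rejecting the message here is the safer contract: compare the bytes available in fds_in against sizeof fd and, when too few are present, set errno to EINVAL and take the function's error path, as the reply in this thread proposes. If the -1 convention is kept instead, it needs a comment at this case stating that handlers must treat a negative h as "no descriptor received".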
> --
> 1.8.4.2
>