author | David Herrmann <dh.herrmann@googlemail.com> | 2012-10-11 23:37:48 +0200 |
---|---|---|
committer | Kristian Høgsberg <krh@bitplanet.net> | 2012-10-15 16:23:38 -0400 |
commit | 0b399b8d68b92627525c01e787d0b98b169b604c (patch) | |
tree | 93000ea78bf6da675a23c216ddd394d787356e4e /src/connection.c | |
parent | 5bae0650baa400273720d7f5953536f99969d6ef (diff) |
connection: fix buffer-overflow in build_cmsg()
Same problem as we had with close_fds(). We cannot rely on the fds_out
buffer being filled with less than MAX_FDS_OUT file descriptors.
Therefore, write at most MAX_FDS_OUT file-descriptors to the outgoing
buffer.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
Diffstat (limited to 'src/connection.c')
-rw-r--r-- | src/connection.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/connection.c b/src/connection.c index 7c8a191..822804a 100644 --- a/src/connection.c +++ b/src/connection.c @@ -214,6 +214,9 @@ build_cmsg(struct wl_buffer *buffer, char *data, int *clen) size_t size; size = buffer->head - buffer->tail; + if (size > MAX_FDS_OUT * sizeof(int32_t)) + size = MAX_FDS_OUT * sizeof(int32_t); + if (size > 0) { cmsg = (struct cmsghdr *) data; cmsg->cmsg_level = SOL_SOCKET; |
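Review bot: the new clamp at the top of build_cmsg() truncates silently, and nothing in the hunk says what becomes of the descriptors past MAX_FDS_OUT. Please add a comment above `if (size > MAX_FDS_OUT * sizeof(int32_t))` explaining why the buffer can hold more than the limit, and confirm that the caller consumes only the clamped amount so the remaining descriptors go out with a later message instead of being dropped or closed unsent. The expression `MAX_FDS_OUT * sizeof(int32_t)` is also written twice; since the commit message says close_fds() needed the same limit, a single named constant or small helper shared by both would keep the two sites from drifting apart.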