Buffer overflow in iobuf_append_fd()
The function `iobuf_append_fd` in util-io.c (https://gitlab.freedesktop.org/libinput/libei/-/blob/36f1641125caa8996490b6f0a38bdf53fb90fbd4/src/util-io.c#L284) contains a buffer overflow since it uses `sizeof(buf->fds) - 1` to iterate over the `fds` array, instead of `ARRAY_LENGTH(buf->fds) - 1`.

`sizeof(buf->fds)` will (in general) be 128 (since `fds` is an array of 32 4-byte integers), so `idx` will range up to 127, yet `fds` is only valid to be indexed up to 31.

This can be fixed by simply changing `sizeof(buf->fds) - 1` to `ARRAY_LENGTH(buf->fds) - 1`.
I have only just started looking at the libei code so I am not sure this can easily be exploited (I assume it would require a caller to send a message with more than 32 fds over the protocol) so I am not certain this has any security impact, but it should probably be fixed regardless. If there is a security impact, it would be good to get a CVE assigned so that it can be fixed across the various distros that ship libei. If you need help assigning a CVE please let me know and I can assist.
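The following is an added illustration of the bound mix-up described in this report, not code from libei: it uses a hypothetical `struct iobuf` with the same `int fds[32]` shape (the real struct and the real `iobuf_append_fd` differ; only the array shape matters here) and computes the loop bound both ways, so the byte-count bound (`sizeof`) can be compared against the element-count bound (`ARRAY_LENGTH`) without ever indexing out of range.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for libei's iobuf. Assumption: the real struct has
 * other members and the real append function is different; the only thing
 * modelled here is an array of 32 ints whose bound is computed incorrectly. */
#define IOBUF_MAX_FDS 32
#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))

struct iobuf {
    int fds[IOBUF_MAX_FDS];
    size_t nfds; /* number of fds currently stored */
};

/* Last index as the buggy bound computes it: bytes in the array minus one.
 * With 4-byte ints this is 127, far past the last valid element. */
size_t buggy_last_index(void) {
    return sizeof(((struct iobuf *)0)->fds) - 1;
}

/* Last index as the fix computes it: number of elements minus one (31). */
size_t fixed_last_index(void) {
    return ARRAY_LENGTH(((struct iobuf *)0)->fds) - 1;
}

/* Returns 1 if idx is a valid index into fds, 0 otherwise. */
int index_in_bounds(size_t idx) {
    return idx < IOBUF_MAX_FDS;
}

/* Appender using the element-count bound; refuses the fd when the array is
 * full instead of writing past its end. Returns 0 on success, -1 when full. */
int iobuf_append_fd_fixed(struct iobuf *buf, int fd) {
    if (buf->nfds > fixed_last_index())
        return -1;
    buf->fds[buf->nfds++] = fd;
    return 0;
}

/* Offers 100 fds to a fresh buffer and returns how many were accepted;
 * the element-count bound stops exactly at the array's capacity. */
size_t fill_to_capacity(void) {
    struct iobuf buf = {0};
    size_t accepted = 0;
    for (int fd = 0; fd < 100; fd++)
        if (iobuf_append_fd_fixed(&buf, fd) == 0)
            accepted++;
    return accepted;
}

int main(void) {
    printf("sizeof bound:        last index %zu, in bounds: %d\n",
           buggy_last_index(), index_in_bounds(buggy_last_index()));
    printf("ARRAY_LENGTH bound:  last index %zu, in bounds: %d\n",
           fixed_last_index(), index_in_bounds(fixed_last_index()));
    printf("fds accepted before the buffer is full: %zu\n", fill_to_capacity());
    return 0;
}
```

`sizeof` on an array yields its size in bytes, so a loop bounded by it visits `sizeof(int)` times too many indices; dividing by the element size, as `ARRAY_LENGTH` does, gives the element count. A compiler warning such as `-Warray-bounds` or a run under AddressSanitizer would flag the byte-count bound as soon as the loop reaches index 32.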