Commit 0b399b8d authored by David Herrmann's avatar David Herrmann Committed by Kristian Høgsberg
Browse files

connection: fix buffer-overflow in build_cmsg()



Same problem as we had with close_fds(). We cannot rely on the fds_out
buffer being filled with less than MAX_FDS_OUT file descriptors.
Therefore, write at most MAX_FDS_OUT file-descriptors to the outgoing
buffer.
Signed-off-by: default avatarDavid Herrmann <dh.herrmann@googlemail.com>
parent 5bae0650
......@@ -214,6 +214,9 @@ build_cmsg(struct wl_buffer *buffer, char *data, int *clen)
size_t size;
size = buffer->head - buffer->tail;
if (size > MAX_FDS_OUT * sizeof(int32_t))
size = MAX_FDS_OUT * sizeof(int32_t);
if (size > 0) {
cmsg = (struct cmsghdr *) data;
cmsg->cmsg_level = SOL_SOCKET;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment