GitLab will be down for maintenance this Sunday 13th June, from approx 7-11am UTC. This is for a PostgreSQL migration. See the tracker issue for more informations.

Commit 9bd41ed6 authored by David Herrmann's avatar David Herrmann Committed by Kristian Høgsberg
Browse files

connection: fix buffer-overflow in close_fds()

If we push two messages via wl_connection_write() and both messages
contain more than MAX_FDS_OUT file-descriptors combined, then
wl_connection_flush() will write only MAX_FDS_OUT of them, but close all
pending ones, too.

Furthermore, close_fds() will copy more FDs out of the buffer than it can
hold and cause a buffer overflow. Therefore, we simply pass a maximum
limit to close_fds().

During shutdown, we simply close all available FDs.
Signed-off-by: default avatarDavid Herrmann <>
parent cda89f3a
......@@ -168,9 +168,9 @@ wl_connection_create(int fd)
static void
close_fds(struct wl_buffer *buffer)
close_fds(struct wl_buffer *buffer, int max)
int fds[MAX_FDS_OUT], i, count;
int32_t fds[sizeof(buffer->data) / sizeof(int32_t)], i, count;
size_t size;
size = buffer->head - buffer->tail;
......@@ -179,6 +179,8 @@ close_fds(struct wl_buffer *buffer)
wl_buffer_copy(buffer, fds, size);
count = size / sizeof fds[0];
if (max > 0 && max < count)
count = max;
for (i = 0; i < count; i++)
buffer->tail += size;
......@@ -187,7 +189,7 @@ close_fds(struct wl_buffer *buffer)
wl_connection_destroy(struct wl_connection *connection)
close_fds(&connection->fds_out, -1);
......@@ -273,7 +275,7 @@ wl_connection_flush(struct wl_connection *connection)
if (len == -1)
return -1;
close_fds(&connection->fds_out, MAX_FDS_OUT);
connection->out.tail += len;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment