mirror of
https://gitlab.freedesktop.org/pipewire/pipewire
synced 2024-09-20 00:11:31 +00:00
connection: make sure we don't overrun the fd array
Do some checks on the fd array and error out when we would overrun.
parent
adee3d79b9
commit
22b5b6b120
|
@ -42,7 +42,7 @@
|
|||
#include "connection.h"
|
||||
|
||||
#define MAX_BUFFER_SIZE (1024 * 32)
|
||||
#define MAX_FDS 1024
|
||||
#define MAX_FDS 1024u
|
||||
#define MAX_FDS_MSG 28
|
||||
|
||||
#define HDR_SIZE_V0 8
|
||||
|
@ -209,6 +209,8 @@ static int refill_buffer(struct pw_protocol_native_connection *conn, struct buff
|
|||
|
||||
n_fds =
|
||||
(cmsg->cmsg_len - ((char *) CMSG_DATA(cmsg) - (char *) cmsg)) / sizeof(int);
|
||||
if (n_fds + buf->n_fds > MAX_FDS)
|
||||
return -EPROTO;
|
||||
memcpy(&buf->fds[buf->n_fds], CMSG_DATA(cmsg), n_fds * sizeof(int));
|
||||
buf->n_fds += n_fds;
|
||||
}
|
||||
|
@ -479,6 +481,9 @@ static int prepare_packet(struct pw_protocol_native_connection *conn, struct buf
|
|||
size -= impl->hdr_size;
|
||||
buf->msg.fds = &buf->fds[buf->fds_offset];
|
||||
|
||||
if (buf->msg.n_fds + buf->fds_offset > MAX_FDS)
|
||||
return -EPROTO;
|
||||
|
||||
if (size < len)
|
||||
return len;
|
||||
|
||||
|
|
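Review bot: The new check in prepare_packet compares `buf->msg.n_fds + buf->fds_offset` against the array capacity `MAX_FDS`, not against `buf->n_fds`, the count that refill_buffer maintains for descriptors actually received. If `msg.n_fds` is taken from the peer's message header (its assignment is outside the hunk), a message can still claim slots between `buf->n_fds` and `MAX_FDS`, and the caller would then read stale or never-written integers as file descriptors. Bounding against the received count closes that gap: `if (buf->msg.n_fds + buf->fds_offset > buf->n_fds) return -EPROTO;`. The assignment `buf->msg.fds = &buf->fds[buf->fds_offset];` should also move below the check, so that no pointer is formed from an unvalidated offset. prepare_packet starts and ends outside the hunk, so any earlier validation of these fields is not visible here.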