connection: make sure we don't overrun the fd array

Do some checks on the fd array and error out when we would overrun.
Wim Taymans 2021-06-18 15:21:07 +02:00
parent adee3d79b9
commit 22b5b6b120


@ -42,7 +42,7 @@
#include "connection.h"
#define MAX_BUFFER_SIZE (1024 * 32)
#define MAX_FDS 1024
#define MAX_FDS 1024u
#define MAX_FDS_MSG 28
#define HDR_SIZE_V0 8
@ -209,6 +209,8 @@ static int refill_buffer(struct pw_protocol_native_connection *conn, struct buff
n_fds =
(cmsg->cmsg_len - ((char *) CMSG_DATA(cmsg) - (char *) cmsg)) / sizeof(int);
if (n_fds + buf->n_fds > MAX_FDS)
return -EPROTO;
memcpy(&buf->fds[buf->n_fds], CMSG_DATA(cmsg), n_fds * sizeof(int));
buf->n_fds += n_fds;
}
@ -479,6 +481,9 @@ static int prepare_packet(struct pw_protocol_native_connection *conn, struct buf
size -= impl->hdr_size;
buf->msg.fds = &buf->fds[buf->fds_offset];
if (buf->msg.n_fds + buf->fds_offset > MAX_FDS)
return -EPROTO;
if (size < len)
return len;
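Review bot: In the refill_buffer hunk, the new `return -EPROTO` exits before the descriptors in the current control message are copied into `buf->fds`, so nothing visible here records or closes them. If the receive call (outside the hunk) has already installed those descriptors in this process, every rejected message would leak them, and a misbehaving peer could use that to run the process out of file descriptors. Consider copying the `n_fds` ints out of `CMSG_DATA(cmsg)` and closing each one before returning, with a comment such as `/* over MAX_FDS: close the fds we were handed so they are not leaked */`. The start and end of refill_buffer are outside the hunk, so confirm that no caller already performs this cleanup.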