connection: fix buffer-overflow in build_cmsg()
author: David Herrmann <dh.herrmann@googlemail.com>
Thu, 11 Oct 2012 21:37:48 +0000 (23:37 +0200)
committer: Kristian Høgsberg <krh@bitplanet.net>
Mon, 15 Oct 2012 20:23:38 +0000 (16:23 -0400)
Same problem as we had with close_fds(). We cannot rely on the fds_out
buffer being filled with less than MAX_FDS_OUT file descriptors.
Therefore, write at most MAX_FDS_OUT file-descriptors to the outgoing
buffer.

Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
src/connection.c

index 7c8a191..822804a 100644 (file)
@@ -214,6 +214,9 @@ build_cmsg(struct wl_buffer *buffer, char *data, int *clen)
        size_t size;
 
        size = buffer->head - buffer->tail;
+       if (size > MAX_FDS_OUT * sizeof(int32_t))
+               size = MAX_FDS_OUT * sizeof(int32_t);
+
        if (size > 0) {
                cmsg = (struct cmsghdr *) data;
                cmsg->cmsg_level = SOL_SOCKET;
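Review bot: the clamp added at the top of the hunk caps how many bytes of fds are copied into the cmsg, but the hunk does not show what happens to the fds beyond MAX_FDS_OUT: the code that advances `buffer->tail` after the copy must use the clamped `size`, so that the excess descriptors stay queued in the ring buffer for the next flush rather than being silently skipped. A one-line comment above the clamp stating that intent (e.g. "cmsg `data` holds at most MAX_FDS_OUT fds; the rest are sent on the next flush") would make the contract visible, and it is worth double-checking that MAX_FDS_OUT * sizeof(int32_t) is exactly the fd payload the caller sized `data` for, since that mismatch is the overflow being fixed.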