_dbus_read_socket_with_unix_fds: make n_fds unsigned
authorSimon McVittie <simon.mcvittie@collabora.co.uk>
Wed, 10 Feb 2016 13:05:40 +0000 (13:05 +0000)
committerRalf Habacker <ralf.habacker@freenet.de>
Thu, 11 Feb 2016 01:06:16 +0000 (02:06 +0100)
This makes it consistent with _dbus_message_loader_get_unix_fds().

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=93069
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
dbus/dbus-sysdeps-unix.c
dbus/dbus-sysdeps.h
dbus/dbus-transport-socket.c

index 3abef52..a963412 100644 (file)
@@ -281,7 +281,7 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
                                  DBusString       *buffer,
                                  int               count,
                                  int              *fds,
-                                 int              *n_fds) {
+                                 unsigned int     *n_fds) {
 #ifndef HAVE_UNIX_FD_PASSING
   int r;
 
@@ -298,7 +298,7 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
   struct iovec iov;
 
   _dbus_assert (count >= 0);
-  _dbus_assert (*n_fds >= 0);
+  _dbus_assert (*n_fds <= DBUS_MAXIMUM_MESSAGE_UNIX_FDS);
 
   start = _dbus_string_get_length (buffer);
 
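Review bot: The new upper bound on `*n_fds` is enforced only by `_dbus_assert`, which as far as I know expands to nothing when dbus is built with assertions disabled, so in such builds an oversized value from a caller would pass unchecked. The later hunks show `*n_fds` read as a limit on how many fds are accepted (`payload_len_fds <= (size_t) *n_fds`) and written back as the number received, but nothing visible near the signature states that in/out contract or the new limit. I would add to the function's doc comment something like `@param n_fds in: capacity of fds, at most DBUS_MAXIMUM_MESSAGE_UNIX_FDS; out: number of fds received`. The function body starts before and continues after this hunk, so any use of `*n_fds` to size a buffer is not visible here and should be checked against the same limit.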
@@ -378,10 +378,9 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
             size_t payload_len_fds = payload_len_bytes / sizeof (int);
             size_t fds_to_use;
 
-            /* Every non-negative int fits in a size_t without truncation,
-             * and we already know that *n_fds is non-negative, so
+            /* Every unsigned int fits in a size_t without truncation, so
              * casting (size_t) *n_fds is OK */
-            _DBUS_STATIC_ASSERT (sizeof (size_t) >= sizeof (int));
+            _DBUS_STATIC_ASSERT (sizeof (size_t) >= sizeof (unsigned int));
 
             if (_DBUS_LIKELY (payload_len_fds <= (size_t) *n_fds))
               {
@@ -407,9 +406,10 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
 
             memcpy (fds, payload, fds_to_use * sizeof (int));
             found = TRUE;
-            /* This cannot overflow because we have chosen fds_to_use
+            /* This narrowing cast from size_t to unsigned int cannot
+             * overflow because we have chosen fds_to_use
              * to be <= *n_fds */
-            *n_fds = (int) fds_to_use;
+            *n_fds = (unsigned int) fds_to_use;
 
             /* Linux doesn't tell us whether MSG_CMSG_CLOEXEC actually
                worked, hence we need to go through this list and set
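Review bot: The rewritten comment above `*n_fds = (unsigned int) fds_to_use;` relies on `fds_to_use <= *n_fds`, but that invariant is established in lines between the hunks and is not checked at the point of use. The `memcpy (fds, payload, fds_to_use * sizeof (int))` a few lines earlier depends on the same invariant, since `*n_fds` appears to be the capacity of the caller's `fds` array. Stating it in code just before the copy, `_dbus_assert (fds_to_use <= (size_t) *n_fds);`, would keep the comment and both uses correct if the selection logic is changed later. The enclosing block continues past the end of this hunk.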
index 2699b0a..c832b3f 100644 (file)
@@ -199,7 +199,7 @@ int _dbus_read_socket_with_unix_fds      (DBusSocket        fd,
                                           DBusString       *buffer,
                                           int               count,
                                           int              *fds,
-                                          int              *n_fds);
+                                          unsigned int     *n_fds);
 DBUS_PRIVATE_EXPORT
 int _dbus_write_socket_with_unix_fds     (DBusSocket        fd,
                                           const DBusString *buffer,
index 35c3cbf..dce5c7d 100644 (file)
@@ -823,7 +823,8 @@ do_reading (DBusTransport *transport)
 #ifdef HAVE_UNIX_FD_PASSING
       if (DBUS_TRANSPORT_CAN_SEND_UNIX_FD(transport))
         {
-          int *fds, n_fds;
+          int *fds;
+          unsigned int n_fds;
 
           if (!_dbus_message_loader_get_unix_fds(transport->loader, &fds, &n_fds))
             {