From: David Herrmann Date: Thu, 11 Oct 2012 21:37:48 +0000 (+0200) Subject: connection: fix buffer-overflow in build_cmsg() X-Git-Tag: 0.99.0~9 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0b399b8d68b92627525c01e787d0b98b169b604c;p=platform%2Fupstream%2Fwayland.git connection: fix buffer-overflow in build_cmsg() Same problem as we had with close_fds(). We cannot rely on the fds_out buffer being filled with less than MAX_FDS_OUT file descriptors. Therefore, write at most MAX_FDS_OUT file-descriptors to the outgoing buffer. Signed-off-by: David Herrmann --- diff --git a/src/connection.c b/src/connection.c index 7c8a191..822804a 100644 --- a/src/connection.c +++ b/src/connection.c @@ -214,6 +214,9 @@ build_cmsg(struct wl_buffer *buffer, char *data, int *clen) size_t size; size = buffer->head - buffer->tail; + if (size > MAX_FDS_OUT * sizeof(int32_t)) + size = MAX_FDS_OUT * sizeof(int32_t); + if (size > 0) { cmsg = (struct cmsghdr *) data; cmsg->cmsg_level = SOL_SOCKET;
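Review bot: the new clamp at the top of build_cmsg() silently caps `size` at `MAX_FDS_OUT * sizeof(int32_t)`, and nothing in this hunk shows what happens to the descriptors left in the buffer beyond that cap. Please confirm that the caller removes from fds_out only the bytes that were actually placed in the control message, so the remainder goes out on a later send instead of being dropped or left open. A short comment above the check stating that the outgoing cmsg buffer only has room for MAX_FDS_OUT descriptors (which is what the commit message implies) would document why the cap is there. The expression `MAX_FDS_OUT * sizeof(int32_t)` is written twice; holding it in a local would keep the comparison and the assignment from drifting apart. Since the message says this is the same problem as in close_fds(), it is worth checking whether any other reader of fds_out still assumes the buffer holds at most MAX_FDS_OUT entries.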