From: Djalal Harouni Date: Mon, 20 Oct 2014 16:13:14 +0000 (+0100) Subject: message: account both memfds and fds against KDBUS_MSG_MAX_FDS X-Git-Tag: upstream/0.20141102.012929utc~72 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=65b277d6c0d65801f861be12110f7c7202796280;p=platform%2Fcore%2Fsystem%2Fkdbus-bus.git message: account both memfds and fds against KDBUS_MSG_MAX_FDS Ensure that the number of memfds and normal fds will not exceed KDBUS_MSG_MAX_FDS per message. Signed-off-by: Djalal Harouni --- diff --git a/message.c b/message.c index 98e92d4..c6d80a2 100644 --- a/message.c +++ b/message.c @@ -119,6 +119,7 @@ static int kdbus_msg_scan_items(struct kdbus_conn *conn, const struct kdbus_msg *msg = &kmsg->msg; const struct kdbus_item *item; unsigned int items_count = 0; + unsigned int fds_count = 0; size_t vecs_size = 0; bool has_bloom = false; bool has_name = false; @@ -148,6 +149,7 @@ static int kdbus_msg_scan_items(struct kdbus_conn *conn, KDBUS_ITEMS_FOREACH(item, msg->items, KDBUS_ITEMS_SIZE(msg, items)) { size_t payload_size; + /* first check the items_count */ if (++items_count > KDBUS_MSG_MAX_ITEMS) return -E2BIG; @@ -173,6 +175,10 @@ static int kdbus_msg_scan_items(struct kdbus_conn *conn, case KDBUS_ITEM_PAYLOAD_MEMFD: { int seals, mask; + fds_count++; + if (fds_count > KDBUS_MSG_MAX_FDS) + return -EMFILE; + f = fget(item->memfd.fd); if (!f) return -EBADF; @@ -217,7 +223,8 @@ static int kdbus_msg_scan_items(struct kdbus_conn *conn, return -ENOTUNIQ; n = KDBUS_ITEM_PAYLOAD_SIZE(item) / sizeof(int); - if (n > KDBUS_MSG_MAX_FDS) + fds_count += n; + if (fds_count > KDBUS_MSG_MAX_FDS) return -EMFILE; kmsg->fds = kcalloc(n, sizeof(struct file *),
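Review bot: In the KDBUS_ITEM_PAYLOAD_MEMFD case, nothing at the new check says why a memfd is counted against a limit whose name only mentions fds. A short comment would help the next reader, for example `/* memfds and KDBUS_ITEM_FDS share the KDBUS_MSG_MAX_FDS budget */`. As a style point, the increment and test could be folded into `if (++fds_count > KDBUS_MSG_MAX_FDS)`, matching the `++items_count` check at the top of the same loop. Placing the check before `fget()` is right, since the early return then holds no file reference. The rest of kdbus_msg_scan_items lies outside the hunk.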
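Review bot: In the fds item case, `fds_count += n` runs before the comparison, so the check now depends on the addition neither wrapping nor truncating, whereas the removed line tested `n` directly. The declaration of `n` and any upper bound on the item size are outside the hunk, so this may be unreachable in practice. Since `n` also sizes the `kcalloc()` that follows, it is safer not to rely on that. Comparing against the remaining budget first avoids the arithmetic: `if (n > KDBUS_MSG_MAX_FDS - fds_count) return -EMFILE;` followed by `fds_count += n;`. The subtraction cannot underflow, because the memfd case returns as soon as `fds_count` exceeds the limit.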