From 04720307e91c45a772858fd3fcb0203a0b68ac17 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Kristian=20H=C3=B8gsberg?= Date: Mon, 15 Oct 2012 17:19:38 -0400 Subject: [PATCH] connection: return error on buffer-overflow during read wl_connection_read() assumes that the caller dispatched all messages before calling it. wl_buffer_put_iov() does only provide enough room so we fill the buffer. So the only case when the buffer overflows, is when a previous read filled up the buffer but we couldn't parse a single message from it. In this case, the client sent a message bigger than our buffer and we should return an error and close the connection. krh: Edited from Davids original patch to just check that the buffer isn't full before we try reading into it. Signed-off-by: David Herrmann --- src/connection.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/connection.c b/src/connection.c index b00491e..fdc9309 100644 --- a/src/connection.c +++ b/src/connection.c @@ -314,6 +314,11 @@ wl_connection_read(struct wl_connection *connection) char cmsg[CLEN]; int len, count, ret; + if (wl_buffer_size(&connection->in) >= sizeof(connection->in.data)) { + errno = EOVERFLOW; + return -1; + } + wl_buffer_put_iov(&connection->in, iov, &count); msg.msg_name = NULL; -- 2.7.4