On Mon, Mar 08, 2021 at 01:31:39PM +0100, Greg Kurz wrote:
> +    g_autofree int *fd = NULL;
> +    size_t fdsize = 0;
> +    int i;
>  
>      /* Read header */
>      iov.iov_base = &hdr;
>      iov.iov_len = VHOST_USER_HDR_SIZE;
>  
>      do {
> -        size = recvmsg(u->slave_fd, &msgh, 0);
> -    } while (size < 0 && (errno == EINTR || errno == EAGAIN));
> +        size = qio_channel_readv_full(ioc, &iov, 1, &fd, &fdsize, NULL);
> +    } while (size == QIO_CHANNEL_ERR_BLOCK);
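Review bot: the retry loop passes the same `&fd`/`&fdsize` to `qio_channel_readv_full()` on every iteration, so an fd array and the descriptors returned by an earlier call are overwritten by the next one; `g_autofree int *fd` only frees whatever the final call left in `fd` and never closes the descriptors inside it, so any fds received on a previous pass leak. Either declare `fd`/`fdsize` inside the loop body and take ownership of them (append to a caller-owned array, or close them) before calling again, and close them on every error return below. Passing `NULL` as the `Error **` also throws away the reason when the read fails; an `Error *local_err = NULL` reported with `error_report_err()` would keep that visible in the log.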

Is it possible to leak file descriptors and fd[] memory if we receive a
short message and then loop around? qio_channel_readv_full() will
overwrite &fd and that's how the leak occurs.

On the other hand, it looks like ioc is in blocking mode. I'm not sure
QIO_CHANNEL_ERR_BLOCK can occur?

> @@ -1500,8 +1479,8 @@ static void slave_read(void *opaque)
>  
>      /* Read payload */
>      do {
> -        size = read(u->slave_fd, &payload, hdr.size);
> -    } while (size < 0 && (errno == EINTR || errno == EAGAIN));
> +        size = qio_channel_read(ioc, (char *) &payload, hdr.size, NULL);
> +    } while (size == QIO_CHANNEL_ERR_BLOCK);
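Review bot: `qio_channel_read()` can return fewer than `hdr.size` bytes, and this loop only retries on `QIO_CHANNEL_ERR_BLOCK`, so a short read falls through with a partially filled `payload` and `size != hdr.size`; unless the check that follows rejects that case, loop until `hdr.size` bytes have arrived or use `qio_channel_read_all()`, which handles both the would-block and the short-read case and fails cleanly on EOF. As with the header read, `NULL` for the `Error **` drops the failure reason.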

Same question here.
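
As an added illustration of the question raised above (example code written here, not Greg's patch and not QEMU's QIOChannel), the block below models the loop with a scripted stand-in channel. `struct stub_chan`, `stub_readv_full()`, `CH_ERR_BLOCK` and `HDR_SIZE` are hypothetical names chosen for the example; the stub keeps the ownership model of `qio_channel_readv_full()`, allocating the fd array for the caller and resetting the out-parameters on every delivery. The constructed script delivers the header in two fragments, the first carrying two descriptors, with a would-block return in between. `leaky_read_hdr()` keeps the patch's loop shape (extended to retry on the short read, which is what makes the overwrite observable), `safe_read_hdr()` moves each delivery's fds into a caller-owned array before calling again and closes them all if the read fails, and `leaked_fds()` runs either reader against the script and counts open descriptors before and after.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CH_ERR_BLOCK (-2)  /* assumed stand-in for QIO_CHANNEL_ERR_BLOCK */
#define HDR_SIZE 12        /* assumed stand-in for VHOST_USER_HDR_SIZE */

/* Hypothetical scripted channel, not QEMU's QIOChannel: call i returns ret[i]
 * (byte count or CH_ERR_BLOCK) plus nfds[i] fresh fds in a callee-allocated
 * array, mirroring the ownership model of qio_channel_readv_full(). */
struct stub_chan { int step; int ret[4]; int nfds[4]; };

static int stub_readv_full(struct stub_chan *c, char *buf, size_t len,
                           int **fds, size_t *nfds)
{
    int ret = c->ret[c->step], n = c->nfds[c->step];
    c->step++;
    if (ret == CH_ERR_BLOCK)
        return ret;                  /* nothing received, out-params untouched */
    *fds = n > 0 ? calloc(n, sizeof(int)) : NULL;  /* each delivery resets them */
    *nfds = n;
    for (int i = 0; i < n; i++)
        (*fds)[i] = open("/dev/null", O_RDONLY);   /* real fds, so leaks show */
    if ((size_t)ret > len) ret = (int)len;
    memset(buf, 0xAB, ret);          /* constructed header bytes */
    return ret;
}

/* Loop shape of the patch, also retrying on short reads: fd/fdsize are
 * overwritten by every delivery, so fds that arrived with an earlier fragment
 * leak together with the array that held them. */
static int leaky_read_hdr(struct stub_chan *c, int **fds_out, size_t *nfds_out)
{
    char hdr[HDR_SIZE];
    int *fd = NULL, size;
    size_t fdsize = 0, got = 0;
    do {
        size = stub_readv_full(c, hdr + got, HDR_SIZE - got, &fd, &fdsize);
        if (size > 0) got += (size_t)size;
    } while (size == CH_ERR_BLOCK || (size > 0 && got < HDR_SIZE));
    *fds_out = fd;                   /* only the last delivery's fds survive */
    *nfds_out = fdsize;
    return size < 0 ? -1 : (int)got;
}

/* Accumulating variant: each delivery's fds are moved into a caller-owned
 * array before the next call, and all of them are closed if the read fails. */
static int safe_read_hdr(struct stub_chan *c, int **fds_out, size_t *nfds_out)
{
    char hdr[HDR_SIZE];
    int *all = NULL, size;
    size_t nall = 0, got = 0;
    do {
        int *fd = NULL;
        size_t fdsize = 0;
        size = stub_readv_full(c, hdr + got, HDR_SIZE - got, &fd, &fdsize);
        if (fdsize > 0) {
            all = realloc(all, (nall + fdsize) * sizeof(int));
            memcpy(all + nall, fd, fdsize * sizeof(int));
            nall += fdsize;
            free(fd);
        }
        if (size > 0) got += (size_t)size;
    } while (size == CH_ERR_BLOCK || (size > 0 && got < HDR_SIZE));
    if (size < 0) {                  /* hand nothing back on failure */
        while (nall > 0)
            close(all[--nall]);
        free(all);
        all = NULL;
    }
    *fds_out = all;
    *nfds_out = nall;
    return size < 0 ? -1 : (int)got;
}

/* Descriptors open in the low range; the delta across a read exposes leaks. */
static int count_open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < 64; fd++) n += fcntl(fd, F_GETFD) != -1;
    return n;
}

/* Drive a constructed exchange (3 bytes + 2 fds, would-block, 9 bytes + 1 fd)
 * through a reader, close what it hands back, and report what it left open. */
static int leaked_fds(int (*reader)(struct stub_chan *, int **, size_t *))
{
    struct stub_chan c = { 0, { 3, CH_ERR_BLOCK, HDR_SIZE - 3, 0 }, { 2, 0, 1, 0 } };
    int before = count_open_fds(), *fds = NULL;
    size_t nfds = 0;
    reader(&c, &fds, &nfds);
    for (size_t i = 0; i < nfds; i++)
        close(fds[i]);
    free(fds);
    return count_open_fds() - before;
}
```

Against this script, `leaked_fds(leaky_read_hdr)` reports the two descriptors from the first fragment still open after the caller has closed everything it was handed (their array is unreachable as well, and a `g_autofree` on the final pointer would not have freed it), while `leaked_fds(safe_read_hdr)` reports none. A would-block return on its own does not trigger the leak, which matches the observation that it depends on a delivery being followed by another call with the same out-parameters.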
