On Mon, Mar 08, 2021 at 01:31:39PM +0100, Greg Kurz wrote: > + g_autofree int *fd = NULL; > + size_t fdsize = 0; > + int i; > > /* Read header */ > iov.iov_base = &hdr; > iov.iov_len = VHOST_USER_HDR_SIZE; > > do { > - size = recvmsg(u->slave_fd, &msgh, 0); > - } while (size < 0 && (errno == EINTR || errno == EAGAIN)); > + size = qio_channel_readv_full(ioc, &iov, 1, &fd, &fdsize, NULL); > + } while (size == QIO_CHANNEL_ERR_BLOCK);
Is it possible to leak file descriptors and fd[] memory if we receive a short message and then loop around? qio_channel_readv_full() will overwrite &fd and that's how the leak occurs. On the other hand, it looks like ioc is in blocking mode. I'm not sure QIO_CHANNEL_ERR_BLOCK can occur? > @@ -1500,8 +1479,8 @@ static void slave_read(void *opaque) > > /* Read payload */ > do { > - size = read(u->slave_fd, &payload, hdr.size); > - } while (size < 0 && (errno == EINTR || errno == EAGAIN)); > + size = qio_channel_read(ioc, (char *) &payload, hdr.size, NULL); > + } while (size == QIO_CHANNEL_ERR_BLOCK); Same question here.
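Review bot: The header-read loop passes the same &fd/&fdsize to qio_channel_readv_full() on every iteration, so any descriptor array handed back by an earlier iteration would be overwritten on the next one and both the g_autofree buffer and the descriptors inside it would leak; either close and free whatever was received before retrying, or add a comment explaining why QIO_CHANNEL_ERR_BLOCK can never be returned together with descriptors on this channel (and whether the loop is needed at all if ioc is blocking). The old loop also retried on EINTR while the new condition only checks QIO_CHANNEL_ERR_BLOCK, so the commit message should say that EINTR is handled inside the channel layer. Passing NULL as errp discards the failure reason; a local Error reported with error_report_err() would keep a header read failure from being silently lost.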
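Review bot: The payload loop exits on any return value other than QIO_CHANNEL_ERR_BLOCK, so a short read from a stream socket returns fewer than hdr.size bytes and falls through with a partially filled payload, the same weakness as the read() it replaces; qio_channel_read_all() retries until the full length has arrived and would make this read robust. As with the header read, errp is NULL here so the error reason is dropped, and hdr.size comes straight from the peer, so it needs to be checked against sizeof(payload) before this call if that is not already done above this hunk.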