wl_connection_read() assumes that the caller dispatched all messages before calling it. wl_buffer_put_iov() only provides enough room to fill the buffer. So the only case when the buffer overflows is when a previous read filled up the buffer but we couldn't parse a single message from it. In this case, the client sent a message bigger than our buffer and we should return an error and close the connection.
Signed-off-by: David Herrmann <[email protected]> --- src/connection.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/connection.c b/src/connection.c index e9d7c72..f478832 100644 --- a/src/connection.c +++ b/src/connection.c @@ -336,6 +336,11 @@ wl_connection_read(struct wl_connection *connection) return -1; connection->in.head += len; + len = wl_buffer_size(&connection->in); + if (len > (ssize_t)sizeof(connection->in.data)) { + errno = EOVERFLOW; + return -1; + } return connection->in.head - connection->in.tail; } -- 1.7.12.2 _______________________________________________ wayland-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/wayland-devel
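Review bot: the new EOVERFLOW check sits after `connection->in.head += len;`, i.e. after the read into connection->in has already happened, so in the case the commit message describes (buffer already full on entry, nothing dispatchable) the peer's bytes are received into a buffer that had no room for them before the error is raised. Since the message says the overflow can only arise when the buffer was already full before this call, the natural place for the check is at the top of wl_connection_read(), before wl_buffer_put_iov(): `if (wl_buffer_size(&connection->in) >= sizeof(connection->in.data)) { errno = EOVERFLOW; return -1; }`. That rejects the oversized message without performing a read at all and makes the post-read `len > (ssize_t)sizeof(...)` comparison unnecessary; reusing `len` for a buffer size after it held a read length is also worth a separate variable or a comment.

As an added illustration, not wayland's code and not part of this patch, here is a self-contained C model of the situation the commit message describes: a ring buffer with free-running head/tail counters in the style of wl_buffer, a reader that refuses with EOVERFLOW when the buffer is already full and nothing could be dispatched, and constructed client byte streams, one of which carries a message larger than the buffer. BUF_SIZE, the one-byte length header, and all function and variable names are assumptions chosen for the demo.

```c
/* Added example (not wayland's code). Assumptions: 16-byte capacity, messages
 * framed as <1-byte total length><payload>, and the names below. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE 16u                 /* assumption: tiny capacity for the demo */
#define MASK(i) ((i) & (BUF_SIZE - 1))

struct ring {
    uint32_t head, tail;             /* free-running counters, like wl_buffer */
    unsigned char data[BUF_SIZE];
};

static uint32_t ring_size(const struct ring *b) { return b->head - b->tail; }

/* The bytes a client would send, consumed incrementally by ring_read(). */
struct stream { const unsigned char *p; size_t len, pos; };

/* Copy as many bytes as there is free space, the way a recv() over the iovecs
 * of the free region would. The check up front is the point of the exercise:
 * if head - tail already equals the capacity, a producer that only looks at
 * the masked indices sees MASK(head) == MASK(tail), exactly like an empty
 * buffer, so reading now would overwrite unparsed data. Refuse instead. */
static int ring_read(struct ring *b, struct stream *s)
{
    uint32_t room, n = 0;

    if (ring_size(b) >= BUF_SIZE) {
        errno = EOVERFLOW;           /* full, yet nothing could be dispatched */
        return -1;
    }
    room = BUF_SIZE - ring_size(b);
    while (n < room && s->pos < s->len) {
        b->data[MASK(b->head)] = s->p[s->pos++];
        b->head++;
        n++;
    }
    return (int)ring_size(b);
}

/* Dispatch every complete message; a zero length byte is treated as
 * malformed and left in place. Returns how many messages were consumed. */
static int ring_dispatch(struct ring *b)
{
    int count = 0;

    while (ring_size(b) >= 1) {
        unsigned char len = b->data[MASK(b->tail)];
        if (len < 1 || ring_size(b) < len)
            break;                   /* incomplete message: wait for more */
        b->tail += len;
        count++;
    }
    return count;
}

/* Drive read/dispatch over a whole stream. Returns the number of messages
 * dispatched, or -1 with errno = EOVERFLOW when a message can never fit. */
static int pump(const unsigned char *bytes, size_t len)
{
    struct ring b = { 0, 0, { 0 } };
    struct stream s = { bytes, len, 0 };
    int total = 0;

    while (s.pos < len || ring_size(&b) > 0) {
        int n;
        if (ring_read(&b, &s) < 0)
            return -1;
        n = ring_dispatch(&b);
        total += n;
        if (n == 0 && s.pos == len)
            break;                   /* trailing partial message, no more input */
    }
    return total;
}

/* errno observed for a failing pump(), 0 on success. */
static int pump_err(const unsigned char *bytes, size_t len)
{
    return pump(bytes, len) < 0 ? errno : 0;
}

/* Constructed sample streams (not captured traffic). */
static const unsigned char sample_ok[] = { 4, 'a', 'b', 'c', 3, 'x', 'y' };
static const unsigned char sample_wrap[] = {  /* three 10-byte messages: wraps */
    10, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 1, 2, 3, 4, 5, 6, 7, 8, 9,
    10, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
static const unsigned char sample_too_big[] = {  /* 20-byte message > BUF_SIZE */
    4, 'a', 'b', 'c',
    20, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 };

int main(void)
{
    printf("ok: %d messages\n", pump(sample_ok, sizeof sample_ok));
    printf("wrap: %d messages\n", pump(sample_wrap, sizeof sample_wrap));
    printf("too big: %d (errno %s)\n", pump(sample_too_big, sizeof sample_too_big),
           errno == EOVERFLOW ? "EOVERFLOW" : "other");
    return 0;
}
```

The third stream shows the failure mode from the commit message: the 4-byte message is dispatched, the first 16 bytes of the 20-byte message fill the buffer, nothing can be parsed, and the next read attempt is refused with EOVERFLOW instead of silently reusing the space occupied by those 16 bytes.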
