On Fri, Nov 15, 2013 at 02:17:54PM +0100, Lubomir Rintel wrote:
> Otherwise the tail of fds_in buffer would just shift beyond the beginning.
> That confuses the actual request handler and results in a crash further on
> due to corrupted tail.
>
> Signal the lack of file descriptor with -1, so that the request handler
> can determine that no valid file descriptor was received via ancillary
> data.

I think this should be an error condition similar to how a string can be too short, for example. Set errno to EINVAL, goto err.

Kristian

> Signed-off-by: Lubomir Rintel <lkund...@v3.sk>
> ---
> src/connection.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/src/connection.c b/src/connection.c > index 451b93e..48a5398 100644 > --- a/src/connection.c > +++ b/src/connection.c > @@ -605,7 +605,7 @@ wl_connection_demarshal(struct wl_connection *connection, > const struct wl_message *message) > { > uint32_t *p, *next, *end, length, id; > - int fd; > + int fd = -1; > char *s; > unsigned int i, count, num_arrays; > const char *signature; > @@ -744,8 +744,10 @@ wl_connection_demarshal(struct wl_connection *connection, > p = next; > break; > case 'h': > - wl_buffer_copy(&connection->fds_in, &fd, sizeof fd); > - connection->fds_in.tail += sizeof fd; > + if (connection->fds_in.tail != connection->fds_in.head) > { > + wl_buffer_copy(&connection->fds_in, &fd, sizeof > fd); > + connection->fds_in.tail += sizeof fd; > + } > closure->args[i].h = fd; > break; > default:
> --
> 1.8.4.2
>
> _______________________________________________
> wayland-devel mailing list
> wayland-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/wayland-devel
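
Review bot: In the first hunk (@@ -605,7), `int fd = -1;` sets the sentinel only once at function entry, while the 'h' case stores `closure->args[i].h = fd` once per argument. For a message with two 'h' arguments and a single queued descriptor, the second argument gets the first descriptor's value instead of -1, so two arguments alias one fd. If the -1 sentinel stays, assign `fd = -1` inside the 'h' case before the check rather than relying on the declaration.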
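
Review bot: In the second hunk (@@ -744,8), an empty fds_in in the 'h' case is turned silently into `closure->args[i].h = -1`, which makes every request handler that takes an fd responsible for checking for -1; a handler that omits the check goes on to use an invalid descriptor. Failing the demarshal at this point, as the reply in this thread asks (set errno to EINVAL, goto err), keeps the malformed message away from the handlers altogether. The guard also tests only `tail != head`, meaning non-empty, while the copy consumes `sizeof fd` bytes; comparing the buffered size against `sizeof fd` would state the actual precondition.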