On Fri, Nov 15, 2013 at 02:17:54PM +0100, Lubomir Rintel wrote:
> Otherwise the tail of fds_in buffer would just shift beyond the beginning.
> That confuses the actual request handler and results in a crash further on
> due to corrupted tail.
>
> Signal the lack of file descriptor with -1, so that the request handler
> can determine that no valid file descriptor was received via anciliary
> data.
I think this should be an error condition similar to how a string can
be too short, for example. Set errno to EINVAL, goto err.
Kristian
> Signed-off-by: Lubomir Rintel <lkund...@v3.sk>
> ---
> src/connection.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/src/connection.c b/src/connection.c
> index 451b93e..48a5398 100644
> --- a/src/connection.c
> +++ b/src/connection.c
> @@ -605,7 +605,7 @@ wl_connection_demarshal(struct wl_connection *connection,
> const struct wl_message *message)
> {
> uint32_t *p, *next, *end, length, id;
> - int fd;
> + int fd = -1;
> char *s;
> unsigned int i, count, num_arrays;
> const char *signature;
> @@ -744,8 +744,10 @@ wl_connection_demarshal(struct wl_connection *connection,
> p = next;
> break;
> case 'h':
> - wl_buffer_copy(&connection->fds_in, &fd, sizeof fd);
> - connection->fds_in.tail += sizeof fd;
> + if (connection->fds_in.tail != connection->fds_in.head)
> {
> + wl_buffer_copy(&connection->fds_in, &fd, sizeof
> fd);
> + connection->fds_in.tail += sizeof fd;
> + }
> closure->args[i].h = fd;
> break;
> default:
> --
> 1.8.4.2
>
> _______________________________________________
> wayland-devel mailing list
> wayland-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/wayland-devel
_______________________________________________
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/wayland-devel
