author: Kristian Høgsberg <krh@bitplanet.net> 2012-10-15 17:19:38 -0400
committer: Kristian Høgsberg <krh@bitplanet.net> 2012-10-15 17:21:06 -0400
commit: 04720307e91c45a772858fd3fcb0203a0b68ac17
tree: 595d7ae1c90d6e1b9906a2e23563c9b9b4f10661 /src/connection.c
parent: connection: Use uin32_t for circular buffer indexes
connection: return error on buffer-overflow during read

wl_connection_read() assumes that the caller dispatched all messages before calling it. wl_buffer_put_iov() does only provide enough room so we fill the buffer. So the only case when the buffer overflows is when a previous read filled up the buffer but we couldn't parse a single message from it. In this case, the client sent a message bigger than our buffer and we should return an error and close the connection.

krh: Edited from David's original patch to just check that the buffer isn't full before we try reading into it.

Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>

Diffstat (limited to 'src/connection.c')
-rw-r--r-- src/connection.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/connection.c b/src/connection.c
index b00491e..fdc9309 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -314,6 +314,11 @@ wl_connection_read(struct wl_connection *connection)
char cmsg[CLEN];
int len, count, ret;
+ if (wl_buffer_size(&connection->in) >= sizeof(connection->in.data)) {
+ errno = EOVERFLOW;
+ return -1;
+ }
+
wl_buffer_put_iov(&connection->in, iov, &count);
msg.msg_name = NULL;
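
Review bot: The new full-buffer check at the top of wl_connection_read() relies on a precondition that is stated only in the commit message: the caller must have dispatched every complete message before calling in, so a full connection->in can only mean one message larger than the buffer. Please add a short comment above the `if` saying so, and that a return of -1 with errno set to EOVERFLOW is meant to be fatal for the connection, since nothing in these lines tells a future reader or caller that this is not a retryable condition. The `>=` comparison against `sizeof(connection->in.data)` is a reasonable defensive choice over `==` and is worth keeping.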