diff options
| author | Stefan Metzmacher <metze@samba.org> | 2021-02-05 19:36:26 +0100 |
|---|---|---|
| committer | Andreas Schneider <asn@samba.org> | 2021-02-08 19:29:57 +0100 |
| commit | 3c7ef4751527bd8c93d5431d9f1e36c4fe648f3d (patch) | |
| tree | 8275ec77e5bcf69bdfd2e6c5f82fd05de91e9029 | |
| parent | 13a6aca342120383776251247c72170c142bf017 (diff) | |
| download | socket_wrapper-3c7ef4751527bd8c93d5431d9f1e36c4fe648f3d.tar.gz socket_wrapper-3c7ef4751527bd8c93d5431d9f1e36c4fe648f3d.tar.xz socket_wrapper-3c7ef4751527bd8c93d5431d9f1e36c4fe648f3d.zip | |
swrap: fix invalid read in swrap_sendmsg_unix_scm_rights()
Here the fds_out array is larger than the fds_in array, so we can
only copy the fds_in array using size_fds_in, leaving the last slot
of fds_out untouched, which is filled by fds_out[num_fds_in] = pipefd[0]
later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
| -rw-r--r-- | src/socket_wrapper.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/socket_wrapper.c b/src/socket_wrapper.c index 43a5892..e8c2d6c 100644 --- a/src/socket_wrapper.c +++ b/src/socket_wrapper.c @@ -5450,7 +5450,7 @@ static int swrap_sendmsg_unix_scm_rights(const struct cmsghdr *cmsg, *new_cmsg = *cmsg; __fds_out.p = CMSG_DATA(new_cmsg); fds_out = __fds_out.fds; - memcpy(fds_out, fds_in, size_fds_out); + memcpy(fds_out, fds_in, size_fds_in); new_cmsg->cmsg_len = cmsg->cmsg_len; for (i = 0; i < num_fds_in; i++) { |