From c95b7cb1d7b9348472276edceff71889aa676d25 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 8 Jun 2020 14:18:44 +0200
Subject: socket_wrapper.c: make FIONREAD handling more robust in swrap_vioctl()
We should only dereference the va args when the kernel already checked they are valid.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897
Signed-off-by: Stefan Metzmacher
---
 src/socket_wrapper.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/socket_wrapper.c b/src/socket_wrapper.c
index 4fb7b23..e7a7a8a 100644
--- a/src/socket_wrapper.c
+++ b/src/socket_wrapper.c
@@ -4635,7 +4635,7 @@ static int swrap_vioctl(int s, unsigned long int r, va_list va)
 {
 struct socket_info *si = find_socket_info(s);
 va_list ap;
- int value;
+ int *value_ptr = NULL;
 int rc;
 if (!si) {
@@ -4650,11 +4650,13 @@ static int swrap_vioctl(int s, unsigned long int r, va_list va)
 switch (r) {
 case FIONREAD:
- value = *((int *)va_arg(ap, int *));
+ if (rc == 0) {
+ value_ptr = ((int *)va_arg(ap, int *));
+ }
 if (rc == -1 && errno != EAGAIN && errno != ENOBUFS) {
 swrap_pcap_dump_packet(si, NULL, SWRAP_PENDING_RST, NULL, 0);
- } else if (value == 0) { /* END OF FILE */
+ } else if (value_ptr != NULL && *value_ptr == 0) { /* END OF FILE */
 swrap_pcap_dump_packet(si, NULL, SWRAP_PENDING_RST, NULL, 0);
 }
 break;
-- cgit
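Review bot: The `rc == 0` guard in the FIONREAD case carries the whole safety argument, but nothing in the code says so: the caller's pointer may only be dereferenced after the real ioctl has succeeded, because only then has the kernel validated it. A short comment above the guard, e.g. `/* only trust the int * argument if the kernel accepted it (rc == 0) */`, would keep a later cleanup from hoisting the read back out of the condition. The cast and extra parentheses are also redundant, since `va_arg(ap, int *)` already yields `int *`, so `value_ptr = va_arg(ap, int *);` is enough. The assignment to `rc` and the `va_copy`/`va_end` pairing lie outside the hunk, so this assumes `rc` holds the result of the real ioctl when the switch is reached.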