From 7b3c618ad0cd0154993b5b5dbd34e0010960585a Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Mon, 21 Dec 2015 11:58:51 +0000
Subject: io: fix stack allocation when sending of file descriptors

When sending file descriptors over a socket, we have to allocate a data buffer to hold the FDs in the scmsghdr. Unfortunately we allocated the buffer on the stack inside an if () {} block, but called sendmsg() outside the block. So the stack bytes holding the FDs were liable to be overwritten with other data. By luck this was not a problem when sending 1 FD, but if sending 2 or more then it would fail.

The fix is to simply move the variables outside the nested 'if' block. To keep valgrind quiet we also zero-initialize the 'control' buffer.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrange
---
 io/channel-socket.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
(limited to 'io/channel-socket.c')

diff --git a/io/channel-socket.c b/io/channel-socket.c
index eed2ff5bcf..10a5b3136e 100644
--- a/io/channel-socket.c
+++ b/io/channel-socket.c
@@ -493,15 +493,14 @@ static ssize_t qio_channel_socket_writev(QIOChannel *ioc,
     QIOChannelSocket *sioc = QIO_CHANNEL_SOCKET(ioc);
     ssize_t ret;
     struct msghdr msg = { NULL, };
+    char control[CMSG_SPACE(sizeof(int) * SOCKET_MAX_FDS)] = { 0 };
+    size_t fdsize = sizeof(int) * nfds;
+    struct cmsghdr *cmsg;
     msg.msg_iov = (struct iovec *)iov;
     msg.msg_iovlen = niov;
     if (nfds) {
-        char control[CMSG_SPACE(sizeof(int) * SOCKET_MAX_FDS)];
-        size_t fdsize = sizeof(int) * nfds;
-        struct cmsghdr *cmsg;
-
         if (nfds > SOCKET_MAX_FDS) {
             error_setg_errno(errp, -EINVAL,
                              "Only %d FDs can be sent, got %zu",
-- 
cgit v1.2.3
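Review bot: The relocated `control` buffer is given function scope solely because, per the commit message, `sendmsg()` runs outside the `if (nfds)` block and consumes the cmsg bytes through `msg.msg_control` (presumably pointed at this array further down, outside the hunk), yet nothing at the new declaration records that, so a later tidy-up could move it back inside the block and silently reintroduce the stack-reuse bug. Add a comment above the new `control` line, `/* Must outlive the if (nfds) block: msg.msg_control refers to this buffer when sendmsg() runs. */`. A plain `char` array is also only suitably aligned for `struct cmsghdr` on ABIs where the stack happens to provide it; cmsg(3) recommends `union { char buf[CMSG_SPACE(sizeof(int) * SOCKET_MAX_FDS)]; struct cmsghdr align; } control;` if this must stay portable. `fdsize` is now computed from `nfds` before the `SOCKET_MAX_FDS` check; that is harmless only as long as it remains unused until after the check, which the visible lines preserve. qio_channel_socket_writev's body continues outside the hunk.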