On 2014-06-17 11:09, David Henningsson wrote: > > > On 2014-06-01 20:55, Alexander E. Patrakov wrote: >> 30.05.2014 17:59, David Henningsson wrote: >>> + else if (cmh->cmsg_type == SCM_RIGHTS) { >>> + int nfd = (cmh->cmsg_len - CMSG_LEN(0)) / sizeof(int); >>> + if (nfd > MAX_ANCIL_FDS) { >>> + pa_log("Trying to receive too many file >>> descriptors!"); >>> + continue; >>> + } >>> + memcpy(ancil->fds, CMSG_DATA(cmh), nfd * sizeof(int)); >>> + ancil->nfd = nfd; >>> } >> >> Don't we need to close these injected file descriptors if we don't like >> them? > > Good point, I think so too. Will fix, thanks. Fixing that was simple, but it does not stop malicious clients from sending one fd at a time. Maybe that is also possible even without the srbchannel patches, to overload the PulseAudio process with file descriptors? -- David Henningsson, Canonical Ltd. https://launchpad.net/~diwic
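Review bot: In the `nfd > MAX_ANCIL_FDS` branch, `continue` skips the control message without closing anything, but the descriptors are already installed in the receiving process by the time recvmsg() returns, so each rejected batch leaks `nfd` descriptors. Before the `continue`, walk the `int` array at `CMSG_DATA(cmh)` and close() each of the `nfd` entries. Separately, `memcpy(ancil->fds, ...)` and `ancil->nfd = nfd` always write from the start of the array, so if the loop meets a second SCM_RIGHTS header in the same message the first batch is overwritten without being closed; either append with a bounds check against MAX_ANCIL_FDS or close the previously stored descriptors first.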