24.06.2014 14:06, David Henningsson wrote:
>
> On 2014-06-17 11:09, David Henningsson wrote:
>>
>> On 2014-06-01 20:55, Alexander E. Patrakov wrote:
>>> 30.05.2014 17:59, David Henningsson wrote:
>>>> + else if (cmh->cmsg_type == SCM_RIGHTS) {
>>>> + int nfd = (cmh->cmsg_len - CMSG_LEN(0)) / sizeof(int);
>>>> + if (nfd > MAX_ANCIL_FDS) {
>>>> + pa_log("Trying to receive too many file
>>>> descriptors!");
>>>> + continue;
>>>> + }
>>>> + memcpy(ancil->fds, CMSG_DATA(cmh), nfd * sizeof(int));
>>>> + ancil->nfd = nfd;
>>>> }
>>>
>>> Don't we need to close these injected file descriptors if we don't like
>>> them?
>>
>> Good point, I think so too. Will fix, thanks.
>
> Fixing that was simple, but it does not stop malicious clients from
> sending one fd at a time. Maybe that is also possible even without the
> srbchannel patches, to overload the PulseAudio process with file
> descriptors?

Good question, I think it is indeed possible. In any case, PulseAudio should close unexpected file descriptors, but this can be done in a separate patch.

A good write-up on fd-passing is here:

http://keithp.com/blogs/fd-passing/

- note that Keith decided to stash any received fds in an array and apparently to close them later.

A related problem is "what to do if the passed fd is of some wrong type". AFAIK it is not currently solvable at all, see the discussion here:

https://plus.google.com/+DavidHerrmann/posts/h8CXYqwXruw

--
Alexander E. Patrakov
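
Review bot: in the nfd > MAX_ANCIL_FDS branch the continue skips the control message without closing anything, but the descriptors it carried are already open in the receiving process once recvmsg() has returned, so every oversized message leaks them; walk CMSG_DATA(cmh) and close() each fd before the continue. Also, ancil->nfd = nfd assigns rather than accumulates, so if the enclosing loop meets a second SCM_RIGHTS header in the same message, the fds copied from the first are overwritten and never closed; reject that case or close the earlier set first. The pa_log() text would be more useful if it reported nfd against MAX_ANCIL_FDS.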
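
As an added example (not code from this thread or from PulseAudio), here is one way a receiver can close what it rejects, as discussed above: it reads one SCM_RIGHTS message, keeps at most a fixed number of descriptors, and closes all of them if the sender exceeded the cap or the control data was truncated. The names recv_fds_checked, send_fds, ctl_t and MAX_FDS are hypothetical, and send_fds is only a constructed sender for the demo. It bounds a single message only and does not address a client that sends one fd at a time.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>
#define MAX_FDS 2 /* hypothetical cap, in the role of MAX_ANCIL_FDS */
typedef union { char buf[CMSG_SPACE(sizeof(int) * 8)]; struct cmsghdr align; } ctl_t;

/* Returns the number of fds stored in out[], or -1 after closing every fd that
 * arrived when the sender exceeded MAX_FDS or the control data was truncated. */
int recv_fds_checked(int sock, int out[MAX_FDS]) {
    ctl_t ctl; char data;
    struct iovec iov = { &data, 1 };
    struct msghdr mh = { 0 };
    mh.msg_iov = &iov; mh.msg_iovlen = 1;
    /* Room for one fd more than the cap, so an over-limit message is seen. */
    mh.msg_control = ctl.buf; mh.msg_controllen = CMSG_SPACE(sizeof(int) * (MAX_FDS + 1));
    if (recvmsg(sock, &mh, 0) < 0) return -1;
    int got = 0, bad = (mh.msg_flags & MSG_CTRUNC) != 0;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&mh); c; c = CMSG_NXTHDR(&mh, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        int n = (int)((c->cmsg_len - CMSG_LEN(0)) / sizeof(int));
        for (int i = 0; i < n; i++) {
            int fd;
            memcpy(&fd, CMSG_DATA(c) + i * sizeof(int), sizeof(fd));
            if (!bad && got < MAX_FDS) out[got++] = fd;
            else { bad = 1; close(fd); } /* already installed by the kernel */
        }
    }
    if (bad) { while (got > 0) close(out[--got]); return -1; }
    return got;
}
/* Constructed sender for the demo: passes n copies of fd in one message. */
int send_fds(int sock, int fd, int n) {
    ctl_t ctl; char data = 'x';
    struct iovec iov = { &data, 1 };
    struct msghdr mh = { 0 };
    if (n < 1 || n > 8) return -1;
    memset(&ctl, 0, sizeof(ctl));
    mh.msg_iov = &iov; mh.msg_iovlen = 1;
    mh.msg_control = ctl.buf; mh.msg_controllen = CMSG_SPACE(sizeof(int) * n);
    struct cmsghdr *c = CMSG_FIRSTHDR(&mh);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int) * n);
    for (int i = 0; i < n; i++) memcpy(CMSG_DATA(c) + i * sizeof(int), &fd, sizeof(fd));
    return sendmsg(sock, &mh, 0) < 0 ? -1 : 0;
}
int main(void) { /* 3 fds against a cap of 2: expect rejection */
    int sp[2], out[MAX_FDS];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) || send_fds(sp[0], sp[0], 3)) return 1;
    return recv_fds_checked(sp[1], out) == -1 ? 0 : 1;
}
```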