From c9ecbf9fab1a2de54d114dbff844ab0a4c21bf61 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Tue, 7 Apr 2026 18:20:26 +0200
Subject: [PATCH] protocol-native: check msg fds against available fds
Check that the number of fds for the message does not exceed the number of received fds with SCM_RIGHTS. The check was simply doing an array bounds check. This could still lead to out-of-sync fds or usage of uninitialized/invalid fds when the message header claims more fds than there were passed with SCM_RIGHTS. Found by Claude Code.
---
 src/modules/module-protocol-native/connection.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/modules/module-protocol-native/connection.c b/src/modules/module-protocol-native/connection.c
index b376a0f69..15c739428 100644
--- a/src/modules/module-protocol-native/connection.c
+++ b/src/modules/module-protocol-native/connection.c
@@ -536,7 +536,7 @@ static int prepare_packet(struct pw_protocol_native_connection *conn, struct buf
 size -= impl->hdr_size;
 buf->msg.fds = &buf->fds[buf->fds_offset];
- if (buf->msg.n_fds + buf->fds_offset > MAX_FDS)
+ if (buf->msg.n_fds + buf->fds_offset > buf->n_fds)
 return -EPROTO;
 if (size < len)
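Review bot: The new bound on the `+` line is still evaluated as a sum, `buf->msg.n_fds + buf->fds_offset`, and per the commit message `msg.n_fds` is whatever the message header claims. If both operands are 32-bit on some target (their types are declared outside this hunk), a large header value could wrap the sum and pass the check. A subtraction form cannot wrap: `if (buf->fds_offset > buf->n_fds || buf->msg.n_fds > buf->n_fds - buf->fds_offset) return -EPROTO;`. The check also now depends on `buf->n_fds` never exceeding `MAX_FDS`, which the receive path presumably enforces but this hunk does not show; a comment such as `/* n_fds = fds actually received via SCM_RIGHTS, always <= MAX_FDS */` would record that invariant. prepare_packet's body starts and ends outside the hunk.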