From f3fc645496091c422e79833727b2a960ac70ac2b Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Thu, 14 May 2026 16:32:58 +0200
Subject: [PATCH] connection: return error if too many fds in message

Check that the number of fds in the message doesn't exceed our max or else we might overflow the fd buffer a little later.
---
 src/modules/module-protocol-native/connection.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/modules/module-protocol-native/connection.c b/src/modules/module-protocol-native/connection.c
index 44eb798c2..b415251a7 100644
--- a/src/modules/module-protocol-native/connection.c
+++ b/src/modules/module-protocol-native/connection.c
@@ -538,7 +538,8 @@ static int prepare_packet(struct pw_protocol_native_connection *conn, struct buf
 size -= impl->hdr_size;
 buf->msg.fds = &buf->fds[buf->fds_offset];
- if (buf->msg.n_fds + buf->fds_offset > buf->n_fds)
+ if (buf->msg.n_fds > MAX_FDS ||
+ buf->msg.n_fds + buf->fds_offset > buf->n_fds)
 return -EPROTO;
 if (size < len)
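Review bot: The added `buf->msg.n_fds > MAX_FDS` test keeps the sum in the second comparison from wrapping only while `buf->fds_offset` is itself small, and nothing in this hunk checks `fds_offset` against `buf->n_fds`. The field types are declared outside the hunk, so whether the addition can still wrap on a 32-bit build is an assumption to confirm. A subtraction form carries no such dependency: `if (buf->fds_offset > buf->n_fds || buf->msg.n_fds > buf->n_fds - buf->fds_offset) return -EPROTO;`. If the MAX_FDS test stays as an extra guard, a short comment such as `/* bound the message's fd count before the addition so the sum cannot wrap */` would record why both tests are needed. The body of prepare_packet starts and ends outside this hunk, so the origin of `msg.n_fds` and the later use of `msg.fds` are not visible here.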