Test the value of msg_controllen for platforms whose CMSG_FIRSTHDR() does not test it for us

As RFC 2292 points out, some platforms (e.g. Darwin 9.8.0) provide
CMSG_FIRSTHDR(msg) which just returns msg.msg_control without first
checking if msg.msg_controllen is non-zero. We need a workaround for
such platforms not to let _xcb_in_read() segfault.

https://bugs.freedesktop.org/show_bug.cgi?id=72253

Signed-off-by: Julien Cristau <jcristau@debian.org>

1 files changed, 7 insertions, 5 deletions

diff --git a/src/xcb_in.c b/src/xcb_in.c
index fd6c2ef..95087be 100644
--- a/src/xcb_in.c
+++ b/src/xcb_in.c
@@ -918,11 +918,13 @@ int _xcb_in_read(xcb_connection_t *c)
 #if HAVE_SENDMSG
         struct cmsghdr *hdr;
 
-        for (hdr = CMSG_FIRSTHDR(&msg); hdr; hdr = CMSG_NXTHDR(&msg, hdr)) {
-            if (hdr->cmsg_level == SOL_SOCKET && hdr->cmsg_type == SCM_RIGHTS) {
-                int nfd = (hdr->cmsg_len - CMSG_LEN(0)) / sizeof (int);
-                memcpy(&c->in.in_fd.fd[c->in.in_fd.nfd], CMSG_DATA(hdr), nfd * sizeof (int));
-                c->in.in_fd.nfd += nfd;
+        if (msg.msg_controllen >= sizeof (struct cmsghdr)) {
+            for (hdr = CMSG_FIRSTHDR(&msg); hdr; hdr = CMSG_NXTHDR(&msg, hdr)) {
+                if (hdr->cmsg_level == SOL_SOCKET && hdr->cmsg_type == SCM_RIGHTS) {
+                    int nfd = (hdr->cmsg_len - CMSG_LEN(0)) / sizeof (int);
+                    memcpy(&c->in.in_fd.fd[c->in.in_fd.nfd], CMSG_DATA(hdr), nfd * sizeof (int));
+                    c->in.in_fd.nfd += nfd;
+                }
             }
         }
 #endif