From 7a9aa9539c0a07bcb098bcd4e373ad4306426337 Mon Sep 17 00:00:00 2001
From: Bowen Wang
Date: Thu, 12 Oct 2023 14:50:17 +0800
Subject: [PATCH] local_sendmsg: fix peer->lc_cfps[] array out-of-range write
When peer->lc_cfpcount == LOCAL_NCONTROLFDS, Line 122: peer->lc_cfps[peer->lc_cfpcount++] = filep2; access out-of-range
Signed-off-by: Bowen Wang
---
 net/local/local_sendmsg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/local/local_sendmsg.c b/net/local/local_sendmsg.c
index 6068f5ceaf..deade9f75b 100644
--- a/net/local/local_sendmsg.c
+++ b/net/local/local_sendmsg.c
@@ -91,7 +91,7 @@ static int local_sendctl(FAR struct local_conn_s *conn,
 fds = (int *)CMSG_DATA(cmsg);
 count = (cmsg->cmsg_len - sizeof(struct cmsghdr)) / sizeof(int);
- if (count + peer->lc_cfpcount > LOCAL_NCONTROLFDS)
+ if (count + peer->lc_cfpcount >= LOCAL_NCONTROLFDS)
 {
 ret = -EMFILE;
 goto fail;
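Review bot: The `>=` comparison in local_sendctl also rejects a message whose descriptors would exactly fill the table (`count + peer->lc_cfpcount == LOCAL_NCONTROLFDS`), while the case named in the commit message, `lc_cfpcount == LOCAL_NCONTROLFDS` with `count >= 1`, was already refused by the old `>`. If `lc_cfps[]` is declared with LOCAL_NCONTROLFDS entries and the loop below stores one entry per descriptor (both are outside this hunk), the overrun likely has another cause, so it is worth confirming the array's declared size and whether `lc_cfpcount` can change between this check and the store. `count` is derived from the caller-supplied `cmsg_len`, so the bound is safer written as a subtraction that cannot wrap, for example `if (count < 0 || count > LOCAL_NCONTROLFDS - peer->lc_cfpcount)`, assuming `count` is a signed int. The function body starts and ends outside the hunk.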