On 28.02.2017 14:14, Jacek Caban wrote:
- LIST_FOR_EACH_ENTRY( message, &pipe_end->message_queue, struct pipe_message, entry )
avail += message->iosb->in_size - message->read_pos;
- reply_size = min( reply_size, avail );
- if (avail)
- {
message = LIST_ENTRY( list_head(&pipe_end->message_queue), struct pipe_message, entry );
reply_size = min( reply_size, message->iosb->in_size );
- }
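Review bot: the second clamp in this hunk bounds reply_size by message->iosb->in_size, but the copy is taken from message->read_pos onwards, so after a partial read of the head message the peek can hand back up to read_pos bytes past that message's data; clamp to the bytes still unread instead, e.g. `reply_size = min( reply_size, message->iosb->in_size - message->read_pos );`, which is the same quantity the loop above already sums into avail.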
Isn't there a problem with this size check? Let's assume we have two messages of 10 bytes, for the first one read_pos = 5. Then avail == 15, and reply_size is clamped to 10 - but it will attempt to copy 10 bytes starting at position 5?
- if (!(buffer = set_reply_data_size(FIELD_OFFSET( FILE_PIPE_PEEK_BUFFER, Data[reply_size] )))) return;
- buffer->NamedPipeState = 0; /* FIXME */
- buffer->ReadDataAvailable = avail;
- buffer->NumberOfMessages = 0; /* FIXME */
- buffer->MessageLength = 0; /* FIXME */
- if (avail) memcpy( buffer->Data, (const char *)message->iosb->in_data + message->read_pos, reply_size );
+}
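Review bot: the three FIXME fields are left at 0 although two of the values are already at hand: NumberOfMessages can be counted in the same loop that sums avail, and MessageLength for a message-mode pipe is the head message's remaining bytes, message->iosb->in_size - message->read_pos, which is also the bound the memcpy needs so that copying reply_size bytes from in_data + read_pos stays inside the message. NamedPipeState needs the pipe end's state, which this hunk does not touch, so a comment saying what is still missing there would help.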
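To make the scenario in the reply concrete, here is a small model of the peek-size computation from the quoted hunk. It is an added example, not Wine's code: the struct, the array-based queue and the two helper functions are assumptions made only for this illustration, and the sample queue (two 10-byte messages, 5 bytes of the first already consumed) is constructed to match the reply.

```c
/* Added example (not Wine's code): models the peek-size computation from the
 * quoted hunk to show why clamping to the head message's in_size, rather than
 * in_size - read_pos, over-reads after a partial read. The names below are
 * assumptions made for this illustration only. */
#include <stddef.h>

#define min(a, b) ((a) < (b) ? (a) : (b))

/* One queued message: the data the writer sent and how much of it a
 * previous read already consumed. */
struct msg
{
    const char *in_data;
    size_t      in_size;
    size_t      read_pos;
};

/* Clamp as written in the hunk: only the head message's total size is used. */
static size_t peek_size_old( const struct msg *queue, size_t count, size_t reply_size )
{
    size_t avail = 0, i;
    for (i = 0; i < count; i++) avail += queue[i].in_size - queue[i].read_pos;
    reply_size = min( reply_size, avail );
    if (avail) reply_size = min( reply_size, queue[0].in_size );
    return reply_size;
}

/* Corrected clamp: the copy starts at read_pos, so bound by what is left. */
static size_t peek_size_fixed( const struct msg *queue, size_t count, size_t reply_size )
{
    size_t avail = 0, i;
    for (i = 0; i < count; i++) avail += queue[i].in_size - queue[i].read_pos;
    reply_size = min( reply_size, avail );
    if (avail) reply_size = min( reply_size, queue[0].in_size - queue[0].read_pos );
    return reply_size;
}

/* Returns 1 if copying n bytes from in_data + read_pos would run past
 * in_data + in_size, i.e. the memcpy in the hunk would over-read. */
static int over_reads( const struct msg *m, size_t n )
{
    return m->read_pos + n > m->in_size;
}

/* Constructed sample matching the reply: two 10-byte messages, the first
 * already read up to position 5, so 15 bytes are available in total. */
static const struct msg sample_queue[2] =
{
    { "0123456789", 10, 5 },
    { "abcdefghij", 10, 0 },
};

int main( void )
{
    size_t old = peek_size_old( sample_queue, 2, 64 );
    size_t fixed = peek_size_fixed( sample_queue, 2, 64 );
    /* old == 10 and over-reads the head message; fixed == 5 and stays inside it */
    return (over_reads( &sample_queue[0], old ) && !over_reads( &sample_queue[0], fixed )) ? 0 : 1;
}
```

With a large caller buffer the hunk's clamp yields 10 bytes for a head message that has only 5 unread, so the memcpy would read 5 bytes beyond that message's data; the corrected clamp yields 5.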