swrap: fix invalid read in swrap_sendmsg_unix_scm_rights()
author Stefan Metzmacher <metze@samba.org>
Fri, 5 Feb 2021 18:36:26 +0000 (19:36 +0100)
committer Andreas Schneider <asn@samba.org>
Mon, 8 Feb 2021 18:29:57 +0000 (19:29 +0100)
Here the fds_out array is larger than the fds_in array, so we can
only copy the fds_in array using size_fds_in, leaving the last slot
of fds_out untouched, which is filled by fds_out[num_fds_in] = pipefd[0]
later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
src/socket_wrapper.c

index 43a58921b55dd2b379a8bb786de4c145c0dcf58b..e8c2d6c3ce40e2c98ae0a7ffca687f69ab5ae71d 100644 (file)
@@ -5450,7 +5450,7 @@ static int swrap_sendmsg_unix_scm_rights(const struct cmsghdr *cmsg,
        *new_cmsg = *cmsg;
        __fds_out.p = CMSG_DATA(new_cmsg);
        fds_out = __fds_out.fds;
-       memcpy(fds_out, fds_in, size_fds_out);
+       memcpy(fds_out, fds_in, size_fds_in);
        new_cmsg->cmsg_len = cmsg->cmsg_len;
 
        for (i = 0; i < num_fds_in; i++) {
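
Review bot: The corrected memcpy(fds_out, fds_in, size_fds_in) depends on size_fds_in never exceeding size_fds_out, and nothing at the call site states or checks that; the reasoning lives only in the commit message. A one-line comment above the memcpy noting that fds_out has one extra slot reserved for pipefd[0], or an assert(size_fds_in <= size_fds_out), would keep the two sizes from being swapped again. The next context line still sets new_cmsg->cmsg_len = cmsg->cmsg_len, which is the length of the smaller input message, so please confirm that the length is raised to cover the extra slot once fds_out[num_fds_in] is filled, since that code is outside the visible lines.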