socket_wrapper.c: make FIONREAD handling more robust in swrap_vioctl()
authorStefan Metzmacher <metze@samba.org>
Mon, 8 Jun 2020 12:18:44 +0000 (14:18 +0200)
committerStefan Metzmacher <metze@samba.org>
Mon, 22 Jun 2020 14:45:42 +0000 (16:45 +0200)
We should only dereference the va args when the kernel already checked
they are valid.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c95b7cb1d7b9348472276edceff71889aa676d25)

src/socket_wrapper.c

index 1b80204f8f5d1f4fbb3ddaede34d63ae69958d7a..fe67285c7bf0296df7c86007f3d0ba8801ed67eb 100644 (file)
@@ -4726,7 +4726,7 @@ static int swrap_vioctl(int s, unsigned long int r, va_list va)
 {
        struct socket_info *si = find_socket_info(s);
        va_list ap;
-       int value;
+       int *value_ptr = NULL;
        int rc;
 
        if (!si) {
@@ -4741,11 +4741,13 @@ static int swrap_vioctl(int s, unsigned long int r, va_list va)
 
        switch (r) {
        case FIONREAD:
-               value = *((int *)va_arg(ap, int *));
+               if (rc == 0) {
+                       value_ptr = ((int *)va_arg(ap, int *));
+               }
 
                if (rc == -1 && errno != EAGAIN && errno != ENOBUFS) {
                        swrap_pcap_dump_packet(si, NULL, SWRAP_PENDING_RST, NULL, 0);
-               } else if (value == 0) { /* END OF FILE */
+               } else if (value_ptr != NULL && *value_ptr == 0) { /* END OF FILE */
                        swrap_pcap_dump_packet(si, NULL, SWRAP_PENDING_RST, NULL, 0);
                }
                break;
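Review bot: The `rc == 0` guard around `va_arg` in the `FIONREAD` case carries the whole safety argument of this change but has no comment, so a later cleanup could fold it back into an unconditional dereference of a caller-supplied pointer. I would add above it `/* Only fetch the int * once the real ioctl() has succeeded: the kernel has then validated the pointer and stored the byte count through it. */`. The call that sets `rc` is outside this hunk, so this assumes `rc` is the result of the pass-through ioctl. As a smaller style point, the cast in `((int *)va_arg(ap, int *))` is redundant because `va_arg(ap, int *)` already yields an `int *`; `value_ptr = va_arg(ap, int *);` reads more plainly. The body of swrap_vioctl continues beyond the hunk.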