From 3c7ef4751527bd8c93d5431d9f1e36c4fe648f3d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 5 Feb 2021 19:36:26 +0100
Subject: [PATCH] swrap: fix invalid read in swrap_sendmsg_unix_scm_rights()

Here the fds_out array is larger than the fds_in array, so we can only copy the fds_in array using size_fds_in, leaving the last slot of fds_out untouched, which is filled by fds_out[num_fds_in] = pipefd[0] later.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---
 src/socket_wrapper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/socket_wrapper.c b/src/socket_wrapper.c
index 43a5892..e8c2d6c 100644
--- a/src/socket_wrapper.c
+++ b/src/socket_wrapper.c
@@ -5450,7 +5450,7 @@ static int swrap_sendmsg_unix_scm_rights(const struct cmsghdr *cmsg,
 *new_cmsg = *cmsg;
 __fds_out.p = CMSG_DATA(new_cmsg);
 fds_out = __fds_out.fds;
- memcpy(fds_out, fds_in, size_fds_out);
+ memcpy(fds_out, fds_in, size_fds_in);
 new_cmsg->cmsg_len = cmsg->cmsg_len;
 for (i = 0; i < num_fds_in; i++) {
--
2.34.1
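Review bot: The copy length on the changed `memcpy` line depends on an invariant that only the commit message states: fds_out holds one more slot than fds_in, and that last slot is written later via `fds_out[num_fds_in] = pipefd[0]`. A comment above the call would keep a later edit from restoring the over-read of the caller's control message, for example `/* fds_out has one extra slot for pipefd[0]; copy only the fds the caller supplied */`. The sizes are computed outside this hunk (the body of swrap_sendmsg_unix_scm_rights starts and ends beyond it), so it is worth confirming there that size_fds_in is derived from a validated cmsg_len and can never exceed size_fds_out.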