Git Repo - qemu.git/commit - linux-user/fd-trans.c
Fix unsigned integer underflow in fd-trans.c
author Shu-Chun Weng <[email protected]>
Fri, 18 Oct 2019 00:19:20 +0000 (17:19 -0700)
committer Laurent Vivier <[email protected]>
Mon, 21 Oct 2019 09:34:18 +0000 (11:34 +0200)
commit 1645fb5a1e537f85eda744bfa6e9d3dda047ba28
tree 688a4ab68f99f102371dac1a53df1ade304fa9da
parent 53bdbfdf5326ad453b307c5b4bb9e71aeab29cf3
Fix unsigned integer underflow in fd-trans.c

If, in any of these `*_for_each_*` functions, the last entry in the buffer (so the
"remaining length in the buffer" `len` is equal to the length of the
entry `nlmsg_len`/`nla_len`/etc.) has a size that is not a multiple of the
alignment, the aligned lengths `*_ALIGN(*_len)` will be greater than `len`.
Since `len` is unsigned (`size_t`), it underflows and the loop will read
past the buffer.

This may manifest as random EINVAL or EOPNOTSUPP errors on IO or network
system calls.

Signed-off-by: Shu-Chun Weng <[email protected]>
Reviewed-by: Laurent Vivier <[email protected]>
Message-Id: <20191018001920[email protected]>
Signed-off-by: Laurent Vivier <[email protected]>
linux-user/fd-trans.c
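The page does not show the diff itself, so the following is an added illustration rather than the commit's code: a simplified, hypothetical netlink-style length walk (`struct msg_hdr`, `MSG_ALIGN`, `count_entries` and `would_underflow` are all invented names) showing where the unsigned `len -= ALIGN(len)` step wraps and a bounds check that stops at the last, unpadded entry instead; the exact check QEMU applied is not asserted here.

```c
/* Added example, not QEMU's code: a simplified netlink-style walk and the
 * unsigned-underflow hazard described in the commit message. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MSG_ALIGNTO 4u
#define MSG_ALIGN(n) (((n) + MSG_ALIGNTO - 1u) & ~(MSG_ALIGNTO - 1u))

struct msg_hdr {                /* hypothetical header, like nlmsghdr */
    uint32_t msg_len;           /* entry length, header included */
    uint32_t msg_type;
};

/* 1 if "len -= MSG_ALIGN(msg_len)" would wrap below zero: the padded length
 * of the final entry exceeds the bytes that actually remain. */
static int would_underflow(size_t remaining, uint32_t msg_len)
{
    return MSG_ALIGN(msg_len) > remaining;
}

/* Bounds-checked walk: counts entries without ever stepping past buf+len.
 * An entry whose padded length reaches the end is treated as the last one. */
static size_t count_entries(const uint8_t *buf, size_t len)
{
    size_t count = 0;
    while (len >= sizeof(struct msg_hdr)) {
        struct msg_hdr hdr;
        memcpy(&hdr, buf, sizeof hdr);      /* no misaligned access */
        if (hdr.msg_len < sizeof hdr || hdr.msg_len > len)
            break;                           /* malformed entry */
        count++;
        size_t aligned = MSG_ALIGN(hdr.msg_len);
        if (aligned >= len)
            break;                           /* last entry: unpadded tail */
        buf += aligned;
        len -= aligned;
    }
    return count;
}

/* Constructed sample: an 8-byte entry followed by a 9-byte final entry
 * (header plus one payload byte), which is not a multiple of 4. */
static uint8_t sample[8 + 9];
static size_t build_sample(void)
{
    struct msg_hdr h1 = { 8, 1 }, h2 = { 9, 2 };
    memcpy(sample, &h1, sizeof h1);
    memcpy(sample + 8, &h2, sizeof h2);
    sample[16] = 0xAB;
    return sizeof sample;                    /* 17 bytes */
}
```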