Avoid request counter truncation in replies map after 2**32 requests

The c->in request counters are uint64_t, and can realistically go over 2**32 over a lifetime of a client. The c->in->replies map however uses unsigned int keys and the passed request numbers are silently truncated. I haven't analyzed in depth what happens what it wraps around but it's probably nothing good. The only user of the xcb_list.c map code is c->in->replies, so just change it to use uint64_t keys. Reviewed-by: Uli Schlachter <psychon@znc.in> Signed-off-by: Ran Benita <ran@unusedvar.com>
2020-11-17 23:18:53 +02:00 · 2020-11-17 23:18:53 +02:00 · dc28118747
parent 26396bf156
commit dc28118747
2 changed files with 5 additions and 5 deletions
--- a/src/xcb_list.c
+++ b/src/xcb_list.c
@ -36,7 +36,7 @@

 typedef struct node {
    struct node *next;
-    unsigned int key;
+    uint64_t key;
    void *data;
 } node;

@ -73,7 +73,7 @@ void _xcb_map_delete(_xcb_map *list, xcb_list_free_func_t do_free)
    free(list);
 }

-int _xcb_map_put(_xcb_map *list, unsigned int key, void *data)
+int _xcb_map_put(_xcb_map *list, uint64_t key, void *data)
 {
    node *cur = malloc(sizeof(node));
    if(!cur)
@ -86,7 +86,7 @@ int _xcb_map_put(_xcb_map *list, unsigned int key, void *data)
    return 1;
 }

-void *_xcb_map_remove(_xcb_map *list, unsigned int key)
+void *_xcb_map_remove(_xcb_map *list, uint64_t key)
 {
    node **cur;
    for(cur = &list->head; *cur; cur = &(*cur)->next)
--- a/src/xcbint.h
+++ b/src/xcbint.h
@ -83,8 +83,8 @@ typedef struct _xcb_map _xcb_map;

 _xcb_map *_xcb_map_new(void);
 void _xcb_map_delete(_xcb_map *q, xcb_list_free_func_t do_free);
-int _xcb_map_put(_xcb_map *q, unsigned int key, void *data);
-void *_xcb_map_remove(_xcb_map *q, unsigned int key);
+int _xcb_map_put(_xcb_map *q, uint64_t key, void *data);
+void *_xcb_map_remove(_xcb_map *q, uint64_t key);


 /* xcb_out.c */