git: 471fdd91d915 - main - linux: Fix sockopt copyout
Date: Mon, 08 Jun 2026 21:28:56 UTC
The branch main has been updated by chuck:
URL: https://cgit.FreeBSD.org/src/commit/?id=471fdd91d9156aeab026dc420fb97d97be872d65
commit 471fdd91d9156aeab026dc420fb97d97be872d65
Author: Chuck Tuffli <chuck@FreeBSD.org>
AuthorDate: 2026-06-08 21:19:34 +0000
Commit: Chuck Tuffli <chuck@FreeBSD.org>
CommitDate: 2026-06-08 21:20:14 +0000
linux: Fix sockopt copyout
The Linux getsockopt did not check the size of the provided buffer when
copying out the value, leading to buffer overflows (e.g., for TCP_INFO).
Fix is to use the smaller of the option value size and the provided
buffer.
MFC after: 1 month
Relnotes: yes
Reviewed by: kib, markj
Differential Revision: https://reviews.freebsd.org/D55881
---
sys/compat/linux/linux_socket.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/sys/compat/linux/linux_socket.c b/sys/compat/linux/linux_socket.c
index 29b55ef60357..12ba6a3adfce 100644
--- a/sys/compat/linux/linux_socket.c
+++ b/sys/compat/linux/linux_socket.c
@@ -2316,10 +2316,21 @@ linux_sockopt_copyout(struct thread *td, void *val, socklen_t len,
struct linux_getsockopt_args *args)
{
int error;
+ l_int loptlen;
+ socklen_t optlen;
- error = copyout(val, PTRIN(args->optval), len);
- if (error == 0)
- error = copyout(&len, PTRIN(args->optlen), sizeof(len));
+ error = copyin(PTRIN(args->optlen), &loptlen, sizeof(loptlen));
+ if (error != 0)
+ return (error);
+ if (loptlen < 0)
+ return (EINVAL);
+
+ optlen = (socklen_t)loptlen;
+ error = copyout(val, PTRIN(args->optval), min(len, optlen));
+ if (error == 0) {
+ loptlen = (l_int)len;
+ error = copyout(&loptlen, PTRIN(args->optlen), sizeof(loptlen));
+ }
return (error);
}
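Review bot: The length written back through `args->optlen` is still the full `len` (`loptlen = (l_int)len;`), even when the copy into `optval` was clamped to `min(len, optlen)`. A caller that trusts the returned length would then treat bytes the kernel never stored as valid option data, whereas Linux getsockopt conventionally reports the number of bytes actually copied. Consider clamping once with `optlen = min(len, optlen);`, passing `optlen` to the first copyout, and writing back `loptlen = (l_int)optlen;`. The function's signature begins above the hunk and its callers are not visible here, so confirm that none of them depends on the untruncated length being reported.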