svn commit: r362941 - head/sys/compat/linux
Edward Tomasz Napierala
trasz at FreeBSD.org
Sun Jul 5 10:57:29 UTC 2020
Author: trasz
Date: Sun Jul 5 10:57:28 2020
New Revision: 362941
URL: https://svnweb.freebsd.org/changeset/base/362941
Log:
Fix Linux recvmsg(2) when msg_namelen returned is 0. Previously
it would fail with EINVAL, breaking some of the Python regression
tests.
While here, cap the user-controlled message length.
Note that the code doesn't seem to be copying out the new length
in either (success or failure) case. This will be addressed separately.
Reviewed by: kib
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D25392
Modified:
head/sys/compat/linux/linux_socket.c
Modified: head/sys/compat/linux/linux_socket.c
==============================================================================
--- head/sys/compat/linux/linux_socket.c Sun Jul 5 06:51:39 2020 (r362940)
+++ head/sys/compat/linux/linux_socket.c Sun Jul 5 10:57:28 2020 (r362941)
@@ -1196,11 +1196,14 @@ linux_recvmsg_common(struct thread *td, l_int s, struc
if (error != 0)
return (error);
- if (msg->msg_name) {
+ if (msg->msg_name != NULL && msg->msg_namelen > 0) {
+ msg->msg_namelen = min(msg->msg_namelen, SOCK_MAXADDRLEN);
sa = malloc(msg->msg_namelen, M_SONAME, M_WAITOK);
msg->msg_name = sa;
- } else
+ } else {
sa = NULL;
+ msg->msg_name = NULL;
+ }
uiov = msg->msg_iov;
msg->msg_iov = iov;
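Review bot: The added clamp, msg->msg_namelen = min(msg->msg_namelen, SOCK_MAXADDRLEN), has no comment even though it is what bounds the malloc(msg->msg_namelen, M_SONAME, M_WAITOK) on the next line, whose size comes from the caller-supplied msghdr. A one-line comment stating that would make it harder to drop by accident in a later cleanup. Separately, the new else branch resets msg_name to NULL but leaves msg_namelen at whatever the caller passed; consider zeroing it there too so the two fields stay consistent when the name pointer is NULL.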
@@ -1210,7 +1213,10 @@ linux_recvmsg_common(struct thread *td, l_int s, struc
if (error != 0)
goto bad;
- if (msg->msg_name) {
+ /*
+ * Note that kern_recvit() updates msg->msg_namelen.
+ */
+ if (msg->msg_name != NULL && msg->msg_namelen > 0) {
msg->msg_name = PTRIN(linux_msghdr.msg_name);
error = bsd_to_linux_sockaddr(sa, &lsa, msg->msg_namelen);
if (error == 0)
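Review bot: With the new test msg->msg_name != NULL && msg->msg_namelen > 0, this block can now be skipped even though sa was allocated in the earlier hunk (a non-zero length on entry, zero on return), so please confirm that sa is still freed on that path; the visible lines do not show it. The added comment says kern_recvit() updates msg->msg_namelen, and that updated value is what is passed to bsd_to_linux_sockaddr(sa, &lsa, msg->msg_namelen), while sa was sized from the clamped input length. It would help to extend the comment to state that the returned length cannot exceed the allocated size, and to leave an XXX here for the copy-out of the new length that the log message defers.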