Fix Linux recvmsg(2) when msg_namelen returned is 0. Previously
it would fail with EINVAL, breaking some of the Python regression
tests.

While here, cap the user-controlled message length.

Note that the code doesn't seem to be copying out the new length
in either (success or failure) case. This will be addressed separately.

Reviewed by:	kib
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D25392
Edward Tomasz Napierala 2020-07-05 10:57:28 +00:00
parent 3bbb68f0e3
commit 4d2b7be54a


@ -1196,11 +1196,14 @@ linux_recvmsg_common(struct thread *td, l_int s, struct l_msghdr *msghdr,
if (error != 0)
return (error);
if (msg->msg_name) {
if (msg->msg_name != NULL && msg->msg_namelen > 0) {
msg->msg_namelen = min(msg->msg_namelen, SOCK_MAXADDRLEN);
sa = malloc(msg->msg_namelen, M_SONAME, M_WAITOK);
msg->msg_name = sa;
} else
} else {
sa = NULL;
msg->msg_name = NULL;
}
uiov = msg->msg_iov;
msg->msg_iov = iov;
@ -1210,7 +1213,10 @@ linux_recvmsg_common(struct thread *td, l_int s, struct l_msghdr *msghdr,
if (error != 0)
goto bad;
if (msg->msg_name) {
/*
* Note that kern_recvit() updates msg->msg_namelen.
*/
if (msg->msg_name != NULL && msg->msg_namelen > 0) {
msg->msg_name = PTRIN(linux_msghdr.msg_name);
error = bsd_to_linux_sockaddr(sa, &lsa, msg->msg_namelen);
if (error == 0)
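Review bot: The name buffer in the first hunk is still allocated without `M_ZERO`, and the second hunk passes it to `bsd_to_linux_sockaddr()` with the length that `kern_recvit()` wrote back into `msg->msg_namelen`, so nothing on these lines guarantees that every byte converted for userland was actually filled in. If kern_recvit() never reports more than it copied this is harmless, but that is not visible here, and with the allocation now capped at SOCK_MAXADDRLEN zeroing costs next to nothing: `sa = malloc(msg->msg_namelen, M_SONAME, M_WAITOK | M_ZERO);`. A short comment at the cap, e.g. `/* msg_namelen is user-supplied; bound it before it sizes the allocation. */`, would also record why the `min()` is there. linux_recvmsg_common() begins and ends outside both hunks, so the release of `sa` on the `bad` path could not be checked.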