From 4d2b7be54a9ddeb1b336f6d37bb8933bb846ccf1 Mon Sep 17 00:00:00 2001
From: Edward Tomasz Napierala
Date: Sun, 5 Jul 2020 10:57:28 +0000
Subject: [PATCH] Fix Linux recvmsg(2) when msg_namelen returned is 0.

Previously it would fail with EINVAL, breaking some of the Python regression tests.

While here, cap the user-controlled message length.

Note that the code doesn't seem to be copying out the new length in either (success or failure) case. This will be addressed separately.

Reviewed by: kib
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D25392
---
 sys/compat/linux/linux_socket.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/sys/compat/linux/linux_socket.c b/sys/compat/linux/linux_socket.c
index 0484e7459b7..9cd2eb3b120 100644
--- a/sys/compat/linux/linux_socket.c
+++ b/sys/compat/linux/linux_socket.c
@@ -1196,11 +1196,14 @@ linux_recvmsg_common(struct thread *td, l_int s, struct l_msghdr *msghdr,
 	if (error != 0)
 		return (error);
 
-	if (msg->msg_name) {
+	if (msg->msg_name != NULL && msg->msg_namelen > 0) {
+		msg->msg_namelen = min(msg->msg_namelen, SOCK_MAXADDRLEN);
 		sa = malloc(msg->msg_namelen, M_SONAME, M_WAITOK);
 		msg->msg_name = sa;
-	} else
+	} else {
 		sa = NULL;
+		msg->msg_name = NULL;
+	}
 
 	uiov = msg->msg_iov;
 	msg->msg_iov = iov;
@@ -1210,7 +1213,10 @@ linux_recvmsg_common(struct thread *td, l_int s, struct l_msghdr *msghdr,
 	if (error != 0)
 		goto bad;
 
-	if (msg->msg_name) {
+	/*
+	 * Note that kern_recvit() updates msg->msg_namelen.
+	 */
+	if (msg->msg_name != NULL && msg->msg_namelen > 0) {
 		msg->msg_name = PTRIN(linux_msghdr.msg_name);
 		error = bsd_to_linux_sockaddr(sa, &lsa, msg->msg_namelen);
 		if (error == 0)
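Review bot: The added `msg->msg_namelen = min(msg->msg_namelen, SOCK_MAXADDRLEN);` silently shrinks a caller-supplied length with no comment on why that bound is the right one, and the commit message itself says the adjusted length is never copied back, so a reader of this hunk cannot tell the truncation is deliberate. Suggest a comment above it such as `/* msg_namelen is user-controlled; bound the M_SONAME allocation to the largest sockaddr kern_recvit() can hand back, SOCK_MAXADDRLEN. */`. The same comment should say that a caller passing msg_name with msg_namelen == 0 now has msg_name cleared and the address skipped instead of getting EINVAL, since that is the behavioural change the new else branch makes. The `bad:` path that presumably frees sa lies outside the hunk, so I cannot confirm the cleanup for the capped allocation from here.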
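Review bot: The restore of the user pointer, `msg->msg_name = PTRIN(linux_msghdr.msg_name);`, is now skipped when kern_recvit() leaves msg_namelen at 0 for a caller that did supply a name buffer, so msg->msg_name stays pointing at the kernel `sa` allocation in that case, whereas the removed line restored it whenever msg_name was set. Whether anything after the hunk reads msg->msg_name I cannot tell from here, but keeping the restore unconditional avoids carrying a kernel pointer in a field that otherwise mirrors userland: `if (msg->msg_name != NULL) {` / `msg->msg_name = PTRIN(linux_msghdr.msg_name);` / `if (msg->msg_namelen > 0) {`, with the bsd_to_linux_sockaddr conversion and its copyout nested under the length check. The new comment would also be more useful if it stated what the update means for the test below it, e.g. `Note that kern_recvit() updates msg->msg_namelen; zero here presumably means no source address was returned, so there is nothing to convert.` linux_recvmsg_common continues beyond the last line of this hunk.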