Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 08 Jun 2026 21:28:56 +0000
From:      Chuck Tuffli <chuck@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 471fdd91d915 - main - linux: Fix sockopt copyout
Message-ID:  <6a273418.19fdd.55d3f832@gitrepo.freebsd.org>
index | next in thread | raw e-mail 

The branch main has been updated by chuck:

URL: https://cgit.FreeBSD.org/src/commit/?id=471fdd91d9156aeab026dc420fb97d97be872d65

commit 471fdd91d9156aeab026dc420fb97d97be872d65
Author:     Chuck Tuffli <chuck@FreeBSD.org>
AuthorDate: 2026-06-08 21:19:34 +0000
Commit:     Chuck Tuffli <chuck@FreeBSD.org>
CommitDate: 2026-06-08 21:20:14 +0000

    linux: Fix sockopt copyout
    
    The Linux getsockopt did not check the size of the provided buffer when
    copying out the value, leading to buffer overflows (e.g., for TCP_INFO).
    
    Fix is to use the smaller of the option value size and the provided
    buffer.
    
    MFC after:      1 month
    Relnotes:       yes
    Reviewed by:    kib, markj
    Differential Revision:  https://reviews.freebsd.org/D55881
---
 sys/compat/linux/linux_socket.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/sys/compat/linux/linux_socket.c b/sys/compat/linux/linux_socket.c
index 29b55ef60357..12ba6a3adfce 100644
--- a/sys/compat/linux/linux_socket.c
+++ b/sys/compat/linux/linux_socket.c
@@ -2316,10 +2316,21 @@ linux_sockopt_copyout(struct thread *td, void *val, socklen_t len,
     struct linux_getsockopt_args *args)
 {
 	int error;
+	l_int loptlen;
+	socklen_t optlen;
 
-	error = copyout(val, PTRIN(args->optval), len);
-	if (error == 0)
-		error = copyout(&len, PTRIN(args->optlen), sizeof(len));
+	error = copyin(PTRIN(args->optlen), &loptlen, sizeof(loptlen));
+	if (error != 0)
+		return (error);
+	if (loptlen < 0)
+		return (EINVAL);
+
+	optlen = (socklen_t)loptlen;
+	error = copyout(val, PTRIN(args->optval), min(len, optlen));
+	if (error == 0) {
+		loptlen = (l_int)len;
+		error = copyout(&loptlen, PTRIN(args->optlen), sizeof(loptlen));
+	}
 	return (error);
 }
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a273418.19fdd.55d3f832>