Date: Wed, 29 Jun 2016 06:04:45 +0000 (UTC) From: Dmitry Chagin <dchagin@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r302259 - stable/10/sys/compat/linux Message-ID: <201606290604.u5T64jKY058072@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: dchagin Date: Wed Jun 29 06:04:45 2016 New Revision: 302259 URL: https://svnweb.freebsd.org/changeset/base/302259 Log: MFC r302213: Fix a bug introduced in r283433. [1] Remove unneeded sockaddr conversion before kern_recvit() call as the from argument is used to record result (the source address of the received message) only. [2] In Linux the type of msg_namelen member of struct msghdr is signed but native msg_namelen has a unsigned type (socklen_t). So use the proper storage to fetch fromlen from userspace and than check the user supplied value and return EINVAL if it is less than 0 as a Linux do. Reported by: Thomas Mueller <tmueller at sysgo dot com> [1] Tested by: Thomas Mueller <tmueller at sysgo dot com> [both] Reviewed by: kib@ Modified: stable/10/sys/compat/linux/linux_socket.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/compat/linux/linux_socket.c ============================================================================== --- stable/10/sys/compat/linux/linux_socket.c Wed Jun 29 05:21:25 2016 (r302258) +++ stable/10/sys/compat/linux/linux_socket.c Wed Jun 29 06:04:45 2016 (r302259) @@ -1040,18 +1040,16 @@ linux_recvfrom(struct thread *td, struct { struct msghdr msg; struct iovec aiov; - int error; + int error, fromlen; if (PTRIN(args->fromlen) != NULL) { - error = copyin(PTRIN(args->fromlen), &msg.msg_namelen, - sizeof(msg.msg_namelen)); - if (error != 0) - return (error); - - error = linux_to_bsd_sockaddr((struct sockaddr *)PTRIN(args->from), - msg.msg_namelen); + error = copyin(PTRIN(args->fromlen), &fromlen, + sizeof(fromlen)); if (error != 0) return (error); + if (fromlen < 0) + return (EINVAL); + msg.msg_namelen = fromlen; } else msg.msg_namelen = 0;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201606290604.u5T64jKY058072>