On Tue, 16 Jun 2026 09:22:52 -0700
Breno Leitao <[email protected]> wrote:
> On Fri, Jun 12, 2026 at 07:10:15PM -0700, Stanislav Fomichev wrote:
> > On 06/12, Breno Leitao wrote:
>
> > > int udp_lib_getsockopt(struct sock *sk, int level, int optname,
> > > - char __user *optval, int __user *optlen)
> > > + sockopt_t *opt)
> > > {
> > > struct udp_sock *up = udp_sk(sk);
> > > int val, len;
> > >
> > > - if (get_user(len, optlen))
> > > - return -EFAULT;
> >
> > [..]
> >
> > > - if (len < 0)
> > > - return -EINVAL;
> >
> > I see this part now in sockopt_init_user, but you mention that it's a
> > transitional helper. When we drop it, will we loose this <0 check?
> > Maybe keep `if ((int)opt->optlen < 0))` here for backwards
> > compatibility?
>
> Good idea. I will do it and respin (once net-next reopens).
The best place for the negative length check is in the syscall wrapper code.
Pass an unsigned length through to all the protocol code.
No need to require every function to do the test.
Note that the length check was actually broken in many protocols
going way back well before git.
There has pretty much always been an unsigned min() check that converted
negative values to small(ish) positive ones before the check for it being
negative.
(That predates min() being a #define.)
The recent change to actually error optlen < 0 might actually have broken
some applications that passed uninitialised stack that was always negative!
-- David
>
> Thanks for the review,
> --breno
>
