After following 2 kernel commits:

  commit 1661bf364ae9c506bc8795fef70d1532931be1e8
  Author: Dan Carpenter <[email protected]>
  Date: Thu Oct 3 00:27:20 2013 +0300
    net: heap overflow in __audit_sockaddr()

  commit db31c55a6fb245fdbb752a2ca4aefec89afabb06
  Author: Dan Carpenter <[email protected]>
  Date: Wed Nov 27 15:40:21 2013 +0300
    net: clamp ->msg_namelen instead of returning an error

msg_namelen is treated as an unsigned value because of this condition,
which compares signed and unsigned arguments:

  net/socket.c copy_msghdr_from_user()
    if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))

User-space (according to POSIX spec) defines it as "unsigned opaque
integral type of length of at least 32 bits".

Passing -1 now has the same effect as passing a very large number, and
the syscall completes successfully.

Change the test to use an invalid, but positive value for the
"invalid to buffer length" testcase.

Signed-off-by: Jan Stancek <[email protected]>
Reported-by: Fengguang Wu <[email protected]>
Tested-by: Wanlong Gao <[email protected]>
--- testcases/kernel/syscalls/sendmsg/sendmsg01.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/testcases/kernel/syscalls/sendmsg/sendmsg01.c b/testcases/kernel/syscalls/sendmsg/sendmsg01.c index 5c79a45..81d5770 100644 --- a/testcases/kernel/syscalls/sendmsg/sendmsg01.c +++ b/testcases/kernel/syscalls/sendmsg/sendmsg01.c @@ -211,7 +211,7 @@ struct test_case_t tdat[] = { .msg = &msgdat, .flags = 0, .to = (struct sockaddr *)&sin1, - .tolen = -1, + .tolen = 1, .retval = -1, .experrno = EINVAL, .setup = setup1, -- 1.7.1

_______________________________________________
Ltp-list mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ltp-list
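
Review bot: at `.tolen = 1` the case still expects `.retval = -1` and `.experrno = EINVAL`, but nothing in the table entry says why 1 counts as invalid. A short comment next to it, stating that it is a positive length too small for the address passed in `.to = (struct sockaddr *)&sin1`, would stop a later reader from restoring -1. With -1 gone, no case in this hunk covers the over-large msg_namelen path that the commit message says now completes successfully; consider a separate table entry for it, with the expected result depending on whether the running kernel clamps or rejects the value, so a change in that behaviour is noticed.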
