In do_setsockopt(), the code path for the options which take a struct
ip_mreq_source (IP_BLOCK_SOURCE, IP_UNBLOCK_SOURCE,
IP_ADD_SOURCE_MEMBERSHIP and IP_DROP_SOURCE_MEMBERSHIP) fails to
check the return value from lock_user(). Handle this in the usual
way by returning -TARGET_EFAULT.
(In practice this was probably harmless because we'd pass a NULL
pointer to setsockopt() and the kernel would then return EFAULT.)
Fixes: Coverity CID 1459987
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
---
Compile-tested only; I don't have a test case to hand that
uses these socket options.
linux-user/syscall.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index ccd3892b2df..d2b062ea5a9 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2121,6 +2121,9 @@ static abi_long do_setsockopt(int sockfd, int level, int
optname,
return -TARGET_EINVAL;
ip_mreq_source = lock_user(VERIFY_READ, optval_addr, optlen, 1);
+ if (!ip_mreq_source) {
+ return -TARGET_EFAULT;
+ }
ret = get_errno(setsockopt(sockfd, level, optname, ip_mreq_source,
optlen));
unlock_user (ip_mreq_source, optval_addr, 0);
break;
--
2.20.1
