Author: trasz Date: Sun Jul 5 10:57:28 2020 New Revision: 362941 URL: https://svnweb.freebsd.org/changeset/base/362941
Log: Fix Linux recvmsg(2) when msg_namelen returned is 0. Previously it would fail with EINVAL, breaking some of the Python regression tests. While here, cap the user-controlled message length. Note that the code doesn't seem to be copying out the new length in either (success or failure) case. This will be addressed separately. Reviewed by: kib MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D25392 Modified: head/sys/compat/linux/linux_socket.c Modified: head/sys/compat/linux/linux_socket.c ============================================================================== --- head/sys/compat/linux/linux_socket.c Sun Jul 5 06:51:39 2020 (r362940) +++ head/sys/compat/linux/linux_socket.c Sun Jul 5 10:57:28 2020 (r362941) @@ -1196,11 +1196,14 @@ linux_recvmsg_common(struct thread *td, l_int s, struc if (error != 0) return (error); - if (msg->msg_name) { + if (msg->msg_name != NULL && msg->msg_namelen > 0) { + msg->msg_namelen = min(msg->msg_namelen, SOCK_MAXADDRLEN); sa = malloc(msg->msg_namelen, M_SONAME, M_WAITOK); msg->msg_name = sa; - } else + } else { sa = NULL; + msg->msg_name = NULL; + } uiov = msg->msg_iov; msg->msg_iov = iov; @@ -1210,7 +1213,10 @@ linux_recvmsg_common(struct thread *td, l_int s, struc if (error != 0) goto bad; - if (msg->msg_name) { + /* + * Note that kern_recvit() updates msg->msg_namelen. + */ + if (msg->msg_name != NULL && msg->msg_namelen > 0) { msg->msg_name = PTRIN(linux_msghdr.msg_name); error = bsd_to_linux_sockaddr(sa, &lsa, msg->msg_namelen); if (error == 0) _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
