On Sat, Dec 14, 2013 at 19:06, Maxime Villard wrote:
> Hi,
> I was reading linux_socket.c when I came across a bug in
> linux_sendmsg().
> At l.1252, if control == NULL, the function jumps to 'done' and 'level'
> is checked while it hasn't been initialized. As 'control' is NULL,
> copyout() tries to write to NULL->cmsg_level.

Agree with the patch. Can you do one other change?

Change &control->level to control + offsetof(level). (Maybe with a second
variable.) I think that would make it more clear that we're not
dereferencing the pointer in the kernel and would reduce the number of
casts.
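As an added example (not code from this thread and not NetBSD's linux_socket.c), the user-space C mock below shows the shape of the bug described above and the offsetof() spelling the reply asks for. It assumes a copyout()/copyin() pair that fails with EFAULT on an unmapped user address instead of touching it, a constructed cmsghdr layout, and, as a stand-in for the real translation, that cmsg_level is rewritten from Linux's SOL_SOCKET value to the native one before the send and put back at 'done'. The constant values and every function name here are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Linux's struct cmsghdr (field names as in Linux). */
struct lx_cmsghdr {
    size_t cmsg_len;
    int    cmsg_level;
    int    cmsg_type;
};

/* Assumed constants: Linux's SOL_SOCKET is 1, the BSD value is 0xffff. */
#define LINUX_SOL_SOCKET  1
#define NATIVE_SOL_SOCKET 0xffff

/* Simulated user address space: only these bytes count as mapped. */
static union {
    unsigned char     bytes[64];
    struct lx_cmsghdr align;       /* only here to align the buffer */
} user_mem;

static int user_range_ok(const void *uaddr, size_t len)
{
    uintptr_t base = (uintptr_t)user_mem.bytes, end = base + sizeof user_mem.bytes;
    uintptr_t p = (uintptr_t)uaddr;
    return p >= base && p + len <= end;
}

/* Mocks of the kernel's copyout()/copyin(): the user address is validated,
 * never dereferenced blindly.  An unmapped destination (NULL, or the small
 * offset that NULL->cmsg_level yields) fails with EFAULT, which is how the
 * kernel reacts to a fault on an unmapped user page. */
static int mock_copyout(const void *kaddr, void *uaddr, size_t len)
{
    if (!user_range_ok(uaddr, len))
        return EFAULT;
    memcpy(uaddr, kaddr, len);
    return 0;
}

static int mock_copyin(void *kaddr, const void *uaddr, size_t len)
{
    if (!user_range_ok(uaddr, len))
        return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* The spelling the reply suggests: control + offsetof(level).  Integer
 * arithmetic on the user pointer makes it plain that nothing is dereferenced
 * in the kernel, and the casts live in one place. */
static void *u_cmsg_level(const struct lx_cmsghdr *control)
{
    return (void *)((uintptr_t)control + offsetof(struct lx_cmsghdr, cmsg_level));
}

/* Shape of the reported bug: with no control message we jump to 'done', where
 * 'level' was never assigned and the copyout destination derives from NULL. */
static int linux_sendmsg_buggy(struct lx_cmsghdr *control)
{
    int level;                     /* assigned only when control != NULL */
    int native = NATIVE_SOL_SOCKET;
    int error;

    if (control == NULL)
        goto done;
    if ((error = mock_copyin(&level, u_cmsg_level(control), sizeof level)) != 0)
        return error;
    if (level == LINUX_SOL_SOCKET &&
        (error = mock_copyout(&native, u_cmsg_level(control), sizeof native)) != 0)
        return error;
    /* ... the native sendmsg would run here ... */
done:
    /* Restores the Linux level for the caller: with control == NULL this
     * targets NULL->cmsg_level, so the mock (like the kernel) returns EFAULT. */
    return mock_copyout(&level, u_cmsg_level(control), sizeof level);
}

/* Fixed shape: no control message means nothing to translate and nothing to
 * restore, so the 'done' copyout is skipped and 'level' is read only on the
 * path that assigned it.  The user address is kept in a second variable. */
static int linux_sendmsg_fixed(struct lx_cmsghdr *control)
{
    int level = 0, native = NATIVE_SOL_SOCKET, error = 0;
    void *ulevel = NULL;           /* user address of cmsg_level, if any */

    if (control != NULL) {
        ulevel = u_cmsg_level(control);
        if ((error = mock_copyin(&level, ulevel, sizeof level)) != 0)
            return error;
        if (level == LINUX_SOL_SOCKET &&
            (error = mock_copyout(&native, ulevel, sizeof native)) != 0)
            return error;
    }
    /* ... the native sendmsg would run here ... */
    if (ulevel != NULL && level == LINUX_SOL_SOCKET)
        error = mock_copyout(&level, ulevel, sizeof level);
    return error;
}

/* Constructs a control message in the simulated user buffer. */
static struct lx_cmsghdr *make_user_cmsg(int level)
{
    struct lx_cmsghdr c = { sizeof c, level, 0 };
    memcpy(user_mem.bytes, &c, sizeof c);
    return &user_mem.align;
}

static int peek_user_cmsg_level(void)
{
    int v;
    memcpy(&v, user_mem.bytes + offsetof(struct lx_cmsghdr, cmsg_level), sizeof v);
    return v;
}

int main(void)
{
    printf("buggy, no control : %d (EFAULT=%d)\n", linux_sendmsg_buggy(NULL), EFAULT);
    printf("fixed, no control : %d\n", linux_sendmsg_fixed(NULL));
    printf("fixed, with control: %d, level afterwards %d\n",
           linux_sendmsg_fixed(make_user_cmsg(LINUX_SOL_SOCKET)), peek_user_cmsg_level());
    return 0;
}
```

The buggy variant never reaches the memcpy on the NULL path because the mock rejects the unmapped destination first, so the uninitialized 'level' is never read here; in the kernel the copyout simply faults on the unmapped page instead.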