| Message ID | 20200727182220.GI794331@ZenIV.linux.org.uk |
|---|---|
| State | Accepted |
| Delegated to: | David Miller |
| Headers | show |
| Series | [net] fix a braino in cmsghdr_from_user_compat_to_kern() | expand |
From: Al Viro <viro@zeniv.linux.org.uk> Date: Mon, 27 Jul 2020 19:22:20 +0100 > commit 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to > copy_from_user()") missed one of the places where ucmlen should've been > replaced with cmsg.cmsg_len, now that we are fetching the entire struct > rather than doing it field-by-field. > > As the result, compat sendmsg() with several different-sized cmsg > attached started to fail with EINVAL. Trivial to fix, fortunately. > > Reported-by: Nick Bowler <nbowler@draconx.ca> > Tested-by: Nick Bowler <nbowler@draconx.ca> > Fixes: 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to copy_from_user()") > > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Applied, thanks Al.
diff --git a/net/compat.c b/net/compat.c index 5e3041a2c37d..434838bef5f8 100644 --- a/net/compat.c +++ b/net/compat.c @@ -202,7 +202,7 @@ int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk, /* Advance. */ kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp); - ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen); + ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, cmsg.cmsg_len); } /*
commit 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to copy_from_user()") missed one of the places where ucmlen should've been replaced with cmsg.cmsg_len, now that we are fetching the entire struct rather than doing it field-by-field. As the result, compat sendmsg() with several different-sized cmsg attached started to fail with EINVAL. Trivial to fix, fortunately. Reported-by: Nick Bowler <nbowler@draconx.ca> Tested-by: Nick Bowler <nbowler@draconx.ca> Fixes: 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to copy_from_user()") Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> ---