Message ID | 1418404584-16428-2-git-send-email-apw@canonical.com |
---|---|
State | New |
On Fri, Dec 12, 2014 at 05:16:24PM +0000, Andy Whitcroft wrote:
> From: Ani Sinha <ani@arista.com>
>
> Linux manpage for recvmsg and sendmsg calls does not explicitly mention setting msg_namelen to 0 when
> msg_name passed set as NULL. When developers don't set msg_namelen member in msghdr, it might contain garbage
> value which will fail the validation check and sendmsg and recvmsg calls from kernel will return EINVAL. This will
> break old binaries and any code for which there is no access to source code.
> To fix this, we set msg_namelen to 0 when msg_name is passed as NULL from userland.
>
> Signed-off-by: Ani Sinha <ani@arista.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> (cherry picked from commit 6a2a2b3ae0759843b22c929881cc184b00cc63ff)
> BugLink: http://bugs.launchpad.net/bugs/1335478
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  net/socket.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/socket.c b/net/socket.c
> index abf56b2..6d48a43 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -1988,6 +1988,9 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
>  if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
>  return -EFAULT;
>
> + if (kmsg->msg_name == NULL)
> + kmsg->msg_namelen = 0;
> +
>  if (kmsg->msg_namelen < 0)
>  return -EINVAL;
>
> --
> 1.9.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 12/12/2014 11:16 AM, Andy Whitcroft wrote:
> From: Ani Sinha <ani@arista.com>
>
> Linux manpage for recvmsg and sendmsg calls does not explicitly mention setting msg_namelen to 0 when
> msg_name passed set as NULL. When developers don't set msg_namelen member in msghdr, it might contain garbage
> value which will fail the validation check and sendmsg and recvmsg calls from kernel will return EINVAL. This will
> break old binaries and any code for which there is no access to source code.
> To fix this, we set msg_namelen to 0 when msg_name is passed as NULL from userland.
>
> Signed-off-by: Ani Sinha <ani@arista.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> (cherry picked from commit 6a2a2b3ae0759843b22c929881cc184b00cc63ff)
> BugLink: http://bugs.launchpad.net/bugs/1335478
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  net/socket.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/socket.c b/net/socket.c
> index abf56b2..6d48a43 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -1988,6 +1988,9 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
>  if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
>  return -EFAULT;
>
> + if (kmsg->msg_name == NULL)
> + kmsg->msg_namelen = 0;
> +
>  if (kmsg->msg_namelen < 0)
>  return -EINVAL;
>
diff --git a/net/socket.c b/net/socket.c
index abf56b2..6d48a43 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1988,6 +1988,9 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
 if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
 return -EFAULT;

+ if (kmsg->msg_name == NULL)
+ kmsg->msg_namelen = 0;
+
 if (kmsg->msg_namelen < 0)
 return -EINVAL;
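Review bot: the NULL-name rescue is added only to copy_msghdr_from_user() in net/socket.c (the diffstat lists a single file), so the 32-bit compat entry path, which converts its msghdr through get_compat_msghdr() in net/compat.c and carries the same `msg_namelen < 0` rejection, will keep returning EINVAL to exactly the old binaries the commit message wants to keep working; the same two lines should go into that helper, either in this patch or as a follow-up cherry-pick. Placement within this hunk is right: the zeroing sits after the copy_from_user() and before `if (kmsg->msg_namelen < 0)`, so a stale negative length is discarded rather than rejected, while a non-NULL msg_name with a bad length still returns -EINVAL, which matches the stated intent. Minor style point: kernel code usually writes the pointer test as `if (!kmsg->msg_name)`.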
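The failure mode in the commit message, as an added userspace illustration that is not part of the patch or the mailing-list thread: the three lines of the hunk are re-implemented against a model of the kernel-side header (the kernel keeps msg_namelen as a signed int, glibc as an unsigned socklen_t), and run against an msghdr that was never zeroed, one that was, and one whose msg_name is set but whose length is garbage. The struct names, helper functions and the 0xff fill standing in for stack garbage are all assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>

/*
 * Model (not the kernel's definition) of the kernel-side header. The kernel
 * declares msg_namelen as a signed int, which is why the hunk can test "< 0";
 * glibc's userspace struct msghdr uses socklen_t, which is unsigned, so a
 * leftover 0xffffffff arrives in the kernel as -1.
 */
struct kmsghdr_model {
    void *msg_name;
    int   msg_namelen;
};

/*
 * Userspace re-implementation of the validation shown in the hunk.
 * with_fix == 0 models the pre-patch check, with_fix != 0 the post-patch one.
 * Returns 0 or -EINVAL, like copy_msghdr_from_user().
 */
int copy_msghdr_model(const struct msghdr *umsg, struct kmsghdr_model *kmsg,
                      int with_fix)
{
    kmsg->msg_name    = umsg->msg_name;
    kmsg->msg_namelen = (int)umsg->msg_namelen; /* socklen_t -> int, as the kernel sees it */

    if (with_fix && kmsg->msg_name == NULL)      /* the three added lines */
        kmsg->msg_namelen = 0;

    if (kmsg->msg_namelen < 0)
        return -EINVAL;
    return 0;
}

/*
 * Constructed "forgot to zero the struct" pattern. Reading a genuinely
 * uninitialised local is undefined behaviour, so stack garbage is simulated
 * by filling the struct with 0xff; only the fields the sender cares about
 * are then set and msg_namelen is left alone, as in the old binaries the
 * commit message describes.
 */
void build_garbage_msghdr(struct msghdr *m, struct iovec *iov)
{
    memset(m, 0xff, sizeof(*m));
    m->msg_name       = NULL;   /* no address wanted ... */
                                /* ... but msg_namelen still holds 0xffffffff */
    m->msg_iov        = iov;
    m->msg_iovlen     = 1;
    m->msg_control    = NULL;
    m->msg_controllen = 0;
    m->msg_flags      = 0;
}

/* Hardened pattern: zero the whole struct first, so msg_namelen is 0 on any kernel. */
void build_clean_msghdr(struct msghdr *m, struct iovec *iov)
{
    memset(m, 0, sizeof(*m));
    m->msg_iov    = iov;
    m->msg_iovlen = 1;
}

static char payload[] = "constructed payload";

/* Kernel-check result for the never-zeroed header, pre- or post-patch. */
int check_garbage(int with_fix)
{
    struct iovec iov = { .iov_base = payload, .iov_len = sizeof(payload) };
    struct msghdr m;
    struct kmsghdr_model k;

    build_garbage_msghdr(&m, &iov);
    return copy_msghdr_model(&m, &k, with_fix);
}

/* Kernel-check result for the zeroed header: accepted before and after. */
int check_clean(int with_fix)
{
    struct iovec iov = { .iov_base = payload, .iov_len = sizeof(payload) };
    struct msghdr m;
    struct kmsghdr_model k;

    build_clean_msghdr(&m, &iov);
    return copy_msghdr_model(&m, &k, with_fix);
}

/* A non-NULL msg_name with a garbage length is still rejected after the patch:
 * the fix only rescues callers that asked for no address at all. */
int check_nonnull_garbage_len(int with_fix)
{
    struct sockaddr_storage ss;
    struct iovec iov = { .iov_base = payload, .iov_len = sizeof(payload) };
    struct msghdr m;
    struct kmsghdr_model k;

    build_garbage_msghdr(&m, &iov);
    m.msg_name = &ss;
    return copy_msghdr_model(&m, &k, with_fix);
}

int main(void)
{
    printf("garbage header, pre-patch  : %d\n", check_garbage(0));
    printf("garbage header, post-patch : %d\n", check_garbage(1));
    printf("zeroed header, pre-patch   : %d\n", check_clean(0));
    printf("non-NULL name, garbage len : %d\n", check_nonnull_garbage_len(1));
    return 0;
}
```

The takeaway for userspace code is the second builder: zero the whole struct (memset or a designated initialiser) before filling in the fields you need, so the program behaves the same on kernels with and without this patch.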