From patchwork Mon Aug 6 21:18:06 2018
X-Patchwork-Submitter: Laurent Vivier
X-Patchwork-Id: 954239
From: Laurent Vivier
To: qemu-devel@nongnu.org
Cc: Riku Voipio, Laurent Vivier, John Paul Adrian Glaubitz
Date: Mon, 6 Aug 2018 23:18:06 +0200
Message-Id: <20180806211806.29845-1-laurent@vivier.eu>
X-Mailer: git-send-email 2.17.1
Subject: [Qemu-devel] [PATCH] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC

If recvmsg()/recvfrom() are used with the MSG_TRUNC flag, they return the real length even if it was longer than the passed buffer. So when we translate the buffer we must check we don't go beyond the end of the buffer.
Bug: https://github.com/vivier/qemu-m68k/issues/33 Reported-by: John Paul Adrian Glaubitz Signed-off-by: Laurent Vivier Reviewed-by: Peter Maydell --- linux-user/syscall.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index dfc851cc35..399da09f38 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -3892,7 +3892,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp, len = ret; if (fd_trans_host_to_target_data(fd)) { ret = fd_trans_host_to_target_data(fd)(msg.msg_iov->iov_base, - len); + MIN(msg.msg_iov->iov_len, len)); } else { ret = host_to_target_cmsg(msgp, &msg); } @@ -4169,7 +4169,12 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, size_t len, int flags, } if (!is_error(ret)) { if (fd_trans_host_to_target_data(fd)) { - ret = fd_trans_host_to_target_data(fd)(host_msg, ret); + abi_long trans; + trans = fd_trans_host_to_target_data(fd)(host_msg, MIN(ret, len)); + if (is_error(trans)) { + ret = trans; + goto fail; + } } if (target_addr) { host_to_target_sockaddr(target_addr, addr, addrlen);
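Review bot: in the do_sendrecvmsg_locked hunk the clamp `MIN(msg.msg_iov->iov_len, len)` only considers the first iovec entry, so it is correct only when msg_iov has a single element; with a longer iovec the translator is still handed just iov[0], and a recvmsg() that scatters a netlink dump across several buffers gets translated only up to iov[0].iov_len while the rest is returned to the guest unconverted. Either sum the iov_len values up to `len` before clamping, or guard the call with a check such as `msg.msg_iovlen == 1` and document that translators assume one segment. Separately, the visible `else` branch means host_to_target_cmsg(msgp, &msg) is skipped whenever a host-to-target data translator exists for the fd, so ancillary data on such fds is never converted; that predates this patch but is worth a follow-up.

Review bot: in the do_recvfrom hunk the new `trans` temporary changes what the guest receives and the commit message does not mention it: previously `ret = fd_trans_host_to_target_data(fd)(host_msg, ret)` overwrote the byte count with the translator's return value, whereas now a successful translation leaves `ret` as the length recvfrom() reported, so with MSG_TRUNC the guest sees the real datagram length. That is the right behaviour, but it deserves a sentence in the description. Two smaller points: `abi_long trans;` followed by `trans = ...;` on the next line can be a single declaration with an initializer, and the `fail:` label is outside the hunk, so please confirm that path still unlocks host_msg before returning, since it is now reached after the buffer has been mapped.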
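The two facts the commit message relies on, shown in working C as an added example that is not code from QEMU or from this patch. Assumptions: a Linux host; an AF_UNIX SOCK_DGRAM socketpair stands in for a netlink socket, since Linux gives both datagram types the same MSG_TRUNC semantics and neither needs privileges; and `swap_nlmsg_headers()` is a hypothetical stand-in for linux-user's fd_trans_host_to_target_data() callbacks, byte-swapping netlink headers the way a cross-endian target would need. The constructed buffer in `demo_truncated_translation()` reproduces the shape of the bug: the kernel reports 128 bytes, the guest buffer holds 64.

```c
/* Added example, not QEMU code.  Linux only.
 * Fact 1: recv(MSG_TRUNC) on a datagram socket reports the datagram's real
 *         length even when only part of it fitted into the buffer.
 * Fact 2: a host->target translator that walks the received buffer must be
 *         handed MIN(ret, buffer size), never the raw return value.
 * swap_nlmsg_headers() is a hypothetical translator (assumption), standing in
 * for linux-user's fd_trans_host_to_target_data() callbacks. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/netlink.h>

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* Fact 1: send payload_len bytes to ourselves, read them back with MSG_TRUNC
 * into only buflen bytes, and return what recv() reported (-1 on error). */
ssize_t recv_with_msg_trunc(const void *payload, size_t payload_len,
                            void *buf, size_t buflen)
{
    int sv[2];
    ssize_t ret = -1;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) {
        return -1;
    }
    if (send(sv[0], payload, payload_len, 0) == (ssize_t)payload_len) {
        ret = recv(sv[1], buf, buflen, MSG_TRUNC);
    }
    close(sv[0]);
    close(sv[1]);
    return ret;
}

/* Hypothetical translator: byte-swap every complete nlmsghdr in buf.  Like
 * the real callbacks it trusts `len` completely, so the caller must never
 * pass more than the buffer holds.  A trailing partial message (cut off by
 * truncation) is left untouched.  Returns the number of headers swapped. */
int swap_nlmsg_headers(void *buf, size_t len)
{
    struct nlmsghdr *nlh = buf;
    int count = 0;

    while (len >= sizeof(*nlh) && nlh->nlmsg_len >= sizeof(*nlh) &&
           nlh->nlmsg_len <= len) {
        size_t step = NLMSG_ALIGN(nlh->nlmsg_len);  /* read before swapping */

        nlh->nlmsg_len   = __builtin_bswap32(nlh->nlmsg_len);
        nlh->nlmsg_type  = __builtin_bswap16(nlh->nlmsg_type);
        nlh->nlmsg_flags = __builtin_bswap16(nlh->nlmsg_flags);
        nlh->nlmsg_seq   = __builtin_bswap32(nlh->nlmsg_seq);
        nlh->nlmsg_pid   = __builtin_bswap32(nlh->nlmsg_pid);
        count++;
        if (step >= len) {
            break;                          /* that was the last message */
        }
        len -= step;
        nlh = (struct nlmsghdr *)((char *)nlh + step);
    }
    return count;
}

/* Fact 2, the pattern the patch introduces: clamp the reported length to
 * what the buffer can hold before calling the translator. */
int translate_received(void *buf, size_t buflen, ssize_t ret)
{
    if (ret < 0) {
        return (int)ret;                    /* errors pass straight through */
    }
    return swap_nlmsg_headers(buf, MIN((size_t)ret, buflen));
}

/* Constructed sample input: back-to-back netlink messages with `payload`
 * data bytes each, as many as completely fit.  Returns bytes written. */
size_t build_nlmsg_chain(void *buf, size_t buflen, size_t payload, uint16_t type)
{
    size_t off = 0, msglen = NLMSG_LENGTH(payload);   /* header + payload */
    uint32_t seq = 1;

    memset(buf, 0, buflen);
    while (off + NLMSG_ALIGN(msglen) <= buflen) {
        struct nlmsghdr *nlh = (struct nlmsghdr *)((char *)buf + off);
        nlh->nlmsg_len   = (uint32_t)msglen;
        nlh->nlmsg_type  = type;
        nlh->nlmsg_flags = NLM_F_MULTI;
        nlh->nlmsg_seq   = seq++;
        nlh->nlmsg_pid   = 4242;            /* arbitrary port id */
        memset(NLMSG_DATA(nlh), 0xab, payload);
        off += NLMSG_ALIGN(msglen);
    }
    return off;
}

/* The bug's shape: the kernel held 128 bytes (four 32-byte messages), the
 * guest passed a 64-byte buffer, recv(MSG_TRUNC) returned 128.  Unclamped,
 * the translator would be told 128 and walk 64 bytes past guest_buf; with
 * the clamp it handles exactly the two headers that were copied. */
int demo_truncated_translation(void)
{
    uint8_t kernel_data[128], guest_buf[64];
    size_t real_len = build_nlmsg_chain(kernel_data, sizeof kernel_data, 16, 0x10);

    memcpy(guest_buf, kernel_data, sizeof guest_buf);   /* what the kernel copied */
    return translate_received(guest_buf, sizeof guest_buf, (ssize_t)real_len);
}
```

The translator deliberately takes only `(buf, len)`, mirroring the callback signature in the hunks, so the only place bounds can be enforced is the caller's clamp; the last, partial message inside the clamped range is skipped rather than half-swapped, and the guest still receives the real length (128 here) so it can detect the truncation itself.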