From patchwork Sun Aug 19 22:17:05 2018
X-Patchwork-Submitter: Laurent Vivier
X-Patchwork-Id: 959462
From: Laurent Vivier
To: qemu-devel@nongnu.org
Date: Mon, 20 Aug 2018 00:17:05 +0200
Message-Id: <20180819221707.20693-5-laurent@vivier.eu>
In-Reply-To: <20180819221707.20693-1-laurent@vivier.eu>
References: <20180819221707.20693-1-laurent@vivier.eu>
Subject: [Qemu-devel] [PULL 4/6] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC
Cc: Peter Crosthwaite, Riku Voipio, Laurent Vivier, Paolo Bonzini, Aurelien Jarno, Richard Henderson

If recvmsg()/recvfrom() are used with the MSG_TRUNC flag, they return the real length even if it
was longer than the passed buffer. So when we translate the buffer we must check we don't go beyond the end of the buffer. Bug: https://github.com/vivier/qemu-m68k/issues/33 Reported-by: John Paul Adrian Glaubitz Signed-off-by: Laurent Vivier Reviewed-by: Peter Maydell Message-Id: <20180806211806.29845-1-laurent@vivier.eu> --- linux-user/syscall.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 1806b33b02..e66faf1c62 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -3892,7 +3892,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp, len = ret; if (fd_trans_host_to_target_data(fd)) { ret = fd_trans_host_to_target_data(fd)(msg.msg_iov->iov_base, - len); + MIN(msg.msg_iov->iov_len, len)); } else { ret = host_to_target_cmsg(msgp, &msg); } @@ -4169,7 +4169,12 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, size_t len, int flags, } if (!is_error(ret)) { if (fd_trans_host_to_target_data(fd)) { - ret = fd_trans_host_to_target_data(fd)(host_msg, ret); + abi_long trans; + trans = fd_trans_host_to_target_data(fd)(host_msg, MIN(ret, len)); + if (is_error(trans)) { + ret = trans; + goto fail; + } } if (target_addr) { host_to_target_sockaddr(target_addr, addr, addrlen);
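Review bot: in the do_sendrecvmsg_locked hunk the clamp `MIN(msg.msg_iov->iov_len, len)` bounds the translation by the first iovec only, and since the translator is handed just `msg.msg_iov->iov_base`, data the kernel scattered into any further iovec entries is never translated; that is pre-existing, but a short comment stating that the netlink translators assume a single iovec would stop the next reader from taking this clamp as a complete fix for msg_iovlen > 1. The clamp itself is the right shape: `len = ret;` just above keeps the kernel's reported length untouched, so only the translator's view of the buffer is shortened and the MSG_TRUNC contract of returning the real length is preserved.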
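Review bot: the do_recvfrom hunk changes more than the length check and the commit message should say so: the removed line `ret = fd_trans_host_to_target_data(fd)(host_msg, ret);` let the translator's return value replace the received length on success, whereas now `ret` keeps the recvfrom result and only a translator error (`if (is_error(trans)) { ret = trans; goto fail; }`) overrides it. Declaration and assignment can also be merged into `abi_long trans = fd_trans_host_to_target_data(fd)(host_msg, MIN(ret, len));`. The `fail:` label is outside the hunk, so confirm that path releases host_msg before returning.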
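Added example, not part of the patch or of QEMU: a small C program showing the MSG_TRUNC behaviour the commit message describes, using an AF_UNIX datagram socketpair as a constructed stand-in for the netlink socket, and the MIN() clamp that bounds what a translator may touch (the helper names translatable_len and recv_truncated are this example's own).

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Bytes of the caller's buffer that really hold data: the only range a
 * host-to-target translator may touch, whatever length recv() reported. */
static size_t translatable_len(ssize_t ret, size_t buflen)
{
    return ret < 0 ? 0 : MIN((size_t)ret, buflen);
}

/* Constructed stand-in for the netlink socket in the patch: an AF_UNIX
 * datagram socketpair.  Sends `sent` bytes, receives into a `buflen`-byte
 * buffer with `flags`, returns recvmsg()'s result, stores msg_flags. */
static ssize_t recv_truncated(size_t sent, size_t buflen, int flags,
                              int *flags_out)
{
    int sv[2];
    char payload[256], buf[256];
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    ssize_t ret = -1;

    if (sent > sizeof(payload) || buflen > sizeof(buf) ||
        socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) {
        return -1;
    }
    memset(payload, 'A', sent);
    if (send(sv[0], payload, sent, 0) == (ssize_t)sent) {
        ret = recvmsg(sv[1], &msg, flags);  /* real length if MSG_TRUNC */
        *flags_out = msg.msg_flags;         /* MSG_TRUNC set if data was cut */
    }
    close(sv[0]);
    close(sv[1]);
    return ret;
}

int main(void)
{
    int fl = 0;
    ssize_t ret = recv_truncated(64, 16, MSG_TRUNC, &fl);
    printf("recvmsg(MSG_TRUNC) returned %zd, buffer holds %zu bytes%s\n",
           ret, translatable_len(ret, 16),
           (fl & MSG_TRUNC) ? ", MSG_TRUNC set" : "");
    return 0;
}
```

With MSG_TRUNC the call reports 64 although only 16 bytes landed in the buffer, which is exactly why the patch clamps the translator's length with MIN() instead of trusting the return value.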