From patchwork Mon Aug 20 17:15:54 2018
X-Patchwork-Submitter: Laurent Vivier
X-Patchwork-Id: 959845
From: Laurent Vivier
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Riku Voipio, Laurent Vivier
Date: Mon, 20 Aug 2018 19:15:54 +0200
Message-Id: <20180820171557.7734-2-laurent@vivier.eu>
In-Reply-To: <20180820171557.7734-1-laurent@vivier.eu>
References: <20180820171557.7734-1-laurent@vivier.eu>
Subject: [Qemu-devel] [PATCH v2 1/4] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC

If recvmsg()/recvfrom() are used with the MSG_TRUNC flag, they return
the real length even if it was longer than the passed buffer.

So when we translate the buffer we must check we don't go beyond the
end of the buffer.

Bug: https://github.com/vivier/qemu-m68k/issues/33
Reported-by: John Paul Adrian Glaubitz
Signed-off-by: Laurent Vivier
Reviewed-by: Peter Maydell
---
 linux-user/syscall.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c index bb42a225eb..a62cd15dc7 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -3892,7 +3892,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp, len = ret; if (fd_trans_host_to_target_data(fd)) { ret = fd_trans_host_to_target_data(fd)(msg.msg_iov->iov_base, - len); + MIN(msg.msg_iov->iov_len, len)); } else { ret = host_to_target_cmsg(msgp, &msg); } @@ -4169,7 +4169,12 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, size_t len, int flags, } if (!is_error(ret)) { if (fd_trans_host_to_target_data(fd)) { - ret = fd_trans_host_to_target_data(fd)(host_msg, ret); + abi_long trans; + trans = fd_trans_host_to_target_data(fd)(host_msg, MIN(ret, len)); + if (is_error(trans)) { + ret = trans; + goto fail; + } } if (target_addr) { host_to_target_sockaddr(target_addr, addr, addrlen);
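Review bot: the new bound MIN(msg.msg_iov->iov_len, len) in the do_sendrecvmsg_locked hunk (line 3892) only covers the first iovec, which matches the single msg.msg_iov->iov_base handed to the translator, so a guest recvmsg() whose data spans more than one iovec still has only its first segment translated and bounded; that limitation predates this patch, but a one-line comment stating the single-iovec assumption would spare the next reader from re-deriving it. The MIN() also compares the size_t iov_len against the abi_long len, which is only safe while len is known to be non-negative at this point, so a cast or a comment there would make the intent explicit.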
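Review bot: the new `goto fail` inside the fd_trans branch of the do_recvfrom hunk (line 4169) is a fresh exit path that relies on the function's fail: label, outside this hunk, to release host_msg; please confirm that label unlocks it, otherwise a translator error would leak the locked buffer. Style-wise, `abi_long trans;` followed by the assignment on the next line can be folded into one initialised declaration, `abi_long trans = fd_trans_host_to_target_data(fd)(host_msg, MIN(ret, len));`. Keeping ret as the host recvfrom() length on success, instead of overwriting it with the translator's return value as the removed line did, is the behaviour MSG_TRUNC requires, and the commit message could say so explicitly since that is a second behavioural change beyond the length bound.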