From patchwork Mon Aug 20 20:26:01 2018
X-Patchwork-Submitter: Laurent Vivier
X-Patchwork-Id: 959979
From: Laurent Vivier
To: qemu-devel@nongnu.org
Date: Mon, 20 Aug 2018 22:26:01 +0200
Message-Id: <20180820202604.14218-5-laurent@vivier.eu>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20180820202604.14218-1-laurent@vivier.eu>
References: <20180820202604.14218-1-laurent@vivier.eu>
Subject: [Qemu-devel] [PULL 4/7] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC
Cc: Peter Crosthwaite, Riku Voipio, Laurent Vivier, Paolo Bonzini, Aurelien Jarno, Richard Henderson

If recvmsg()/recvfrom() are used with the MSG_TRUNC flag, they return the real length even if it
was longer than the passed buffer. So when we translate the buffer we must check we don't go beyond the end of the buffer.

Bug: https://github.com/vivier/qemu-m68k/issues/33
Reported-by: John Paul Adrian Glaubitz
Signed-off-by: Laurent Vivier
Reviewed-by: Peter Maydell
Message-Id: <20180820171557.7734-2-laurent@vivier.eu>
---
 linux-user/syscall.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 1806b33b02..e66faf1c62 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -3892,7 +3892,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp, len = ret; if (fd_trans_host_to_target_data(fd)) { ret = fd_trans_host_to_target_data(fd)(msg.msg_iov->iov_base, - len); + MIN(msg.msg_iov->iov_len, len)); } else { ret = host_to_target_cmsg(msgp, &msg); } @@ -4169,7 +4169,12 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, size_t len, int flags, } if (!is_error(ret)) { if (fd_trans_host_to_target_data(fd)) { - ret = fd_trans_host_to_target_data(fd)(host_msg, ret); + abi_long trans; + trans = fd_trans_host_to_target_data(fd)(host_msg, MIN(ret, len)); + if (is_error(trans)) { + ret = trans; + goto fail; + } } if (target_addr) { host_to_target_sockaddr(target_addr, addr, addrlen);
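Review bot: the new bound in the do_sendrecvmsg_locked hunk, `MIN(msg.msg_iov->iov_len, len)`, looks only at the first iovec, and the translator's return value still overwrites `ret` at that site, while the `len = ret;` two lines above is what preserves the real length the kernel reported. Both facts are implicit; a one-line comment at the call saying that the kernel writes at most iov_len bytes into msg_iov[0] even when MSG_TRUNC makes `len` larger, and that only that first iovec is translated, would make the bound self-explanatory. It would also be worth a sentence on why this site does not propagate a translator error the way the do_recvfrom hunk does with `trans`/`goto fail`, so the two call sites do not drift further apart.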
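Review bot: in the do_recvfrom hunk `MIN(ret, len)` compares the signed `abi_long ret` with `size_t len`, so `ret` is converted to unsigned inside the macro; that is only safe because the enclosing `if (!is_error(ret))` has already excluded negative values, and a short comment saying so would stop a future reader from hoisting the call above that check. Keeping the translator's result in a separate `trans` and overwriting `ret` only on error is the right shape, since on success `ret` must remain the real length for MSG_TRUNC callers; please confirm that the `fail:` label this hunk jumps to unlocks `host_msg` like the existing error paths, as that label is outside the hunk. Minor style: `abi_long trans;` followed by the assignment on the next line could be a single initialised declaration.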
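The MSG_TRUNC behaviour the commit message relies on, as an added example that is not part of the patch or of QEMU: a datagram larger than the receive buffer is received with MSG_TRUNC, the kernel reports the full length but stores only iov_len bytes, and a translation pass that trusts the reported length walks off the end while one bounded by MIN(ret, len) does not. It assumes Linux and an AF_UNIX SOCK_DGRAM socketpair (netlink sockets report MSG_TRUNC the same way); `struct rec_hdr`, `build_records()`, `translate_records()` and `demo_msg_trunc()` are constructed stand-ins for the nlmsghdr chain and for QEMU's fd_trans_host_to_target_data(), not the project's code.

```c
/* Added example for this thread; not QEMU code or part of the patch above. It
 * reproduces the MSG_TRUNC behaviour the commit message describes and shows the
 * effect of bounding the translation pass by MIN(ret, len). Assumes Linux and an
 * AF_UNIX SOCK_DGRAM socketpair; struct rec_hdr, translate_records() and
 * demo_msg_trunc() are constructed stand-ins, not QEMU's own code. */
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>

#define MIN(a, b) (((a) < (b)) ? (a) : (b))

/* Constructed header, loosely modelled on nlmsghdr: the translator advances by
 * the len field, which is what walks off the end if the byte count is a lie. */
struct rec_hdr {
    uint32_t len;   /* total record length, header included */
    uint32_t type;
};
struct trunc_result {
    ssize_t reported;   /* recvmsg() return value                           */
    size_t  written;    /* bytes the kernel actually stored                 */
    int     flag_set;   /* MSG_TRUNC came back in msg_flags                 */
    size_t  safe_len;   /* MIN(reported, buf_len), the bound the patch uses */
    long    unbounded;  /* translator result when handed 'reported'         */
    long    bounded;    /* translator result when handed 'safe_len'         */
};

/* Write nrec 8-byte records in host byte order; returns the bytes written. */
size_t build_records(uint8_t *buf, size_t cap, unsigned nrec)
{
    size_t off = 0;
    for (unsigned i = 0; i < nrec && off + sizeof(struct rec_hdr) <= cap; i++) {
        struct rec_hdr h = { .len = sizeof(h), .type = i + 1 };
        memcpy(buf + off, &h, sizeof(h));
        off += sizeof(h);
    }
    return off;
}

/* Byte-swap each record header in buf[0 .. nbytes). 'capacity' is the buffer's
 * real size and exists only so the example can report a would-be overrun (-1)
 * instead of committing one. Returns the number of records translated, or -1. */
long translate_records(uint8_t *buf, size_t nbytes, size_t capacity)
{
    size_t off = 0;
    long count = 0;
    while (off + sizeof(struct rec_hdr) <= nbytes) {
        struct rec_hdr h;
        if (off + sizeof(h) > capacity) {
            return -1;  /* the next header read would be past the real buffer */
        }
        memcpy(&h, buf + off, sizeof(h));
        if (h.len < sizeof(h) || off + h.len > nbytes || off + h.len > capacity) {
            return -1;  /* malformed chain, or a record body past the buffer */
        }
        struct rec_hdr s = { __builtin_bswap32(h.len), __builtin_bswap32(h.type) };
        memcpy(buf + off, &s, sizeof(s));
        off += h.len;
        count++;
    }
    return count;
}

/* Send nrec records as one datagram, receive into a buf_len-byte window of a
 * 0xAA-filled array with MSG_TRUNC, then run the translator both ways.
 * Returns 0 on success, -1 on a socket error. */
int demo_msg_trunc(unsigned nrec, size_t buf_len, struct trunc_result *out)
{
    uint8_t payload[256], backing[256], copy[256];
    int sv[2];
    ssize_t ret = -1;
    if (buf_len > sizeof(backing) || socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) {
        return -1;
    }
    size_t payload_len = build_records(payload, sizeof(payload), nrec);
    memset(backing, 0xAA, sizeof(backing));
    struct iovec iov = { .iov_base = backing, .iov_len = buf_len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (send(sv[0], payload, payload_len, 0) == (ssize_t)payload_len) {
        ret = recvmsg(sv[1], &msg, MSG_TRUNC);
    }
    close(sv[0]); close(sv[1]);
    if (ret < 0) {
        return -1;
    }
    /* The kernel stores at most iov_len bytes, whatever length it returns. */
    size_t written = 0;
    while (written < sizeof(backing) && backing[written] != 0xAA) {
        written++;
    }
    out->reported = ret;
    out->written  = written;
    out->flag_set = (msg.msg_flags & MSG_TRUNC) != 0;
    out->safe_len = MIN((size_t)ret, buf_len);
    memcpy(copy, backing, sizeof(copy));
    out->unbounded = translate_records(copy, (size_t)ret, buf_len);      /* pre-patch: trusts ret */
    out->bounded   = translate_records(backing, out->safe_len, buf_len); /* patched: MIN(ret, len) */
    return 0;
}
```

With eight records (64 bytes) sent and a 16-byte window, recvmsg() returns 64 and sets MSG_TRUNC, only 16 bytes of the buffer change, the translator given 64 bytes stops with -1 when it reaches the header at offset 16, and the translator given MIN(64, 16) walks exactly two records; with a single record both paths agree, which is why the bug stayed hidden until a netlink reply outgrew the buffer.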