ACK: [lucid/precise/trusty/utopic 1/1] net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland.

Chris J Arges chris.j.arges at canonical.com
Fri Dec 12 19:11:39 UTC 2014



On 12/12/2014 11:16 AM, Andy Whitcroft wrote:
> From: Ani Sinha <ani at arista.com>
> 
> The Linux manpage for the recvmsg and sendmsg calls does not explicitly mention setting msg_namelen to 0 when
> msg_name is passed as NULL. When developers don't set the msg_namelen member in msghdr, it might contain a garbage
> value which will fail the validation check, and the kernel's sendmsg and recvmsg calls will return EINVAL. This will
> break old binaries and any code for which there is no access to source code.
> To fix this, we set msg_namelen to 0 when msg_name is passed as NULL from userland.
> 
> Signed-off-by: Ani Sinha <ani at arista.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> 
> (cherry picked from commit 6a2a2b3ae0759843b22c929881cc184b00cc63ff)
> BugLink: http://bugs.launchpad.net/bugs/1335478
> Signed-off-by: Andy Whitcroft <apw at canonical.com>
> ---
>  net/socket.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/socket.c b/net/socket.c
> index abf56b2..6d48a43 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -1988,6 +1988,9 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
>  	if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
>  		return -EFAULT;
>  
> +	if (kmsg->msg_name == NULL)
> +		kmsg->msg_namelen = 0;
> +
>  	if (kmsg->msg_namelen < 0)
>  		return -EINVAL;
>  
> 
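Review bot: the diffstat shows only net/socket.c, so please confirm the 32-bit compat path, which parses a compat msghdr separately (get_compat_msghdr() in net/compat.c on these series) and has its own msg_namelen handling, gets the same normalization; if it is left out, a 32-bit binary on a 64-bit kernel keeps hitting the EINVAL this patch is meant to remove. The placement within the hunk is correct: the `if (kmsg->msg_name == NULL)` test has to sit before `if (kmsg->msg_namelen < 0)`, otherwise a NULL name with a garbage negative length would still return -EINVAL; note that a non-NULL msg_name with a negative length is still rejected by the existing check, which is the right behaviour. A one-line comment above the new test saying it exists for binaries that leave msg_namelen uninitialized would help, since the code now silently discards a value userland supplied.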




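The call pattern the commit message describes, as an added userspace check that is not part of the patch or of the mailing-list post: a sendmsg/recvmsg round trip over an AF_UNIX socketpair with msg_name left NULL and msg_namelen set to a garbage value that the kernel (which stores it as an int) sees as negative. On a kernel carrying this change both calls succeed and the payload arrives; on a kernel without it, sendmsg fails with EINVAL. The helper name, the sample payload and the choice of (socklen_t)-1 as the "uninitialized" value are assumptions made for this example.

```c
/* Added example, not code from the patch or the kernel tree: exercise
 * sendmsg()/recvmsg() with msg_name == NULL and a garbage msg_namelen,
 * the situation the commit message says old binaries run into. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Send PAYLOAD from one end of an AF_UNIX datagram socketpair and receive
 * it at the other end, with msg_name NULL and msg_namelen set to
 * GARBAGE_NAMELEN on both calls (userspace msg_namelen is socklen_t, the
 * kernel reads it as int, so (socklen_t)-1 is negative there).
 * Returns the number of bytes received, or -errno on the first failure. */
static int roundtrip_with_garbage_namelen(socklen_t garbage_namelen,
                                          const char *payload,
                                          char *out, size_t out_len)
{
    int sv[2];
    int rc;
    ssize_t n;
    struct iovec siov, riov;
    struct msghdr smsg, rmsg;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -errno;

    /* Sender: no destination address, but a non-zero, garbage length. */
    siov.iov_base = (void *)payload;
    siov.iov_len = strlen(payload);
    memset(&smsg, 0, sizeof smsg);
    smsg.msg_name = NULL;
    smsg.msg_namelen = garbage_namelen;   /* what an uninitialized field may hold */
    smsg.msg_iov = &siov;
    smsg.msg_iovlen = 1;

    if (sendmsg(sv[0], &smsg, 0) < 0) {
        rc = -errno;
        goto out;
    }

    /* Receiver: same pattern, caller does not want the peer address. */
    riov.iov_base = out;
    riov.iov_len = out_len;
    memset(&rmsg, 0, sizeof rmsg);
    rmsg.msg_name = NULL;
    rmsg.msg_namelen = garbage_namelen;
    rmsg.msg_iov = &riov;
    rmsg.msg_iovlen = 1;

    n = recvmsg(sv[1], &rmsg, 0);
    rc = n < 0 ? -errno : (int)n;
out:
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    char buf[64] = {0};
    const char *payload = "hello";   /* constructed sample payload */
    int n = roundtrip_with_garbage_namelen((socklen_t)-1, payload,
                                           buf, sizeof buf - 1);
    if (n < 0)
        printf("sendmsg/recvmsg failed: %s (kernel without the msg_namelen fix?)\n",
               strerror(-n));
    else
        printf("round trip ok: %d bytes (%s)\n", n, buf);
    return n < 0;
}
```

Running this on a kernel from before the fix (or a backport that missed it) reports EINVAL from sendmsg, which is the quickest way to confirm the backport actually landed on a given series; a positive garbage length such as 0x7fffffff never failed this way, because the kernel clamps oversize lengths instead of rejecting them, so the negative case is the one that matters.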