[3.16.y-ckt stable] Patch "net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland." has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Thu Feb 19 12:00:41 UTC 2015


This is a note to let you know that I have just added a patch titled

    net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland.

to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.16.y-queue

This patch is scheduled to be released in version 3.16.7-ckt7.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.16.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From 988bfeffd3a59c947d755ed87b3e67d622a66ab9 Mon Sep 17 00:00:00 2001
From: Ani Sinha <ani at arista.com>
Date: Mon, 8 Sep 2014 14:49:59 -0700
Subject: net:socket: set msg_namelen to 0 if msg_name is passed as NULL in
 msghdr struct from userland.

commit 6a2a2b3ae0759843b22c929881cc184b00cc63ff upstream.

The Linux manpage for the recvmsg and sendmsg calls does not explicitly mention setting msg_namelen to 0 when
msg_name is passed as NULL. When developers don't set the msg_namelen member in msghdr, it might contain a garbage
value which will fail the validation check, and the sendmsg and recvmsg calls will return EINVAL from the kernel. This will
break old binaries and any code for which there is no access to source code.
To fix this, we set msg_namelen to 0 when msg_name is passed as NULL from userland.

Signed-off-by: Ani Sinha <ani at arista.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Cc: Michal Marek <mmarek at suse.cz>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 net/socket.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/socket.c b/net/socket.c
index 7050240a951b..4980af97d87c 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1985,6 +1985,9 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
 	if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
 		return -EFAULT;

+	if (kmsg->msg_name == NULL)
+		kmsg->msg_namelen = 0;
+
 	if (kmsg->msg_namelen < 0)
 		return -EINVAL;

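Review bot: the NULL-name reset is added only in copy_msghdr_from_user() in net/socket.c (the diffstat lists that single file), so the compat msghdr path taken by 32-bit callers on a 64-bit kernel (get_compat_msghdr() in net/compat.c) still validates a garbage msg_namelen and will keep returning EINVAL for exactly the kind of old binary the commit message wants to rescue; the same two lines belong there too, otherwise behaviour differs by ABI. Placing the reset ahead of the `if (kmsg->msg_namelen < 0)` check is the right order, since that is the check an uninitialised field trips, and the kept check still rejects a negative length whenever msg_name is non-NULL.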
--
2.1.4
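The behaviour the commit message describes can be checked from userland. The following is an added example, not code from the patch or from the kernel tree: model_validate() mirrors the msg_name/msg_namelen handling of copy_msghdr_from_user() with and without the two added lines (the names model_validate and probe_sendmsg are this example's own), and probe_sendmsg() runs a real sendmsg() over an AF_UNIX socketpair with msg_namelen set to the value an uninitialised field might hold. The userspace msghdr.msg_namelen is socklen_t (unsigned) while the 3.16 kernel copy is an int, so the model casts to int before the sign check, which is how the kernel sees 0xffffffff.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>
#include <unistd.h>

/*
 * Userland model of the msg_name/msg_namelen validation in the 3.16
 * copy_msghdr_from_user(), without (after_patch == 0) and with (after_patch
 * == 1) the two lines this patch adds.  Returns 0 or -EINVAL; *out_namelen
 * receives the length as the kernel would use it afterwards.
 */
int model_validate(int after_patch, const void *name, int namelen, int *out_namelen)
{
	struct msghdr kmsg;

	memset(&kmsg, 0, sizeof(kmsg));
	kmsg.msg_name = (void *)name;
	kmsg.msg_namelen = (socklen_t)namelen;

	if (after_patch && kmsg.msg_name == NULL)
		kmsg.msg_namelen = 0;		/* the added lines: NULL name, length ignored */

	if ((int)kmsg.msg_namelen < 0)		/* pre-existing check, kept by the patch */
		return -EINVAL;

	*out_namelen = (int)kmsg.msg_namelen;
	return 0;
}

/*
 * Probe the running kernel: send one byte over a connected AF_UNIX socketpair
 * with msg_name either NULL or pointing at a dummy sockaddr_un, and
 * msg_namelen set to the given value.  Returns 0 on success, the positive
 * errno from sendmsg() on failure, or -1 if the socketpair itself could not
 * be created (e.g. a restricted sandbox).
 */
int probe_sendmsg(int use_name, int namelen)
{
	int sv[2];
	char byte = 'x';
	struct sockaddr_un dummy;
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	struct msghdr msg;
	int rc = 0;

	memset(&dummy, 0, sizeof(dummy));
	dummy.sun_family = AF_UNIX;

	memset(&msg, 0, sizeof(msg));
	msg.msg_name = use_name ? &dummy : NULL;
	msg.msg_namelen = (socklen_t)namelen;	/* -1 stands in for an uninitialised field */
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return -1;
	if (sendmsg(sv[0], &msg, 0) < 0)
		rc = errno;
	close(sv[0]);
	close(sv[1]);
	return rc;
}

int main(void)
{
	int nl, i;
	const int garbage = -1;

	for (i = 0; i < 2; i++) {
		int rc = model_validate(i, NULL, garbage, &nl);
		printf("model %s patch: NULL name, namelen %d -> %s\n",
		       i ? "with" : "without", garbage,
		       rc == 0 ? "accepted, namelen reset to 0" : "EINVAL");
	}

	printf("kernel: NULL name, namelen 0  -> %d\n", probe_sendmsg(0, 0));
	printf("kernel: NULL name, namelen %d -> %d (0 with this patch, EINVAL without)\n",
	       garbage, probe_sendmsg(0, garbage));
	printf("kernel: real name, namelen %d -> %d (EINVAL either way)\n",
	       garbage, probe_sendmsg(1, garbage));
	return 0;
}
```

On a kernel carrying this patch the second probe returns 0; on a 3.16 kernel without it the same msghdr is rejected with EINVAL, which is the breakage the patch removes. The third probe shows that the retained `msg_namelen < 0` check is untouched for callers that do pass an address.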