linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC

[Qemu-devel] [PATCH] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC

Laurent Vivier posted 1 patch 7 years, 3 months ago

Download mbox

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20180806211806.29845-1-laurent@vivier.eu

Test checkpatch passed

Test docker-mingw@fedora passed

Test docker-clang@ubuntu passed

Test docker-quick@centos7 passed

linux-user/syscall.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

Expand all Fold all

[Qemu-devel] [PATCH] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC

Posted by Laurent Vivier 7 years, 3 months ago

If recvmsg()/recvfrom() are used with the MSG_TRUNC flag, they return the
real length even if it was longer than the passed buffer.
So when we translate the buffer we must check we don't go beyond the
end of the buffer.

Bug: https://github.com/vivier/qemu-m68k/issues/33
Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
 linux-user/syscall.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index dfc851cc35..399da09f38 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3892,7 +3892,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp,
             len = ret;
             if (fd_trans_host_to_target_data(fd)) {
                 ret = fd_trans_host_to_target_data(fd)(msg.msg_iov->iov_base,
-                                                       len);
+                                               MIN(msg.msg_iov->iov_len, len));
             } else {
                 ret = host_to_target_cmsg(msgp, &msg);
             }
@@ -4169,7 +4169,12 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, size_t len, int flags,
     }
     if (!is_error(ret)) {
         if (fd_trans_host_to_target_data(fd)) {
-            ret = fd_trans_host_to_target_data(fd)(host_msg, ret);
+            abi_long trans;
+            trans = fd_trans_host_to_target_data(fd)(host_msg, MIN(ret, len));
+            if (is_error(trans)) {
+                ret = trans;
+                goto fail;
+            }
         }
         if (target_addr) {
             host_to_target_sockaddr(target_addr, addr, addrlen);
-- 
2.17.1

Re: [Qemu-devel] [PATCH] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC

Posted by Peter Maydell 7 years, 2 months ago

On 6 August 2018 at 22:18, Laurent Vivier <laurent@vivier.eu> wrote:
> If recvmsg()/recvfrom() are used with the MSG_TRUNC flag, they return the
> real length even if it was longer than the passed buffer.
> So when we translate the buffer we must check we don't go beyond the
> end of the buffer.
>
> Bug: https://github.com/vivier/qemu-m68k/issues/33
> Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
> Signed-off-by: Laurent Vivier <laurent@vivier.eu>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

thanks
-- PMM