From: Laurent Vivier
To: qemu-devel@nongnu.org
Cc: Peter Crosthwaite, Riku Voipio, Laurent Vivier, Paolo Bonzini, Aurelien Jarno, Richard Henderson
Date: Mon, 20 Aug 2018 00:17:05 +0200
Message-Id: <20180819221707.20693-5-laurent@vivier.eu>
In-Reply-To: <20180819221707.20693-1-laurent@vivier.eu>
Subject: [Qemu-devel] [PULL 4/6] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC
If recvmsg()/recvfrom() are used with the MSG_TRUNC flag, they return the real length even if it was longer than the passed buffer. So when we translate the buffer we must check we don't go beyond the end of the buffer.

Bug: https://github.com/vivier/qemu-m68k/issues/33
Reported-by: John Paul Adrian Glaubitz
Signed-off-by: Laurent Vivier
Reviewed-by: Peter Maydell
Message-Id: <20180806211806.29845-1-laurent@vivier.eu>
---
 linux-user/syscall.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 1806b33b02..e66faf1c62 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3892,7 +3892,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct = target_msghdr *msgp, len =3D ret; if (fd_trans_host_to_target_data(fd)) { ret =3D fd_trans_host_to_target_data(fd)(msg.msg_iov->iov_= base, - len); + MIN(msg.msg_iov->iov_len, l= en)); } else { ret =3D host_to_target_cmsg(msgp, &msg); }
@@ -4169,7 +4169,12 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, s= ize_t len, int flags, } if (!is_error(ret)) { if (fd_trans_host_to_target_data(fd)) { - ret =3D fd_trans_host_to_target_data(fd)(host_msg, ret); + abi_long trans; + trans =3D fd_trans_host_to_target_data(fd)(host_msg, MIN(ret, = len)); + if (is_error(trans)) { + ret =3D trans; + goto fail; + } } if (target_addr) { host_to_target_sockaddr(target_addr, addr, addrlen);
-- 
2.17.1
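Review bot: in the do_sendrecvmsg_locked hunk, `MIN(msg.msg_iov->iov_len, len)` bounds only the translation while `len = ret;` is left untouched, so the untruncated length is still what the guest gets back, which is the MSG_TRUNC contract; the commit message could state that explicitly so nobody later "fixes" it. The clamp also covers the first iovec only, which is consistent with the translator being handed `msg.msg_iov->iov_base` alone, but it means a message spread over several iovecs is still translated only in its first buffer; a short comment above the call would save the next reader from re-deriving both points.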
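Review bot: the do_recvfrom hunk now checks `is_error(trans)` and jumps to `fail`, whereas the do_sendrecvmsg_locked hunk still stores the translator's result straight into `ret` with no check; please confirm the two paths are meant to differ, and that the `fail:` label in do_recvfrom (not visible in this hunk) releases `host_msg` on the way out, since the new `goto fail` is taken after the receive has completed. Keeping the syscall's own `ret` as the guest-visible value on success, instead of the translator's return as before, is the right call for MSG_TRUNC.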
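The behaviour the commit message describes, as an added example that is not part of the patch or of QEMU: an AF_UNIX datagram socketpair (assumed here as a stand-in for the netlink socket) receives a 100-byte datagram with MSG_TRUNC into a 16-byte buffer, recv() reports 100, and the MIN() clamp the patch introduces is what keeps any later walk over the buffer inside it.

```c
/* Added example (not QEMU code): with MSG_TRUNC, recv() reports the real
 * datagram length even when the buffer is smaller, so a translator walking
 * `ret` bytes would overrun.  An AF_UNIX datagram socketpair is assumed as
 * a stand-in for the netlink socket the QEMU patch deals with. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LEN 16
#define MIN(a, b) (((a) < (b)) ? (a) : (b))

/* Send a `payload_len`-byte datagram and receive it with MSG_TRUNC into a
 * BUF_LEN-byte buffer.  Returns recv()'s result (the real length) or -1 on
 * a syscall failure; *safe_len gets the bytes actually present in buf,
 * i.e. the clamped length the patch hands to the translator. */
static ssize_t trunc_demo(size_t payload_len, size_t *safe_len)
{
    int sv[2];
    char payload[256];
    char buf[BUF_LEN];
    ssize_t ret;
    if (payload_len > sizeof(payload) ||
        socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) {
        return -1;
    }
    memset(payload, 'A', payload_len);   /* constructed sample datagram */
    if (send(sv[0], payload, payload_len, 0) != (ssize_t)payload_len) {
        ret = -1;
    } else {
        /* MSG_TRUNC: the kernel returns the full length, not bytes copied */
        ret = recv(sv[1], buf, sizeof(buf), MSG_TRUNC);
    }
    close(sv[0]);
    close(sv[1]);
    if (ret >= 0) {
        *safe_len = MIN((size_t)ret, sizeof(buf));  /* the patch's clamp */
    }
    return ret;
}

int main(void)
{
    size_t safe = 0;
    ssize_t ret = trunc_demo(100, &safe);
    printf("recv() returned %zd, buffer holds %zu bytes\n", ret, safe);
    return ret < 0;
}
```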