From: Laurent Vivier
To: qemu-devel@nongnu.org
Cc: Peter Crosthwaite, Riku Voipio, Laurent Vivier, Paolo Bonzini, Aurelien Jarno, Richard Henderson
Date: Mon, 20 Aug 2018 22:26:01 +0200
Subject: [Qemu-devel] [PULL 4/7] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC
Message-Id: <20180820202604.14218-5-laurent@vivier.eu>
In-Reply-To: <20180820202604.14218-1-laurent@vivier.eu>
References: <20180820202604.14218-1-laurent@vivier.eu>
If recvmsg()/recvfrom() are used with the MSG_TRUNC flag, they return
the real length even if it was longer than the passed buffer.

So when we translate the buffer we must check we don't go beyond the
end of the buffer.

Bug: https://github.com/vivier/qemu-m68k/issues/33
Reported-by: John Paul Adrian Glaubitz
Signed-off-by: Laurent Vivier
Reviewed-by: Peter Maydell
Message-Id: <20180820171557.7734-2-laurent@vivier.eu>
---
 linux-user/syscall.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 1806b33b02..e66faf1c62 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -3892,7 +3892,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct = target_msghdr *msgp, len =3D ret; if (fd_trans_host_to_target_data(fd)) { ret =3D fd_trans_host_to_target_data(fd)(msg.msg_iov->iov_= base, - len); + MIN(msg.msg_iov->iov_len, l= en)); } else { ret =3D host_to_target_cmsg(msgp, &msg); } @@ -4169,7 +4169,12 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, s= ize_t len, int flags, } if (!is_error(ret)) { if (fd_trans_host_to_target_data(fd)) { - ret =3D fd_trans_host_to_target_data(fd)(host_msg, ret); + abi_long trans; + trans =3D fd_trans_host_to_target_data(fd)(host_msg, MIN(ret, = len)); + if (is_error(trans)) { + ret =3D trans; + goto fail; + } } if (target_addr) { host_to_target_sockaddr(target_addr, addr, addrlen);
-- 
2.17.1
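Review bot: in the do_sendrecvmsg_locked() hunk the translation is now bounded by `msg.msg_iov->iov_len` while `len = ret` still holds the full datagram length, which is the right bound, but the visible context also has `ret = fd_trans_host_to_target_data(fd)(...)` overwriting `ret` with the translator's result, and the trailing context does not show whether the value finally returned to the guest comes from `len` or from that `ret`. Please confirm that a MSG_TRUNC caller still receives the real length rather than the clamped one; the second hunk keeps the two apart with a separate `trans` variable, and doing the same here would make that explicit. Also, only the first iovec element (`msg.msg_iov->iov_base`, `msg.msg_iov->iov_len`) is translated, so a datagram the guest spread over several iov entries is not covered; that is pre-existing, but worth a sentence in the commit message.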
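Review bot: the do_recvfrom() hunk changes more than the length bound: before, `ret` was replaced by the translator's return value, now `ret` keeps the length recvfrom() reported and only an error from the translator is propagated via `ret = trans; goto fail;`. That is the correct semantics for MSG_TRUNC (the guest must see the real size, which passing `MIN(ret, len)` back would hide), but it is a behaviour change the commit message does not mention; suggest adding a sentence saying so. Minor: `MIN(ret, len)` compares an `abi_long` with a `size_t`; it is safe only because `!is_error(ret)` has already excluded negative values, and a short comment on that would save the next reader the check.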
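The hazard the commit message describes, as an added example that is not QEMU's code: `translate_headers()` and `translate_recv()` are hypothetical stand-ins for the linux-user host-to-target translation (here a byte-swap of netlink-style headers), run over a constructed datagram whose MSG_TRUNC result exceeds the receive buffer, with the same MIN() clamp the patch applies.

```c
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#define MIN(a, b) ((a) < (b) ? (a) : (b))
/* Netlink-style header: 4-byte length, 2-byte type, 2-byte flags. */
struct nlhdr { uint32_t len; uint16_t type; uint16_t flags; };
static uint32_t bswap32(uint32_t v) { return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24); }
static uint16_t bswap16(uint16_t v) { return (uint16_t)((v >> 8) | (v << 8)); }
/* Byte-swap every complete header within the first `limit` bytes of buf; a
 * header that would extend past `limit` ends the walk untouched, so nothing
 * beyond `limit` is read.  Returns the number of headers translated. */
static int translate_headers(uint8_t *buf, size_t limit)
{
    size_t off = 0;
    int n = 0;
    while (off + sizeof(struct nlhdr) <= limit) {
        struct nlhdr h;
        memcpy(&h, buf + off, sizeof h);
        uint32_t msglen = h.len;                 /* host order, before swap */
        if (msglen < sizeof h || off + msglen > limit) break; /* cut off */
        h.len = bswap32(h.len);
        h.type = bswap16(h.type);
        h.flags = bswap16(h.flags);
        memcpy(buf + off, &h, sizeof h);
        off += (msglen + 3) & ~(size_t)3;        /* NLMSG_ALIGN */
        n++;
    }
    return n;
}

/* After recvmsg()/recvfrom(): `reported` is the syscall result, which with
 * MSG_TRUNC can exceed buf_len, so the walk is bounded by the smaller one. */
int translate_recv(uint8_t *buf, size_t buf_len, ssize_t reported)
{
    if (reported < 0) return -1;                 /* errno result: nothing to walk */
    return translate_headers(buf, MIN(buf_len, (size_t)reported));
}

/* Constructed sample: a 32-byte datagram of two 16-byte messages received into
 * a buf_len-byte buffer (buf_len <= 32); with MSG_TRUNC the kernel reports 32. */
int demo(size_t buf_len)
{
    uint8_t dgram[32] = {0}, buf[32];
    struct nlhdr m = { 16, 0x0010, 0x0001 };
    memcpy(dgram, &m, sizeof m);
    memcpy(dgram + 16, &m, sizeof m);
    buf_len = MIN(buf_len, sizeof buf);
    memcpy(buf, dgram, buf_len);                 /* only what fits is copied */
    return translate_recv(buf, buf_len, 32);
}
```

With a 24-byte buffer only the first message is translated; the second header is present but its body is not, so the walk stops instead of reading past the buffer, while the caller still returns the reported 32 to the guest.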