From: Wanlong Gao <gaowanlong@cn.fujitsu.com>
To: Jan Stancek <jstancek@redhat.com>
Cc: ltp-list@lists.sourceforge.net
Subject: Re: [LTP] [PATCH] sendmsg01: use invalid but positive msg_namelen value
Date: Fri, 06 Dec 2013 08:43:11 +0800
Message-ID: <52A11D9F.7040702@cn.fujitsu.com>
In-Reply-To: <e4485bb27118d14c0247d35fcea0f85458cda012.1386242514.git.jstancek@redhat.com>

On 12/05/2013 07:23 PM, Jan Stancek wrote:
> After following 2 kernel commits:
>   commit 1661bf364ae9c506bc8795fef70d1532931be1e8
>   Author: Dan Carpenter <dan.carpenter@oracle.com>
>   Date:   Thu Oct 3 00:27:20 2013 +0300
>     net: heap overflow in __audit_sockaddr()
> 
>   commit db31c55a6fb245fdbb752a2ca4aefec89afabb06
>   Author: Dan Carpenter <dan.carpenter@oracle.com>
>   Date:   Wed Nov 27 15:40:21 2013 +0300
>     net: clamp ->msg_namelen instead of returning an error
> 
> msg_namelen is treated as an unsigned value because of this
> condition, which compares signed and unsigned arguments:
> net/socket.c copy_msghdr_from_user()
>   if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
> 
> User-space (according to POSIX spec) defines it as
> "unsigned opaque integral type of length of at least 32 bits".
> 
> Passing -1 now has the same effect as passing a very large number
> and the syscall completes successfully.
> 
> Change the test to use invalid, but positive value for
> "invalid to buffer length" testcase.

Nice log, thank you, pushed.

Wanlong Gao
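
Added example, not part of the original message or of the kernel or LTP sources: a user-space C model of the comparison quoted above, showing why -1 behaves like a very large length and ends up clamped. The function names are hypothetical and msg_namelen is modelled as a signed int.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>

/* User-space model only; function names are hypothetical, not kernel code.
 * msg_namelen is modelled as a signed int, as the quoted message implies. */

/* Mixed signed/unsigned comparison, as in the quoted condition.
 * The (size_t) cast spells out the conversion C applies implicitly when an
 * int is compared with a sizeof result: -1 becomes SIZE_MAX. */
static int clamp_namelen(int msg_namelen)
{
    if ((size_t)msg_namelen > sizeof(struct sockaddr_storage))
        msg_namelen = (int)sizeof(struct sockaddr_storage);
    return msg_namelen;
}

/* For contrast: a purely signed comparison does not consider -1 "too large"
 * and returns it unchanged. */
static int clamp_namelen_signed(int msg_namelen)
{
    if (msg_namelen > (int)sizeof(struct sockaddr_storage))
        msg_namelen = (int)sizeof(struct sockaddr_storage);
    return msg_namelen;
}

int main(void)
{
    /* Constructed sample lengths: negative, valid, just over, very large. */
    int samples[] = { -1, 0, 16,
                      (int)sizeof(struct sockaddr_storage) + 1, 0x7fffffff };
    size_t i;

    printf("%12s %14s %14s\n", "msg_namelen", "mixed compare", "signed compare");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%12d %14d %14d\n", samples[i],
               clamp_namelen(samples[i]), clamp_namelen_signed(samples[i]));
    return 0;
}
```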

