From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Fri, 3 Nov 2000 19:18:31 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Fri, 3 Nov 2000 19:18:22 -0500
Received: from tantale.fifi.org ([216.15.47.52]:59784 "EHLO tantale.fifi.org") by vger.kernel.org with ESMTP id ; Fri, 3 Nov 2000 19:18:06 -0500
To: "David S. Miller"
Cc: linux-kernel@vger.kernel.org, alan@lxorguk.ukuu.org.uk
Subject: Re: 2.2.x BUG & PATCH: recvmsg() does not check msg_controllen correctly
In-Reply-To: <87n1fgvl7a.fsf@tantale.fifi.org> <200011032218.OAA12790@pizda.ninka.net>
MIME-Version: 1.0 (generated by SEMI 1.12.1 - "[JR] Nonoichi")
Content-Type: text/plain; charset=US-ASCII
From: Philippe Troin
Date: 03 Nov 2000 16:17:53 -0800
In-Reply-To: <200011032218.OAA12790@pizda.ninka.net> ("David S. Miller"'s message of "Fri, 3 Nov 2000 14:18:35 -0800")
Message-ID: <878zr0vbda.fsf@tantale.fifi.org>
User-Agent: Semi-gnus/6.10.12 SEMI/1.12.1 ([JR] Nonoichi) FLIM/1.12.7 (Yūzaki) Emacs/20.7 (i386-debian-linux-gnu) MULE/4.0 (HANANOEN)
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

"David S. Miller" writes:

> The real bug is in the setting of MSG_TRUNC (which is the only side
> effect of your change). So the better fix is:
>
> --- net/core/scm.c.~1~ Tue Jun 15 09:19:30 1999
> +++ net/core/scm.c Fri Nov 3 14:18:06 2000
> @@ -251,7 +251,7 @@ > msg->msg_controllen -= cmlen; > } > } > - if (i < fdnum) > + if (i < fdnum || (fdnum && fdmax <= 0)) > msg->msg_flags |= MSG_CTRUNC; > > /* Mmmh, no, if fdmax <= 0 (which happens when msg_controllen < sizeof(struct cmsghdr)), then alls fds are passed, eventually clobbering past ((char*)(msg_control)+m_controllen). Run the little test case if you're not convinced... I stand by my patch :-) Phil. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/
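Review bot: the added disjunct `(fdnum && fdmax <= 0)` only changes when MSG_CTRUNC is reported; it sits after the descriptors have been copied out, so for the case the reply raises (msg_controllen smaller than sizeof(struct cmsghdr)) it neither stops the copy nor bounds it. The guard belongs where fdmax is derived, before the copy loop, by clamping fdmax to 0 when msg_controllen < sizeof(struct cmsghdr) and setting MSG_CTRUNC there. Two things to confirm in the surrounding code the hunk does not show: whether the copy loop actually runs when fdmax <= 0 (if it stops at fdmax, i stays 0 and `i < fdnum` is already true, so the new disjunct is redundant), and whether msg_controllen is an unsigned type, in which case `msg_controllen - sizeof(struct cmsghdr)` wraps to a large positive value rather than yielding a non-positive fdmax, and a test on `fdmax <= 0` never fires for exactly the input being discussed.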
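Phil's "little test case" is not reproduced on this page. What follows is an added example, written for this page and not code from the thread or from the kernel tree, that exercises the same behaviour from user space on a current Linux system: a descriptor is sent over an AF_UNIX socketpair with SCM_RIGHTS and received with a deliberately small msg_controllen, the receiver's control buffer is pre-filled with a canary so that any write past the advertised length is detected, and MSG_CTRUNC is checked. The function names (`truncation_case`, `send_one_fd`, `recv_with_controllen`), the canary value and the chosen msg_controllen sizes are this example's own. On a kernel that bounds the copy correctly, every case reports `clobbered=0`; if Phil's reading of the 2.2 code is right, an unpatched 2.2.x kernel would overwrite the canary in the undersized cases.

```c
/* Added example (not from the LKML thread): user-space probe for SCM_RIGHTS
 * handling when recvmsg() is given an undersized msg_controllen. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

#define CANARY  0xA5   /* fill byte for the receive-side control buffer (constructed) */
#define CBUF_SZ 256

/* Send one data byte plus fd_to_pass as SCM_RIGHTS. Returns 0 on success. */
static int send_one_fd(int sock, int fd_to_pass)
{
    char dummy = 'x';
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; unsigned char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *cm;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_pass, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive with msg_controllen == controllen (possibly < sizeof(struct cmsghdr)).
 * *ctrunc: MSG_CTRUNC was set; *clobbered: some byte at offset >= controllen
 * was modified by the kernel; *nfds: descriptors that arrived (closed here). */
static int recv_with_controllen(int sock, size_t controllen,
                                int *ctrunc, int *clobbered, int *nfds)
{
    char data;
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    union { struct cmsghdr align; unsigned char bytes[CBUF_SZ]; } cbuf;
    struct msghdr msg;
    struct cmsghdr *cm;
    size_t i;

    memset(cbuf.bytes, CANARY, sizeof cbuf.bytes);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf.bytes;
    msg.msg_controllen = controllen;

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;

    *ctrunc = (msg.msg_flags & MSG_CTRUNC) != 0;

    /* Bound check: nothing beyond the advertised length may have been written.
     * Use the original controllen, since the kernel rewrites msg.msg_controllen. */
    *clobbered = 0;
    for (i = controllen; i < sizeof cbuf.bytes; i++)
        if (cbuf.bytes[i] != CANARY) { *clobbered = 1; break; }

    /* CMSG_FIRSTHDR yields NULL when the returned length is below one header. */
    *nfds = 0;
    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS) {
            size_t n = (cm->cmsg_len - CMSG_LEN(0)) / sizeof(int), k;
            for (k = 0; k < n; k++) {
                int fd;
                memcpy(&fd, CMSG_DATA(cm) + k * sizeof(int), sizeof(int));
                close(fd);
                (*nfds)++;
            }
        }
    }
    return 0;
}

/* One round trip over a fresh socketpair, passing a pipe end, with the given
 * receive-side msg_controllen. Returns 0 on success, -1 on a syscall failure. */
int truncation_case(size_t controllen, int *ctrunc, int *clobbered, int *nfds)
{
    int sv[2], pfd[2], rc = -1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (pipe(pfd) < 0) { close(sv[0]); close(sv[1]); return -1; }

    if (send_one_fd(sv[0], pfd[0]) == 0)
        rc = recv_with_controllen(sv[1], controllen, ctrunc, clobbered, nfds);

    close(pfd[0]); close(pfd[1]); close(sv[0]); close(sv[1]);
    return rc;
}

int main(void)
{
    const size_t cases[] = { 0, sizeof(struct cmsghdr) - 1, CMSG_SPACE(sizeof(int)) };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int ct, cl, n;
        if (truncation_case(cases[i], &ct, &cl, &n) < 0) { perror("truncation_case"); return 1; }
        printf("controllen=%zu ctrunc=%d clobbered=%d fds=%d\n", cases[i], ct, cl, n);
    }
    return 0;
}
```

The two undersized cases (0 bytes, and one byte short of a cmsghdr) are the inputs the reply is about: the kernel has a descriptor in flight but no room to report it, so the only correct outcome is MSG_CTRUNC with the buffer untouched and the descriptor discarded. The full-size case is the control: the descriptor arrives, MSG_CTRUNC is clear, and the canary past CMSG_SPACE(sizeof(int)) is still intact.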