From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Sat, 4 Nov 2000 21:41:21 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Sat, 4 Nov 2000 21:41:02 -0500
Received: from tantale.fifi.org ([216.15.47.52]:60810 "EHLO tantale.fifi.org") by vger.kernel.org with ESMTP id ; Sat, 4 Nov 2000 21:40:50 -0500
To: "David S. Miller"
Cc: linux-kernel@vger.kernel.org, alan@lxorguk.ukuu.org.uk
Subject: Re: 2.2.x BUG & PATCH: recvmsg() does not check msg_controllen correctly
In-Reply-To: <87n1fgvl7a.fsf@tantale.fifi.org> <200011032218.OAA12790@pizda.ninka.net> <878zr0vbda.fsf@tantale.fifi.org> <200011040038.QAA13178@pizda.ninka.net> <87u29oz93z.fsf@tantale.fifi.org> <200011040451.UAA13833@pizda.ninka.net>
MIME-Version: 1.0 (generated by SEMI 1.12.1 - "[JR] Nonoichi")
Content-Type: multipart/mixed; boundary="Multipart_Sat_Nov__4_18:40:30_2000-1"
From: Philippe Troin
Date: 04 Nov 2000 18:40:30 -0800
In-Reply-To: <200011040451.UAA13833@pizda.ninka.net> ("David S. Miller"'s message of "Fri, 3 Nov 2000 20:51:55 -0800")
Message-ID: <87snp7gmzl.fsf@tantale.fifi.org>
User-Agent: Semi-gnus/6.10.12 SEMI/1.12.1 ([JR] Nonoichi) FLIM/1.12.7 (Yūzaki) Emacs/20.7 (i386-debian-linux-gnu) MULE/4.0 (HANANOEN)
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

--Multipart_Sat_Nov__4_18:40:30_2000-1
Content-Type: text/plain; charset=US-ASCII

"David S. Miller" writes:
> From: Philippe Troin
> Date: 03 Nov 2000 19:53:04 -0800
>
> Yes I agree, mixing signed and unsigned arithmetic is evil... Doesn't
> gcc have a flag for unsafe signed/unsigned mixtures ?
>
> Would you consider this patch (or a variant) for inclusion ?
>
> I would accept a patch which made the code set fdmax <= 0 when
> (msg->msg_controllen < (sizeof(struct cmsghdr) + sizeof(int)))
> because it is the sole reason this bug exists at all.

How about this one ?

Phil.

--Multipart_Sat_Nov__4_18:40:30_2000-1
Content-Type: application/octet-stream; type=patch
Content-Disposition: attachment; filename="linux-2.2.17-scmrights.patch"
Content-Transfer-Encoding: quoted-printable

diff -ruN linux.orig/net/core/scm.c linux/net/core/scm.c
--- linux.orig/net/core/scm.c Thu Apr 22 19:45:19 1999
+++ linux/net/core/scm.c Sat Nov 4 17:19:34 2000
@@ -210,12 +210,16 @@ { struct cmsghdr *cm =3D (struct cmsghdr*)msg->msg_control; =20 - int fdmax =3D (msg->msg_controllen - sizeof(struct cmsghdr))/sizeof(int); + int fdmax =3D 0; int fdnum =3D scm->fp->count; struct file **fp =3D scm->fp->fp; int *cmfptr; int err =3D 0, i; =20 + if (msg->msg_controllen > sizeof(struct cmsghdr)) + fdmax =3D (msg->msg_controllen - sizeof(struct cmsghdr)) + /sizeof(int); + if (fdnum < fdmax) fdmax =3D fdnum; =20
@@ -251,7 +255,7 @@ msg->msg_controllen -=3D cmlen; } } - if (i < fdnum) + if (i < fdnum || (fdnum && fdmax =3D=3D 0)) msg->msg_flags |=3D MSG_CTRUNC; =20 /*

--Multipart_Sat_Nov__4_18:40:30_2000-1--
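Review bot: the new guard `if (msg->msg_controllen > sizeof(struct cmsghdr))` in the first hunk (scm.c @@ -210,12) needs a comment stating why it exists: msg_controllen is unsigned, so the old `msg->msg_controllen - sizeof(struct cmsghdr)` wrapped to a huge value whenever the user buffer was shorter than one cmsghdr, and the only cap on that quotient was the `if (fdnum < fdmax)` check visible in context, so every queued descriptor was counted as fitting. Note also that the guard is looser than the threshold asked for in the quoted reply (`msg_controllen < sizeof(struct cmsghdr) + sizeof(int)`); it only reaches fdmax == 0 for lengths between the header and header + one int because the integer division truncates the remainder. Either say so in the comment or write the guard as `>= sizeof(struct cmsghdr) + sizeof(int)` so the intent survives later edits. Minor style point: the continuation `+ /sizeof(int);` with the operator leading the next line is unusual for this file; the expression fits on one line.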
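Review bot: the added `|| (fdnum && fdmax == 0)` in the second hunk (scm.c @@ -251,7) looks redundant. Assuming `i` counts the descriptors actually placed in the control message, as the `msg->msg_controllen -= cmlen` accounting just above suggests, then when fdmax is 0 nothing is placed, `i` stays 0, and `i < fdnum` is already true for any nonzero fdnum; when fdnum is 0 the new clause is false as well. With the first hunk guaranteeing fdmax >= 0, the original `if (i < fdnum)` already covers every case, so either keep it unchanged or add a comment naming the path where `i` could exceed fdmax that the extra clause is meant to catch.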
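The arithmetic the patch fixes, as an added example that is not part of the thread or of the kernel source: it models only the fdmax computation of scm_detach_fds() before and after the patch, using a 32-bit unsigned length (the i386 __kernel_size_t the 2.2.17 patch targets) and an assumed 16-byte header length in place of the real sizeof(struct cmsghdr). Function names (raw_fd_room, fdmax_unguarded, fdmax_guarded, ctrunc_needed) are hypothetical.

```c
/* Added example, not kernel code: models the fdmax computation from
 * net/core/scm.c scm_detach_fds() before and after the scmrights patch.
 * kern_size_t models a 32-bit __kernel_size_t; CMSG_HDR_LEN is an assumed
 * constant standing in for sizeof(struct cmsghdr). */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t kern_size_t;          /* 32-bit size_t model (assumption) */
#define CMSG_HDR_LEN ((kern_size_t)16) /* assumed sizeof(struct cmsghdr)    */
#define FD_LEN       ((kern_size_t)sizeof(int))

/* Room calculation as written before the patch. When controllen is smaller
 * than the header, the unsigned subtraction wraps instead of going negative,
 * so a shorter buffer reports *more* room than a longer one. */
static kern_size_t raw_fd_room(kern_size_t controllen)
{
    return (controllen - CMSG_HDR_LEN) / FD_LEN;
}

/* Pre-patch fdmax: the wrapped quotient is narrowed to int and is capped
 * only by fdnum, so a buffer too small for even a header "fits" every
 * queued descriptor. */
static int fdmax_unguarded(kern_size_t controllen, int fdnum)
{
    int fdmax = (int)raw_fd_room(controllen);
    if (fdnum < fdmax)
        fdmax = fdnum;
    return fdmax;
}

/* Patched fdmax: divide only when the subtraction cannot wrap. Lengths
 * between the header and header + one int give 0 through truncation, which
 * satisfies the "fdmax <= 0 below header + sizeof(int)" request. */
static int fdmax_guarded(kern_size_t controllen, int fdnum)
{
    int fdmax = 0;
    if (controllen > CMSG_HDR_LEN)
        fdmax = (int)((controllen - CMSG_HDR_LEN) / FD_LEN);
    if (fdnum < fdmax)
        fdmax = fdnum;
    return fdmax;
}

/* MSG_CTRUNC decision: the message is truncated when fewer descriptors were
 * detached than were queued. `detached` plays the role of the loop counter
 * i in scm_detach_fds(). */
static int ctrunc_needed(int detached, int fdnum)
{
    return detached < fdnum;
}

int main(void)
{
    /* Constructed control-buffer lengths around the header boundary. */
    static const kern_size_t lens[] = { 0, 15, 16, 17, 20, 28 };
    int fdnum = 3;   /* constructed: three descriptors queued for delivery */
    size_t n;

    printf("controllen  fdmax(before)  fdmax(after)  ctrunc(after)\n");
    for (n = 0; n < sizeof lens / sizeof lens[0]; n++) {
        int before = fdmax_unguarded(lens[n], fdnum);
        int after = fdmax_guarded(lens[n], fdnum);
        printf("%10u  %13d  %12d  %13d\n", (unsigned)lens[n], before, after,
               ctrunc_needed(after, fdnum));
    }
    return 0;
}
```

The table the program prints shows the pre-patch column reporting 3 for a zero-length buffer and the patched column reporting 0 with ctrunc set. For the flag question in the quoted reply, gcc's `-Wsign-compare` (part of `-Wextra`) covers signed/unsigned comparisons and `-Wsign-conversion` covers implicit conversions such as the size_t quotient being stored in an int; neither flags the unsigned subtraction itself, which is why the explicit guard is needed.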