From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1LOw4d-0006rT-0F
	for qemu-devel@nongnu.org; Mon, 19 Jan 2009 10:29:59 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1LOw4c-0006qs-CJ
	for qemu-devel@nongnu.org; Mon, 19 Jan 2009 10:29:58 -0500
Received: from [199.232.76.173] (port=54929 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1LOw4c-0006ql-6T
	for qemu-devel@nongnu.org; Mon, 19 Jan 2009 10:29:58 -0500
Received: from [84.20.150.76] (port=44530 helo=narury.org)
	by monty-python.gnu.org with esmtps
	(TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.60)
	(envelope-from <nchip@kos.to>) id 1LOw4b-0006W9-Ly
	for qemu-devel@nongnu.org; Mon, 19 Jan 2009 10:29:58 -0500
Received: from kos.to (localhost.localdomain [127.0.0.1])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by narury.org (Postfix) with ESMTP id 613D43274001
	for <qemu-devel@nongnu.org>; Mon, 19 Jan 2009 17:29:52 +0200 (EET)
Date: Mon, 19 Jan 2009 17:29:52 +0200
From: Riku Voipio <riku.voipio@iki.fi>
Message-ID: <20090119152952.GA20874@kos.to>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Subject: [Qemu-devel] [PATCH] linux-user: return EINVAL on incorrect sockaddr
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

From: Lauro Ramos Venancio <lauro.venancio@gmail.com>

Fixes ltp test accept01

Signed-off-by: Riku Voipio <riku.voipio@iki.fi>
---
 linux-user/syscall.c |   33 +++++++++++++++++++++++++++++++--
 1 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index ab81b3a..adb27de 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1185,11 +1185,19 @@ static abi_long do_socket(int domain, int type, int protocol)
     return get_errno(socket(domain, type, protocol));
 }
 
+/* MAX_SOCK_ADDR from linux/net/socket.c */
+#define MAX_SOCK_ADDR	128
+
 /* do_bind() Must return target values and target errnos. */
 static abi_long do_bind(int sockfd, abi_ulong target_addr,
                         socklen_t addrlen)
 {
-    void *addr = alloca(addrlen);
+    void *addr;
+
+    if (addrlen < 0 || addrlen > MAX_SOCK_ADDR)
+        return -TARGET_EINVAL;
+
+    addr = alloca(addrlen);
 
     target_to_host_sockaddr(addr, target_addr, addrlen);
     return get_errno(bind(sockfd, addr, addrlen));
@@ -1199,7 +1207,12 @@ static abi_long do_bind(int sockfd, abi_ulong target_addr,
 static abi_long do_connect(int sockfd, abi_ulong target_addr,
                            socklen_t addrlen)
 {
-    void *addr = alloca(addrlen);
+    void *addr;
+
+    if (addrlen < 0 || addrlen > MAX_SOCK_ADDR)
+        return -TARGET_EINVAL;
+
+    addr = alloca(addrlen);
 
     target_to_host_sockaddr(addr, target_addr, addrlen);
     return get_errno(connect(sockfd, addr, addrlen));
@@ -1271,6 +1284,9 @@ static abi_long do_accept(int fd, abi_ulong target_addr,
     if (get_user_u32(addrlen, target_addrlen_addr))
         return -TARGET_EFAULT;
 
+    if (addrlen < 0 || addrlen > MAX_SOCK_ADDR)
+        return -TARGET_EINVAL;
+
     addr = alloca(addrlen);
 
     ret = get_errno(accept(fd, addr, &addrlen));
@@ -1293,6 +1309,9 @@ static abi_long do_getpeername(int fd, abi_ulong target_addr,
     if (get_user_u32(addrlen, target_addrlen_addr))
         return -TARGET_EFAULT;
 
+    if (addrlen < 0 || addrlen > MAX_SOCK_ADDR)
+        return -TARGET_EINVAL;
+
     addr = alloca(addrlen);
 
     ret = get_errno(getpeername(fd, addr, &addrlen));
@@ -1315,6 +1334,9 @@ static abi_long do_getsockname(int fd, abi_ulong target_addr,
     if (get_user_u32(addrlen, target_addrlen_addr))
         return -TARGET_EFAULT;
 
+    if (addrlen < 0 || addrlen > MAX_SOCK_ADDR)
+        return -TARGET_EINVAL;
+
     addr = alloca(addrlen);
 
     ret = get_errno(getsockname(fd, addr, &addrlen));
@@ -1350,6 +1372,9 @@ static abi_long do_sendto(int fd, abi_ulong msg, size_t len, int flags,
     void *host_msg;
     abi_long ret;
 
+    if (addrlen < 0 || addrlen > MAX_SOCK_ADDR)
+        return -TARGET_EINVAL;
+
     host_msg = lock_user(VERIFY_READ, msg, len, 1);
     if (!host_msg)
         return -TARGET_EFAULT;
@@ -1382,6 +1407,10 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, size_t len, int flags,
             ret = -TARGET_EFAULT;
             goto fail;
         }
+        if (addrlen < 0 || addrlen > MAX_SOCK_ADDR) {
+            ret = -TARGET_EINVAL;
+            goto fail;
+        }
         addr = alloca(addrlen);
         ret = get_errno(recvfrom(fd, host_msg, len, flags, addr, &addrlen));
     } else {
-- 
1.5.6.5


-- 
"rm -rf" only sounds scary if you don't have backups