[Qemu-devel] [PATCH] linux-user: fix recvmsg()/recvfrom() with netlink and MSG

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC
@ 2018-08-06 21:18 Laurent Vivier
  2018-08-16 13:00 ` Peter Maydell
  0 siblings, 1 reply; 2+ messages in thread
From: Laurent Vivier @ 2018-08-06 21:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: Riku Voipio, John Paul Adrian Glaubitz, Laurent Vivier

If recvmsg()/recvfrom() are used with the MSG_TRUNC flag, they return the
real length even if it was longer than the passed buffer.
So when we translate the buffer we must check we don't go beyond the
end of the buffer.

Bug: https://github.com/vivier/qemu-m68k/issues/33
Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
 linux-user/syscall.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index dfc851cc35..399da09f38 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3892,7 +3892,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp,
             len = ret;
             if (fd_trans_host_to_target_data(fd)) {
                 ret = fd_trans_host_to_target_data(fd)(msg.msg_iov->iov_base,
-                                                       len);
+                                               MIN(msg.msg_iov->iov_len, len));
             } else {
                 ret = host_to_target_cmsg(msgp, &msg);
             }
@@ -4169,7 +4169,12 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, size_t len, int flags,
     }
     if (!is_error(ret)) {
         if (fd_trans_host_to_target_data(fd)) {
-            ret = fd_trans_host_to_target_data(fd)(host_msg, ret);
+            abi_long trans;
+            trans = fd_trans_host_to_target_data(fd)(host_msg, MIN(ret, len));
+            if (is_error(trans)) {
+                ret = trans;
+                goto fail;
+            }
         }
         if (target_addr) {
             host_to_target_sockaddr(target_addr, addr, addrlen);
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [Qemu-devel] [PATCH] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC
  2018-08-06 21:18 [Qemu-devel] [PATCH] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC Laurent Vivier
@ 2018-08-16 13:00 ` Peter Maydell
  0 siblings, 0 replies; 2+ messages in thread
From: Peter Maydell @ 2018-08-16 13:00 UTC (permalink / raw)
  To: Laurent Vivier; +Cc: QEMU Developers, Riku Voipio, John Paul Adrian Glaubitz

On 6 August 2018 at 22:18, Laurent Vivier <laurent@vivier.eu> wrote:
> If recvmsg()/recvfrom() are used with the MSG_TRUNC flag, they return the
> real length even if it was longer than the passed buffer.
> So when we translate the buffer we must check we don't go beyond the
> end of the buffer.
>
> Bug: https://github.com/vivier/qemu-m68k/issues/33
> Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
> Signed-off-by: Laurent Vivier <laurent@vivier.eu>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

thanks
-- PMM

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2018-08-16 13:00 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-08-06 21:18 [Qemu-devel] [PATCH] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC Laurent Vivier
2018-08-16 13:00 ` Peter Maydell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).