Re: 2.2.x BUG & PATCH: recvmsg() does not check msg_controllen correctly

From: Philippe Troin (phil@fifi.org)
Date: Fri Nov 03 2000 - 19:17:53 EST


"David S. Miller" <davem@redhat.com> writes:

> The real bug is in the setting of MSG_TRUNC (which is the only side
> effect of your change). So the better fix is:
>
> --- net/core/scm.c.~1~ Tue Jun 15 09:19:30 1999
> +++ net/core/scm.c Fri Nov 3 14:18:06 2000
> @@ -251,7 +251,7 @@
> msg->msg_controllen -= cmlen;
> }
> }
> - if (i < fdnum)
> + if (i < fdnum || (fdnum && fdmax <= 0))
> msg->msg_flags |= MSG_CTRUNC;
>
> /*
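Review bot: the added clause on the MSG_CTRUNC line only changes when the flag is set; nothing in this hunk shows the fd-copying loop above it being bounded when fdmax <= 0, so the hunk alone does not establish what stops descriptors from being written past msg_control + msg_controllen in that case. Suggest pairing the flag change with an explicit guard before the loop (e.g. `if (fdmax <= 0) goto out;` with the flag set on that path) and saying in the changelog why the existing `if (i < fdnum)` test is not already true there: if the loop runs zero times, i == 0 < fdnum would set MSG_CTRUNC without the extra clause, so either the loop is not bounded by fdmax or the new clause is redundant.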

Mmmh, no, if fdmax <= 0 (which happens when msg_controllen <
sizeof(struct cmsghdr)), then all fds are passed, eventually
clobbering past ((char*)(msg_control)+msg_controllen).

Run the little test case if you're not convinced...
I stand by my patch :-)

Phil.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
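Added test case for this page (not the one Phil refers to, which the archive does not reproduce, and not kernel code): it passes a pipe's read end over an AF_UNIX socketpair with SCM_RIGHTS and receives it twice, once with msg_controllen set below sizeof(struct cmsghdr), the exact case discussed above, and once with a buffer large enough for the fd. The control buffer sits at the front of a larger canary-filled area, so any write past msg_control + msg_controllen shows up as a changed canary byte. Assumes Linux; send_fd(), recv_probe(), run_probe() and struct probe_result are names chosen here.

```c
/* Added example, not code from the thread: probe how recvmsg() handles an
 * SCM_RIGHTS message when the receiver's msg_controllen is smaller than
 * sizeof(struct cmsghdr).  Linux, AF_UNIX socketpair; send_fd(),
 * recv_probe() and run_probe() are names chosen for this example. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

struct probe_result {
    int ctrunc;        /* recvmsg() reported MSG_CTRUNC */
    int canary_intact; /* nothing written beyond msg_control + msg_controllen */
    int fd_received;   /* an SCM_RIGHTS cmsg carrying an fd came back */
    int fd_works;      /* the byte written before passing is readable via it */
};

/* Send one data byte plus 'fd' as SCM_RIGHTS over sock. */
static int send_fd(int sock, int fd)
{
    char data = 'x';
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *cm;

    memset(&u, 0, sizeof(u));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive with msg_controllen = controllen.  The control buffer is the start
 * of a larger 0xAA-filled area, so an overrun changes a canary byte. */
static int recv_probe(int sock, size_t controllen, struct probe_result *r)
{
    char data;
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    union { struct cmsghdr align; unsigned char buf[CMSG_SPACE(sizeof(int)) + 64]; } area;
    struct msghdr msg;

    memset(r, 0, sizeof(*r));
    memset(&area, 0xAA, sizeof(area));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = area.buf;
    msg.msg_controllen = controllen;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    r->ctrunc = (msg.msg_flags & MSG_CTRUNC) != 0;
    r->canary_intact = 1;
    for (size_t i = controllen; i < sizeof(area.buf); i++)
        if (area.buf[i] != 0xAA)
            r->canary_intact = 0;
    /* CMSG_FIRSTHDR() is NULL when the returned msg_controllen is below
     * sizeof(struct cmsghdr), so a truncated receive skips this loop. */
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm)) {
        int fd;
        char c = 0;
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
            cm->cmsg_len < CMSG_LEN(sizeof(int)))
            continue;
        memcpy(&fd, CMSG_DATA(cm), sizeof(int));
        r->fd_received = 1;
        r->fd_works = (read(fd, &c, 1) == 1 && c == 'p');
        close(fd);
    }
    return 0;
}

/* Pass a pipe's read end across a socketpair and receive it with the given
 * control-buffer length.  Returns 0 on success with *r filled in. */
int run_probe(size_t controllen, struct probe_result *r)
{
    int sv[2], pfd[2], rc = -1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (pipe(pfd) < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    if (write(pfd[1], "p", 1) == 1 && send_fd(sv[0], pfd[0]) == 0)
        rc = recv_probe(sv[1], controllen, r);
    close(pfd[0]); close(pfd[1]); close(sv[0]); close(sv[1]);
    return rc;
}

int main(void)
{
    struct probe_result r;
    size_t lens[2] = { sizeof(struct cmsghdr) - 1, CMSG_SPACE(sizeof(int)) };

    for (int i = 0; i < 2; i++) {
        if (run_probe(lens[i], &r) < 0) {
            perror("run_probe");
            return 1;
        }
        printf("msg_controllen=%zu: MSG_CTRUNC=%d canary_intact=%d fd_received=%d fd_works=%d\n",
               lens[i], r.ctrunc, r.canary_intact, r.fd_received, r.fd_works);
    }
    return 0;
}
```

On a kernel with the fix, the short-buffer receive comes back with MSG_CTRUNC set, no fd installed and the canary untouched; the full-size receive comes back without MSG_CTRUNC and the received fd reads the byte written before it was passed. A kernel with the bug Phil describes would show the canary changed and, depending on what landed there, possibly an fd installed despite the short buffer.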



This archive was generated by hypermail 2b29 : Tue Nov 07 2000 - 21:00:15 EST