asmlinkage long sys_getsockname(int fd, struct sockaddr *usockaddr, int *usockaddr_len)
{
        struct socket *sock;
        char address[MAX_SOCK_ADDR];
        int len, err;
        sock = sockfd_lookup(fd, &err);
        if (!sock)
                goto out;
        err = sock->ops->getname(sock, (struct sockaddr *)address, &len, 0);
        if (err)
                goto out_put;
        err = move_addr_to_user(address, len, usockaddr, usockaddr_len);
out_put:
        sockfd_put(sock);
out:
        return err;
}
The man page getpeername(2) says
========================================================
The namelen parameter should be initialized to
indicate the amount of space pointed to by name.
On return it contains the actual size of the name
returned (in bytes). The name is truncated if the buffer
provided is too small.
=========================================================
The code does not copy_from_user the passed value of
length (by the user). It instead passes to the protocol
specific code a pointer in the stack (len). The copyout to
user space is correct. But still the value passed
from the user should also be considered. If this value
is less than what we want to copyout, the smaller value
should be used.
The same bug exists even in getsockname. The fix is
trivial.
1. Copy in the value the user passed.
2. Pass this value to the protocol (sock ops) getpeername
   or getsockname. Let it decide what to do if the user
   passed value is smaller than the size it wants to
   return.
3. Copyout the values
Am I missing something, or is this a known bug?
If this fix is acceptable I can quickly send a patch
after testing it. Please cc me, I am no longer subscribed
to lkml.
Thanks,
Balbir
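As an added user-space illustration (not part of Balbir's message or of the kernel source quoted above), the program below shows the length semantics the man page describes from the caller's side: addrlen is initialized to the buffer size, the kernel copies at most that many bytes, and the value written back is the full name size, so a returned length larger than the buffer signals truncation. The helper names and the 4-byte "too small" buffer are this example's own choices.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* Query the local name of fd into a caller-supplied buffer of bufsize bytes.
 * Returns 1 if the name was truncated (kernel reported a larger size than the
 * buffer), 0 if it fit, -1 on error. The full size is stored in *actual. */
int local_name_truncated(int fd, void *buf, socklen_t bufsize, socklen_t *actual)
{
    /* The in/out argument must be initialized to the buffer size, as the
     * man page says; the kernel copies at most this many bytes. */
    socklen_t len = bufsize;
    if (getsockname(fd, (struct sockaddr *)buf, &len) < 0)
        return -1;
    if (actual)
        *actual = len;
    /* POSIX: on return len is the size before truncation, so a value larger
     * than the buffer means the address was cut short. */
    return len > bufsize ? 1 : 0;
}

/* Demonstration on an (unbound) IPv4 socket, whose name is always a full
 * struct sockaddr_in. Returns 0 when both observations match expectations. */
int demo(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_storage big;       /* large enough for any address family */
    char small[4];                     /* deliberately too small for sockaddr_in */
    socklen_t got_big = 0, got_small = 0;
    int t_big = local_name_truncated(fd, &big, sizeof big, &got_big);
    int t_small = local_name_truncated(fd, small, sizeof small, &got_small);
    close(fd);
    printf("full buffer: truncated=%d size=%u\n", t_big, (unsigned)got_big);
    printf("4-byte buffer: truncated=%d size=%u\n", t_small, (unsigned)got_small);
    if (t_big != 0 || got_big != sizeof(struct sockaddr_in))
        return -2;
    if (t_small != 1 || got_small != sizeof(struct sockaddr_in))
        return -3;
    return 0;
}

int main(void)
{
    return demo() == 0 ? 0 : 1;
}
```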