[PATCH] Fix 32bit sendmsg() flaw When we copy 32bit ->msg_control contents to kernel, we walk the same userland data twice without sanity checks on the second pass. Second version of this patch: the original broke with 64-bit arches running 32-bit-compat-mode executables doing sendmsg() syscalls with unaligned CMSG data areas Another thing is that we use kmalloc() to allocate and sock_kfree_s() to free afterwards; less serious, but also needs fixing. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

commit: 8920e8f94c44e31a73bdf923b04721e26e88cadd [log] [tgz]
author: Al Viro <viro@zeniv.linux.org.uk> Wed Sep 07 18:28:51 2005 -0700
committer: Linus Torvalds <torvalds@g5.osdl.org> Thu Sep 08 08:14:11 2005 -0700
tree: 7a0195643c37c63335224358256fab8cd445a671
parent: 5aa3b610a7330c3cd6f0cb264d2189a3a1dcf534 [diff] [blame]
diff --git a/net/socket.c b/net/socket.c
index e1bd5d84..c699e93 100644
--- a/net/socket.c
+++ b/net/socket.c

@@ -1745,10 +1745,11 @@
 		goto out_freeiov;
 	ctl_len = msg_sys.msg_controllen; 
 	if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
-		err = cmsghdr_from_user_compat_to_kern(&msg_sys, ctl, sizeof(ctl));
+		err = cmsghdr_from_user_compat_to_kern(&msg_sys, sock->sk, ctl, sizeof(ctl));
 		if (err)
 			goto out_freeiov;
 		ctl_buf = msg_sys.msg_control;
+		ctl_len = msg_sys.msg_controllen;
 	} else if (ctl_len) {
 		if (ctl_len > sizeof(ctl))
 		{
commit	8920e8f94c44e31a73bdf923b04721e26e88cadd	[log] [tgz]
author	Al Viro <viro@zeniv.linux.org.uk>	Wed Sep 07 18:28:51 2005 -0700
committer	Linus Torvalds <torvalds@g5.osdl.org>	Thu Sep 08 08:14:11 2005 -0700
tree	7a0195643c37c63335224358256fab8cd445a671
parent	5aa3b610a7330c3cd6f0cb264d2189a3a1dcf534 [diff] [blame]