• Meng Xu's avatar
    net: compat: assert the size of cmsg copied in is as expected · c2a64bb9
    Meng Xu authored
    The actual length of cmsg fetched in during the second loop
    (i.e., kcmsg - kcmsg_base) could be different from what we
    get from the first loop (i.e., kcmlen).
    
    The main reason is that the two get_user() calls in the two
    loops (i.e., get_user(ucmlen, &ucmsg->cmsg_len) and
    __get_user(ucmlen, &ucmsg->cmsg_len)) could cause ucmlen
    to have different values even they fetch from the same userspace
    address, as user can race to change the memory content in
    &ucmsg->cmsg_len across fetches.
    
    Although in the second loop, the sanity check
    if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
    is inplace, it only ensures that the cmsg fetched in during the
    second loop does not exceed the length of kcmlen, but not
    necessarily equal to kcmlen. But indicated by the assignment
    kmsg->msg_controllen = kcmlen, we should enforce that.
    
    This patch adds this additional sanity check and ensures that
    what is recorded in kmsg->msg_controllen is the actual cmsg length.
    Signed-off-by: 's avatarMeng Xu <mengxu.gatech@gmail.com>
    Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
    c2a64bb9
compat.c 24.3 KB