From: "Balbir Singh" <balbir_soni@hotmail.com>
To: linux-kernel@vger.kernel.org
Subject: [BUG] Suspected bug in getpeername and getsockname
Date: Tue, 15 Jan 2002 16:51:52 -0800	[thread overview]
Message-ID: <F232Ej1I7QY9zK4unnr000139b2@hotmail.com> (raw)

The current code for sys_getpeername is shown below

asmlinkage long sys_getsockname(int fd, struct sockaddr *usockaddr, int *usockaddr_len)
{
        struct socket *sock;
        char address[MAX_SOCK_ADDR];
        int len, err;

        sock = sockfd_lookup(fd, &err);
        if (!sock)
                goto out;
        err = sock->ops->getname(sock, (struct sockaddr *)address, &len, 0);
        if (err)
                goto out_put;
        err = move_addr_to_user(address, len, usockaddr, usockaddr_len);

out_put:
        sockfd_put(sock);
out:
        return err;
}

The man page getpeername(2) says
========================================================
The namelen parameter should be initialized to
indicate the amount of  space  pointed  to  by name.
On return it  contains  the actual size of the name
returned (in bytes).  The name is truncated if the buffer
provided is too small.
=========================================================

The code does not copy_from_user the passed value of
length (by the user). It instead passes to the protocol
specific code a pointer in the stack (len). The copyout to
user space is correct. But still the value passed
from the user should also be considered. If this value
is less than what we want to copyout, the smaller value
should be used.

The same bug exists even in getsockname. The fix is
trivial.

1. Copy in the value the user passed.
2. Pass this value to the protocol (sock ops) getpeername
   or getsockname. Let it decide what to do if the user
   passed value is smaller than the size it wants to
   return.
3. Copyout the values
Am I missing something, or is this a known bug?

If this fix is acceptable I can quickly send a patch
after testing it. Please cc me; I am no longer subscribed
to lkml.


Thanks,
Balbir

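An added user-space check, not part of Balbir's mail or of the kernel code quoted above: the man-page contract the mail cites (the kernel writes at most the caller-supplied length and reports the full address size) can be probed directly by calling getsockname() with a deliberately short length on a buffer padded with canary bytes. The socket name, the canary value and the fallback path under /tmp are assumptions made for this example; the abstract AF_UNIX namespace it tries first is Linux-specific.

```c
/* Added example (not from the original mail or the kernel): probe whether
 * getsockname() honours a short caller-supplied length as getpeername(2)
 * requires. Tries a Linux abstract-namespace AF_UNIX socket first (needs no
 * network, leaves nothing on disk), then falls back to a pathname socket. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define CANARY 0xA5           /* assumed fill byte for the guard region */

/* Bind an AF_UNIX socket and return its fd (or -1). *bound_len receives the
 * exact address length given to bind(); *path receives a filesystem path to
 * unlink afterwards, or "" when the abstract namespace was used. */
static int make_bound_socket(socklen_t *bound_len, char *path, size_t pathsz)
{
    struct sockaddr_un sun;
    int n;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    /* First choice: abstract name (leading NUL), unique per pid. */
    memset(&sun, 0, sizeof(sun));
    sun.sun_family = AF_UNIX;
    n = snprintf(sun.sun_path + 1, sizeof(sun.sun_path) - 1,
                 "lkml-getsockname-probe-%ld", (long)getpid());
    *bound_len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
    path[0] = '\0';
    if (bind(fd, (struct sockaddr *)&sun, *bound_len) == 0)
        return fd;

    /* Fallback: pathname socket under /tmp (assumed writable). */
    memset(&sun, 0, sizeof(sun));
    sun.sun_family = AF_UNIX;
    n = snprintf(sun.sun_path, sizeof(sun.sun_path),
                 "/tmp/lkml-getsockname-probe-%ld", (long)getpid());
    snprintf(path, pathsz, "%s", sun.sun_path);
    *bound_len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
    if (bind(fd, (struct sockaddr *)&sun, *bound_len) == 0)
        return fd;

    close(fd);
    return -1;
}

/* Call getsockname() with a buffer of 'short_len' bytes inside a larger
 * canary-filled array. Returns 0 if the kernel wrote at most short_len bytes
 * and reported the full address size in *reported_len; -1 if a syscall
 * failed; 1 if bytes past short_len were overwritten (the overrun the mail
 * worries about); 2 if the reported length is not the full address size. */
int probe_short_buffer(socklen_t short_len, socklen_t *reported_len)
{
    unsigned char buf[sizeof(struct sockaddr_un) + 64];
    char path[sizeof(((struct sockaddr_un *)0)->sun_path)];
    socklen_t full_len, len = short_len;
    size_t i;
    int rc;

    int fd = make_bound_socket(&full_len, path, sizeof(path));
    if (fd < 0)
        return -1;

    memset(buf, CANARY, sizeof(buf));
    rc = getsockname(fd, (struct sockaddr *)buf, &len);
    close(fd);
    if (path[0])
        unlink(path);
    if (rc < 0)
        return -1;
    *reported_len = len;

    /* Everything past the caller-supplied length must still be canary. */
    for (i = short_len; i < sizeof(buf); i++)
        if (buf[i] != CANARY)
            return 1;
    /* "On return it contains the actual size of the name returned." */
    if (len != full_len)
        return 2;
    return 0;
}

int main(void)
{
    socklen_t got = 0;
    int r = probe_short_buffer(4, &got);
    printf("4-byte buffer: result %d, kernel reported length %u\n",
           r, (unsigned)got);
    return r == 0 ? 0 : 1;
}
```

A result of 1 would mean the kernel ignored the caller's length and overran the buffer; 2 would mean it truncated silently without telling the caller how much space was really needed. Either outcome is what a user-space program should defend against by always initialising the length argument and re-checking it after the call.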


Thread overview: 12+ messages
2002-01-16  0:51 Balbir Singh [this message]
2002-01-17  0:54 ` [BUG] Suspected bug in getpeername and getsockname David S. Miller
2002-01-17 16:27 Balbir Singh
2002-01-17 20:24 ` kuznet
2002-01-17 21:11 ` David S. Miller
2002-01-17 22:11 Balbir Singh
2002-01-17 22:30 ` David S. Miller
2002-01-17 23:20 Balbir Singh
2002-01-17 23:26 ` David S. Miller
2002-01-17 23:35 Balbir Singh
2002-01-17 23:38 ` David S. Miller
2002-01-18  0:05 Balbir Singh
