diff options
| author | des <des@FreeBSD.org> | 2004-08-23 12:41:29 +0000 |
|---|---|---|
| committer | des <des@FreeBSD.org> | 2004-08-23 12:41:29 +0000 |
| commit | bf69a165581d2df18a7ae0a951e5879204f1b6fe (patch) | |
| tree | 6f79c400df57d04c123588155a72c157c74bdd96 /sys/compat | |
| parent | ef4abb9432cc1aafe7d102f1dad8c709ff741c86 (diff) | |
| download | FreeBSD-src-bf69a165581d2df18a7ae0a951e5879204f1b6fe.zip FreeBSD-src-bf69a165581d2df18a7ae0a951e5879204f1b6fe.tar.gz | |
Don't try to translate the control message unless we're certain it's
valid; otherwise a caller could trick us into changing any 32-bit word
in kernel memory to LINUX_SOL_SOCKET (0x00000001) if its previous value
is SOL_SOCKET (0x0000ffff).
MFC after: 3 days
Diffstat (limited to 'sys/compat')
| -rw-r--r-- | sys/compat/linux/linux_socket.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/compat/linux/linux_socket.c b/sys/compat/linux/linux_socket.c index fdba099..47cf5d6 100644 --- a/sys/compat/linux/linux_socket.c +++ b/sys/compat/linux/linux_socket.c @@ -1011,7 +1011,8 @@ linux_recvmsg(struct thread *td, struct linux_recvmsg_args *args) if (error) return (error); - if (bsd_args.msg->msg_control != NULL) { + if (bsd_args.msg->msg_control != NULL && + bsd_args.msg->msg_controllen > 0) { cmsg = (struct cmsghdr*)bsd_args.msg->msg_control; cmsg->cmsg_level = bsd_to_linux_sockopt_level(cmsg->cmsg_level); } |
