aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLaurent Vivier <laurent@vivier.eu>2018-08-20 19:15:54 +0200
committerLaurent Vivier <laurent@vivier.eu>2018-08-20 22:03:49 +0200
commit2a03d3e6ae1b1ca86199a0c36a35e8ac847905f6 (patch)
treed1833d5fc846c95ee59b1db644811a23270ea5d7
parent5b38d0264064055255db991e29d938491f9e8a32 (diff)
linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC
If recvmsg()/recvfrom() are used with the MSG_TRUNC flag, they return the real length even if it was longer than the passed buffer. So when we translate the buffer we must check we don't go beyond the end of the buffer. Bug: https://github.com/vivier/qemu-m68k/issues/33 Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Signed-off-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20180820171557.7734-2-laurent@vivier.eu>
-rw-r--r--linux-user/syscall.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 1806b33b02..e66faf1c62 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3892,7 +3892,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp,
len = ret;
if (fd_trans_host_to_target_data(fd)) {
ret = fd_trans_host_to_target_data(fd)(msg.msg_iov->iov_base,
- len);
+ MIN(msg.msg_iov->iov_len, len));
} else {
ret = host_to_target_cmsg(msgp, &msg);
}
@@ -4169,7 +4169,12 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, size_t len, int flags,
}
if (!is_error(ret)) {
if (fd_trans_host_to_target_data(fd)) {
- ret = fd_trans_host_to_target_data(fd)(host_msg, ret);
+ abi_long trans;
+ trans = fd_trans_host_to_target_data(fd)(host_msg, MIN(ret, len));
+ if (is_error(trans)) {
+ ret = trans;
+ goto fail;
+ }
}
if (target_addr) {
host_to_target_sockaddr(target_addr, addr, addrlen);