[3.16.y-ckt,stable] Patch "net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland." has been added to staging queue

Message ID 1424347241-21456-1-git-send-email-luis.henriques@canonical.com
State New

Commit Message

Luis Henriques Feb. 19, 2015, noon UTC
This is a note to let you know that I have just added a patch titled

    net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland.

to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.16.y-queue

This patch is scheduled to be released in version 3.16.7-ckt7.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.16.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From 988bfeffd3a59c947d755ed87b3e67d622a66ab9 Mon Sep 17 00:00:00 2001
From: Ani Sinha <ani@arista.com>
Date: Mon, 8 Sep 2014 14:49:59 -0700
Subject: net:socket: set msg_namelen to 0 if msg_name is passed as NULL in
 msghdr struct from userland.

commit 6a2a2b3ae0759843b22c929881cc184b00cc63ff upstream.

Linux manpage for recvmsg and sendmsg calls does not explicitly mention setting msg_namelen to 0 when
msg_name is passed as NULL. When developers don't set the msg_namelen member in msghdr, it might contain a garbage
value which will fail the validation check and sendmsg and recvmsg calls from kernel will return EINVAL. This will
break old binaries and any code for which there is no access to source code.
To fix this, we set msg_namelen to 0 when msg_name is passed as NULL from userland.

Signed-off-by: Ani Sinha <ani@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Michal Marek <mmarek@suse.cz>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/socket.c | 3 +++
 1 file changed, 3 insertions(+)

--
2.1.4

Patch

diff --git a/net/socket.c b/net/socket.c
index 7050240a951b..4980af97d87c 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1985,6 +1985,9 @@  static int copy_msghdr_from_user(struct msghdr *kmsg,
 	if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
 		return -EFAULT;

+	if (kmsg->msg_name == NULL)
+		kmsg->msg_namelen = 0;
+
 	if (kmsg->msg_namelen < 0)
 		return -EINVAL;
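
Review bot: the added `if (kmsg->msg_name == NULL)` branch overwrites a field supplied by userland without a comment explaining why, so a later reader of copy_msghdr_from_user() cannot tell that this is a deliberate compatibility measure for callers that leave msg_namelen uninitialized. A short comment above the branch stating that, and that the reset must stay ahead of the `kmsg->msg_namelen < 0` check to have any effect, would keep it from being reordered or dropped in a cleanup. The reset itself is sound as placed: it operates on the kernel copy after copy_from_user() has completed, so user memory is not read a second time, and with msg_name NULL the length has no buffer to describe. The diffstat shows only net/socket.c changed, so it is worth confirming whether any other path that copies a msghdr from userland applies the same msg_namelen validation and would still return EINVAL for the same input.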