summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2020-07-27 19:22:20 +0100
committerDavid S. Miller <davem@davemloft.net>2020-07-27 13:25:39 -0700
commit181964e619b76ae2e71bcdc6001cf977bec4cf6e (patch)
tree84fc012351abcb4d314b7711b0bc2a69e4a046b7 /net
parent11d268107ad4c7d694148269e3b23ef43dd0e8ba (diff)
downloadlwn-181964e619b76ae2e71bcdc6001cf977bec4cf6e.tar.gz
lwn-181964e619b76ae2e71bcdc6001cf977bec4cf6e.zip
fix a braino in cmsghdr_from_user_compat_to_kern()
commit 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to copy_from_user()") missed one of the places where ucmlen should've been replaced with cmsg.cmsg_len, now that we are fetching the entire struct rather than doing it field-by-field. As the result, compat sendmsg() with several different-sized cmsg attached started to fail with EINVAL. Trivial to fix, fortunately. Fixes: 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to copy_from_user()") Reported-by: Nick Bowler <nbowler@draconx.ca> Tested-by: Nick Bowler <nbowler@draconx.ca> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/compat.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/compat.c b/net/compat.c
index 5e3041a2c37d..434838bef5f8 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -202,7 +202,7 @@ int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk,
/* Advance. */
kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
- ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
+ ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, cmsg.cmsg_len);
}
/*