diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2020-07-27 19:22:20 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2020-07-27 13:25:39 -0700 |
commit | 181964e619b76ae2e71bcdc6001cf977bec4cf6e (patch) | |
tree | 84fc012351abcb4d314b7711b0bc2a69e4a046b7 /net | |
parent | 11d268107ad4c7d694148269e3b23ef43dd0e8ba (diff) | |
download | lwn-181964e619b76ae2e71bcdc6001cf977bec4cf6e.tar.gz lwn-181964e619b76ae2e71bcdc6001cf977bec4cf6e.zip |
fix a braino in cmsghdr_from_user_compat_to_kern()
commit 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to
copy_from_user()") missed one of the places where ucmlen should've been
replaced with cmsg.cmsg_len, now that we are fetching the entire struct
rather than doing it field-by-field.
As the result, compat sendmsg() with several different-sized cmsg
attached started to fail with EINVAL. Trivial to fix, fortunately.
Fixes: 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to copy_from_user()")
Reported-by: Nick Bowler <nbowler@draconx.ca>
Tested-by: Nick Bowler <nbowler@draconx.ca>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/compat.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/compat.c b/net/compat.c index 5e3041a2c37d..434838bef5f8 100644 --- a/net/compat.c +++ b/net/compat.c @@ -202,7 +202,7 @@ int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk, /* Advance. */ kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp); - ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen); + ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, cmsg.cmsg_len); } /* |