linux-user: Handle short lengths in host_to_target_sockaddr()
If userspace specifies a short buffer for a target sockaddr, the kernel will only copy in as much as it has space for (or none at all if the length is zero) -- see the kernel move_addr_to_user() function. Mimic this in QEMU's host_to_target_sockaddr() routine. In particular, this fixes a segfault running the LTP recvfrom01 test, where the guest makes a recvfrom() call with a bad buffer pointer and other parameters which cause the kernel to set the addrlen to zero; because we did not skip the attempt to swap the sa_family field we segfaulted on the bad address. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
This commit is contained in:
parent
31efaef1d9
commit
a1e221929f
@ -1376,12 +1376,19 @@ static inline abi_long host_to_target_sockaddr(abi_ulong target_addr,
|
||||
{
|
||||
struct target_sockaddr *target_saddr;
|
||||
|
||||
if (len == 0) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
target_saddr = lock_user(VERIFY_WRITE, target_addr, len, 0);
|
||||
if (!target_saddr)
|
||||
return -TARGET_EFAULT;
|
||||
memcpy(target_saddr, addr, len);
|
||||
target_saddr->sa_family = tswap16(addr->sa_family);
|
||||
if (addr->sa_family == AF_NETLINK) {
|
||||
if (len >= offsetof(struct target_sockaddr, sa_family) +
|
||||
sizeof(target_saddr->sa_family)) {
|
||||
target_saddr->sa_family = tswap16(addr->sa_family);
|
||||
}
|
||||
if (addr->sa_family == AF_NETLINK && len >= sizeof(struct sockaddr_nl)) {
|
||||
struct sockaddr_nl *target_nl = (struct sockaddr_nl *)target_saddr;
|
||||
target_nl->nl_pid = tswap32(target_nl->nl_pid);
|
||||
target_nl->nl_groups = tswap32(target_nl->nl_groups);
|
||||
|
Loading…
Reference in New Issue
Block a user