[1/2] linux-user: fd_trans_host_to_target_data() must process only received data

Message ID 1466103697-27279-2-git-send-email-laurent@vivier.eu
State New

Commit Message

Laurent Vivier June 16, 2016, 7:01 p.m. UTC
if we process the whole buffer, the netlink helpers can try
to swap invalid data.

Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
 linux-user/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Peter Maydell June 16, 2016, 9:05 p.m. UTC | #1
On 16 June 2016 at 20:01, Laurent Vivier <laurent@vivier.eu> wrote:
> if we process the whole buffer, the netlink helpers can try
> to swap invalid data.
>
> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
> ---
>  linux-user/syscall.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 0b937ca..3c30437 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -2987,7 +2987,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp,
>              len = ret;
>              if (fd_trans_host_to_target_data(fd)) {
>                  ret = fd_trans_host_to_target_data(fd)(msg.msg_iov->iov_base,
> -                                                       msg.msg_iov->iov_len);
> +                                                       len);
>              } else {
>                  ret = host_to_target_cmsg(msgp, &msg);
>              }
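Review bot: nothing at the call site in the fd_trans_host_to_target_data() branch says that len is the byte count actually received rather than the capacity of the buffer, and the fix depends on that distinction. A one-line comment above the call, stating that the helper must only see the len bytes that were received, would keep a later cleanup from switching the argument back to msg.msg_iov->iov_len. The commit message could also name the symptom seen when the unused tail of the buffer was swapped.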

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

thanks
-- PMM

Patch

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 0b937ca..3c30437 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2987,7 +2987,7 @@  static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp,
             len = ret;
             if (fd_trans_host_to_target_data(fd)) {
                 ret = fd_trans_host_to_target_data(fd)(msg.msg_iov->iov_base,
-                                                       msg.msg_iov->iov_len);
+                                                       len);
             } else {
                 ret = host_to_target_cmsg(msgp, &msg);
             }
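Review bot: missing bound on the new argument: len is passed together with msg.msg_iov->iov_base, which is only the first iovec, while len = ret looks like the total for the whole message. If the guest supplies several iovecs and the received data is larger than the first one, the helper would walk past the end of that buffer, which the old msg.msg_iov->iov_len argument could not do. Consider clamping, e.g. MIN(len, msg.msg_iov->iov_len), or translating each iovec in turn.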