[PATCH] Fix 32bit sendmsg() flaw
authorAl Viro <viro@zeniv.linux.org.uk>
Thu, 8 Sep 2005 01:28:51 +0000 (18:28 -0700)
committerLinus Torvalds <torvalds@g5.osdl.org>
Thu, 8 Sep 2005 15:14:11 +0000 (08:14 -0700)
commit8920e8f94c44e31a73bdf923b04721e26e88cadd
tree7a0195643c37c63335224358256fab8cd445a671
parent5aa3b610a7330c3cd6f0cb264d2189a3a1dcf534
[PATCH] Fix 32bit sendmsg() flaw

When we copy 32bit ->msg_control contents to kernel, we walk the same
userland data twice without sanity checks on the second pass.

Second version of this patch: the original broke with 64-bit arches
running 32-bit-compat-mode executables doing sendmsg() syscalls with
unaligned CMSG data areas

Another thing is that we use kmalloc() to allocate and sock_kfree_s()
to free afterwards; less serious, but also needs fixing.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
include/net/compat.h
net/compat.c
net/socket.c