linux: Fix sockopt copyout
The Linux getsockopt did not check the size of the provided buffer when copying out the value, leading to buffer overflows (e.g., for TCP_INFO). The fix is to copy out the smaller of the option value size and the provided buffer size.

MFC after: 1 month
Relnotes: yes
Reviewed by: kib, markj
Differential Revision: https://reviews.freebsd.org/D55881
@@ -2316,10 +2316,21 @@ linux_sockopt_copyout(struct thread *td, void *val, socklen_t len,
|
||||
struct linux_getsockopt_args *args)
|
||||
{
|
||||
int error;
|
||||
l_int loptlen;
|
||||
socklen_t optlen;
|
||||
|
||||
error = copyout(val, PTRIN(args->optval), len);
|
||||
if (error == 0)
|
||||
error = copyout(&len, PTRIN(args->optlen), sizeof(len));
|
||||
error = copyin(PTRIN(args->optlen), &loptlen, sizeof(loptlen));
|
||||
if (error != 0)
|
||||
return (error);
|
||||
if (loptlen < 0)
|
||||
return (EINVAL);
|
||||
|
||||
optlen = (socklen_t)loptlen;
|
||||
error = copyout(val, PTRIN(args->optval), min(len, optlen));
|
||||
if (error == 0) {
|
||||
loptlen = (l_int)len;
|
||||
error = copyout(&loptlen, PTRIN(args->optlen), sizeof(loptlen));
|
||||
}
|
||||
return (error);
|
||||
}
|
||||
|
||||
|
||||
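Review bot: On success the length written back to `args->optlen` is the full `len`, not the `min(len, optlen)` bytes that were actually copied to `optval`. When the caller's buffer is shorter than the option, the reported length therefore exceeds what the kernel filled in, and a Linux program that trusts the returned length would read bytes of its own buffer that were never written. Linux getsockopt generally reports the truncated length in this case, which is worth confirming for the options routed through this helper. Clamping once and reusing the result keeps the two copyouts consistent: `optlen = min(len, (socklen_t)loptlen);`, `error = copyout(val, PTRIN(args->optval), optlen);`, `loptlen = (l_int)optlen;`. The function's signature begins above the hunk, so its callers and the origin of `len` are not visible here.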