linux: Fix sockopt copyout

The Linux getsockopt did not check the size of the provided buffer when
copying out the value, leading to buffer overflows (e.g., for TCP_INFO).

Fix is to use the smaller of the option value size and the provided
buffer.

MFC after:	1 month
Relnotes:	yes
Reviewed by:	kib, markj
Differential Revision:	https://reviews.freebsd.org/D55881
Chuck Tuffli
2026-06-08 14:19:34 -07:00
parent ea3426bc80
commit 471fdd91d9
+14 -3
@@ -2316,10 +2316,21 @@ linux_sockopt_copyout(struct thread *td, void *val, socklen_t len,
struct linux_getsockopt_args *args)
{
int error;
l_int loptlen;
socklen_t optlen;
error = copyout(val, PTRIN(args->optval), len);
if (error == 0)
error = copyout(&len, PTRIN(args->optlen), sizeof(len));
error = copyin(PTRIN(args->optlen), &loptlen, sizeof(loptlen));
if (error != 0)
return (error);
if (loptlen < 0)
return (EINVAL);
optlen = (socklen_t)loptlen;
error = copyout(val, PTRIN(args->optval), min(len, optlen));
if (error == 0) {
loptlen = (l_int)len;
error = copyout(&loptlen, PTRIN(args->optlen), sizeof(loptlen));
}
return (error);
}
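Review bot: The length written back through `args->optlen` is still the full option size `len`, not the number of bytes actually copied, so when the caller's buffer is smaller than the option the reported length exceeds what was stored in `optval`. A caller that trusts the returned length to walk its buffer would then read bytes the kernel never filled in, possibly past the end of its own allocation. Compute the copy size once and reuse it: `optlen = min(len, (socklen_t)loptlen);` for the first copyout and `loptlen = (l_int)optlen;` before the second. This appears to match the usual getsockopt contract of reporting the truncated size, but it is worth confirming against Linux behaviour for each option routed through this helper. A one-line comment above the `copyin` stating that `*optlen` is value-result (buffer size in, bytes returned out) would also help the next reader.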