linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC

If recvmsg()/recvfrom() are used with the MSG_TRUNC flag, they return the real length even if it was longer than the passed buffer. So when we translate the buffer we must check we don't go beyond the end of the buffer. Bug: https://github.com/vivier/qemu-m68k/issues/33 Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Signed-off-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20180820171557.7734-2-laurent@vivier.eu>
2018-08-20 19:15:54 +02:00 · 2018-08-20 19:15:54 +02:00 · 2a03d3e6ae
parent 5b38d02640
commit 2a03d3e6ae
1 changed files with 7 additions and 2 deletions
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@ -3892,7 +3892,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp,
            len = ret;
            if (fd_trans_host_to_target_data(fd)) {
                ret = fd_trans_host_to_target_data(fd)(msg.msg_iov->iov_base,
-                                                       len);
+                                               MIN(msg.msg_iov->iov_len, len));
            } else {
                ret = host_to_target_cmsg(msgp, &msg);
            }
@ -4169,7 +4169,12 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, size_t len, int flags,
    }
    if (!is_error(ret)) {
        if (fd_trans_host_to_target_data(fd)) {
-            ret = fd_trans_host_to_target_data(fd)(host_msg, ret);
+            abi_long trans;
+            trans = fd_trans_host_to_target_data(fd)(host_msg, MIN(ret, len));
+            if (is_error(trans)) {
+                ret = trans;
+                goto fail;
+            }
        }
        if (target_addr) {
            host_to_target_sockaddr(target_addr, addr, addrlen);