linux-user: Handle short lengths in host_to_target_sockaddr()
If userspace specifies a short buffer for a target sockaddr,
the kernel will only copy in as much as it has space for
(or none at all if the length is zero) -- see the kernel
move_addr_to_user() function. Mimic this in QEMU's
host_to_target_sockaddr() routine.
In particular, this fixes a segfault running the LTP
recvfrom01 test, where the guest makes a recvfrom()
call with a bad buffer pointer and other parameters which
cause the kernel to set the addrlen to zero; because we
did not skip the attempt to swap the sa_family field we
segfaulted on the bad address.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 0a99af8..ca6a2b4 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1376,12 +1376,19 @@
{
struct target_sockaddr *target_saddr;
+ if (len == 0) {
+ return 0;
+ }
+
target_saddr = lock_user(VERIFY_WRITE, target_addr, len, 0);
if (!target_saddr)
return -TARGET_EFAULT;
memcpy(target_saddr, addr, len);
- target_saddr->sa_family = tswap16(addr->sa_family);
- if (addr->sa_family == AF_NETLINK) {
+ if (len >= offsetof(struct target_sockaddr, sa_family) +
+ sizeof(target_saddr->sa_family)) {
+ target_saddr->sa_family = tswap16(addr->sa_family);
+ }
+ if (addr->sa_family == AF_NETLINK && len >= sizeof(struct sockaddr_nl)) {
struct sockaddr_nl *target_nl = (struct sockaddr_nl *)target_saddr;
target_nl->nl_pid = tswap32(target_nl->nl_pid);
target_nl->nl_groups = tswap32(target_nl->nl_groups);
