fix a braino in cmsghdr_from_user_compat_to_kern()
author Al Viro <viro@zeniv.linux.org.uk>
Mon, 27 Jul 2020 18:22:20 +0000 (19:22 +0100)
committer David S. Miller <davem@davemloft.net>
Mon, 27 Jul 2020 20:25:39 +0000 (13:25 -0700)
commit 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to
copy_from_user()") missed one of the places where ucmlen should've been
replaced with cmsg.cmsg_len, now that we are fetching the entire struct
rather than doing it field-by-field.

As the result, compat sendmsg() with several different-sized cmsg
attached started to fail with EINVAL.  Trivial to fix, fortunately.

Fixes: 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to copy_from_user()")
Reported-by: Nick Bowler <nbowler@draconx.ca>
Tested-by: Nick Bowler <nbowler@draconx.ca>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/compat.c

index 5e3041a..434838b 100644 (file)
@@ -202,7 +202,7 @@ int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk,
 
                /* Advance. */
                kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
-               ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
+               ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, cmsg.cmsg_len);
        }
 
        /*
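
Review bot: The replacement at the "Advance" step leaves `ucmlen` in scope for this loop, which is what allowed the stale use on the removed line to compile at all. If `ucmlen` is still needed elsewhere in the function, consider confining its declaration to that code so any leftover use here fails to build; if it is not needed, drop it. With `cmsg.cmsg_len` the advance now uses the length from the struct the commit message says is fetched whole, so a short comment at this line noting that the user pointer must be advanced by the copied value would help keep the two in step. The commit message describes the symptom as EINVAL from compat sendmsg() with several different-sized cmsgs, found by a user report; a selftest that sends exactly that pattern would catch a regression in this path.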