mailing list of musl libc
* [musl] [PATCH] fix segfault in recvmsg when msg argument is NULL
From: zhuyan (M) @ 2021-01-12  7:58 UTC
  To: musl; +Cc: Zengweilin, liucheng (G), chenzefeng (A)


When msg is NULL, reading msg->msg_controllen in recvmsg dereferences a null pointer.

The commit ae388becb529428ac926da102f1d025b3c3968da introduces this problem.

Signed-off-by: Qing Wu <wuqing30@huawei.com>
Signed-off-by: Yan Zhu <zhuyan34@huawei.com>
---
 src/network/recvmsg.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/network/recvmsg.c b/src/network/recvmsg.c index 03641625..c36ffb8d 100644
--- a/src/network/recvmsg.c
+++ b/src/network/recvmsg.c
@@ -4,6 +4,7 @@
 #include <sys/time.h>
 #include <string.h>
 #include "syscall.h"
+#include <errno.h>
 
 hidden void __convert_scm_timestamps(struct msghdr *, socklen_t);
 
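Review bot: the new `#include <errno.h>` is placed after `#include "syscall.h"`, breaking this file's existing order of system headers before the project's own header; move it up next to `#include <string.h>`. The include is also only there to supply EINVAL for the early return in the next hunk, so its fate is tied to whether that return survives review.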
@@ -49,6 +50,8 @@ void __convert_scm_timestamps(struct msghdr *msg, socklen_t csize)
 
 ssize_t recvmsg(int fd, struct msghdr *msg, int flags)  {
+	if (!msg) return -EINVAL;
+
 	ssize_t r;
 	socklen_t orig_controllen = msg->msg_controllen;  #if LONG_MAX > INT_MAX
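Review bot: `if (!msg) return -EINVAL;` hands the caller a negated error code, but recvmsg's contract is to return -1 and set errno; a caller that tests `r == -1` would take -22 for a byte count and errno would be stale. If a check is kept at all, it should read `errno = EINVAL; return -1;`, and it should be reconciled with the existing 64-bit-only `if (msg)` test later in this function, which the early return makes redundant on those archs and inconsistent on the others. Note also that POSIX requires the message argument to point to a msghdr, so the maintainer may prefer to reject the check rather than fix it.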
--
2.12.3



* [musl] [PATCH] fix segfault in recvmsg when msg argument is NULL
From: zhuyan (M) @ 2021-01-26  2:32 UTC
  To: musl; +Cc: Zengweilin, liucheng (G), chenzefeng (A)


When msg is NULL, reading msg->msg_controllen in recvmsg dereferences a null pointer.

The commit ae388becb529428ac926da102f1d025b3c3968da introduces this problem.

Signed-off-by: Qing Wu <wuqing30@huawei.com>
Signed-off-by: Yan Zhu <zhuyan34@huawei.com>
---
 src/network/recvmsg.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/network/recvmsg.c b/src/network/recvmsg.c index 03641625..c36ffb8d 100644
--- a/src/network/recvmsg.c
+++ b/src/network/recvmsg.c
@@ -4,6 +4,7 @@
 #include <sys/time.h>
 #include <string.h>
 #include "syscall.h"
+#include <errno.h>
 
 hidden void __convert_scm_timestamps(struct msghdr *, socklen_t);
 
@@ -49,6 +50,8 @@ void __convert_scm_timestamps(struct msghdr *msg, socklen_t csize)
 
 ssize_t recvmsg(int fd, struct msghdr *msg, int flags)  {
+	if (!msg) return -EINVAL;
+
 	ssize_t r;
 	socklen_t orig_controllen = msg->msg_controllen;  #if LONG_MAX > INT_MAX
--
2.12.3



* Re: [musl] [PATCH] fix segfault in recvmsg when msg argument is NULL
From: Rich Felker @ 2021-01-26  2:44 UTC
  To: zhuyan (M); +Cc: musl, Zengweilin, liucheng (G), chenzefeng (A)

On Tue, Jan 12, 2021 at 07:58:26AM +0000, zhuyan (M) wrote:
> 
> When msg is NULL, reading msg->msg_controllen in recvmsg dereferences a null pointer.

"The recvmsg() function takes the following arguments:
    ...
    message
        Points to a msghdr structure, ..."
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^


* Re: [musl] [PATCH] fix segfault in recvmsg when msg argument is NULL
From: Rich Felker @ 2021-01-26 17:41 UTC
  To: zhuyan (M); +Cc: musl, Zengweilin, liucheng (G), chenzefeng (A)

On Mon, Jan 25, 2021 at 09:44:25PM -0500, Rich Felker wrote:
> On Tue, Jan 12, 2021 at 07:58:26AM +0000, zhuyan (M) wrote:
> > 
> > When msg is NULL, reading msg->msg_controllen in recvmsg dereferences a null pointer.
> 
> "The recvmsg() function takes the following arguments:
>     ...
>     message
>         Points to a msghdr structure, ..."
>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It was pointed out to me on IRC that there is an "if (msg)" condition
later (only on 64-bit archs), which makes this at least inconsistent.
So some cleanup is probably called for.

Also, the patch was incorrect even if you want to avoid crashing. It
returns a negated error code rather than setting errno and returning
-1.

Rich
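
The return-convention point raised above, as an added illustration that is not part of the thread and not musl's source: the raw-path and conversion helpers below are stand-ins written for this example (they model the negated-errno style of a Linux syscall and the errno-plus-minus-one style of the public API), and only the NULL-msg case is modelled.

```c
/* Added example, not musl's code: a model of the two ways a libc wrapper
 * can report a bad argument, with recvmsg's NULL-msg case as the input. */
#include <errno.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Stand-in for the raw kernel path (assumption: only the NULL case is
 * modelled). Like a Linux syscall it fails by returning a negated errno. */
static long raw_recvmsg_model(struct msghdr *msg)
{
	if (!msg) return -EINVAL;
	return 0;          /* pretend zero bytes were received */
}

/* Boundary between raw path and public API: a negated errno coming back
 * from the raw path becomes errno + -1 (assumption: the top 4096 values of
 * the unsigned range are error codes, as Linux reserves them). */
static ssize_t api_return(long r)
{
	if ((unsigned long)r > -4096UL) {
		errno = (int)-r;
		return -1;
	}
	return r;
}

/* What the posted patch does: the early return bypasses that boundary and
 * the caller receives -22 with errno untouched. */
ssize_t recvmsg_patched_style(struct msghdr *msg)
{
	if (!msg) return -EINVAL;
	return api_return(raw_recvmsg_model(msg));
}

/* The convention the reply asks for: errno set, -1 returned. Here the NULL
 * case simply flows through the same conversion as every other error. */
ssize_t recvmsg_errno_style(struct msghdr *msg)
{
	return api_return(raw_recvmsg_model(msg));
}

/* A POSIX-conforming caller tests for exactly -1 and then reads errno.
 * Returns 1 if the failure is seen, 0 if the value is taken as a length. */
int caller_detects_failure(ssize_t r)
{
	return r == -1 && errno != 0;
}
```

The contrast is what a conforming caller observes: the patched style yields -22 that such a caller never recognizes as an error, while the errno style yields -1 with errno == EINVAL.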

