net: rework recvmsg handler msg_name and msg_namelen logic

This patch now always passes msg->msg_namelen as 0. recvmsg handlers must set msg_namelen to the proper size <= sizeof(struct sockaddr_storage) to return msg_name to the user. This prevents numerous uninitialized memory leaks we had in the recvmsg handlers and makes it harder for new code to accidentally leak uninitialized memory. Optimize for the case recvfrom is called with NULL as address. We don't need to copy the address at all, so set it to NULL before invoking the recvmsg handler. We can do so, because all the recvmsg handlers must cope with the case a plain read() is called on them. read() also sets msg_name to NULL. Also document these changes in include/linux/net.h as suggested by David Miller. Changes since RFC: Set msg->msg_name = NULL if user specified a NULL in msg_name but had a non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't affect sendto as it would bail out earlier while trying to copy-in the address. It also more naturally reflects the logic by the callers of verify_iovec. With this change in place I could remove " if (!uaddr || msg_sys->msg_namelen == 0) msg->msg_name = NULL ". This change does not alter the user visible error logic as we ignore msg_namelen as long as msg_name is NULL. Also remove two unnecessary curly brackets in ___sys_recvmsg and change comments to netdev style. Cc: David Miller <davem@davemloft.net> Suggested-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Hannes Frederic Sowa <hannes@stressinduktion.org> 2013-11-20 21:14:22 -0500
committer: David S. Miller <davem@davemloft.net> 2013-11-20 21:52:30 -0500
commit: f3d3342602f8bcbf37d7c46641cb9bca7618eb1c (patch)
tree: 11aebad9cca99426db27130b19417141259c81f4 /drivers/isdn
parent: f873042093c0b418d2351fe142222b625c740149 (diff)
1 files changed, 4 insertions, 9 deletions
diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
index e47dcb9d1e91..5cefb479c707 100644
--- a/drivers/isdn/mISDN/socket.c
+++ b/drivers/isdn/mISDN/socket.c
@@ -117,7 +117,6 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
 {
        struct sk_buff          *skb;
        struct sock             *sk = sock->sk;
-        struct sockaddr_mISDN   *maddr;
        int             copied, err;
@@ -135,9 +134,9 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
        if (!skb)
                return err;
-        if (msg->msg_namelen >= sizeof(struct sockaddr_mISDN)) {
+        if (msg->msg_name) {
-                msg->msg_namelen = sizeof(struct sockaddr_mISDN);
+                struct sockaddr_mISDN *maddr = msg->msg_name;
-                maddr = (struct sockaddr_mISDN *)msg->msg_name;
                maddr->family = AF_ISDN;
                maddr->dev = _pms(sk)->dev->id;
                if ((sk->sk_protocol == ISDN_P_LAPD_TE) ||
@@ -150,11 +149,7 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
                        maddr->sapi = _pms(sk)->ch.addr & 0xFF;
                        maddr->tei =  (_pms(sk)->ch.addr >> 8) & 0xFF;
                }
-        } else {
+                msg->msg_namelen = sizeof(*maddr);
-                if (msg->msg_namelen)
-                        printk(KERN_WARNING "%s: too small namelen %d\n",
-                               __func__, msg->msg_namelen);
-                msg->msg_namelen = 0;
        }
        copied = skb->len + MISDN_HEADER_LEN;
author	Hannes Frederic Sowa <hannes@stressinduktion.org>	2013-11-20 21:14:22 -0500
committer	David S. Miller <davem@davemloft.net>	2013-11-20 21:52:30 -0500
commit	f3d3342602f8bcbf37d7c46641cb9bca7618eb1c (patch)
tree	11aebad9cca99426db27130b19417141259c81f4 /drivers/isdn
parent	f873042093c0b418d2351fe142222b625c740149 (diff)

diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c index e47dcb9d1e91..5cefb479c707 100644 --- a/drivers/isdn/mISDN/socket.c +++ b/drivers/isdn/mISDN/socket.c
@@ -117,7 +117,6 @@ mISDN_sock_recvmsg(struct kiocb iocb, struct socket sock,
117	{	117	{
118	struct sk_buff *skb;	118	struct sk_buff *skb;
119	struct sock *sk = sock->sk;	119	struct sock *sk = sock->sk;
120	struct sockaddr_mISDN *maddr;
121		120
122	int copied, err;	121	int copied, err;
123		122
@@ -135,9 +134,9 @@ mISDN_sock_recvmsg(struct kiocb iocb, struct socket sock,
135	if (!skb)	134	if (!skb)
136	return err;	135	return err;
137		136
138	if (msg->msg_namelen >= sizeof(struct sockaddr_mISDN)) {	137	if (msg->msg_name) {
139	msg->msg_namelen = sizeof(struct sockaddr_mISDN);	138	struct sockaddr_mISDN *maddr = msg->msg_name;
140	maddr = (struct sockaddr_mISDN *)msg->msg_name;	139
141	maddr->family = AF_ISDN;	140	maddr->family = AF_ISDN;
142	maddr->dev = _pms(sk)->dev->id;	141	maddr->dev = _pms(sk)->dev->id;
143	if ((sk->sk_protocol == ISDN_P_LAPD_TE) \|\|	142	if ((sk->sk_protocol == ISDN_P_LAPD_TE) \|\|
@@ -150,11 +149,7 @@ mISDN_sock_recvmsg(struct kiocb iocb, struct socket sock,
150	maddr->sapi = _pms(sk)->ch.addr & 0xFF;	149	maddr->sapi = _pms(sk)->ch.addr & 0xFF;
151	maddr->tei = (_pms(sk)->ch.addr >> 8) & 0xFF;	150	maddr->tei = (_pms(sk)->ch.addr >> 8) & 0xFF;
152	}	151	}
153	} else {	152	msg->msg_namelen = sizeof(*maddr);
154	if (msg->msg_namelen)
155	printk(KERN_WARNING "%s: too small namelen %d\n",
156	__func__, msg->msg_namelen);
157	msg->msg_namelen = 0;
158	}	153	}
159		154
160	copied = skb->len + MISDN_HEADER_LEN;	155	copied = skb->len + MISDN_HEADER_LEN;