aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
authorHannes Frederic Sowa <hannes@stressinduktion.org>2013-11-20 21:14:22 -0500
committerDavid S. Miller <davem@davemloft.net>2013-11-20 21:52:30 -0500
commitf3d3342602f8bcbf37d7c46641cb9bca7618eb1c (patch)
tree11aebad9cca99426db27130b19417141259c81f4 /net/bluetooth
parentf873042093c0b418d2351fe142222b625c740149 (diff)
net: rework recvmsg handler msg_name and msg_namelen logic
This patch now always passes msg->msg_namelen as 0. recvmsg handlers must set msg_namelen to the proper size <= sizeof(struct sockaddr_storage) to return msg_name to the user. This prevents numerous uninitialized memory leaks we had in the recvmsg handlers and makes it harder for new code to accidentally leak uninitialized memory. Optimize for the case recvfrom is called with NULL as address. We don't need to copy the address at all, so set it to NULL before invoking the recvmsg handler. We can do so, because all the recvmsg handlers must cope with the case a plain read() is called on them. read() also sets msg_name to NULL. Also document these changes in include/linux/net.h as suggested by David Miller. Changes since RFC: Set msg->msg_name = NULL if user specified a NULL in msg_name but had a non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't affect sendto as it would bail out earlier while trying to copy-in the address. It also more naturally reflects the logic by the callers of verify_iovec. With this change in place I could remove " if (!uaddr || msg_sys->msg_namelen == 0) msg->msg_name = NULL ". This change does not alter the user visible error logic as we ignore msg_namelen as long as msg_name is NULL. Also remove two unnecessary curly brackets in ___sys_recvmsg and change comments to netdev style. Cc: David Miller <davem@davemloft.net> Suggested-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/af_bluetooth.c9
-rw-r--r--net/bluetooth/hci_sock.c2
-rw-r--r--net/bluetooth/rfcomm/sock.c1
-rw-r--r--net/bluetooth/sco.c1
4 files changed, 2 insertions, 11 deletions
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index f6a1671ea2ff..56ca494621c6 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -224,10 +224,9 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
224 224
225 skb = skb_recv_datagram(sk, flags, noblock, &err); 225 skb = skb_recv_datagram(sk, flags, noblock, &err);
226 if (!skb) { 226 if (!skb) {
227 if (sk->sk_shutdown & RCV_SHUTDOWN) { 227 if (sk->sk_shutdown & RCV_SHUTDOWN)
228 msg->msg_namelen = 0;
229 return 0; 228 return 0;
230 } 229
231 return err; 230 return err;
232 } 231 }
233 232
@@ -245,8 +244,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
245 if (bt_sk(sk)->skb_msg_name) 244 if (bt_sk(sk)->skb_msg_name)
246 bt_sk(sk)->skb_msg_name(skb, msg->msg_name, 245 bt_sk(sk)->skb_msg_name(skb, msg->msg_name,
247 &msg->msg_namelen); 246 &msg->msg_namelen);
248 else
249 msg->msg_namelen = 0;
250 } 247 }
251 248
252 skb_free_datagram(sk, skb); 249 skb_free_datagram(sk, skb);
@@ -295,8 +292,6 @@ int bt_sock_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
295 if (flags & MSG_OOB) 292 if (flags & MSG_OOB)
296 return -EOPNOTSUPP; 293 return -EOPNOTSUPP;
297 294
298 msg->msg_namelen = 0;
299
300 BT_DBG("sk %p size %zu", sk, size); 295 BT_DBG("sk %p size %zu", sk, size);
301 296
302 lock_sock(sk); 297 lock_sock(sk);
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 71f0be173080..6a6c8bb4fd72 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -856,8 +856,6 @@ static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
856 if (!skb) 856 if (!skb)
857 return err; 857 return err;
858 858
859 msg->msg_namelen = 0;
860
861 copied = skb->len; 859 copied = skb->len;
862 if (len < copied) { 860 if (len < copied) {
863 msg->msg_flags |= MSG_TRUNC; 861 msg->msg_flags |= MSG_TRUNC;
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index c4d3d423f89b..c80766f892c3 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -615,7 +615,6 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
615 615
616 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 616 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
617 rfcomm_dlc_accept(d); 617 rfcomm_dlc_accept(d);
618 msg->msg_namelen = 0;
619 return 0; 618 return 0;
620 } 619 }
621 620
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 12a0e51e21e1..24fa3964b3c8 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -711,7 +711,6 @@ static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
711 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 711 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
712 sco_conn_defer_accept(pi->conn->hcon, pi->setting); 712 sco_conn_defer_accept(pi->conn->hcon, pi->setting);
713 sk->sk_state = BT_CONFIG; 713 sk->sk_state = BT_CONFIG;
714 msg->msg_namelen = 0;
715 714
716 release_sock(sk); 715 release_sock(sk);
717 return 0; 716 return 0;
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-12 21:19:44 -0500