[PATCH] Fix 32bit sendmsg() flaw

When we copy 32bit ->msg_control contents to kernel, we walk the same
userland data twice without sanity checks on the second pass.

Second version of this patch: the original broke with 64-bit arches
running 32-bit-compat-mode executables doing sendmsg() syscalls with
unaligned CMSG data areas

Another thing is that we use kmalloc() to allocate and sock_kfree_s()
to free afterwards; less serious, but also needs fixing.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

1 files changed, 2 insertions, 1 deletions

diff --git a/net/socket.c b/net/socket.c
index e1bd5d84d7bf..c699e93c33d7 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1745,10 +1745,11 @@ asmlinkage long sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
                 goto out_freeiov;
         ctl_len = msg_sys.msg_controllen; 
         if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
-                err = cmsghdr_from_user_compat_to_kern(&msg_sys, ctl, sizeof(ctl));
+                err = cmsghdr_from_user_compat_to_kern(&msg_sys, sock->sk, ctl, sizeof(ctl));
                 if (err)
                         goto out_freeiov;
                 ctl_buf = msg_sys.msg_control;
+                ctl_len = msg_sys.msg_controllen;
         } else if (ctl_len) {
                 if (ctl_len > sizeof(ctl))
                 {