linux: Fix sockopt copyout
Needs ReviewPublic
Actions

Authored by chuck on Mon, Mar 16, 6:34 PM.

Details

Reviewers

emaste
kib
markj

Summary

The Linux getsockopt did not check the size of the provided buffer when
copying out the value, leading to buffer overflows (e.g., for TCP_INFO).

Fix is to use the smaller of the option value size and the provided
buffer.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 71430
Build 68313: arc lint + arc unit

Event Timeline

chuck created this revision.Mon, Mar 16, 6:34 PM

Herald added a subscriber: imp. · View Herald TranscriptMon, Mar 16, 6:34 PM

chuck requested review of this revision.Mon, Mar 16, 6:34 PM

Harbormaster completed remote builds in B71430: Diff 173763.Mon, Mar 16, 6:34 PM

chuck added a child revision: D55882: linux: Add TCP_INFO support.Mon, Mar 16, 6:35 PM

kib added inline comments.Mon, Mar 16, 8:43 PM

sys/compat/linux/linux_socket.c
2199	Is it right to use FreeBSD-native type for socklen? Do we need e.g. linux_socklen_t, if we do not have it already?

chuck added inline comments.Tue, Mar 17, 2:43 PM

sys/compat/linux/linux_socket.c
2199	There is a `l_socklen_t` in `sys/amd64/linux/linux.h`, but it is defined as an `l_ulong`. Since `linux_getsockopt_args` defines `optlen` as `l_uintptr_t`, perhaps this should be `l_uint`?

kib added inline comments.Tue, Mar 17, 3:16 PM

sys/compat/linux/linux_socket.c
2199	But why l_uint? It should be l_socklen_t, no?

markj added inline comments.Fri, Mar 20, 2:59 AM

sys/compat/linux/linux_socket.c
2199	In the Linux sources the type is `int *`. I don't know why our emulator uses l_uintptr_t, it looks incorrect. Probably that should be fixed.

Revision Contents
Changeset List

Path

Size

sys/

compat/

linux/

linux_socket.c

7 lines

Diff 173763

View Options

sys/compat/linux/linux_socket.c

linux: Fix sockopt copyoutNeeds ReviewPublicActions