Bug 205681

Summary: recvmsg is overwriting the buffer passed in msg_name by exceeding msg_namelen
Product: Networking
Reporter: SREENIVASA SUDHEENDRA (sudheendrasp)
Component: IPV4
Assignee: Stephen Hemminger (stephen)
Status: NEW
Severity: high
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.4, 4.0, 3.0, 2.6
Subsystem:
Regression: No
Bisected commit-id:

Description SREENIVASA SUDHEENDRA 2019-11-27 06:36:50 UTC
    if (msg->msg_name) {
        struct sockaddr_rxrpc *srx = msg->msg_name;
        size_t len = sizeof(call->peer->srx);

        memcpy(msg->msg_name, &call->peer->srx, len);
        srx->srx_service = call->service_id;
        msg->msg_namelen = len;
    }

As seen, recvmsg does a memcpy of len bytes, which can be greater than the msg_namelen passed in.
Comment 1 SREENIVASA SUDHEENDRA 2019-11-28 05:05:28 UTC
I think I pointed to the wrong piece of code.
My actual issue is: I pass msg_namelen as 16 to recvmsg, with a buffer pointer allocated with 16 bytes in msg_name. It's overwriting two extra bytes and returning msg_namelen as 18.
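A userspace check for the behaviour described in Comment 1, added here as an example; it is not code from the bug report or from the kernel. It assumes a Linux host with IPv4 loopback available. Instead of the report's 16-byte buffer against an 18-byte address, it passes msg_namelen = 8 for a UDP socket whose peer address is a 16-byte struct sockaddr_in, so the same question can be asked with a buffer that is certainly undersized: are the bytes beyond msg_namelen written, and what msg_namelen does recvmsg() report afterwards? Guard bytes placed after the address buffer and the returned length are both captured so the answer is observed rather than inferred. The function name probe_msg_name_truncation, the struct probe_result type and the "probe" datagram are this example's own constructions.

```c
/* Added example: userspace probe for recvmsg() msg_name/msg_namelen handling.
 * Not kernel code and not from the bug report. Assumes Linux with IPv4 loopback. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#define NAME_BUF   8      /* deliberately smaller than sizeof(struct sockaddr_in) == 16 */
#define GUARD      24     /* bytes after the address buffer that must stay untouched */
#define GUARD_BYTE 0xAA

struct probe_result {
    socklen_t requested_namelen;   /* msg_namelen passed in (NAME_BUF) */
    socklen_t reported_namelen;    /* msg_namelen as set by recvmsg() */
    int       guard_intact;        /* 1 if no byte beyond NAME_BUF was written */
    ssize_t   payload_len;         /* datagram bytes received */
};

/* Binds a UDP socket on 127.0.0.1, sends a datagram to itself, receives it with
 * an undersized msg_name buffer. Returns 0 on success, -1 with errno set if a
 * socket call failed (e.g. no loopback in this environment). */
int probe_msg_name_truncation(struct probe_result *r)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;

    /* Never block forever if the datagram does not arrive. */
    struct timeval tv = { .tv_sec = 2, .tv_usec = 0 };
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);

    struct sockaddr_in self = { .sin_family = AF_INET, .sin_port = 0 };
    self.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&self, sizeof self) < 0) { close(fd); return -1; }
    socklen_t slen = sizeof self;
    if (getsockname(fd, (struct sockaddr *)&self, &slen) < 0) { close(fd); return -1; }

    static const char payload[] = "probe";   /* constructed sample datagram */
    if (sendto(fd, payload, sizeof payload, 0,
               (struct sockaddr *)&self, sizeof self) < 0) { close(fd); return -1; }

    /* NAME_BUF bytes for the address, then GUARD bytes of canary. */
    unsigned char namebuf[NAME_BUF + GUARD];
    memset(namebuf, GUARD_BYTE, sizeof namebuf);

    char rxbuf[64];
    struct iovec iov = { .iov_base = rxbuf, .iov_len = sizeof rxbuf };
    struct msghdr msg = {
        .msg_name    = namebuf,
        .msg_namelen = NAME_BUF,       /* claim only 8 bytes of address space */
        .msg_iov     = &iov,
        .msg_iovlen  = 1,
    };

    ssize_t n = recvmsg(fd, &msg, 0);
    close(fd);
    if (n < 0) return -1;

    r->requested_namelen = NAME_BUF;
    r->reported_namelen  = msg.msg_namelen;
    r->payload_len       = n;
    r->guard_intact      = 1;
    for (size_t i = NAME_BUF; i < sizeof namebuf; i++)
        if (namebuf[i] != GUARD_BYTE) { r->guard_intact = 0; break; }
    return 0;
}

int main(void)
{
    struct probe_result r;
    if (probe_msg_name_truncation(&r) < 0) {
        perror("probe");
        return 1;
    }
    printf("msg_namelen in: %u, out: %u (sizeof(struct sockaddr_in) = %zu)\n",
           (unsigned)r.requested_namelen, (unsigned)r.reported_namelen,
           sizeof(struct sockaddr_in));
    printf("bytes beyond msg_namelen untouched: %s\n", r.guard_intact ? "yes" : "NO");
    return r.guard_intact ? 0 : 2;
}
```

The two outputs answer different questions and should be read separately. A kernel that follows the recvfrom(2) contract copies at most the caller's msg_namelen bytes and then reports the full address length, so msg_namelen coming back larger than what was passed (16 here, 18 in the report) is the documented way of signalling truncation, not by itself evidence of an overwrite. A changed guard byte is what would show the overwrite the report describes, and the probe exits non-zero in that case.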