if (msg->msg_name) {
        struct sockaddr_rxrpc *srx = msg->msg_name;
        size_t len = sizeof(call->peer->srx);

        memcpy(msg->msg_name, &call->peer->srx, len);
        srx->srx_service = call->service_id;
        msg->msg_namelen = len;
}

As seen, recvmsg does a memcpy of len bytes, which can be greater than the msg_namelen passed.
I think I pointed to the wrong piece of code. My actual issue is: I pass msg_namelen as 16 to recvmsg, with a 16-byte buffer allocated in msg_name. It's overwriting two extra bytes and returning msg_namelen as 18.
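Added example (not kernel code and not from this thread): a copy that honours the caller's msg_namelen and still reports the full address length so truncation is detectable, using a constructed 18-byte stand-in for struct sockaddr_rxrpc and a guard-byte self-check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for struct sockaddr_rxrpc: 18 bytes, no padding.
 * The real kernel struct is larger; only the layout idea matters here. */
struct fake_rxrpc_addr {
    uint16_t srx_family;
    uint16_t srx_service;
    uint8_t  transport[14];
};

/* Copy the peer address into a caller buffer of namelen bytes.
 * Never writes past namelen; patches srx_service on a local copy rather
 * than through the (possibly short) destination; returns the full
 * address length so the caller can detect truncation. */
size_t copy_peer_addr(void *msg_name, size_t namelen,
                      const struct fake_rxrpc_addr *peer, uint16_t service_id)
{
    struct fake_rxrpc_addr tmp = *peer;
    size_t full = sizeof(tmp);
    size_t n = namelen < full ? namelen : full;

    tmp.srx_service = service_id;
    if (msg_name && n)
        memcpy(msg_name, &tmp, n);
    return full;
}

/* Constructed self-check: 16-byte destination followed by guard bytes.
 * Returns 1 when the guard bytes survive, the full length (18) is
 * reported and the service id landed at offset 2. */
int demo_truncated_copy(void)
{
    struct fake_rxrpc_addr peer = { .srx_family = 33, .srx_service = 0,
                                    .transport = { 1, 2, 3, 4 } };
    unsigned char buf[24];
    uint16_t svc;

    memset(buf, 0xAA, sizeof(buf));
    size_t full = copy_peer_addr(buf, 16, &peer, 0x1234);
    memcpy(&svc, buf + 2, sizeof(svc));      /* endian-neutral read-back */

    return full == 18 && buf[16] == 0xAA && buf[17] == 0xAA && svc == 0x1234;
}
```

A caller comparing the returned length against the namelen it supplied learns that its buffer was too short, instead of having two bytes silently written past it.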