starred/qemu-qemu
1
0
Fork 0
mirror of https://github.com/qemu/qemu.git synced 2026-02-04 02:24:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

linux-user: permit sendto() with NULL buf and 0 len

Browse Source 
If you pass sendto() a NULL buffer, this is usually an error
(causing an EFAULT return); however if you pass a 0 length then
we should not try to validate the buffer provided. Instead we
skip the copying of the user data and possible processing
through fd_trans_target_to_host_data, and call the host syscall
with NULL, 0.

(unlock_user() permits a NULL buffer pointer for "do nothing"
so we don't need to special case the unlock code.)

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3102
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20251028142001.3011630-1-peter.maydell@linaro.org>
This commit is contained in:
Peter Maydell
2025-10-28 14:20:01 +00:00
committed by Richard Henderson
parent 34117f03ed
commit 0db2de22fc
1 changed files with 14 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
linux-user/syscall.c
View File

@@ -3581,7 +3581,7 @@ static abi_long do_sendto(int fd, abi_ulong msg, size_t len, int flags,
abi_ulong target_addr, socklen_t addrlen)
{
void *addr;
void *host_msg;
void *host_msg = NULL;
void *copy_msg = NULL;
abi_long ret;
@@ -3589,16 +3589,19 @@ static abi_long do_sendto(int fd, abi_ulong msg, size_t len, int flags,
return -TARGET_EINVAL;
}
host_msg = lock_user(VERIFY_READ, msg, len, 1);
if (!host_msg)
return -TARGET_EFAULT;
if (fd_trans_target_to_host_data(fd)) {
copy_msg = host_msg;
host_msg = g_malloc(len);
memcpy(host_msg, copy_msg, len);
ret = fd_trans_target_to_host_data(fd)(host_msg, len);
if (ret < 0) {
goto fail;
if (len != 0) {
host_msg = lock_user(VERIFY_READ, msg, len, 1);
if (!host_msg) {
return -TARGET_EFAULT;
}
if (fd_trans_target_to_host_data(fd)) {
copy_msg = host_msg;
host_msg = g_malloc(len);
memcpy(host_msg, copy_msg, len);
ret = fd_trans_target_to_host_data(fd)(host_msg, len);
if (ret < 0) {
goto fail;
}
}
}
if (target_addr) {