qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PULL 10/10] linux-user: Check lock_user result for ip_mreq_source socko

From: Laurent Vivier
Subject: [PULL 10/10] linux-user: Check lock_user result for ip_mreq_source sockopts
Date: Thu, 16 Sep 2021 17:12:37 +0200 
From: Peter Maydell <peter.maydell@linaro.org>

In do_setsockopt(), the code path for the options which take a struct
ip_mreq_source (IP_BLOCK_SOURCE, IP_UNBLOCK_SOURCE,
IP_ADD_SOURCE_MEMBERSHIP and IP_DROP_SOURCE_MEMBERSHIP) fails to
check the return value from lock_user().  Handle this in the usual
way by returning -TARGET_EFAULT.

(In practice this was probably harmless because we'd pass a NULL
pointer to setsockopt() and the kernel would then return EFAULT.)

Fixes: Coverity CID 1459987
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20210809155424.30968-1-peter.maydell@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
 linux-user/syscall.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index e4ffdec0d83c..544f5b662ffe 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2127,6 +2127,9 @@ static abi_long do_setsockopt(int sockfd, int level, int 
optname,
                 return -TARGET_EINVAL;
 
             ip_mreq_source = lock_user(VERIFY_READ, optval_addr, optlen, 1);
+            if (!ip_mreq_source) {
+                return -TARGET_EFAULT;
+            }
             ret = get_errno(setsockopt(sockfd, level, optname, ip_mreq_source, 
optlen));
             unlock_user (ip_mreq_source, optval_addr, 0);
             break;
-- 
2.31.1
reply via email to
[Prev in Thread] Current Thread [Next in Thread]