bug in sendmsg and recvmsg on linux in libc-2.0.95
Stig Venaas
venaas@itea.ntnu.no
Thu Apr 1 00:00:00 GMT 1999
Submitter-Id: net
Originator: venaas@itea.ntnu.no
Organization:
Confidential: no
Synopsis: bug in cmsg_level check in sendmsg and recvmsg on linux
Severity: serious
Priority: medium
Category: libc
Class: sw-bug
Release: libc-2.0.95
Environment:
Host type: i586-pc-linux-gnulibc1
System: Linux ivanova.venaas.com 2.1.132 #4 Mon Dec 28 18:58:40 GMT 1998 i586
Architecture: i586
Addons: crypt linuxthreads
Build CC: gcc
Compiler version: 2.8.1
Kernel headers: 2.1.132
Symbol versioning: yes
Build static: yes
Build shared: yes
Build pic-default: no
Build profile: yes
Build omitfp: no
Build bounded: no
Build static-nss: no
Stdio: libio
Description:
In glibc-2.0.95/sysdeps/unix/sysv/linux/sendmsg.c there's a check
for cm->cmsg_type == SCM_CREDS. This is done without checking
cm->cmsg_level. AFAIK, cmsg_type == 2 does only mean SCM_CREDS at
the socket level, that is cmsg_level == 1 (SOL_SOCKET). The same
goes for glibc-2.0.95/sysdeps/unix/sysv/linux/recvmsg.c.
How-To-Repeat:
Fix:
The patches below should fix it.
--- sendmsg.c~ Tue Jul 28 16:45:45 1998
+++ sendmsg.c Thu Dec 31 22:30:27 1998
@@ -67,7 +67,7 @@
cm = CMSG_FIRSTHDR (message);
while (cm)
{
- if (cm->cmsg_type == SCM_CREDS)
+ if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_CREDS)
{
if (cred ||
cm->cmsg_len < CMSG_LEN (sizeof (struct cmsgcred)))
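Review bot: A comment is missing on the changed `if` in sendmsg.c saying why the level test is there, namely that a cmsg_type value is only meaningful within its cmsg_level. Without it the `cm->cmsg_level == SOL_SOCKET &&` part looks redundant and is easy to drop in a later cleanup. The How-To-Repeat field is also empty; a small test that passes an ancillary message with type equal to SCM_CREDS at a level other than SOL_SOCKET would pin the behaviour down.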
--- recvmsg.c~ Tue Jul 28 16:45:26 1998
+++ recvmsg.c Fri Jan 1 10:31:50 1999
@@ -45,7 +45,7 @@
cm = CMSG_FIRSTHDR (message);
while (cm)
{
- if (cm->cmsg_type == SCM_CREDS)
+ if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_CREDS)
{
if (cm->cmsg_len < CMSG_SPACE (sizeof (struct cmsgcred)))
{
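Review bot: The length test under the changed `if` in this recvmsg.c hunk compares cmsg_len against `CMSG_SPACE (sizeof (struct cmsgcred))`, while the matching test in sendmsg.c uses `CMSG_LEN (sizeof (struct cmsgcred))`. cmsg_len normally holds the CMSG_LEN value, and CMSG_SPACE adds trailing alignment padding, so if the payload size is not a multiple of the alignment this rejects a correctly sized message. Since the line is being touched anyway, either make the two files agree or say in a comment why recvmsg needs the stricter bound.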
@@ -68,7 +68,7 @@
if (found_creds)
while (cm)
{
- if (cm->cmsg_type == SCM_CREDS)
+ if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_CREDS)
{
struct cmsgcred *c = (struct cmsgcred *) CMSG_DATA (cm);
struct __kernel_ucred u;
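Review bot: The second loop in recvmsg.c casts `CMSG_DATA (cm)` to `struct cmsgcred *` with no length check visible in this hunk, so it depends on the first loop having validated exactly the same set of messages. The predicate `cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_CREDS` is now written out twice in this file and once in sendmsg.c; putting it in one macro or inline helper would keep the validating loop and the converting loop from drifting apart again.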
Best wishes for the new year,
Stig
--
Stig Venås Tel: +47 73 59 53 29
NTNU Fax: +47 73 59 80 98
ITEA/Nett, Prof. Brochs g. 6
N-7034 Trondheim, Norway E-mail: venaas@itea.ntnu.no
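
The level/type collision the report describes, as an added example that is not part of the original message or of glibc. `EX_SCM_CREDS` (the value 2 the report gives for SCM_CREDS), `struct ex_creds` and the helper names are assumptions made for illustration; the control buffer is constructed sample data, and IP_TTL is used because it is also 2 on Linux but lives at the IPPROTO_IP level.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>                    /* IPPROTO_IP, IP_TTL */

#define EX_SCM_CREDS 2                     /* value the report gives for SCM_CREDS */
struct ex_creds { int pid, uid, gid; };    /* hypothetical stand-in payload */

/* Constructed control buffer, aligned for struct cmsghdr. */
static union {
    struct cmsghdr align;
    char buf[CMSG_SPACE(sizeof(int)) + CMSG_SPACE(sizeof(struct ex_creds))];
} ctl;

/* Fill msg with two ancillary messages: an IP-level TTL, then socket-level creds. */
static void build_sample(struct msghdr *msg)
{
    int ttl = 64;
    struct ex_creds cr = { 1234, 1000, 1000 };
    struct cmsghdr *cm;
    memset(&ctl, 0, sizeof ctl);           /* zeroed so CMSG_NXTHDR sees no stale length */
    memset(msg, 0, sizeof *msg);
    msg->msg_control = ctl.buf;
    msg->msg_controllen = sizeof ctl.buf;
    cm = CMSG_FIRSTHDR(msg);
    cm->cmsg_level = IPPROTO_IP;           /* different level ... */
    cm->cmsg_type = IP_TTL;                /* ... same type number as the creds message */
    cm->cmsg_len = CMSG_LEN(sizeof ttl);
    memcpy(CMSG_DATA(cm), &ttl, sizeof ttl);
    cm = CMSG_NXTHDR(msg, cm);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = EX_SCM_CREDS;
    cm->cmsg_len = CMSG_LEN(sizeof cr);
    memcpy(CMSG_DATA(cm), &cr, sizeof cr);
}

/* Count messages a walker treats as credentials, with or without the level test. */
static int count_creds(struct msghdr *msg, int check_level)
{
    int n = 0;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(msg); cm; cm = CMSG_NXTHDR(msg, cm))
        n += (!check_level || cm->cmsg_level == SOL_SOCKET) && cm->cmsg_type == EX_SCM_CREDS;
    return n;
}

int main(void)
{
    struct msghdr m;
    build_sample(&m);
    printf("type only: %d, level and type: %d\n", count_creds(&m, 0), count_creds(&m, 1));
    return 0;
}
```

With the type-only test the 4-byte TTL message is also counted as credentials, which is the misidentification the patch removes.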