This is the mail archive of the libc-alpha@cygnus.com mailing list for the glibc project.



bug in sendmsg and recvmsg on linux in libc-2.0.95


Submitter-Id:	net
Originator:	venaas@itea.ntnu.no
Organization:
Confidential:	no
Synopsis:	bug in cmsg_level check in sendmsg and recvmsg on linux 
Severity:	serious
Priority:	medium
Category:	libc
Class:		sw-bug
Release:	libc-2.0.95
Environment:

Host type: i586-pc-linux-gnulibc1
System: Linux ivanova.venaas.com 2.1.132 #4 Mon Dec 28 18:58:40 GMT 1998 i586
Architecture: i586

Addons: crypt linuxthreads

Build CC: gcc
Compiler version: 2.8.1
Kernel headers: 2.1.132
Symbol versioning: yes
Build static: yes
Build shared: yes
Build pic-default: no
Build profile: yes
Build omitfp: no
Build bounded: no
Build static-nss: no
Stdio: libio

Description:
	In glibc-2.0.95/sysdeps/unix/sysv/linux/sendmsg.c there's a check
	for cm->cmsg_type == SCM_CREDS. This is done without checking
	cm->cmsg_level. AFAIK, cmsg_type == 2 only means SCM_CREDS at
	the socket level, that is, cmsg_level == 1 (SOL_SOCKET). The same
	goes for glibc-2.0.95/sysdeps/unix/sysv/linux/recvmsg.c.

How-To-Repeat:

Fix:
	The patches below should fix it.

--- sendmsg.c~  Tue Jul 28 16:45:45 1998
+++ sendmsg.c   Thu Dec 31 22:30:27 1998
@@ -67,7 +67,7 @@
       cm = CMSG_FIRSTHDR (message);
       while (cm)
        {
-         if (cm->cmsg_type == SCM_CREDS)
+         if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_CREDS)
            {
              if (cred ||
                  cm->cmsg_len < CMSG_LEN (sizeof (struct cmsgcred)))
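Review bot: the new two-part condition on the `if` at line 70 of sendmsg.c carries no comment saying why the level has to be tested, so a later cleanup could drop it again. A one-line comment above it noting that cmsg_type values are only unique within a cmsg_level (type 2 is SCM_CREDS only under SOL_SOCKET) would keep the reason next to the code.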
--- recvmsg.c~  Tue Jul 28 16:45:26 1998
+++ recvmsg.c   Fri Jan  1 10:31:50 1999
@@ -45,7 +45,7 @@
   cm = CMSG_FIRSTHDR (message);
   while (cm)
     {
-      if (cm->cmsg_type == SCM_CREDS)
+      if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_CREDS)
        {
          if (cm->cmsg_len < CMSG_SPACE (sizeof (struct cmsgcred)))
            {
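Review bot: the length test on the context line directly under the changed `if` (line 48 of recvmsg.c) compares cmsg_len against CMSG_SPACE, while the matching test in the sendmsg.c hunk uses CMSG_LEN. cmsg_len covers the header plus payload without trailing padding, which is what CMSG_LEN computes; CMSG_SPACE adds the padding, so wherever the two differ a correctly sized credentials header may fail this test. Since the patch already touches this condition, consider `cm->cmsg_len < CMSG_LEN (sizeof (struct cmsgcred))` here as well, or a comment explaining why the two files differ.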
@@ -68,7 +68,7 @@
   if (found_creds)
     while (cm)
       {
-       if (cm->cmsg_type == SCM_CREDS)
+       if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_CREDS)
          {
            struct cmsgcred *c = (struct cmsgcred *) CMSG_DATA (cm);
            struct __kernel_ucred u;
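Review bot: the condition at line 71 of recvmsg.c repeats the predicate from the first loop, and the cast of CMSG_DATA (cm) to struct cmsgcred * under it appears to rely on the length test made in that first loop, so the two conditions have to stay identical. With the test now two clauses long and written out three times across sendmsg.c and recvmsg.c, a small shared macro or inline helper for "is a SOL_SOCKET/SCM_CREDS header" would keep the copies from drifting apart.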

Best wishes for the new year,

Stig

-- 
Stig Venås                      Tel:    +47 73 59 53 29
NTNU				Fax:    +47 73 59 80 98
ITEA/Nett, Prof. Brochs g. 6
N-7034 Trondheim, Norway	E-mail: venaas@itea.ntnu.no
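
The collision described in the report, as an added example that is not part of the original message or of glibc: a control buffer holding one SOL_SOCKET header and one IPPROTO_IP header with the same numeric type, walked once with the type-only test and once with the level-and-type test. `SAMPLE_SCM_CREDS`, `struct sample_cred`, `build_sample` and `count_creds` are hypothetical names, and the buffer contents are constructed.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define SAMPLE_SCM_CREDS 2  /* assumption: the value the report gives for SCM_CREDS */
struct sample_cred { int pid; unsigned uid, gid; };  /* hypothetical payload */

/* Constructed control buffer, aligned for struct cmsghdr. */
static union {
    struct cmsghdr align;
    char buf[CMSG_SPACE(sizeof(struct sample_cred)) + CMSG_SPACE(sizeof(int))];
} ctl;

/* Header 1: socket-level credentials. Header 2: other level, same type number. */
static void build_sample(struct msghdr *m)
{
    memset(&ctl, 0, sizeof ctl);
    memset(m, 0, sizeof *m);
    m->msg_control = ctl.buf;
    m->msg_controllen = sizeof ctl.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(m);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SAMPLE_SCM_CREDS;
    c->cmsg_len = CMSG_LEN(sizeof(struct sample_cred));
    c = CMSG_NXTHDR(m, c);
    c->cmsg_level = IPPROTO_IP;          /* not a credentials message */
    c->cmsg_type = SAMPLE_SCM_CREDS;     /* but numerically the same type */
    c->cmsg_len = CMSG_LEN(sizeof(int));
}

/* Count headers treated as credentials; check_level=0 is the type-only test. */
static int count_creds(struct msghdr *m, int check_level)
{
    int n = 0;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(m); c; c = CMSG_NXTHDR(m, c))
        if ((!check_level || c->cmsg_level == SOL_SOCKET)
            && c->cmsg_type == SAMPLE_SCM_CREDS)
            n++;
    return n;
}

int main(void)
{
    struct msghdr m;
    build_sample(&m);
    printf("type only: %d, level and type: %d\n",
           count_creds(&m, 0), count_creds(&m, 1));
    return 0;
}
```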

