Hey, I'm sorry if it's a false alarm, but Jan pointed out that the
implementation of rt_udp_recvmsg regarding msg_namelen seems wrong. So
I compared the piece of code to Linux and tried to figure out how it
should be handled... I stared at it for quite a while but I don't get
this part:
0393     struct sockaddr_in *sin;
0419     sin = msg->msg_name;
0420
0421     /* copy the address */
0422     msg->msg_namelen = sizeof(*sin);
0423     if (sin) {
0424         sin->sin_family = AF_INET;
0425         sin->sin_port = uh->source;
0426         sin->sin_addr.s_addr = skb->nh.iph->saddr;
0427     }
Isn't msg->msg_name a user space buffer? Why is it possible to access
it from kernel space (Line 424 - 426)? I'm not really familiar with
the Linux kernel that much, therefore I checked some other parts of
RTnet (ipv4/tcp/tcp.c) and there is something strange as well:
2053 len = msg->msg_iov[0].iov_len;
2054 buf = msg->msg_iov[0].iov_base;
So I'm really getting confused... I mean, wouldn't such a bug cause
serious problems? I've been running RTnet for months using the recvmsg
system call (udp) all the time and never encountered a problem. Sorry
if this question is somehow stupid, I really tried to figure it out
myself...
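As an added illustration (not RTnet's or Linux's code, and not part of this thread): the pattern in which the protocol-level recvmsg only ever writes the peer address into a kernel-side buffer, and the syscall layer copies a clamped number of bytes to the caller's buffer, modelled on how the Linux socket layer treats msg_name/msg_namelen. The function names and the constructed address values are assumptions.

```c
/* Kernel/user boundary for the recvmsg peer address, modelled on the
 * Linux socket layer. Constructed example: user space is simulated by a
 * plain buffer and memcpy() stands in for copy_to_user(). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define MAX_SOCK_ADDR 128

struct kmsghdr {            /* stand-in for struct msghdr */
    void *msg_name;         /* points at a KERNEL buffer, never at user memory */
    int   msg_namelen;
};

/* Protocol-level recvmsg (hypothetical): fills the kernel-side address.
 * It must set msg_namelen unconditionally, even when nothing is stored,
 * so no uninitialised kernel bytes are ever copied out afterwards. */
static void proto_recvmsg(struct kmsghdr *msg, uint16_t net_port, uint32_t net_saddr)
{
    struct sockaddr_in *sin = msg->msg_name;
    msg->msg_namelen = sizeof(*sin);
    if (sin) {
        memset(sin, 0, sizeof(*sin));      /* no padding leaks */
        sin->sin_family = AF_INET;
        sin->sin_port = net_port;
        sin->sin_addr.s_addr = net_saddr;
    }
}

/* Syscall-level copy-out: copies min(*ulen, klen) bytes, rejects bogus
 * lengths, and reports the untruncated length back to the caller. */
static int move_addr_to_user(const void *kaddr, int klen, void *uaddr, int *ulen)
{
    int len = *ulen;
    if (len > klen) len = klen;
    if (len < 0 || len > MAX_SOCK_ADDR) return -EINVAL;
    if (len) memcpy(uaddr, kaddr, len); /* copy_to_user() in a real kernel */
    *ulen = klen;                       /* POSIX: length before truncation */
    return 0;
}

/* Whole path: caller passes (uaddr, *ulen); returns 0 or -errno. */
int recvmsg_addr_path(void *uaddr, int *ulen, uint16_t net_port, uint32_t net_saddr)
{
    unsigned char kaddr[MAX_SOCK_ADDR];  /* kernel-side scratch buffer */
    struct kmsghdr msg = { .msg_name = kaddr, .msg_namelen = 0 };
    proto_recvmsg(&msg, net_port, net_saddr);
    if (uaddr == NULL || msg.msg_namelen == 0) return 0;
    return move_addr_to_user(kaddr, msg.msg_namelen, uaddr, ulen);
}
```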