From: <sv...@va...> - 2014-05-14 11:36:04
Author: mjw
Date: Wed May 14 11:35:54 2014
New Revision: 13963
Log:
Use safe_to_deref in coregrind syswrap-generic.c (msghdr_foreachfield).
Call ML_(safe_to_deref) before using msghdr msg_name, msg_iov or msg_control.
Fixes bug #334705.
Modified:
trunk/NEWS
trunk/coregrind/m_syswrap/syswrap-generic.c
Modified: trunk/NEWS
==============================================================================
--- trunk/NEWS (original)
+++ trunk/NEWS Wed May 14 11:35:54 2014
@@ -119,6 +119,7 @@
333228 AAarch64 Missing instruction encoding: mrs %[reg], ctr_el0
333230 AAarch64 missing instruction encodings: dc, ic, dsb.
333666 Recognize MPX instructions and bnd prefix.
+334705 sendmsg and recvmsg should guard against bogus msghdr fields.
334727 Build fails with -Werror=format-security
n-i-bz Fix KVM_CREATE_IRQCHIP ioctl handling
n-i-bz s390x: Fix memory corruption for multithreaded applications
Modified: trunk/coregrind/m_syswrap/syswrap-generic.c
==============================================================================
--- trunk/coregrind/m_syswrap/syswrap-generic.c (original)
+++ trunk/coregrind/m_syswrap/syswrap-generic.c Wed May 14 11:35:54 2014
@@ -951,13 +951,15 @@
if ( recv )
foreach_func ( tid, False, fieldName, (Addr)&msg->msg_flags, sizeof( msg->msg_flags ) );
- if ( msg->msg_name ) {
+ if ( ML_(safe_to_deref)(&msg->msg_name, sizeof (void *))
+ && msg->msg_name ) {
VG_(sprintf) ( fieldName, "(%s.msg_name)", name );
foreach_func ( tid, False, fieldName,
(Addr)msg->msg_name, msg->msg_namelen );
}
- if ( msg->msg_iov ) {
+ if ( ML_(safe_to_deref)(&msg->msg_iov, sizeof (void *))
+ && msg->msg_iov ) {
struct vki_iovec *iov = msg->msg_iov;
UInt i;
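Review bot: The new guards check only the pointer field, while the adjacent length field is still read unguarded: on the line after the msg_name check, `msg->msg_namelen` is dereferenced with no safe_to_deref of its own, and the `sizeof (void *)` check at `&msg->msg_name` does not cover it. If the msghdr is only partially mapped that read may still fault in the tool instead of being reported as unaddressable through foreach_func. Extending the condition to `&& ML_(safe_to_deref)(&msg->msg_namelen, sizeof msg->msg_namelen)` closes this for msg_name; the msg_iov and msg_control branches presumably read `msg->msg_iovlen` and `msg->msg_controllen` the same way, but those lines fall outside the visible hunks (the second hunk is cut mid-statement). msghdr_foreachfield starts before and ends after this hunk.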
@@ -975,7 +977,8 @@
}
}
- if ( msg->msg_control )
+ if ( ML_(safe_to_deref) (&msg->msg_control, sizeof (void *))
+ && msg->msg_control )
{
VG_(sprintf) ( fieldName, "(%s.msg_control)", name );
foreach_func ( tid, False, fieldName,