On Sat, Jul 17, 2010 at 03:36:43PM +0200, Ludovic Courtès wrote: > Emilio Pozuelo Monfort <poch...@gmail.com> writes: > > > error_t > > S_socket_getopt (struct sock_user *user, > > int level, int opt, > > char **value, size_t *value_len) > > { > > - return EOPNOTSUPP; > > + int ret = 0; > > + > > + if (!user) > > + return EOPNOTSUPP; > > + > > + mutex_lock (&user->sock->lock); > > + switch (level) > > + { > > + case SOL_SOCKET: > > + switch (opt) > > + { > > + case SO_TYPE: > > + assert (*value_len >= sizeof (int)); > > IIUC, a client could pass *VALUE_LEN = 0 and cause the server to abort, > because of the assertion here.
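Review bot: the `assert (*value_len >= sizeof (int));` in the SO_TYPE case is the wrong tool if it is meant as a bounds check: with NDEBUG it compiles to nothing, and when it is enabled a failed check aborts the whole server rather than failing the one request. If *VALUE_LEN is guaranteed by the MIG-generated stub, a comment saying so next to the assert would make the invariant explicit; otherwise the case should release the lock and return EINVAL. Also, `mutex_lock (&user->sock->lock);` is taken before `switch (level)`, so every return path after it, including the unhandled level and option cases, needs a matching `mutex_unlock`.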
We have thought of this. The value does not come from the client, it comes from MIG generated code which gives you the (hard coded) length of a buffer inlined in the reply message. The client cannot affect this.

Regards,
Fredrik