Hi!

> FWIW, you need that fix in drbd 9 too.
I recently found this during a code review and submitted a patch already.
   http://lists.linbit.com/pipermail/drbd-user/2016-November/023392.html
The archive doesn't save attachments, so I added the patch again.

You may check it and add an "Acked-by", if you like.

BR,
   Jasmin
From 36f1ffa748c57c262a8375cc4c37803ef28d51fc Mon Sep 17 00:00:00 2001
From: Jasmin Jessich <jas...@anw.at>
Date: Sun, 27 Nov 2016 02:52:33 +0100
Subject: [PATCH] drbd9: Fix kernel_sendmsg() usage - potential NULL deref

Don't pass a size larger than iov_len to kernel_sendmsg().
Otherwise it will cause a NULL pointer deref when kernel_sendmsg()
returns with rv < size.

I found this during a recent code review triggered by an email on the
drbd-user mailing list. It is a simple port of this commit
http://git.drbd.org/drbd-8.4.git/commit/e0645836e870346cafe688cbdd8ec29092f6cdb5

Signed-off-by: Jasmin Jessich <jas...@anw.at>
---
 drbd/drbd_transport_tcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drbd/drbd_transport_tcp.c b/drbd/drbd_transport_tcp.c
index f7e937f..ed2ff8e 100644
--- a/drbd/drbd_transport_tcp.c
+++ b/drbd/drbd_transport_tcp.c
@@ -229,7 +229,7 @@ static int _dtt_send(struct drbd_tcp_transport 
*tcp_transport, struct socket *so
  * do we need to block DRBD_SIG if sock == &meta.socket ??
  * otherwise wake_asender() might interrupt some send_*Ack !
  */
-               rv = kernel_sendmsg(socket, &msg, &iov, 1, size);
+               rv = kernel_sendmsg(socket, &msg, &iov, 1, iov.iov_len);
                if (rv == -EAGAIN) {
                        struct drbd_transport *transport = 
&tcp_transport->transport;
                        enum drbd_stream stream =
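Review bot: On the changed kernel_sendmsg() call, passing iov.iov_len is only correct if iov.iov_len is kept equal to the bytes still to be sent on every pass through the send loop, and the visible context does not show where iov.iov_base and iov.iov_len are adjusted after a short send (rv < size). Please confirm that both are updated together with size before the next iteration, so the length passed never exceeds what the iovec actually describes. The commit message would also benefit from one sentence naming which pointer ends up NULL and why a short return triggers it, since the referenced 8.4 commit is the only explanation and this port touches a different file (drbd_transport_tcp.c).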
-- 
1.9.1
