[adding developers of the two syscalls to CC; maybe they have some insights.]
On Wed, Jun 11, 2014 at 6:12 AM, Rich Felker <dal...@libc.org> wrote: > While looking to add support for the recvmmsg and sendmmsg syscalls in > musl libc, I ran into some disturbing findings on the kernel side. In > the struct mmsghdr, the field where the result for each message is > stored has type int, which is inconsistent with the return type > ssize_t of recvmsg/sendmsg. So I tried to track down what happens when > the result is or would be larger than 2GB, and quickly found an > explanation for why the type in the structure was defined wrong: > internally, the kernel uses int as the return type for revcmsg and > sendmsg. Oops. > > A bit more RTFS'ing brought me to tcp_sendmsg in net/ipv4/tcp.c (I > figured let's look at a stream-based protocol, since datagrams can > likely never be that big for any existing protocol), and as far as I > can tell, it's haphazardly mixing int and size_t with no checks for > overflows. I looked for anywhere the kernel might try to verify before > starting that the sum of the lengths of all the iovec components > doesn't overflow INT_MAX or even SIZE_MAX, but didn't find any such > checks. > > Is there some magic that makes this all safe, or is this a big mess of > possibly-security-relevant bugs? > > Rich > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Author of "The Linux Programming Interface", http://blog.man7.org/ -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/