author | Andrei Vagin <avagin@google.com> | 2021-02-22 11:37:13 -0800 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-02-22 11:51:30 -0800 |
commit | c5a4e100085ccbd063df36706cccf93951439cb7 (patch) | |
tree | f97c68b9043fec0c37df46a94b8bf1e79fc22422 /pkg/sentry/syscalls/linux/vfs2 | |
parent | 19fe3a2bfb72622c307311dc61019238896a756b (diff) |
unix: sendmmsg and recvmsg have to cap a number of message to UIO_MAXIOV
Reported-by: syzbot+f2489ba0b999a45d1ad1@syzkaller.appspotmail.com
PiperOrigin-RevId: 358866218
Diffstat (limited to 'pkg/sentry/syscalls/linux/vfs2')
-rw-r--r-- | pkg/sentry/syscalls/linux/vfs2/socket.go | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/pkg/sentry/syscalls/linux/vfs2/socket.go b/pkg/sentry/syscalls/linux/vfs2/socket.go
index 7636ca453..346fd1cea 100644
--- a/pkg/sentry/syscalls/linux/vfs2/socket.go
+++ b/pkg/sentry/syscalls/linux/vfs2/socket.go
@@ -660,6 +660,10 @@ func RecvMMsg(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Sysc
 return 0, nil, syserror.EINVAL
 }
 
+ if vlen > linux.UIO_MAXIOV {
+ vlen = linux.UIO_MAXIOV
+ }
+
 // Reject flags that we don't handle yet.
 if flags & ^(baseRecvFlags|linux.MSG_CMSG_CLOEXEC|linux.MSG_ERRQUEUE) != 0 {
 return 0, nil, syserror.EINVAL
@@ -941,6 +945,10 @@ func SendMMsg(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Sysc
 return 0, nil, syserror.EINVAL
 }
 
+ if vlen > linux.UIO_MAXIOV {
+ vlen = linux.UIO_MAXIOV
+ }
+
 // Get socket from the file descriptor.
 file := t.GetFileVFS2(fd)
 if file == nil { |
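Review bot: The new clamp in RecvMMsg (and the identical one in the SendMMsg hunk) is silent and uncommented, so a reader cannot tell that `vlen` is caller-controlled and that this cap is what bounds the per-call message count. I would add a comment above each, e.g. `// vlen comes from the caller; cap it at UIO_MAXIOV so one call cannot drive an unbounded number of messages.` sendmmsg(2) documents this cap for Linux, but I am not certain recvmmsg has the same one upstream, so the RecvMMsg comment should state whether the clamp mirrors Linux or is a sentry-side limit. The same four lines are duplicated in two functions whose bodies start and end outside the hunks; a small shared helper would keep them in step. No regression test for `vlen > linux.UIO_MAXIOV` is visible here, though the diffstat is limited to this directory, so one may exist elsewhere in the commit.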