Hi, Carl Fredrik Hammar <hammy.l...@gmail.com> writes:
> On Sat, Jul 17, 2010 at 03:36:43PM +0200, Ludovic Courtès wrote:
>> Emilio Pozuelo Monfort <poch...@gmail.com> writes:
>>
>> > error_t
>> > S_socket_getopt (struct sock_user *user,
>> >                  int level, int opt,
>> >                  char **value, size_t *value_len)
>> > {
>> > -  return EOPNOTSUPP;
>> > +  int ret = 0;
>> > +
>> > +  if (!user)
>> > +    return EOPNOTSUPP;
>> > +
>> > +  mutex_lock (&user->sock->lock);
>> > +  switch (level)
>> > +    {
>> > +    case SOL_SOCKET:
>> > +      switch (opt)
>> > +        {
>> > +        case SO_TYPE:
>> > +          assert (*value_len >= sizeof (int));
>>
>> IIUC, a client could pass *VALUE_LEN = 0 and cause the server to abort,
>> because of the assertion here.
>
> We have thought of this.
>
> The value does not come from the client, it comes from MIG generated
> code which gives you the (hard coded) length of a buffer inlined in the
> reply message. The client cannot affect this.

OK, thanks for the explanation.

Ludo’.
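Review bot: the `assert (*value_len >= sizeof (int))` in the SO_TYPE case relies on an invariant that holds only because the caller is the MIG-generated server stub, which passes the hard-coded length of the buffer inlined in the reply message; nothing in the signature (`char **value, size_t *value_len`) says so, so a one-line comment stating that `*value_len` is stub-supplied rather than client data would stop a future caller from breaking that assumption. Note also that `assert` compiles to nothing under NDEBUG, so if the invariant ever stopped holding the server would write `sizeof (int)` bytes into an undersized buffer instead of aborting; a runtime check that unlocks `user->sock->lock` and returns an error (e.g. EINVAL) would fail closed in both builds. The hunk is cut off before the unlock and before `ret` is used, so whether every path out of the nested switch releases `user->sock->lock` cannot be verified from the quoted lines.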