Hi, I was reading linux_socket.c when I came across a bug in linux_sendmsg().
Index: linux_socket.c =================================================================== RCS file: /cvs/src/sys/compat/linux/linux_socket.c,v retrieving revision 1.46 diff -u -r1.46 linux_socket.c --- linux_socket.c 26 Jun 2012 10:18:08 -0000 1.46 +++ linux_socket.c 14 Dec 2013 17:45:37 -0000 @@ -1214,7 +1214,7 @@ struct msghdr msg, *nmsg = NULL; int error; caddr_t control; - int level; + int level = -1; if ((error = copyin((caddr_t) uap, (caddr_t) &lla, sizeof lla))) return error; At l.1252, if control == NULL, the function jumps to 'done' and 'level' is checked while it hasn't been initialized. As 'control' is NULL, copyout() tries to write to NULL->cmsg_level. What the kernel wants to do is to translate the level from 1 to SOL_SOCKET, call OpenBSD's sendmsg(), and then reset it to 1. By setting level to -1, we prevent it from entering the if in 'done'. Ok/Comments?
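Review bot: the sentinel fix at `int level = -1;` is correct only as long as the test at `done` compares `level` against the single translated value (1) and never against any other level that can legitimately reach that label; a one-line comment on the declaration stating that -1 means "no translation performed" would make that dependency visible to the next reader. Since the real condition being guarded is "a control message existed and was rewritten", an explicit `control != NULL` check at `done` (or jumping past the restore block when `control == NULL`) would express the intent directly and would not rely on a magic value.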
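The bug class described above, a status variable assigned only on one branch and then tested on a shared exit path, modelled as an added stand-alone C example; this is not the OpenBSD code and uses constructed names and constants (`struct cmsg`, `LINUX_SOL_SOCKET`, `BSD_SOL_SOCKET`, `sendmsg_model`). It shows the sentinel form of the fix: with no control message the restore block at `done` is skipped, and with a control message whose level is 1 the level is translated for the "send" and restored afterwards.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed values for the model; they stand in for the Linux
 * SOL_SOCKET (1) and the native socket level the kernel translates to. */
#define LINUX_SOL_SOCKET 1
#define BSD_SOL_SOCKET   0xffff

/* Minimal stand-in for the control-message header. */
struct cmsg {
    int cmsg_level;
};

/*
 * Fixed shape: 'level' starts at a sentinel that can never equal the
 * translated value, so the restore at 'done' only runs when a control
 * message was actually seen and rewritten. Without the initializer the
 * control == NULL path would test an indeterminate value and could
 * write through control (NULL) at 'done'.
 */
static int sendmsg_model(struct cmsg *control, int *seen_at_send)
{
    int level = -1;            /* sentinel: nothing to restore */

    *seen_at_send = -1;
    if (control == NULL)
        goto done;             /* no control message: nothing to translate */

    level = control->cmsg_level;
    if (level == LINUX_SOL_SOCKET)
        control->cmsg_level = BSD_SOL_SOCKET;   /* translate for native send */

    *seen_at_send = control->cmsg_level;        /* stands in for native sendmsg() */

done:
    /* Only true when control was non-NULL and carried level 1. */
    if (level == LINUX_SOL_SOCKET)
        control->cmsg_level = LINUX_SOL_SOCKET; /* hand the original back to userland */
    return 0;
}

/* 1 if the NULL-control path completes without touching any control message. */
int model_no_control(void)
{
    int seen = 0;
    return sendmsg_model(NULL, &seen) == 0 && seen == -1;
}

/* Level the "send" step observes for a control message starting at 'initial'. */
int model_level_at_send(int initial)
{
    struct cmsg c = { initial };
    int seen = 0;
    sendmsg_model(&c, &seen);
    return seen;
}

/* Level left in the control message after the call returns. */
int model_level_after(int initial)
{
    struct cmsg c = { initial };
    int seen = 0;
    sendmsg_model(&c, &seen);
    return c.cmsg_level;
}

int main(void)
{
    printf("no control: %s\n", model_no_control() ? "ok" : "FAIL");
    printf("level 1: sent as %#x, restored to %d\n",
           model_level_at_send(1), model_level_after(1));
    printf("level 5: sent as %d, restored to %d\n",
           model_level_at_send(5), model_level_after(5));
    return 0;
}
```

The alternative fix mentioned in review, testing `control != NULL` at `done` instead of a sentinel, behaves identically on these inputs; the sentinel form is shown because it is the one in the posted diff.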