net: rework recvmsg handler msg_name and msg_namelen logic

This patch now always passes msg->msg_namelen as 0. recvmsg handlers must set msg_namelen to the proper size <= sizeof(struct sockaddr_storage) to return msg_name to the user. This prevents numerous uninitialized memory leaks we had in the recvmsg handlers and makes it harder for new code to accidentally leak uninitialized memory. Optimize for the case recvfrom is called with NULL as address. We don't need to copy the address at all, so set it to NULL before invoking the recvmsg handler. We can do so, because all the recvmsg handlers must cope with the case a plain read() is called on them. read() also sets msg_name to NULL. Also document these changes in include/linux/net.h as suggested by David Miller. Changes since RFC: Set msg->msg_name = NULL if user specified a NULL in msg_name but had a non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't affect sendto as it would bail out earlier while trying to copy-in the address. It also more naturally reflects the logic by the callers of verify_iovec. With this change in place I could remove " if (!uaddr || msg_sys->msg_namelen == 0) msg->msg_name = NULL ". This change does not alter the user visible error logic as we ignore msg_namelen as long as msg_name is NULL. Also remove two unnecessary curly brackets in ___sys_recvmsg and change comments to netdev style. Cc: David Miller <davem@davemloft.net> Suggested-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>

net: rework recvmsg handler msg_name and msg_namelen logic
This patch now always passes msg->msg_namelen as 0. recvmsg handlers must set msg_namelen to the proper size <= sizeof(struct sockaddr_storage) to return msg_name to the user. This prevents numerous uninitialized memory leaks we had in the recvmsg handlers and makes it harder for new code to accidentally leak uninitialized memory. Optimize for the case recvfrom is called with NULL as address. We don't need to copy the address at all, so set it to NULL before invoking the recvmsg handler. We can do so, because all the recvmsg handlers must cope with the case a plain read() is called on them. read() also sets msg_name to NULL. Also document these changes in include/linux/net.h as suggested by David Miller. Changes since RFC: Set msg->msg_name = NULL if user specified a NULL in msg_name but had a non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't affect sendto as it would bail out earlier while trying to copy-in the address. It also more naturally reflects the logic by the callers of verify_iovec. With this change in place I could remove " if (!uaddr || msg_sys->msg_namelen == 0) msg->msg_name = NULL ". This change does not alter the user visible error logic as we ignore msg_namelen as long as msg_name is NULL. Also remove two unnecessary curly brackets in ___sys_recvmsg and change comments to netdev style. Cc: David Miller <davem@davemloft.net> Suggested-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Hannes Frederic Sowa · David S. Miller · Eric Lee · Eric Lee · Eric Lee · Eric Lee
1 parent f873042093
Showing 35 changed files with 67 additions and 115 deletions Side-by-side Diff
crypto/algif_hash.c
crypto/algif_skcipher.c
drivers/isdn/mISDN/socket.c
drivers/net/ppp/pppoe.c
include/linux/net.h
net/appletalk/ddp.c
net/atm/common.c
net/ax25/af_ax25.c
net/bluetooth/af_bluetooth.c
net/bluetooth/hci_sock.c
net/bluetooth/rfcomm/sock.c
net/bluetooth/sco.c
net/caif/caif_socket.c
net/compat.c
net/core/iovec.c
net/ipx/af_ipx.c
net/irda/af_irda.c
net/iucv/af_iucv.c
net/key/af_key.c
net/l2tp/l2tp_ppp.c
@@ -161,8 +161,6 @@
 	else if (len < ds)
 		msg->msg_flags |= MSG_TRUNC;
  
-	msg->msg_namelen = 0;
-
 	lock_sock(sk);
 	if (ctx->more) {
 		ctx->more = 0;
@@ -432,7 +432,6 @@
 	long copied = 0;
  
 	lock_sock(sk);
-	msg->msg_namelen = 0;
 	for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
 	     iovlen--, iov++) {
 		unsigned long seglen = iov->iov_len;
@@ -117,7 +117,6 @@
 {
 	struct sk_buff		*skb;
 	struct sock		*sk = sock->sk;
-	struct sockaddr_mISDN	*maddr;
  
 	int		copied, err;
  
@@ -135,9 +134,9 @@
 	if (!skb)
 		return err;
  
-	if (msg->msg_namelen >= sizeof(struct sockaddr_mISDN)) {
-		msg->msg_namelen = sizeof(struct sockaddr_mISDN);
-		maddr = (struct sockaddr_mISDN *)msg->msg_name;
+	if (msg->msg_name) {
+		struct sockaddr_mISDN *maddr = msg->msg_name;
+
 		maddr->family = AF_ISDN;
 		maddr->dev = _pms(sk)->dev->id;
 		if ((sk->sk_protocol == ISDN_P_LAPD_TE) ||
@@ -150,11 +149,7 @@
 			maddr->sapi = _pms(sk)->ch.addr & 0xFF;
 			maddr->tei =  (_pms(sk)->ch.addr >> 8) & 0xFF;
 		}
-	} else {
-		if (msg->msg_namelen)
-			printk(KERN_WARNING "%s: too small namelen %d\n",
-			       __func__, msg->msg_namelen);
-		msg->msg_namelen = 0;
+		msg->msg_namelen = sizeof(*maddr);
 	}
  
 	copied = skb->len + MISDN_HEADER_LEN;
@@ -979,8 +979,6 @@
 	if (error < 0)
 		goto end;
  
-	m->msg_namelen = 0;
-
 	if (skb) {
 		total_len = min_t(size_t, total_len, skb->len);
 		error = skb_copy_datagram_iovec(skb, 0, m->msg_iov, total_len);
@@ -164,6 +164,14 @@
 #endif
 	int		(*sendmsg)   (struct kiocb *iocb, struct socket *sock,
 				      struct msghdr *m, size_t total_len);
+	/* Notes for implementing recvmsg:
+	 * ===============================
+	 * msg->msg_namelen should get updated by the recvmsg handlers
+	 * iff msg_name != NULL. It is by default 0 to prevent
+	 * returning uninitialized memory to user space.  The recvfrom
+	 * handlers can assume that msg.msg_name is either NULL or has
+	 * a minimum size of sizeof(struct sockaddr_storage).
+	 */
 	int		(*recvmsg)   (struct kiocb *iocb, struct socket *sock,
 				      struct msghdr *m, size_t total_len,
 				      int flags);
@@ -1735,7 +1735,6 @@
 			 size_t size, int flags)
 {
 	struct sock *sk = sock->sk;
-	struct sockaddr_at *sat = (struct sockaddr_at *)msg->msg_name;
 	struct ddpehdr *ddp;
 	int copied = 0;
 	int offset = 0;
@@ -1764,14 +1763,13 @@
 	}
 	err = skb_copy_datagram_iovec(skb, offset, msg->msg_iov, copied);
  
-	if (!err) {
-		if (sat) {
-			sat->sat_family      = AF_APPLETALK;
-			sat->sat_port        = ddp->deh_sport;
-			sat->sat_addr.s_node = ddp->deh_snode;
-			sat->sat_addr.s_net  = ddp->deh_snet;
-		}
-		msg->msg_namelen = sizeof(*sat);
+	if (!err && msg->msg_name) {
+		struct sockaddr_at *sat = msg->msg_name;
+		sat->sat_family      = AF_APPLETALK;
+		sat->sat_port        = ddp->deh_sport;
+		sat->sat_addr.s_node = ddp->deh_snode;
+		sat->sat_addr.s_net  = ddp->deh_snet;
+		msg->msg_namelen     = sizeof(*sat);
 	}
  
 	skb_free_datagram(sk, skb);	/* Free the datagram. */
@@ -531,8 +531,6 @@
 	struct sk_buff *skb;
 	int copied, error = -EINVAL;
  
-	msg->msg_namelen = 0;
-
 	if (sock->state != SS_CONNECTED)
 		return -ENOTCONN;
  
@@ -1636,11 +1636,11 @@
  
 	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
  
-	if (msg->msg_namelen != 0) {
-		struct sockaddr_ax25 *sax = (struct sockaddr_ax25 *)msg->msg_name;
+	if (msg->msg_name) {
 		ax25_digi digi;
 		ax25_address src;
 		const unsigned char *mac = skb_mac_header(skb);
+		struct sockaddr_ax25 *sax = msg->msg_name;
  
 		memset(sax, 0, sizeof(struct full_sockaddr_ax25));
 		ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
@@ -224,10 +224,9 @@
  
 	skb = skb_recv_datagram(sk, flags, noblock, &err);
 	if (!skb) {
-		if (sk->sk_shutdown & RCV_SHUTDOWN) {
-			msg->msg_namelen = 0;
+		if (sk->sk_shutdown & RCV_SHUTDOWN)
 			return 0;
-		}
+
 		return err;
 	}
  
@@ -245,8 +244,6 @@
 		if (bt_sk(sk)->skb_msg_name)
 			bt_sk(sk)->skb_msg_name(skb, msg->msg_name,
 						&msg->msg_namelen);
-		else
-			msg->msg_namelen = 0;
 	}
  
 	skb_free_datagram(sk, skb);
@@ -294,8 +291,6 @@
  
 	if (flags & MSG_OOB)
 		return -EOPNOTSUPP;
-
-	msg->msg_namelen = 0;
  
 	BT_DBG("sk %p size %zu", sk, size);
  
@@ -856,8 +856,6 @@
 	if (!skb)
 		return err;
  
-	msg->msg_namelen = 0;
-
 	copied = skb->len;
 	if (len < copied) {
 		msg->msg_flags |= MSG_TRUNC;
@@ -615,7 +615,6 @@
  
 	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
 		rfcomm_dlc_accept(d);
-		msg->msg_namelen = 0;
 		return 0;
 	}
  
@@ -711,7 +711,6 @@
 	    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
 		sco_conn_defer_accept(pi->conn->hcon, pi->setting);
 		sk->sk_state = BT_CONFIG;
-		msg->msg_namelen = 0;
  
 		release_sock(sk);
 		return 0;
@@ -286,8 +286,6 @@
 	if (m->msg_flags&MSG_OOB)
 		goto read_error;
  
-	m->msg_namelen = 0;
-
 	skb = skb_recv_datagram(sk, flags, 0 , &ret);
 	if (!skb)
 		goto read_error;
@@ -360,8 +358,6 @@
 	err = -EOPNOTSUPP;
 	if (flags&MSG_OOB)
 		goto out;
-
-	msg->msg_namelen = 0;
  
 	/*
 	 * Lock the socket to prevent queue disordering
@@ -93,7 +93,8 @@
 			if (err < 0)
 				return err;
 		}
-		kern_msg->msg_name = kern_address;
+		if (kern_msg->msg_name)
+			kern_msg->msg_name = kern_address;
 	} else
 		kern_msg->msg_name = NULL;
  
@@ -48,7 +48,8 @@
 			if (err < 0)
 				return err;
 		}
-		m->msg_name = address;
+		if (m->msg_name)
+			m->msg_name = address;
 	} else {
 		m->msg_name = NULL;
 	}
@@ -1823,8 +1823,6 @@
 	if (skb->tstamp.tv64)
 		sk->sk_stamp = skb->tstamp;
  
-	msg->msg_namelen = sizeof(*sipx);
-
 	if (sipx) {
 		sipx->sipx_family	= AF_IPX;
 		sipx->sipx_port		= ipx->ipx_source.sock;
@@ -1832,6 +1830,7 @@
 		sipx->sipx_network	= IPX_SKB_CB(skb)->ipx_source_net;
 		sipx->sipx_type 	= ipx->ipx_type;
 		sipx->sipx_zero		= 0;
+		msg->msg_namelen	= sizeof(*sipx);
 	}
 	rc = copied;
  
@@ -1385,8 +1385,6 @@
  
 	IRDA_DEBUG(4, "%s()\n", __func__);
  
-	msg->msg_namelen = 0;
-
 	skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
 				flags & MSG_DONTWAIT, &err);
 	if (!skb)
@@ -1450,8 +1448,6 @@
 	err = 0;
 	target = sock_rcvlowat(sk, flags & MSG_WAITALL, size);
 	timeo = sock_rcvtimeo(sk, noblock);
-
-	msg->msg_namelen = 0;
  
 	do {
 		int chunk;
@@ -1324,8 +1324,6 @@
 	int err = 0;
 	u32 offset;
  
-	msg->msg_namelen = 0;
-
 	if ((sk->sk_state == IUCV_DISCONN) &&
 	    skb_queue_empty(&iucv->backlog_skb_q) &&
 	    skb_queue_empty(&sk->sk_receive_queue) &&
@@ -3616,7 +3616,6 @@
 	if (flags & ~(MSG_PEEK|MSG_DONTWAIT|MSG_TRUNC|MSG_CMSG_COMPAT))
 		goto out;
  
-	msg->msg_namelen = 0;
 	skb = skb_recv_datagram(sk, flags, flags & MSG_DONTWAIT, &err);
 	if (skb == NULL)
 		goto out;
@@ -197,8 +197,6 @@
 	if (sk->sk_state & PPPOX_BOUND)
 		goto end;
  
-	msg->msg_namelen = 0;
-
 	err = 0;
 	skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
 				flags & MSG_DONTWAIT, &err);
@@ -720,8 +720,6 @@
 	int target;	/* Read at least this many bytes */
 	long timeo;
  
-	msg->msg_namelen = 0;
-
 	lock_sock(sk);
 	copied = -ENOTCONN;
 	if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))
@@ -2335,8 +2335,6 @@
 	}
 #endif
  
-	msg->msg_namelen = 0;
-
 	copied = data_skb->len;
 	if (len < copied) {
 		msg->msg_flags |= MSG_TRUNC;
@@ -1179,9 +1179,8 @@
 		sax->sax25_family = AF_NETROM;
 		skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
 			      AX25_ADDR_LEN);
+		msg->msg_namelen = sizeof(*sax);
 	}
-
-	msg->msg_namelen = sizeof(*sax);
  
 	skb_free_datagram(sk, skb);
  
@@ -807,8 +807,6 @@
  
 	pr_debug("%p %zu\n", sk, len);
  
-	msg->msg_namelen = 0;
-
 	lock_sock(sk);
  
 	if (sk->sk_state == LLCP_CLOSED &&
@@ -244,8 +244,6 @@
 	if (!skb)
 		return rc;
  
-	msg->msg_namelen = 0;
-
 	copied = skb->len;
 	if (len < copied) {
 		msg->msg_flags |= MSG_TRUNC;
@@ -2660,7 +2660,6 @@
 	struct sock *sk = sock->sk;
 	struct sk_buff *skb;
 	int copied, err;
-	struct sockaddr_ll *sll;
 	int vnet_hdr_len = 0;
  
 	err = -EINVAL;
  
@@ -2744,22 +2743,10 @@
 			goto out_free;
 	}
  
-	/*
-	 *	If the address length field is there to be filled in, we fill
-	 *	it in now.
+	/* You lose any data beyond the buffer you gave. If it worries
+	 * a user program they can ask the device for its MTU
+	 * anyway.
 	 */
-
-	sll = &PACKET_SKB_CB(skb)->sa.ll;
-	if (sock->type == SOCK_PACKET)
-		msg->msg_namelen = sizeof(struct sockaddr_pkt);
-	else
-		msg->msg_namelen = sll->sll_halen + offsetof(struct sockaddr_ll, sll_addr);
-
-	/*
-	 *	You lose any data beyond the buffer you gave. If it worries a
-	 *	user program they can ask the device for its MTU anyway.
-	 */
-
 	copied = skb->len;
 	if (copied > len) {
 		copied = len;
  
@@ -2772,9 +2759,20 @@
  
 	sock_recv_ts_and_drops(msg, sk, skb);
  
-	if (msg->msg_name)
+	if (msg->msg_name) {
+		/* If the address length field is there to be filled
+		 * in, we fill it in now.
+		 */
+		if (sock->type == SOCK_PACKET) {
+			msg->msg_namelen = sizeof(struct sockaddr_pkt);
+		} else {
+			struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll;
+			msg->msg_namelen = sll->sll_halen +
+				offsetof(struct sockaddr_ll, sll_addr);
+		}
 		memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa,
 		       msg->msg_namelen);
+	}
  
 	if (pkt_sk(sk)->auxdata) {
 		struct tpacket_auxdata aux;
@@ -410,8 +410,6 @@
  
 	rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo);
  
-	msg->msg_namelen = 0;
-
 	if (msg_flags & MSG_OOB)
 		goto out;
  
@@ -1216,7 +1216,6 @@
 {
 	struct sock *sk = sock->sk;
 	struct rose_sock *rose = rose_sk(sk);
-	struct sockaddr_rose *srose = (struct sockaddr_rose *)msg->msg_name;
 	size_t copied;
 	unsigned char *asmptr;
 	struct sk_buff *skb;
@@ -1252,8 +1251,11 @@
  
 	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
  
-	if (srose != NULL) {
-		memset(srose, 0, msg->msg_namelen);
+	if (msg->msg_name) {
+		struct sockaddr_rose *srose;
+
+		memset(msg->msg_name, 0, sizeof(struct full_sockaddr_rose));
+		srose = msg->msg_name;
 		srose->srose_family = AF_ROSE;
 		srose->srose_addr   = rose->dest_addr;
 		srose->srose_call   = rose->dest_call;
@@ -143,10 +143,13 @@
  
 		/* copy the peer address and timestamp */
 		if (!continue_call) {
-			if (msg->msg_name && msg->msg_namelen > 0)
+			if (msg->msg_name) {
+				size_t len =
+					sizeof(call->conn->trans->peer->srx);
 				memcpy(msg->msg_name,
-				       &call->conn->trans->peer->srx,
-				       sizeof(call->conn->trans->peer->srx));
+				       &call->conn->trans->peer->srx, len);
+				msg->msg_namelen = len;
+			}
 			sock_recv_ts_and_drops(msg, &rx->sk, skb);
 		}
  
@@ -1840,8 +1840,10 @@
 	msg.msg_iov = &iov;
 	iov.iov_len = size;
 	iov.iov_base = ubuf;
-	msg.msg_name = (struct sockaddr *)&address;
-	msg.msg_namelen = sizeof(address);
+	/* Save some cycles and don't copy the address if not needed */
+	msg.msg_name = addr ? (struct sockaddr *)&address : NULL;
+	/* We assume all kernel code knows the size of sockaddr_storage */
+	msg.msg_namelen = 0;
 	if (sock->file->f_flags & O_NONBLOCK)
 		flags |= MSG_DONTWAIT;
 	err = sock_recvmsg(sock, &msg, size, flags);
  
  
  
@@ -2221,16 +2223,14 @@
 			goto out;
 	}
  
-	/*
-	 *      Save the user-mode address (verify_iovec will change the
-	 *      kernel msghdr to use the kernel address space)
+	/* Save the user-mode address (verify_iovec will change the
+	 * kernel msghdr to use the kernel address space)
 	 */
-
 	uaddr = (__force void __user *)msg_sys->msg_name;
 	uaddr_len = COMPAT_NAMELEN(msg);
-	if (MSG_CMSG_COMPAT & flags) {
+	if (MSG_CMSG_COMPAT & flags)
 		err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
-	} else
+	else
 		err = verify_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
 	if (err < 0)
 		goto out_freeiov;
@@ -2238,6 +2238,9 @@
  
 	cmsg_ptr = (unsigned long)msg_sys->msg_control;
 	msg_sys->msg_flags = flags & (MSG_CMSG_CLOEXEC|MSG_CMSG_COMPAT);
+
+	/* We assume all kernel code knows the size of sockaddr_storage */
+	msg_sys->msg_namelen = 0;
  
 	if (sock->file->f_flags & O_NONBLOCK)
 		flags |= MSG_DONTWAIT;
@@ -980,9 +980,6 @@
 		goto exit;
 	}
  
-	/* will be updated in set_orig_addr() if needed */
-	m->msg_namelen = 0;
-
 	timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
 restart:
  
@@ -1090,9 +1087,6 @@
 		res = -ENOTCONN;
 		goto exit;
 	}
-
-	/* will be updated in set_orig_addr() if needed */
-	m->msg_namelen = 0;
  
 	target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len);
 	timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
@@ -1754,7 +1754,6 @@
 {
 	struct unix_sock *u = unix_sk(sk);
  
-	msg->msg_namelen = 0;
 	if (u->addr) {
 		msg->msg_namelen = u->addr->len;
 		memcpy(msg->msg_name, u->addr->name, u->addr->len);
@@ -1778,8 +1777,6 @@
 	if (flags&MSG_OOB)
 		goto out;
  
-	msg->msg_namelen = 0;
-
 	err = mutex_lock_interruptible(&u->readlock);
 	if (err) {
 		err = sock_intr_errno(sock_rcvtimeo(sk, noblock));
@@ -1923,8 +1920,6 @@
  
 	target = sock_rcvlowat(sk, flags&MSG_WAITALL, size);
 	timeo = sock_rcvtimeo(sk, flags&MSG_DONTWAIT);
-
-	msg->msg_namelen = 0;
  
 	/* Lock the socket to prevent queue disordering
 	 * while sleeps in memcpy_tomsg
@@ -1662,8 +1662,6 @@
 	vsk = vsock_sk(sk);
 	err = 0;
  
-	msg->msg_namelen = 0;
-
 	lock_sock(sk);
  
 	if (sk->sk_state != SS_CONNECTED) {
@@ -1746,8 +1746,6 @@
 	if (flags & MSG_OOB || flags & MSG_ERRQUEUE)
 		return -EOPNOTSUPP;
  
-	msg->msg_namelen = 0;
-
 	/* Retrieve the head sk_buff from the socket's receive queue. */
 	err = 0;
 	skb = skb_recv_datagram(&vsk->sk, flags, noblock, &err);
@@ -1340,9 +1340,8 @@
 	if (sx25) {
 		sx25->sx25_family = AF_X25;
 		sx25->sx25_addr   = x25->dest_addr;
+		msg->msg_namelen = sizeof(*sx25);
 	}
-
-	msg->msg_namelen = sizeof(struct sockaddr_x25);
  
 	x25_check_rbuf(sk);
 	rc = copied;
...	...	@@ -161,8 +161,6 @@
161	161	else if (len < ds)
162	162	msg->msg_flags \|= MSG_TRUNC;
163	163
164		- msg->msg_namelen = 0;
165		-
166	164	lock_sock(sk);
167	165	if (ctx->more) {
168	166	ctx->more = 0;
...	...	@@ -432,7 +432,6 @@
432	432	long copied = 0;
433	433
434	434	lock_sock(sk);
435		- msg->msg_namelen = 0;
436	435	for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
437	436	iovlen--, iov++) {
438	437	unsigned long seglen = iov->iov_len;
...	...	@@ -117,7 +117,6 @@
117	117	{
118	118	struct sk_buff *skb;
119	119	struct sock *sk = sock->sk;
120		- struct sockaddr_mISDN *maddr;
121	120
122	121	int copied, err;
123	122
...	...	@@ -135,9 +134,9 @@
135	134	if (!skb)
136	135	return err;
137	136
138		- if (msg->msg_namelen >= sizeof(struct sockaddr_mISDN)) {
139		- msg->msg_namelen = sizeof(struct sockaddr_mISDN);
140		- maddr = (struct sockaddr_mISDN *)msg->msg_name;
	137	+ if (msg->msg_name) {
	138	+ struct sockaddr_mISDN *maddr = msg->msg_name;
	139	+
141	140	maddr->family = AF_ISDN;
142	141	maddr->dev = _pms(sk)->dev->id;
143	142	if ((sk->sk_protocol == ISDN_P_LAPD_TE) \|\|
...	...	@@ -150,11 +149,7 @@
150	149	maddr->sapi = _pms(sk)->ch.addr & 0xFF;
151	150	maddr->tei = (_pms(sk)->ch.addr >> 8) & 0xFF;
152	151	}
153		- } else {
154		- if (msg->msg_namelen)
155		- printk(KERN_WARNING "%s: too small namelen %d\n",
156		- __func__, msg->msg_namelen);
157		- msg->msg_namelen = 0;
	152	+ msg->msg_namelen = sizeof(*maddr);
158	153	}
159	154
160	155	copied = skb->len + MISDN_HEADER_LEN;
...	...	@@ -979,8 +979,6 @@
979	979	if (error < 0)
980	980	goto end;
981	981
982		- m->msg_namelen = 0;
983		-
984	982	if (skb) {
985	983	total_len = min_t(size_t, total_len, skb->len);
986	984	error = skb_copy_datagram_iovec(skb, 0, m->msg_iov, total_len);
...	...	@@ -164,6 +164,14 @@
164	164	#endif
165	165	int (sendmsg) (struct kiocb iocb, struct socket *sock,
166	166	struct msghdr *m, size_t total_len);
	167	+ /* Notes for implementing recvmsg:
	168	+ * ===============================
	169	+ * msg->msg_namelen should get updated by the recvmsg handlers
	170	+ * iff msg_name != NULL. It is by default 0 to prevent
	171	+ * returning uninitialized memory to user space. The recvfrom
	172	+ * handlers can assume that msg.msg_name is either NULL or has
	173	+ * a minimum size of sizeof(struct sockaddr_storage).
	174	+ */
167	175	int (recvmsg) (struct kiocb iocb, struct socket *sock,
168	176	struct msghdr *m, size_t total_len,
169	177	int flags);
...	...	@@ -1735,7 +1735,6 @@
1735	1735	size_t size, int flags)
1736	1736	{
1737	1737	struct sock *sk = sock->sk;
1738		- struct sockaddr_at sat = (struct sockaddr_at )msg->msg_name;
1739	1738	struct ddpehdr *ddp;
1740	1739	int copied = 0;
1741	1740	int offset = 0;
...	...	@@ -1764,14 +1763,13 @@
1764	1763	}
1765	1764	err = skb_copy_datagram_iovec(skb, offset, msg->msg_iov, copied);
1766	1765
1767		- if (!err) {
1768		- if (sat) {
1769		- sat->sat_family = AF_APPLETALK;
1770		- sat->sat_port = ddp->deh_sport;
1771		- sat->sat_addr.s_node = ddp->deh_snode;
1772		- sat->sat_addr.s_net = ddp->deh_snet;
1773		- }
1774		- msg->msg_namelen = sizeof(*sat);
	1766	+ if (!err && msg->msg_name) {
	1767	+ struct sockaddr_at *sat = msg->msg_name;
	1768	+ sat->sat_family = AF_APPLETALK;
	1769	+ sat->sat_port = ddp->deh_sport;
	1770	+ sat->sat_addr.s_node = ddp->deh_snode;
	1771	+ sat->sat_addr.s_net = ddp->deh_snet;
	1772	+ msg->msg_namelen = sizeof(*sat);
1775	1773	}
1776	1774
1777	1775	skb_free_datagram(sk, skb); /* Free the datagram. */
...	...	@@ -531,8 +531,6 @@
531	531	struct sk_buff *skb;
532	532	int copied, error = -EINVAL;
533	533
534		- msg->msg_namelen = 0;
535		-
536	534	if (sock->state != SS_CONNECTED)
537	535	return -ENOTCONN;
538	536
...	...	@@ -1636,11 +1636,11 @@
1636	1636
1637	1637	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
1638	1638
1639		- if (msg->msg_namelen != 0) {
1640		- struct sockaddr_ax25 sax = (struct sockaddr_ax25 )msg->msg_name;
	1639	+ if (msg->msg_name) {
1641	1640	ax25_digi digi;
1642	1641	ax25_address src;
1643	1642	const unsigned char *mac = skb_mac_header(skb);
	1643	+ struct sockaddr_ax25 *sax = msg->msg_name;
1644	1644
1645	1645	memset(sax, 0, sizeof(struct full_sockaddr_ax25));
1646	1646	ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
...	...	@@ -224,10 +224,9 @@
224	224
225	225	skb = skb_recv_datagram(sk, flags, noblock, &err);
226	226	if (!skb) {
227		- if (sk->sk_shutdown & RCV_SHUTDOWN) {
228		- msg->msg_namelen = 0;
	227	+ if (sk->sk_shutdown & RCV_SHUTDOWN)
229	228	return 0;
230		- }
	229	+
231	230	return err;
232	231	}
233	232
...	...	@@ -245,8 +244,6 @@
245	244	if (bt_sk(sk)->skb_msg_name)
246	245	bt_sk(sk)->skb_msg_name(skb, msg->msg_name,
247	246	&msg->msg_namelen);
248		- else
249		- msg->msg_namelen = 0;
250	247	}
251	248
252	249	skb_free_datagram(sk, skb);
...	...	@@ -294,8 +291,6 @@
294	291
295	292	if (flags & MSG_OOB)
296	293	return -EOPNOTSUPP;
297		-
298		- msg->msg_namelen = 0;
299	294
300	295	BT_DBG("sk %p size %zu", sk, size);
301	296
...	...	@@ -856,8 +856,6 @@
856	856	if (!skb)
857	857	return err;
858	858
859		- msg->msg_namelen = 0;
860		-
861	859	copied = skb->len;
862	860	if (len < copied) {
863	861	msg->msg_flags \|= MSG_TRUNC;