On Wed, Dec 05, 2001 at 04:33:04PM -0600, Robert Williamson wrote:
> Using the "recv01" test from the LTP testsuite, a test is done to see if
> the "recv" system call returns EFAULT as documented in the manpage. EFAULT
> should return when the receive buffer pointer points outside the process's
> address space. Strangely, the test passes about 20% of the time and fails
> the remaining 80%. Looking at the code for "recvfrom", I can add the
> following two lines after line 1253:

I just tested recv01 from the LTP version I had laying around (from Oct 11)
and recv01 works:

% ./recv01
recv01 1 PASS : bad file descriptor successful
recv01 2 PASS : invalid socket successful
recv01 3 PASS : invalid recv buffer successful
recv01 4 PASS : invalid flags set successful

This receives to a (void *)-1 socket address. I guess you have some
different version. What exactly does it test? As far as I am reading the
source, sys_recvfrom() also does all necessary checks for EFAULT.

> 1251 sock = sockfd_lookup(fd, &err);
> 1252 if (!sock)
> 1253 goto out;
> ***1254 err2 = verify_area(VERIFY_WRITE, ubuf, size);
> ***1255 if ( err2 ) return -EFAULT;
>
> to handle the situation. However, since I don't know the meaning of the
> comment from Alan, I'm hesitant to make this change. Any help would be
> appreciated.

verify_area() is mostly useless with 2.2+. All it checks is that a user
pointer is not in kernel memory to avoid security holes; but this check is
usually repeated later on. If you want true pointer checking, including
catching of unmapped areas, the low level get_user or copy_from_user needs
to do the error check.

> 1) Was this done for performance reasons, and if so, what were they?

The changelog refers to some earlier unrelated change.

verify_area() was mostly removed between 2.0 and 2.2 because it is useless
now (in 2.0 it actually walked memory maps, but 2.2+ uses an exception
handler based scheme in the actual user access).

> 2) In the "sys_recvfrom" definition, within socket.c, how does the
> function handle an invalid address? That is, is there any checking done on
> the variable "ubuf"?

The socket address copy is handled by move_addr_to_user() (which does an
EFAULT error return as needed). The data copy depends on the underlying
protocol. UDP/TCP should check correctly for faults at least.

-Andi