From: Philippe Troin <phil@fifi.org>
Date: 03 Nov 2000 16:17:53 -0800
Mmmh, no, if fdmax <= 0 (which happens when msg_controllen <
sizeof(struct cmsghdr)), then alls fds are passed, eventually
clobbering past ((char*)(msg_control)+m_controllen).
Run the little test case if you're not convinced...
I stand by my patch :-)
If fdmax <= 0, no iterations of the "for (i=0" loop will run.
'i' will therefore be left equal to zero. Therefore the next
bit of code writing in the SOL_SOCKET/SCM_RIGHTS/etc. values
will not run.
Next comes the test I modified, which will set MSG_CTRUNC.
Next scm_destroy(scm) is called which frees the list (this has to get
called and is why I say your patch wasn't correct).
So where in this code are all the fds passed to the user in this case?
I don't care what it actually does, I want to be shown why because as
far as I see it doesn't do what you say it does.
Later,
David S. Miller
davem@redhat.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Nov 07 2000 - 21:00:15 EST