Fix crash on too long msg_controllen

Currently when running in 32-on-64 mode sendmsg calls won't be patched #151 (comment)
termux · May 30, 2021 · 8f67d6c · 8f67d6c
1 parent a984f8e
commit 8f67d6c
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/src/extension/fake_id0/sendmsg.c b/src/extension/fake_id0/sendmsg.c
@@ -3,11 +3,14 @@
 #include <sys/types.h>   /* uid_t, gid_t, get*id(2), */
 #include <linux/net.h>   /* SYS_SENDMSG, */
 
+#include "cli/note.h"
 #include "tracee/mem.h"
 #include "syscall/sysnum.h"
 #include "syscall/syscall.h"
 #include "extension/fake_id0/sendmsg.h"
 
+#define MAX_CONTROLLEN 1024
+
 int handle_sendmsg_enter_end(Tracee *tracee, word_t sysnum)
 {
 	/* Read sendmsg header.  */
@@ -53,6 +56,11 @@ int handle_sendmsg_enter_end(Tracee *tracee, word_t sysnum)
 	{
 		bool did_modify = 0;
 
+		if (msg.msg_controllen > MAX_CONTROLLEN) {
+			VERBOSE(tracee, 1, "sendmsg() with msg_controllen=%zu, is_32on64_mode=%d, not doing fixup", msg.msg_controllen, is_32on64_mode(tracee));
+			return 0;
+		}
+
 		/* Read cmsg header.  */
 		char cmsg_buf[msg.msg_controllen];
 		status = read_data(tracee, cmsg_buf, (word_t) msg.msg_control, msg.msg_controllen);