lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sat, 18 Feb 2012 22:23:39 +0100
From:	Piergiorgio Beruto <>
To:	David Miller <>
Subject: Re: Possible bugfix for AF_UNIX, SOCK_SEQPACKET sockets

I've tested the patch on my Linux box running kernel 3.2.6 and rich of
userspace apps and everything seems to work fine.

Then I used the following test program to verify the patch effects:

// ---------------------------------------------------

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/un.h>
#include <stdio.h>
#include <errno.h>

int main()
   int sv[2];
   if(socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) != 0)
      printf("socketpair() error %d\n", errno);
      return 1;

   // write two messages of size 3 and 2
   const char msg[] = "abc";
   send(sv[1], msg, 2, 0);
   send(sv[1], msg, 3, 0);

   int sz = 0;
   if(ioctl(sv[0], FIONREAD, &sz) != 0)
      printf("ioctl() error %d\n", errno);
      return 1;

   printf("ioctl(SIOCINQ) returned %d\n", sz);

   char dummy;
   sz = recv(sv[0], &dummy, 0, MSG_PEEK | MSG_TRUNC);
   printf("recv(MSG_TRUNC) returned %d\n", sz);

   return 0;

// ----------------------------------------------------------

the output of this program with the patched kernel is, as expected:
ioctl(SIOCINQ) returned 5
recv(MSG_TRUNC) returned 2

which validates the test.

Furthermore, I found this in the man page of recv:

MSG_TRUNC (since Linux 2.2)
              For raw (AF_PACKET), Internet datagram (since Linux
2.4.27/2.6.8), and netlink (since Linux 2.6.22) sockets: return
              the  real  length  of  the packet or datagram, even when
it was longer than the passed buffer.  Not implemented for
              UNIX domain (unix(7)) sockets.

The "not implemented for unix domain sockets" sounds to me such as no
userland applications should have used this flag, but I wonder why it
was not implemented since kernel 2.2 (?)

Thank you again,


Il 15 febbraio 2012 20:55, David Miller <> ha scritto:
> From: Eric Dumazet <>
> Date: Wed, 15 Feb 2012 13:42:07 +0100
>> @@ -1824,7 +1824,7 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock,
>>               if (UNIXCB(skb).fp)
>>                       siocb->scm->fp = scm_fp_dup(UNIXCB(skb).fp);
>>       }
>> -     err = size;
>> +     err = (flags & MSG_TRUNC) ? skb->len : size;
>>       scm_recv(sock, msg, siocb->scm, flags);
> I'm ok with this, but if it is found to break even one userland application
> I'm reverting with impunity.
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists