[PATCH] Fix 32bit sendmsg() flaw
[linux-2.6] / net / socket.c
index e1bd5d84d7bf11acce8a2c6b73d0f5ac41809d05..c699e93c33d72141332fdfa0c16afa87ed4a971e 100644 (file)
@@ -1745,10 +1745,11 @@ asmlinkage long sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
                goto out_freeiov;
        ctl_len = msg_sys.msg_controllen; 
        if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
-               err = cmsghdr_from_user_compat_to_kern(&msg_sys, ctl, sizeof(ctl));
+               err = cmsghdr_from_user_compat_to_kern(&msg_sys, sock->sk, ctl, sizeof(ctl));
                if (err)
                        goto out_freeiov;
                ctl_buf = msg_sys.msg_control;
+               ctl_len = msg_sys.msg_controllen;
        } else if (ctl_len) {
                if (ctl_len > sizeof(ctl))
                {
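Review bot: The added `ctl_len = msg_sys.msg_controllen;` carries a size invariant that nothing in the code states, so a later cleanup could drop it as a redundant reload. Judging by the new `sock->sk` argument, the helper may now replace `msg_sys.msg_control` with a socket-accounted allocation when the converted control data does not fit the on-stack `ctl`. If so, `ctl_len` has to be the converted length for whatever later releases `ctl_buf`; that release path is outside the hunk, so confirm it uses `ctl_len`. I would add above the assignment: `/* conversion can grow the control data and move it off ctl[]; keep ctl_len equal to the buffer now in msg_control */`. The body of sys_sendmsg starts before this hunk and continues past it.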