fix a braino in cmsghdr_from_user_compat_to_kern()

commit 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to
copy_from_user()") missed one of the places where ucmlen should've been
replaced with cmsg.cmsg_len, now that we are fetching the entire struct
rather than doing it field-by-field.

	As the result, compat sendmsg() with several different-sized cmsg
attached started to fail with EINVAL.  Trivial to fix, fortunately.

Fixes: 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to copy_from_user()")
Reported-by: Nick Bowler <nbowler@draconx.ca>
Tested-by: Nick Bowler <nbowler@draconx.ca>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/compat.c b/net/compat.c
index 5e3041a..434838b 100644 (file)
--- a/net/compat.c
+++ b/net/compat.c
@@ -202,7 +202,7 @@ int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk,
 
                /* Advance. */
                kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
-               ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
+               ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, cmsg.cmsg_len);
        }
 
        /*