commit d67f20debc80ad98c76b0edb8fc44002ca9ea0cd

Author: Mark Wielaard <mjw@redhat.com>

Date:   Tue May 13 15:07:52 2014 +0200

    Use safe_to_deref in coregrind syswrap-generic.c (msghdr_foreachfield).

    Call ML_(safe_to_deref) before using msghdr msg_name, msg_iov or msg_control.

    Fixes bug #334705.

diff --git a/coregrind/m_syswrap/syswrap-generic.c b/coregrind/m_syswrap/syswrap-generic.c

index cdf64ea..f1207f4 100644

--- a/coregrind/m_syswrap/syswrap-generic.c

+++ b/coregrind/m_syswrap/syswrap-generic.c

@@ -951,13 +951,15 @@ void msghdr_foreachfield (

    if ( recv )

       foreach_func ( tid, False, fieldName, (Addr)&msg->msg_flags, sizeof( msg->msg_flags ) );

-   if ( msg->msg_name ) {

+   if ( ML_(safe_to_deref)(&msg->msg_name, sizeof (void *))

+        && msg->msg_name ) {

       VG_(sprintf) ( fieldName, "(%s.msg_name)", name );

       foreach_func ( tid, False, fieldName, 

                      (Addr)msg->msg_name, msg->msg_namelen );

    }

-   if ( msg->msg_iov ) {

+   if ( ML_(safe_to_deref)(&msg->msg_iov, sizeof (void *))

+        && msg->msg_iov ) {

       struct vki_iovec *iov = msg->msg_iov;

       UInt i;

@@ -975,7 +977,8 @@ void msghdr_foreachfield (

       }

    }

-   if ( msg->msg_control ) 

+   if ( ML_(safe_to_deref) (&msg->msg_control, sizeof (void *))

+        && msg->msg_control )

    {

       VG_(sprintf) ( fieldName, "(%s.msg_control)", name );

       foreach_func ( tid, False, fieldName,