commit d67f20debc80ad98c76b0edb8fc44002ca9ea0cd Author: Mark Wielaard Date: Tue May 13 15:07:52 2014 +0200 Use safe_to_deref in coregrind syswrap-generic.c (msghdr_foreachfield). Call ML_(safe_to_deref) before using msghdr msg_name, msg_iov or msg_control. Fixes bug #334705.
diff --git a/coregrind/m_syswrap/syswrap-generic.c b/coregrind/m_syswrap/syswrap-generic.c
index cdf64ea..f1207f4 100644
--- a/coregrind/m_syswrap/syswrap-generic.c
+++ b/coregrind/m_syswrap/syswrap-generic.c
@@ -951,13 +951,15 @@ void msghdr_foreachfield (
 if ( recv )
 foreach_func ( tid, False, fieldName,
 (Addr)&msg->msg_flags, sizeof( msg->msg_flags ) );
- if ( msg->msg_name ) {
+ if ( ML_(safe_to_deref)(&msg->msg_name, sizeof (void *))
+ && msg->msg_name ) {
 VG_(sprintf) ( fieldName, "(%s.msg_name)", name );
 foreach_func ( tid, False, fieldName,
 (Addr)msg->msg_name, msg->msg_namelen );
 }
- if ( msg->msg_iov ) {
+ if ( ML_(safe_to_deref)(&msg->msg_iov, sizeof (void *))
+ && msg->msg_iov ) {
 struct vki_iovec *iov = msg->msg_iov;
 UInt i;
@@ -975,7 +977,8 @@ void msghdr_foreachfield (
 }
 }
- if ( msg->msg_control )
+ if ( ML_(safe_to_deref) (&msg->msg_control, sizeof (void *))
+ && msg->msg_control )
 {
 VG_(sprintf) ( fieldName, "(%s.msg_control)", name );
 foreach_func ( tid, False, fieldName,
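Review bot: The new guard in the msg_name branch, `ML_(safe_to_deref)(&msg->msg_name, sizeof (void *))`, validates only the pointer field itself, yet the `foreach_func` call two lines later also reads `msg->msg_namelen`, a separate field that the check does not cover; the same pattern applies to the msg_iov branch (whose loop continues past this hunk and presumably reads `msg->msg_iovlen`) and to the msg_control branch in the second hunk. If the msghdr straddles an unmapped page boundary, the pointer check passes while the length read can still fault, which is the class of crash the commit sets out to fix. Guarding the whole struct once, e.g. `ML_(safe_to_deref)(msg, sizeof *msg)` as the condition of each branch (or a single early check before all three), would cover the length fields as well. As a style point, the second hunk writes `ML_(safe_to_deref) (&msg->msg_control, …)` with a space before the parenthesis while the two calls here have none. msghdr_foreachfield's body begins before this hunk and ends after the second.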