Skip to content



recvfrom - receive a message from a network socket


The recvfrom() system call reads a message from a socket, and stores it in a buffer. The flags argument can be used to alter the behavior of the call. If src_addr is not NULL, then the source address of the message is filled in. For connection-oriented sockets (e.g., type SOCK_STREAM), this is attempted only on the first message on the socket. If addrlen is not NULL, then it is filled in with the size of the address actually returned.

The recvfrom() call is usually used with connectionless sockets (type SOCK_DGRAM). With a connectionless socket, the source address of the message is returned in src_addr and addrlen holds the size of the address. If src_addr is NULL, nothing is filled in; in this case, addrlen is not used, and should also be NULL.


  • sockfd:int[K] - File descriptor referring to a socket.
  • buf:void*[KU] - Pointer to the buffer in which the message should be stored.
  • len:size_t[KU] - Length of the buffer.
  • flags:int[K] - Flags for the call.
  • src_addr:struct sockaddr*[KU] - Pointer to a buffer which will contain the source address of the message. Can be NULL.
  • addrlen:int*[KU] - Pointer to a buffer which will contain the length of the source address. Can be NULL.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)




Kprobes and Uprobe


To observe the use of recvfrom syscall, the entry point of the syscall can be intercepted with a kprobe. This allows the function to be handled in a safe environment and the arguments to be intercepted and passed to the tracer.





This kprobe is used to handle the buffer passed to the syscall to ensure that it can be read by the kernel safely.

Example Use Case

An example of a use case for recvfrom is for a server logging program, which needs to read the data contained in incoming messages. The program can use recvfrom to receive the messages from the appropriate socket, and it can then process the data contained in the message.


The recvfrom() system call is vulnerable to Time-of-Check-Time-of-Use (TOCTOU) attacks. This means that an attacker could modify the data between the time it is checked and the time it is used. To mitigate this, checks should be performed on the data at both the time of check and time of use.

  • sendto
  • getsockname
  • recv

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.