unix/dgram: don't panic if socket buffer has negative space

That's a legitimate scenario, although unlikely. Reported by: https://syzkaller.appspot.com/bug?extid=6e8be1ec8d77578a3df4
2022-08-19 12:13:34 -07:00 · 2022-08-19 12:13:34 -07:00 · 820bafd0bc
commit 820bafd0bc
parent 97be6fced7
1 changed files with 7 additions and 2 deletions
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@ -1096,8 +1096,13 @@ uipc_dgram_sbspace(struct sockbuf *sb, u_int cc, u_int mbcnt)
 {
 	u_int bleft, mleft;

-	MPASS(sb->sb_hiwat >= sb->uxdg_cc);
-	MPASS(sb->sb_mbmax >= sb->uxdg_mbcnt);
+	/*
+	 * Negative space may happen if send(2) is followed by
+	 * setsockopt(SO_SNDBUF/SO_RCVBUF) that shrinks maximum.
+	 */
+	if (__predict_false(sb->sb_hiwat < sb->uxdg_cc ||
+	    sb->sb_mbmax < sb->uxdg_mbcnt))
+		return (false);

 	if (__predict_false(sb->sb_state & SBS_CANTRCVMORE))
 		return (false);