d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

freebsd32: fix padding of computed control message length for recvmsg()

Browse Source 
Each control message region must be aligned on a 4-byte boundary on 32-bit
architectures. The 32-bit compat shim for recvmsg() gets the actual layout
right, but doesn't pad the payload length when computing msg_controllen for
the output message header. If a control message contains an unaligned
payload, such as the 1-byte TTL field in the example attached to PR 236737,
this can produce control message payload boundaries that extend beyond
the boundary reported by msg_controllen.

PR:	236737
Reported by:	Yuval Pavel Zholkover <paulzhol@gmail.com>
Reviewed by:	markj
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D19768
This commit is contained in:
Jason A. Harmening 2019-03-30 23:43:58 +00:00
parent ca1163bd5f
commit f0645b3a06
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/compat/freebsd32/freebsd32_misc.c
View File

@ -1160,8 +1160,8 @@ freebsd32_copy_msg_out(struct msghdr *msg, struct mbuf *control)
cm = NULL;
}
msg->msg_controllen += FREEBSD32_ALIGN(sizeof(*cm)) +
datalen_out;
msg->msg_controllen +=
FREEBSD32_CMSG_SPACE(datalen_out);
}
}
if (len == 0 && m != NULL) {