mirror of
https://sourceware.org/git/glibc.git
synced 2024-11-30 00:31:08 +00:00
9c443ac455
The inline and library functions that the CMSG_NXTHDR macro may expand to increment the pointer to the header before checking the stride of the increment against available space. Since C only allows incrementing pointers to one past the end of an array, the increment must be done after a length check. This commit fixes that and includes a regression test for CMSG_FIRSTHDR and CMSG_NXTHDR. The Linux, Hurd, and generic headers are all changed. Tested on Linux on armv7hl, i686, x86_64, aarch64, ppc64le, and s390x. [BZ #28846] Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
61 lines
2.3 KiB
C
61 lines
2.3 KiB
C
/* Return point to next ancillary data entry in message header.
|
|
Copyright (C) 1997-2022 Free Software Foundation, Inc.
|
|
This file is part of the GNU C Library.
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU Lesser General Public
|
|
License as published by the Free Software Foundation; either
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
License along with the GNU C Library; if not, see
|
|
<https://www.gnu.org/licenses/>. */
|
|
|
|
#include <stddef.h>
|
|
#include <sys/socket.h>
|
|
|
|
|
|
struct cmsghdr *
|
|
__cmsg_nxthdr (struct msghdr *mhdr, struct cmsghdr *cmsg)
|
|
{
|
|
/* We may safely assume that cmsg lies between mhdr->msg_control and
|
|
mhdr->msg_controllen because the user is required to obtain the first
|
|
cmsg via CMSG_FIRSTHDR, set its length, then obtain subsequent cmsgs
|
|
via CMSG_NXTHDR, setting lengths along the way. However, we don't yet
|
|
trust the value of cmsg->cmsg_len and therefore do not use it in any
|
|
pointer arithmetic until we check its value. */
|
|
|
|
unsigned char * msg_control_ptr = (unsigned char *) mhdr->msg_control;
|
|
unsigned char * cmsg_ptr = (unsigned char *) cmsg;
|
|
|
|
size_t size_needed = sizeof (struct cmsghdr)
|
|
+ __CMSG_PADDING (cmsg->cmsg_len);
|
|
|
|
/* The current header is malformed, too small to be a full header. */
|
|
if ((size_t) cmsg->cmsg_len < sizeof (struct cmsghdr))
|
|
return (struct cmsghdr *) 0;
|
|
|
|
/* There isn't enough space between cmsg and the end of the buffer to
|
|
hold the current cmsg *and* the next one. */
|
|
if (((size_t)
|
|
(msg_control_ptr + mhdr->msg_controllen - cmsg_ptr)
|
|
< size_needed)
|
|
|| ((size_t)
|
|
(msg_control_ptr + mhdr->msg_controllen - cmsg_ptr
|
|
- size_needed)
|
|
< cmsg->cmsg_len))
|
|
|
|
return (struct cmsghdr *) 0;
|
|
|
|
/* Now, we trust cmsg_len and can use it to find the next header. */
|
|
cmsg = (struct cmsghdr *) ((unsigned char *) cmsg
|
|
+ CMSG_ALIGN (cmsg->cmsg_len));
|
|
return cmsg;
|
|
}
|
|
libc_hidden_def (__cmsg_nxthdr)
|