Message-ID: <CACwv9n3txsA+pRT7o+Rw9yyPvsQrmv4TapTkwb6j4CSkpVn=8w@mail.gmail.com>
Date: Sat, 27 Dec 2025 18:21:20 +0100
From: Gabriel Hansson <gabrielhansson00@...il.com>
To: musl@...ts.openwall.com
Subject: [PATCH] fix CMSG_NXTHDR result when cmsghdr ends exactly before __MHDR_END

Boundary check should not evaluate to null when `cmsg_addr + cmsg_len +
sizeof(cmsghdr) == mhdr_addr + mhdr.msg_controllen` since the bytes in use are
always len - 1.
---
 include/sys/socket.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/sys/socket.h b/include/sys/socket.h
index 6dc1e40a..170c7fe9 100644
--- a/include/sys/socket.h
+++ b/include/sys/socket.h
@@ -355,7 +355,7 @@ struct linger {

 #define CMSG_DATA(cmsg) ((unsigned char *) (((struct cmsghdr *)(cmsg)) + 1))
 #define CMSG_NXTHDR(mhdr, cmsg) ((cmsg)->cmsg_len < sizeof (struct
cmsghdr) || \
-    __CMSG_LEN(cmsg) + sizeof(struct cmsghdr) >= __MHDR_END(mhdr) -
(unsigned char *)(cmsg) \
+    __CMSG_LEN(cmsg) + sizeof(struct cmsghdr) > __MHDR_END(mhdr) -
(unsigned char *)(cmsg) \
     ? 0 : (struct cmsghdr *)__CMSG_NEXT(cmsg))
 #define CMSG_FIRSTHDR(mhdr) ((size_t) (mhdr)->msg_controllen >=
sizeof (struct cmsghdr) ? (struct cmsghdr *) (mhdr)->msg_control :
(struct cmsghdr *) 0)
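
Review bot: On the changed `+` line, the equality case now returns a header with exactly sizeof(struct cmsghdr) bytes left before __MHDR_END(mhdr), so the header is in bounds but has room for no payload, and the commit message's "bytes in use are always len - 1" does not make that clear. Suggest rewording the message to state that a trailing cmsghdr ending exactly at msg_control + msg_controllen is valid and was skipped by `>=`, and that callers still have to check cmsg_len of the returned header before reading CMSG_DATA. This reading assumes __CMSG_NEXT(cmsg) is cmsg advanced by __CMSG_LEN(cmsg), which this hunk does not show. Separately, the macro lines have been wrapped by the mail client (for example "sizeof (struct" followed by "cmsghdr) || \" on the next line), so the patch will not apply as sent; resend it with line wrapping disabled or as an attachment.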

-- 
2.52.0
