From a7044c60a5c87dede146b8ef40b3c2b33bb8b218 Mon Sep 17 00:00:00 2001 From: Mark Johnston Date: Tue, 18 Aug 2020 14:17:14 +0000 Subject: [PATCH] Fix handling of ancillary data on non-AF_UNIX Linux sockets. After r340674, the "continue" would restart the loop without having updated clen, resulting in an infinite loop. Restore the old behaviour of simply ignoring all control messages on such sockets, since we currently only implement handling for AF_UNIX-specific messages. Reported by: syzkaller Reviewed by: tijl MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D26093 --- sys/compat/linux/linux_socket.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/compat/linux/linux_socket.c b/sys/compat/linux/linux_socket.c index 9cd2eb3b120..6e8169115ab 100644 --- a/sys/compat/linux/linux_socket.c +++ b/sys/compat/linux/linux_socket.c @@ -1067,7 +1067,7 @@ linux_sendmsg_common(struct thread *td, l_int s, struct l_msghdr *msghdr, * FreeBSD system call interface. */ if (sa_family != AF_UNIX) - continue; + goto next; if (cmsg->cmsg_type == SCM_CREDS) { len = sizeof(struct cmsgcred); @@ -1094,6 +1094,7 @@ linux_sendmsg_common(struct thread *td, l_int s, struct l_msghdr *msghdr, data = (char *)data + CMSG_SPACE(len); datalen += CMSG_SPACE(len); +next: if (clen <= LINUX_CMSG_ALIGN(linux_cmsg.cmsg_len)) break;
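Review bot: In the first hunk (the `sa_family != AF_UNIX` test in linux_sendmsg_common), the `goto next` deserves a one-line comment saying that it deliberately skips the copy into `data` and the `datalen` update, so the control message is dropped while the loop still advances to the next one; without that, a reader sees only the trailing comment fragment `* FreeBSD system call interface.` and has to trace the label to understand why the old `continue` looped forever (the commit message explains it, the code does not).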
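Review bot: In the second hunk, the bare label `next:` placed directly before `if (clen <= LINUX_CMSG_ALIGN(linux_cmsg.cmsg_len)) break;` is the whole fix, so it should say what is expected to follow it: the length check that terminates the loop and, by the commit message, the `clen` update that the old `continue` skipped. That update is outside the visible context, so the hunk alone cannot show that the infinite loop is gone; a comment such as `/* Advance to the next control message, consumed or not. */` above the label, and a mention in the review that the `clen` adjustment sits after the `break`, would make the fix verifiable from the diff.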