git: 820bafd0bc14 - main - unix/dgram: don't panic if socket buffer has negative space
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 19 Aug 2022 19:15:53 UTC
The branch main has been updated by glebius:
URL: https://cgit.FreeBSD.org/src/commit/?id=820bafd0bc14a1448d7e5314e6c9f026518a66de
commit 820bafd0bc14a1448d7e5314e6c9f026518a66de
Author: Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2022-08-19 19:13:34 +0000
Commit: Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2022-08-19 19:15:38 +0000
unix/dgram: don't panic if socket buffer has negative space
That's a legitimate scenario, although unlikely.
Reported by: https://syzkaller.appspot.com/bug?extid=6e8be1ec8d77578a3df4
---
sys/kern/uipc_usrreq.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 1f2d8a6647b9..2b78c3e51907 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1096,8 +1096,13 @@ uipc_dgram_sbspace(struct sockbuf *sb, u_int cc, u_int mbcnt)
{
u_int bleft, mleft;
- MPASS(sb->sb_hiwat >= sb->uxdg_cc);
- MPASS(sb->sb_mbmax >= sb->uxdg_mbcnt);
+ /*
+ * Negative space may happen if send(2) is followed by
+ * setsockopt(SO_SNDBUF/SO_RCVBUF) that shrinks maximum.
+ */
+ if (__predict_false(sb->sb_hiwat < sb->uxdg_cc ||
+ sb->sb_mbmax < sb->uxdg_mbcnt))
+ return (false);
if (__predict_false(sb->sb_state & SBS_CANTRCVMORE))
return (false);