git: 3d81c26f92e1 - stable/13 - truss: Make control message header parsing more robust

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Wed, 29 Jun 2022 14:40:53 UTC
The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=3d81c26f92e14db25dcc6046af1493c0d5a75443

commit 3d81c26f92e14db25dcc6046af1493c0d5a75443
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-06-14 15:34:57 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-06-29 14:12:33 +0000

    truss: Make control message header parsing more robust
    
    print_cmsg() was assuming that the control message chain is well-formed,
    but that isn't necessarily the case for sendmsg(2).  In particular, if
    cmsg_len is zero, print_cmsg() will loop forever.  Check for truncated
    headers and try to recover if possible.
    
    Reviewed by:    tuexen
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 4b0c6fa0dceac797f43dffd5642c1aed727c6ea6)
---
 usr.bin/truss/syscalls.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
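The following is an added example, not code from truss or the FreeBSD commit above, showing the same defensive idea applied to a raw control buffer: walk the cmsghdr chain with every step bounded by the buffer length and treat any header whose cmsg_len cannot be trusted as the end of the chain rather than feeding it to the next-header computation. Assumptions: headers are padded to sizeof(size_t) (the CM_ALIGN macro here, matching glibc's CMSG_ALIGN and FreeBSD's _ALIGN on common targets), and the sample buffers are constructed in build_sample()/set_cmsg_len() rather than captured from a real process.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Assumption: cmsg padding to sizeof(size_t), as glibc and FreeBSD do. */
#define CM_ALIGN(n) (((size_t)(n) + sizeof(size_t) - 1) & ~(sizeof(size_t) - 1))

struct cmsg_stats {
	unsigned valid;		/* headers whose cmsg_len is plausible */
	unsigned truncated;	/* cmsg_len < sizeof(struct cmsghdr) */
	unsigned overflow;	/* cmsg_len runs past the end of the buffer */
	bool stopped_early;	/* walk aborted at a malformed header */
};

/*
 * Walk a raw control buffer (e.g. bytes copied out of a traced process)
 * without trusting cmsg_len.  Every step is bounded by the caller's length,
 * and a header that cannot be parsed ends the walk instead of being used
 * to compute the next offset, so a zero cmsg_len cannot cause a loop.
 */
struct cmsg_stats
walk_cmsgs(const unsigned char *buf, size_t len)
{
	struct cmsg_stats st = { 0, 0, 0, false };
	struct cmsghdr hdr;
	size_t off = 0;

	while (off + sizeof(hdr) <= len) {
		/* memcpy: the buffer need not be aligned for struct cmsghdr. */
		memcpy(&hdr, buf + off, sizeof(hdr));
		if (hdr.cmsg_len < sizeof(hdr)) {
			st.truncated++;
			st.stopped_early = true;
			break;
		}
		if (hdr.cmsg_len > len - off) {
			st.overflow++;
			st.stopped_early = true;
			break;
		}
		st.valid++;
		off += CM_ALIGN(hdr.cmsg_len);
	}
	return (st);
}

/* Write one header at buf+off via memcpy; returns the padded size used. */
static size_t
put_cmsg(unsigned char *buf, size_t off, int level, int type, size_t datalen)
{
	struct cmsghdr hdr;

	memset(&hdr, 0, sizeof(hdr));
	hdr.cmsg_level = level;
	hdr.cmsg_type = type;
	hdr.cmsg_len = CMSG_LEN(datalen);
	memcpy(buf + off, &hdr, sizeof(hdr));
	return (CMSG_SPACE(datalen));
}

/* Constructed sample: two SCM_RIGHTS messages carrying 1 and 2 descriptors.
 * Payload bytes stay zeroed; only the headers matter to the walker. */
size_t
build_sample(unsigned char *buf, size_t cap)
{
	size_t need = CMSG_SPACE(sizeof(int)) + CMSG_SPACE(2 * sizeof(int));
	size_t off = 0;

	if (cap < need)
		return (0);
	memset(buf, 0, need);
	off += put_cmsg(buf, off, SOL_SOCKET, SCM_RIGHTS, sizeof(int));
	off += put_cmsg(buf, off, SOL_SOCKET, SCM_RIGHTS, 2 * sizeof(int));
	return (off);
}

/* Overwrite cmsg_len of the header at buf+off, as a malformed sendmsg(2)
 * control buffer would present it to a tracer. */
void
set_cmsg_len(unsigned char *buf, size_t off, size_t newlen)
{
	struct cmsghdr hdr;

	memcpy(&hdr, buf + off, sizeof(hdr));
	hdr.cmsg_len = newlen;
	memcpy(buf + off, &hdr, sizeof(hdr));
}

/* Runs three scenarios; returns the number of failed expectations. */
int
demo_all(void)
{
	unsigned char buf[128];
	struct cmsg_stats st;
	size_t n;
	int failures = 0;

	n = build_sample(buf, sizeof(buf));
	st = walk_cmsgs(buf, n);
	failures += !(st.valid == 2 && !st.stopped_early);

	set_cmsg_len(buf, 0, 0);	/* zero-length first header */
	st = walk_cmsgs(buf, n);
	failures += !(st.valid == 0 && st.truncated == 1 && st.stopped_early);

	n = build_sample(buf, sizeof(buf));
	set_cmsg_len(buf, CMSG_SPACE(sizeof(int)), 4096);	/* second overruns */
	st = walk_cmsgs(buf, n);
	failures += !(st.valid == 1 && st.overflow == 1 && st.stopped_early);
	return (failures);
}

int
main(void)
{
	int failures = demo_all();

	printf("%d scenario(s) failed\n", failures);
	return (failures != 0);
}
```

The walker deliberately stops at the first bad header rather than skipping it: once cmsg_len is known to be wrong, nothing derived from it (including the position of the next header) is trustworthy, and reporting the truncation and the offset is more useful to an operator than a best-effort resync.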

diff --git a/usr.bin/truss/syscalls.c b/usr.bin/truss/syscalls.c
index 06e984de3fe8..cf863d2bfaaa 100644
--- a/usr.bin/truss/syscalls.c
+++ b/usr.bin/truss/syscalls.c
@@ -1663,6 +1663,16 @@ print_cmsgs(FILE *fp, pid_t pid, bool receive, struct msghdr *msghdr)
 	for (cmsghdr = CMSG_FIRSTHDR(msghdr);
 	   cmsghdr != NULL;
 	   cmsghdr = CMSG_NXTHDR(msghdr, cmsghdr)) {
+		if (cmsghdr->cmsg_len < sizeof(*cmsghdr)) {
+			fprintf(fp, "{<invalid cmsg, len=%u>}",
+			    cmsghdr->cmsg_len);
+			if (cmsghdr->cmsg_len == 0) {
+				/* Avoid looping forever. */
+				break;
+			}
+			continue;
+		}
+
 		level = cmsghdr->cmsg_level;
 		type = cmsghdr->cmsg_type;
 		len = cmsghdr->cmsg_len;
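Review bot: the `continue` for a truncated but non-zero cmsg_len hands the same rejected header back to CMSG_NXTHDR, which derives the next header position from that cmsg_len, so the following iteration parses bytes that overlap the header just reported as invalid and may report a second spurious entry; consider `break`ing on any `cmsghdr->cmsg_len < sizeof(*cmsghdr)` rather than only on zero, or have the comment state that recovery relies on CMSG_NXTHDR's msg_controllen bound to terminate the loop.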