git: 3d81c26f92e1 - stable/13 - truss: Make control message header parsing more robust
Date: Wed, 29 Jun 2022 14:40:53 UTC
The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=3d81c26f92e14db25dcc6046af1493c0d5a75443 commit 3d81c26f92e14db25dcc6046af1493c0d5a75443 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2022-06-14 15:34:57 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2022-06-29 14:12:33 +0000 truss: Make control message header parsing more robust print_cmsg() was assuming that the control message chain is well-formed, but that isn't necessarily the case for sendmsg(2). In particular, if cmsg_len is zero, print_cmsg() will loop forever. Check for truncated headers and try to recover if possible. Reviewed by: tuexen Sponsored by: The FreeBSD Foundation (cherry picked from commit 4b0c6fa0dceac797f43dffd5642c1aed727c6ea6) --- usr.bin/truss/syscalls.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/usr.bin/truss/syscalls.c b/usr.bin/truss/syscalls.c index 06e984de3fe8..cf863d2bfaaa 100644 --- a/usr.bin/truss/syscalls.c +++ b/usr.bin/truss/syscalls.c @@ -1663,6 +1663,16 @@ print_cmsgs(FILE *fp, pid_t pid, bool receive, struct msghdr *msghdr) for (cmsghdr = CMSG_FIRSTHDR(msghdr); cmsghdr != NULL; cmsghdr = CMSG_NXTHDR(msghdr, cmsghdr)) { + if (cmsghdr->cmsg_len < sizeof(*cmsghdr)) { + fprintf(fp, "{<invalid cmsg, len=%u>}", + cmsghdr->cmsg_len); + if (cmsghdr->cmsg_len == 0) { + /* Avoid looping forever. */ + break; + } + continue; + } + level = cmsghdr->cmsg_level; type = cmsghdr->cmsg_type; len = cmsghdr->cmsg_len;
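Review bot: the `continue` branch (cmsg_len nonzero but smaller than sizeof(*cmsghdr)) relies on CMSG_NXTHDR() to bound the walk to msg_controllen, since the same untrusted cmsg_len is the only value the macro uses to locate the next header; it would help to say so in the comment next to `/* Avoid looping forever. */`, or to `break` on any truncated header rather than only on zero, because a short but nonzero length gives no reliable position for the following headers and the remaining output after "{<invalid cmsg, len=%u>}" may describe bytes that were never a control message.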