git: 820bafd0bc14 - main - unix/dgram: don't panic if socket buffer has negative space
Date: Fri, 19 Aug 2022 19:15:53 UTC
The branch main has been updated by glebius:
URL: https://cgit.FreeBSD.org/src/commit/?id=820bafd0bc14a1448d7e5314e6c9f026518a66de
commit 820bafd0bc14a1448d7e5314e6c9f026518a66de
Author: Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2022-08-19 19:13:34 +0000
Commit: Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2022-08-19 19:15:38 +0000
unix/dgram: don't panic if socket buffer has negative space
That's a legitimate scenario, although unlikely.
Reported by: https://syzkaller.appspot.com/bug?extid=6e8be1ec8d77578a3df4
---
 sys/kern/uipc_usrreq.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 1f2d8a6647b9..2b78c3e51907 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1096,8 +1096,13 @@ uipc_dgram_sbspace(struct sockbuf *sb, u_int cc, u_int mbcnt)
 {
 u_int bleft, mleft;
 
- MPASS(sb->sb_hiwat >= sb->uxdg_cc);
- MPASS(sb->sb_mbmax >= sb->uxdg_mbcnt);
+ /*
+ * Negative space may happen if send(2) is followed by
+ * setsockopt(SO_SNDBUF/SO_RCVBUF) that shrinks maximum.
+ */
+ if (__predict_false(sb->sb_hiwat < sb->uxdg_cc ||
+ sb->sb_mbmax < sb->uxdg_mbcnt))
+ return (false);
 
 if (__predict_false(sb->sb_state & SBS_CANTRCVMORE))
 return (false);
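Review bot: The new comment in uipc_dgram_sbspace() says how the over-limit state arises but not why the early return is needed. `bleft` and `mleft` are declared `u_int`, so the subtraction that presumably follows outside this hunk would wrap to a very large value rather than go negative, and the function would then report ample room for a socket buffer that is already over its shrunken limit. I would extend the comment with something like `Treat this as a full buffer: the unsigned subtraction below would otherwise wrap and bypass the limit.` This path and the SBS_CANTRCVMORE check both end in `return (false)`, so the caller cannot tell them apart; a line in the function's header comment stating that false covers both cases would help. The function body continues past the end of the hunk, so how `bleft`/`mleft` are actually computed should be confirmed there.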