truss: Make control message header parsing more robust

print_cmsg() was assuming that the control message chain is well-formed, but that isn't necessarily the case for sendmsg(2). In particular, if cmsg_len is zero, print_cmsg() will loop forever. Check for truncated headers and try to recover if possible. Reviewed by: tuexen MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35476
2022-06-14 11:34:57 -04:00 · 2022-06-14 11:34:57 -04:00 · 4b0c6fa0dc
parent a14465e1b9
commit 4b0c6fa0dc
1 changed files with 10 additions and 0 deletions
--- a/usr.bin/truss/syscalls.c
+++ b/usr.bin/truss/syscalls.c
@ -1480,6 +1480,16 @@ print_cmsgs(FILE *fp, pid_t pid, bool receive, struct msghdr *msghdr)
 	for (cmsghdr = CMSG_FIRSTHDR(msghdr);
 	   cmsghdr != NULL;
 	   cmsghdr = CMSG_NXTHDR(msghdr, cmsghdr)) {
+		if (cmsghdr->cmsg_len < sizeof(*cmsghdr)) {
+			fprintf(fp, "{<invalid cmsg, len=%u>}",
+			    cmsghdr->cmsg_len);
+			if (cmsghdr->cmsg_len == 0) {
+				/* Avoid looping forever. */
+				break;
+			}
+			continue;
+		}
+
 		level = cmsghdr->cmsg_level;
 		type = cmsghdr->cmsg_type;
 		len = cmsghdr->cmsg_len;