fix undefined pointer arithmetic in CMSG_NXTHDR macro

previously, the only way the stopping condition could be met with correct lengths in the headers invoked undefined behavior, adding sizeof(struct cmsghdr) beyond the end of the cmsg buffer. instead, compute and compare sizes rather than pointers.

fix undefined pointer arithmetic in CMSG_NXTHDR macro
previously, the only way the stopping condition could be met with correct lengths in the headers invoked undefined behavior, adding sizeof(struct cmsghdr) beyond the end of the cmsg buffer. instead, compute and compare sizes rather than pointers.
81fb75a1 · Rich Felker · 51eeb6eb · 81fb75a1
隐藏空白更改
内联并排

Showing with 3 addition and 3 deletion

include/sys/socket.h include/sys/socket.h +3 -3

未找到文件。
--- a/include/sys/socket.h
+++ b/include/sys/socket.h
@@ -266,9 +266,9 @@ struct linger
 #define __MHDR_END(mhdr) ((unsigned char *)(mhdr)->msg_control + (mhdr)->msg_controllen)
 #define CMSG_DATA(cmsg) ((unsigned char *) (((struct cmsghdr *)(cmsg)) + 1))
-#define CMSG_NXTHDR(mhdr, cmsg) ((cmsg)->cmsg_len < sizeof (struct cmsghdr) ? (struct cmsghdr *)0 : \
+#define CMSG_NXTHDR(mhdr, cmsg) ((cmsg)->cmsg_len < sizeof (struct cmsghdr) || \
-        (__CMSG_NEXT(cmsg) + sizeof (struct cmsghdr) >= __MHDR_END(mhdr) ? (struct cmsghdr *)0 : \
+	__CMSG_LEN(cmsg) + sizeof(struct cmsghdr) >= __MHDR_END(mhdr) - (unsigned char *)(cmsg) \
-        ((struct cmsghdr *)__CMSG_NEXT(cmsg))))
+	? 0 : (struct cmsghdr *)__CMSG_NEXT(cmsg))
 #define CMSG_FIRSTHDR(mhdr) ((size_t) (mhdr)->msg_controllen >= sizeof (struct cmsghdr) ? (struct cmsghdr *) (mhdr)->msg_control : (struct cmsghdr *) 0)
 #define CMSG_ALIGN(len) (((len) + sizeof (size_t) - 1) & (size_t) ~(sizeof (size_t) - 1))