#!/bin/sh

#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2021 Mark Johnston <markj@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
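#
# Leaking fp references when truncating SCM_RIGHTS control messages
# Fixed in r343784
#
# The receiver's control buffer only has room for an empty cmsghdr, so every
# recvmsg() truncates the SCM_RIGHTS payload and reports MSG_CTRUNC.  The
# kernel still has to drop the file references it took on the send side;
# that is the leak fixed in r343784.  The program loops until the 2 minute
# timeout expires; any earlier exit is an error and is reported as such.

. ../default.cfg

cd /tmp
cat > overflow3.c <<EOF
#include <sys/types.h>
#include <sys/socket.h>

#include <err.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Number of descriptors carried in each SCM_RIGHTS message. */
#define	NFDS	253

int
main(void)
{
	struct iovec iov;
	struct msghdr hdr, rhdr;
	struct cmsghdr *chdr;
	int *fds, i, sv[2];
	char ch;

	if (socketpair(PF_LOCAL, SOCK_STREAM, 0, sv) != 0)
		err(1, "socketpair");

	/* One byte of payload; the interesting part is the control message. */
	ch = 'a';
	iov.iov_base = &ch;
	iov.iov_len = 1;

	/* Sender: a single SCM_RIGHTS cmsg carrying NFDS descriptors. */
	memset(&hdr, 0, sizeof(hdr));
	hdr.msg_iov = &iov;
	hdr.msg_iovlen = 1;
	hdr.msg_controllen = CMSG_SPACE(NFDS * sizeof(int));
	hdr.msg_control = calloc(1, hdr.msg_controllen);
	if (hdr.msg_control == NULL)
		err(1, "calloc");

	chdr = (struct cmsghdr *)hdr.msg_control;
	chdr->cmsg_len = CMSG_LEN(NFDS * sizeof(int));
	chdr->cmsg_level = SOL_SOCKET;
	chdr->cmsg_type = SCM_RIGHTS;
	/*
	 * Fill the descriptor array explicitly instead of relying on the
	 * zero fill from calloc() happening to spell fd 0.  Any open
	 * descriptor would do; stdin keeps the message identical to what
	 * the zeroed buffer used to send.
	 */
	fds = (int *)CMSG_DATA(chdr);
	for (i = 0; i < NFDS; i++)
		fds[i] = STDIN_FILENO;

	/*
	 * Receiver: room for a cmsghdr with no data, so the rights are
	 * always truncated and the kernel must discard the references.
	 */
	memset(&rhdr, 0, sizeof(rhdr));
	rhdr.msg_iov = &iov;
	rhdr.msg_iovlen = 1;
	rhdr.msg_controllen = CMSG_SPACE(0);
	rhdr.msg_control = calloc(1, rhdr.msg_controllen);
	if (rhdr.msg_control == NULL)
		err(1, "calloc");

	for (;;) {
		if (sendmsg(sv[0], &hdr, 0) != 1)
			err(1, "sendmsg");
		if (recvmsg(sv[1], &rhdr, 0) != 1)
			err(1, "recvmsg");
		if ((rhdr.msg_flags & MSG_CTRUNC) == 0)
			errx(1, "MSG_CTRUNC not set");
	}

	return (0);
}
EOF
mycc -o overflow3 -Wall -Wextra -O2 overflow3.c || exit 1
rm -f overflow3.c

timeout 2m ./overflow3
s=$?
# Exit status 124 is timeout(1) reporting the expected expiry of the 2 minute
# limit.  Anything else means the program bailed out early via err()/errx(),
# which must not be lost as a silent pass.
[ $s -eq 124 ] && s=0

rm -f overflow3
exit $s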