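#!/bin/sh

#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2021 Mark Johnston <markj@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#

# Leaking fp references when truncating SCM_RIGHTS control messages
# Fixed in r343784
#
# Regression test. A sender passes an SCM_RIGHTS message carrying 253
# descriptor slots over a local stream socket pair. The receiver supplies a
# control buffer with room for a cmsghdr only, so none of the descriptors
# can be delivered. The kernel has to report MSG_CTRUNC and release every
# file reference it took for the undeliverable descriptors. The exchange is
# repeated until the timeout so that a per-message leak accumulates.

# mycc is not defined in this script; presumably it is supplied by
# ../default.cfg.
. ../default.cfg

# NOTE(review): the source file and the binary are created under fixed names
# in /tmp. Run this only on a dedicated test host; on a machine where /tmp is
# writable by other users, a private directory (mktemp -d) would be safer.
cd /tmp || exit 1
cat > overflow3.c <<EOF
#include <sys/types.h>
#include <sys/socket.h>

#include <err.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main(void)
{
	struct iovec iov;
	struct msghdr hdr, rhdr;
	struct cmsghdr *chdr;
	int nfds, sv[2];
	char ch;

	if (socketpair(PF_LOCAL, SOCK_STREAM, 0, sv) != 0)
		err(1, "socketpair");

	/* Number of descriptor slots carried by each SCM_RIGHTS message. */
	nfds = 253;

	/*
	 * Outgoing message: one byte of payload plus a control message with
	 * nfds descriptor slots. The buffer comes from calloc() and the
	 * descriptor array is never written, so every slot holds 0, i.e. all
	 * nfds slots name descriptor 0 of this process.
	 * NOTE(review): sendmsg() presumably fails if descriptor 0 is not
	 * open when the test is started; confirm against the harness.
	 */
	memset(&hdr, 0, sizeof(hdr));
	ch = 'a';
	iov.iov_base = &ch;
	iov.iov_len = 1;
	hdr.msg_iov = &iov;
	hdr.msg_iovlen = 1;
	hdr.msg_control = calloc(1, CMSG_SPACE(nfds * sizeof(int)));
	/* The header is written through this pointer just below. */
	if (hdr.msg_control == NULL)
		err(1, "calloc");
	hdr.msg_controllen = CMSG_SPACE(nfds * sizeof(int));

	chdr = (struct cmsghdr *)hdr.msg_control;
	chdr->cmsg_len = CMSG_LEN(nfds * sizeof(int));
	chdr->cmsg_level = SOL_SOCKET;
	chdr->cmsg_type = SCM_RIGHTS;

	/*
	 * Incoming message: same one-byte payload buffer, but a control
	 * buffer sized for zero bytes of control data, which forces the
	 * kernel to truncate the SCM_RIGHTS message on every receive.
	 */
	memset(&rhdr, 0, sizeof(rhdr));
	rhdr.msg_iov = &iov;
	rhdr.msg_iovlen = 1;
	rhdr.msg_control = calloc(1, CMSG_SPACE(0));
	if (rhdr.msg_control == NULL)
		err(1, "calloc");
	rhdr.msg_controllen = CMSG_SPACE(0);

	/*
	 * Runs until killed by timeout(1). Each round must move exactly one
	 * payload byte and must be flagged as truncated; anything else ends
	 * the program with exit status 1.
	 */
	for (;;) {
		if (sendmsg(sv[0], &hdr, 0) != 1)
			err(1, "sendmsg");
		if (recvmsg(sv[1], &rhdr, 0) != 1)
			err(1, "recvmsg");
		if ((rhdr.msg_flags & MSG_CTRUNC) == 0)
			errx(1, "MSG_CTRUNC not set");
	}

	return (0);
}
EOF
mycc -o overflow3 -Wall -Wextra -O2 overflow3.c || exit 1
rm overflow3.c

# The program never exits by itself, so a healthy run ends when timeout(1)
# kills it and reports 124. Any other status means the program bailed out
# (sendmsg/recvmsg error or missing MSG_CTRUNC) or died on a signal, and is
# passed on to the caller instead of being masked by the status of rm.
timeout 2m ./overflow3
s=$?
[ $s -eq 124 ] && s=0

rm overflow3
exit $s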