Downstream bug report from Andreas Schneider:

“ This is actually a bug in /usr/include/bits/socket.h with -Werror=strict-overflow. The compiler complains about the CMSG_NXTHDR() macro.

In file included from /usr/include/sys/socket.h:33,
                 from /builddir/build/BUILD/socket_wrapper-1.3.3/src/socket_wrapper.c:50:
In function '__cmsg_nxthdr',
    inlined from 'test_sendmsg_cmsg' at /builddir/build/BUILD/socket_wrapper-1.3.3/tests/test_swrap_unit.c:73:9:
/usr/include/bits/socket.h:322:6: error: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Werror=strict-overflow]
  322 |   if ((unsigned char *) (__cmsg + 1) > ((unsigned char *) __mhdr->msg_control
      |      ^

The line in test_swrap_unit.c:73 is:

   73 »·······cmsg = CMSG_NXTHDR(&msg, cmsg); ”

This also impacts the out-of-line internal implementation in sysdeps/unix/sysv/linux/cmsg_nxthdr.c.
From 9c443ac4559a47ed99859bd80d14dc4b6dd220a1 Mon Sep 17 00:00:00 2001
From: Arjun Shankar <arjun@redhat.com>
Date: Tue, 2 Aug 2022 11:10:25 +0200
Subject: [PATCH] socket: Check lengths before advancing pointer in CMSG_NXTHDR

The inline and library functions that the CMSG_NXTHDR macro may expand
to increment the pointer to the header before checking the stride of
the increment against available space.  Since C only allows incrementing
pointers to one past the end of an array, the increment must be done
after a length check.  This commit fixes that and includes a regression
test for CMSG_FIRSTHDR and CMSG_NXTHDR.

The Linux, Hurd, and generic headers are all changed.

Tested on Linux on armv7hl, i686, x86_64, aarch64, ppc64le, and s390x.

[BZ #28846]

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

(https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=9c443ac4559a47ed99859bd80d14dc4b6dd220a1)
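The ordering the commit message describes (check the declared length and the room for a complete next header first, form the pointer to the next header last) as a self-contained added example. This is not glibc's code and not the patch itself: the checked_cmsg_nxthdr walker, the ALIGN_LEN macro and the scenario_* functions are hypothetical names written for this page, and the control buffer with two SCM_RIGHTS messages is constructed sample data (nothing is sent on a socket). It assumes a glibc/Linux <sys/socket.h> so that the system CMSG_NXTHDR can be walked beside the checked version for comparison.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Same rounding glibc uses for cmsg strides; defined locally so the example
   does not depend on the CMSG_ALIGN extension being visible. */
#define ALIGN_LEN(len) (((len) + sizeof (size_t) - 1) & ~(sizeof (size_t) - 1))

typedef struct cmsghdr *(*nxthdr_fn) (struct msghdr *, struct cmsghdr *);

/* Hypothetical checked walker (added example, not glibc's implementation):
   every length test happens before the next-header pointer is formed, so no
   address beyond msg_control + msg_controllen is ever computed. */
static struct cmsghdr *
checked_cmsg_nxthdr (struct msghdr *mhdr, struct cmsghdr *cmsg)
{
  unsigned char *cur = (unsigned char *) cmsg;
  unsigned char *end = (unsigned char *) mhdr->msg_control + mhdr->msg_controllen;
  size_t remaining, stride;

  if (cmsg == NULL || (size_t) cmsg->cmsg_len < sizeof (struct cmsghdr))
    return NULL;                      /* current header is not a full header */
  remaining = (size_t) (end - cur);   /* cmsg came from CMSG_FIRSTHDR/NXTHDR */
  if ((size_t) cmsg->cmsg_len > remaining)
    return NULL;                      /* declared length overruns the buffer */
  stride = ALIGN_LEN ((size_t) cmsg->cmsg_len);
  if (stride > remaining || remaining - stride < sizeof (struct cmsghdr))
    return NULL;                      /* no room for a complete next header */
  return (struct cmsghdr *) (cur + stride);   /* only now form the pointer */
}

/* Thin wrapper so the system macro can be passed as a function pointer. */
static struct cmsghdr *
libc_nxthdr (struct msghdr *mhdr, struct cmsghdr *cmsg)
{
  return CMSG_NXTHDR (mhdr, cmsg);
}

/* Constructed sample: two SCM_RIGHTS messages carrying one and two
   descriptor numbers (the values are made up; nothing is sent). */
static unsigned char ctl_buf[CMSG_SPACE (sizeof (int)) + CMSG_SPACE (2 * sizeof (int))];

static void
build_msg (struct msghdr *mhdr)
{
  int fds1[1] = { 3 }, fds2[2] = { 4, 5 };
  struct cmsghdr *c;

  memset (mhdr, 0, sizeof *mhdr);
  memset (ctl_buf, 0, sizeof ctl_buf);
  mhdr->msg_control = ctl_buf;
  mhdr->msg_controllen = sizeof ctl_buf;

  c = CMSG_FIRSTHDR (mhdr);
  c->cmsg_level = SOL_SOCKET;
  c->cmsg_type = SCM_RIGHTS;
  c->cmsg_len = CMSG_LEN (sizeof fds1);   /* set before calling CMSG_NXTHDR */
  memcpy (CMSG_DATA (c), fds1, sizeof fds1);

  c = CMSG_NXTHDR (mhdr, c);
  c->cmsg_level = SOL_SOCKET;
  c->cmsg_type = SCM_RIGHTS;
  c->cmsg_len = CMSG_LEN (sizeof fds2);
  memcpy (CMSG_DATA (c), fds2, sizeof fds2);
}

static int
count_headers (struct msghdr *mhdr, nxthdr_fn next)
{
  int n = 0;
  for (struct cmsghdr *c = CMSG_FIRSTHDR (mhdr); c != NULL; c = next (mhdr, c))
    n++;
  return n;
}

int
scenario_well_formed (int use_checked)
{
  struct msghdr m;
  build_msg (&m);
  return count_headers (&m, use_checked ? checked_cmsg_nxthdr : libc_nxthdr);
}

int
scenario_truncated (int use_checked)
{
  struct msghdr m;
  build_msg (&m);
  /* Shrink the advertised buffer: the second header is one byte short. */
  m.msg_controllen = CMSG_SPACE (sizeof (int)) + sizeof (struct cmsghdr) - 1;
  return count_headers (&m, use_checked ? checked_cmsg_nxthdr : libc_nxthdr);
}

int
scenario_bogus_len (void)
{
  struct msghdr m;
  build_msg (&m);
  /* A cmsg_len larger than the whole buffer: rejected by the checked walker
     before any out-of-bounds pointer is computed. */
  CMSG_FIRSTHDR (&m)->cmsg_len = 4 * sizeof ctl_buf;
  return count_headers (&m, checked_cmsg_nxthdr);
}

int
main (void)
{
  printf ("well-formed: libc=%d checked=%d\n", scenario_well_formed (0), scenario_well_formed (1));
  printf ("truncated:   libc=%d checked=%d\n", scenario_truncated (0), scenario_truncated (1));
  printf ("bogus len:   checked=%d\n", scenario_bogus_len ());
  return 0;
}
```

The well-formed buffer yields two headers from both walkers, and the truncated buffer stops after the first from both. The bogus-length case is only run through the checked walker: the untrusted cmsg_len is compared against the bytes remaining before any arithmetic on the pointer, which is exactly the reordering the patch performs, and why the original `__cmsg + 1` comparison after the increment was the line the compiler objected to.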
Fixed for 2.37.
The release/2.36/master branch has been updated by Arjun Shankar <arjun@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5c62874f423af93e97b51bc9a57af228a546156f

commit 5c62874f423af93e97b51bc9a57af228a546156f
Author: Arjun Shankar <arjun@redhat.com>
Date:   Mon Aug 22 18:21:14 2022 +0200

    NEWS: Add entry for bug 28846
The release/2.35/master branch has been updated by Arjun Shankar <arjun@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=83f1d9851e0b143991448d41ff50744d9972cb6e

commit 83f1d9851e0b143991448d41ff50744d9972cb6e
Author: Arjun Shankar <arjun@redhat.com>
Date:   Mon Aug 22 18:26:29 2022 +0200

    NEWS: Add entry for bug 28846
I have also backported the fixes to 2.36, 2.35, and 2.34.