[PATCH] lib: Fix uninitialized read in msghdr_copy - causes LOCAL-MESSAGING-FDPASS2 to hang

Jeremy Allison jra at samba.org
Tue Jun 7 19:55:51 UTC 2016

On Tue, Jun 07, 2016 at 12:14:20PM -0700, Jeremy Allison wrote:
> I think the bug here is having the msg_controllen field
> nulled out... still investigating.

Found it. msghdr_copy() can be called with a first argument
of msg == NULL, when you're trying to find the size.

Then we call

fd_len = msghdr_prep_fds(&msg->msg, msg->buf, bufsize, fds, num_fds);

without checking whether msg == NULL. We seem to get away with this
because inside msghdr_prep_fds() we check for msg == NULL before
indirecting msg, although I would have thought the compiler
would cause a crash due to the &msg->msg, msg->buf parameters.
Apparently not :-).

When msghdr_copy() is called with a non-NULL msg, msghdr_prep_fds()
calculates the correct size and sets up msg->msg_controllen for
the fd array - but that gets zeroed out by the original

msg->msg = (struct msghdr) {};

change. Fixed version attached.

Please confirm and push if happy.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-lib-Fix-uninitialized-read-in-msghdr_copy.patch
Type: text/x-diff
Size: 1155 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160607/07cd13ba/0001-lib-Fix-uninitialized-read-in-msghdr_copy.diff>
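As an added illustration (not Samba's code and not the attached patch), the following cut-down C stand-in for msghdr_copy()/msghdr_prep_fds() shows both halves of what the mail describes: the msg == NULL "size probe" calling convention, and the ordering bug where the struct msghdr is zeroed after the helper has already filled in msg_control/msg_controllen, so the SCM_RIGHTS cmsg never leaves the sender and the receiving side waits forever. The names msghdr_buf, prep_fds, copy_buggy, copy_fixed and fds_in_msg, the fixed 256-byte buffer and the sample descriptor numbers are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical stand-in for the msghdr_buf the mail refers to: a struct
 * msghdr plus a buffer that holds the SCM_RIGHTS ancillary data. */
struct msghdr_buf {
	struct msghdr msg;
	uint8_t buf[256];
};

/* Stand-in for msghdr_prep_fds(): returns the control space needed for
 * num_fds descriptors (0 for none) or (size_t)-1 if buf is too small.
 * With msg == NULL it only reports the size; otherwise it builds the
 * SCM_RIGHTS cmsg in buf and sets msg_control/msg_controllen. */
static size_t prep_fds(struct msghdr *msg, uint8_t *buf, size_t bufsize,
		       const int *fds, size_t num_fds)
{
	size_t payload = num_fds * sizeof(int);
	size_t needed = CMSG_SPACE(payload);
	struct cmsghdr *cmsg;

	if (num_fds == 0)
		return 0;
	if (msg == NULL)
		return needed;          /* size probe, nothing written */
	if (bufsize < needed)
		return (size_t)-1;

	msg->msg_control = buf;
	msg->msg_controllen = needed;
	cmsg = CMSG_FIRSTHDR(msg);
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	cmsg->cmsg_len = CMSG_LEN(payload);
	memcpy(CMSG_DATA(cmsg), fds, payload);
	return needed;
}

/* The ordering the mail diagnoses: prep_fds() sets msg_controllen and the
 * zero-initialisation afterwards wipes it, so no descriptors are sent.
 * Never call this with msg == NULL: evaluating &msg->msg and msg->buf on a
 * null pointer is undefined behaviour even when it happens not to crash. */
static size_t copy_buggy(struct msghdr_buf *msg, const int *fds, size_t num_fds)
{
	size_t fd_len = prep_fds(&msg->msg, msg->buf, sizeof(msg->buf),
				 fds, num_fds);
	if (fd_len == (size_t)-1)
		return fd_len;
	msg->msg = (struct msghdr) { 0 };   /* clobbers msg_control/len */
	return fd_len;
}

/* Corrected ordering (the shape of fix the mail describes, not the patch
 * itself): check for NULL up front, zero the header first, and only then
 * let prep_fds() fill in the cmsg fields. */
static size_t copy_fixed(struct msghdr_buf *msg, const int *fds, size_t num_fds)
{
	struct msghdr *hdr = NULL;
	uint8_t *buf = NULL;
	size_t bufsize = 0;

	if (msg != NULL) {
		msg->msg = (struct msghdr) { 0 };
		hdr = &msg->msg;
		buf = msg->buf;
		bufsize = sizeof(msg->buf);
	}
	return prep_fds(hdr, buf, bufsize, fds, num_fds);
}

/* What a receiver would see: number of fds in the SCM_RIGHTS cmsg, or 0
 * when msg_controllen has been zeroed (CMSG_FIRSTHDR then yields NULL). */
static size_t fds_in_msg(struct msghdr_buf *msg)
{
	struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg->msg);

	if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
	    cmsg->cmsg_type != SCM_RIGHTS)
		return 0;
	return (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
}

int main(void)
{
	int fds[2] = { 0, 1 };          /* constructed sample: stdin, stdout */
	struct msghdr_buf m;

	printf("size probe: %zu bytes of control data\n",
	       copy_fixed(NULL, fds, 2));
	copy_fixed(&m, fds, 2);
	printf("fixed ordering: %zu fds in cmsg\n", fds_in_msg(&m));
	copy_buggy(&m, fds, 2);
	printf("buggy ordering: %zu fds in cmsg\n", fds_in_msg(&m));
	return 0;
}
```

The size probe and the real call return the same byte count in both versions, which is why the bug does not show up as a sizing error; only inspecting msg_controllen after the call (as fds_in_msg does here, or as the receiver does in LOCAL-MESSAGING-FDPASS2) reveals that the descriptors were dropped.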
