From 53e1b9276c24afe0f3fd6119ecbb5755999c8d68 Mon Sep 17 00:00:00 2001
From: rootvector2
Date: Thu, 28 May 2026 17:07:08 +0530
Subject: [PATCH] recvmsg: compute cmsg nexthdr end without firsthdr
In io_uring_recvmsg_cmsg_nexthdr() the cmsg region end is computed as io_uring_recvmsg_cmsg_firsthdr(o, msgh) + o->controllen. firsthdr returns NULL when o->controllen < sizeof(struct cmsghdr), and the addition becomes a non-zero offset applied to a null pointer, which is undefined behavior. Compute end directly as name + namelen + controllen so the arithmetic is always on a real pointer. The value is identical to the old expression when firsthdr would have succeeded, and the function still returns NULL for any cmsg that does not fit in the cmsg region.
Signed-off-by: rootvector2
---
src/include/liburing.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/include/liburing.h b/src/include/liburing.h
index ce7c45cf2..3e8cfafaf 100644
--- a/src/include/liburing.h
+++ b/src/include/liburing.h
@@ -1237,8 +1237,8 @@ io_uring_recvmsg_cmsg_nexthdr(struct io_uring_recvmsg_out *o, struct msghdr *msg
 if (cmsg->cmsg_len < sizeof(struct cmsghdr))
 return NULL;
- end = (unsigned char *) io_uring_recvmsg_cmsg_firsthdr(o, msgh) +
- o->controllen;
+ end = (unsigned char *) io_uring_recvmsg_name(o) +
+ msgh->msg_namelen + o->controllen;
 cmsg = (struct cmsghdr *)((unsigned char *) cmsg + CMSG_ALIGN(cmsg->cmsg_len));
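Review bot: The new `end` expression on the two `+ end =` lines hard-codes the buffer layout (a name region of `msgh->msg_namelen` bytes followed by the control region) that `io_uring_recvmsg_cmsg_firsthdr()` also encodes, and nothing at the site says why that helper is deliberately bypassed, so a later tidy-up that folds it back into `firsthdr() + o->controllen` would silently reintroduce the null-pointer arithmetic this commit removes. I would add, directly above the assignment, `/* Not via io_uring_recvmsg_cmsg_firsthdr(): it returns NULL when o->controllen < sizeof(struct cmsghdr), and NULL + offset is undefined. */`. The claimed equivalence to the old value rests on the helper placing the control region at `io_uring_recvmsg_name(o) + msgh->msg_namelen`, which the hunk does not show; if that layout ever changes, this expression must change with it. Note also that the first guard still reads `cmsg->cmsg_len` before `cmsg` is compared against `end`, so the function remains only as safe as the `cmsg` the caller hands in; that is pre-existing, not introduced here. io_uring_recvmsg_cmsg_nexthdr() starts and ends outside the hunk.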