linux, emscripten, android, l4re: handle zero-sized payload differences in CMSG_NXTHDR

musl and its descendants check `next_addr >= max_addr` whilst the rest
do `next_addr > max_addr`. This was previously not reflected in the
implementations, coming to light only after testing was extended to
execute at the controllen boundary.

[musl_ref]: https://www.openwall.com/lists/musl/2025/12/27/1

Author: gibbz00

src/unix/linux_like/emscripten/mod.rs

@@ -1257,7 +1257,7 @@ f! {
         }
         let next = (cmsg as usize + super::CMSG_ALIGN((*cmsg).cmsg_len as usize)) as *mut cmsghdr;
         let max = (*mhdr).msg_control as usize + (*mhdr).msg_controllen as usize;
-        if (next.offset(1)) as usize > max {
+        if (next.offset(1)) as usize >= max {
             core::ptr::null_mut::<cmsghdr>()
         } else {
             next as *mut cmsghdr

src/unix/linux_like/linux_l4re_shared.rs

@@ -1506,7 +1506,14 @@ f! {
             return core::ptr::null_mut();
         }
 
-        let max_addr = (*mhdr).msg_control as usize + (*mhdr).msg_controllen as usize;
+        let mut max_addr = (*mhdr).msg_control as usize + (*mhdr).msg_controllen as usize;
+
+        if cfg!(any(target_env = "musl", target_env = "ohos")) {
+            // musl and some of its descendants do `>= max_addr`
+            // comparisons in the if statement below.
+            // https://www.openwall.com/lists/musl/2025/12/27/1
+            max_addr -= 1;
+        }
 
         if next_cmsg as usize + size_of::<crate::cmsghdr>() > max_addr {
             core::ptr::null_mut::<crate::cmsghdr>()