authorTheo de Raadt <deraadt@cvs.openbsd.org>2008-03-24 16:07:38 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2008-03-24 16:07:38 +0000
commit6e48c70f167662c7aec42af9bafc316e322ef92a (patch)
treee8d60920aa020d4ce889b53c2d6a0a1d97090dfc /sys/kern
parent4090672af430e6add8a7d16402dd8db197c65b28 (diff)
We were led astray (like many others before us) to believe that
msg_controllen should be CMSG_LEN() instead of CMSG_SPACE() because the kernel fd passing code was erroring out when "cm->cmsg_len != control->m_len" instead of "CMSG_ALIGN(cm->cmsg_len) != control->m_len". On machines with 16-byte alignment, when one thinks about how the ALIGN padding happens, it is clear that msg_controllen has to be CMSG_SPACE() or the kernel cannot hope to bounds check the messages correctly. For now, change the check to cm->cmsg_len > control->m_len to permit the old ABI to continue working. Later perhaps when all the old binaries are gone we can stop permitting their use. lots of discussion with kettenis
Diffstat (limited to 'sys/kern')
-rw-r--r--sys/kern/uipc_usrreq.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 104ac5f0ca4..2d8e791aaf3 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uipc_usrreq.c,v 1.37 2007/11/28 16:56:46 tedu Exp $ */
+/* $OpenBSD: uipc_usrreq.c,v 1.38 2008/03/24 16:07:37 deraadt Exp $ */
/* $NetBSD: uipc_usrreq.c,v 1.18 1996/02/09 19:00:50 christos Exp $ */
/*
@@ -733,8 +733,16 @@ unp_internalize(struct mbuf *control, struct proc *p)
int i, error;
int nfds, *ip, fd, neededspace;
+ /* XXX
+ * To be more strict with the API/ABI, the following check for
+ * cm->cmsg_len > control->m_len
+ * should be changed to
+ * CMSG_ALIGN(cm->cmsg_len) != control->m_len
+ * after 4.3 is released (and all callers correctly set msg_controllen
+ * using CMSG_SPACE(). In particular, sparc64 alignment changes.
+ */
if (cm->cmsg_type != SCM_RIGHTS || cm->cmsg_level != SOL_SOCKET ||
- cm->cmsg_len != control->m_len)
+ cm->cmsg_len > control->m_len)
return (EINVAL);
nfds = (cm->cmsg_len - CMSG_ALIGN(sizeof(*cm))) / sizeof (int);
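Review bot: The relaxed comparison `cm->cmsg_len > control->m_len` sets only an upper bound, so a `cmsg_len` smaller than `CMSG_ALIGN(sizeof(*cm))` now passes the check and reaches the `nfds` computation on the last line of the hunk, where the subtraction would go negative or wrap (depending on the type of `cmsg_len`, which is not visible here) and yield a bogus descriptor count. The old equality test at least tied the length to `control->m_len`, although whether callers guarantee a minimum for that value is not shown either. I would add a lower bound to the same condition, `cm->cmsg_len < CMSG_ALIGN(sizeof(*cm)) ||`, so the header is known to fit before `nfds` is derived. The XXX comment could also say that the bounds check is intentionally loose until the stricter `CMSG_ALIGN` comparison replaces it. The body of unp_internalize continues outside the hunk, so a later sanity check on `nfds` may exist that is not visible here.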