fix undefined pointer arithmetic in CMSG_NXTHDR macro

previously, the only way the stopping condition could be met with
correct lengths in the headers invoked undefined behavior, adding
sizeof(struct cmsghdr) beyond the end of the cmsg buffer.

instead, compute and compare sizes rather than pointers.

diff --git a/include/sys/socket.h b/include/sys/socket.h
index fd6534909f1e2ded767da11b573611574d67f10f..678837501dd592dec80fd8a9134b74c1ec77a6f7 100644 (file)
--- a/include/sys/socket.h
+++ b/include/sys/socket.h
@@ -266,9 +266,9 @@ struct linger
 #define __MHDR_END(mhdr) ((unsigned char *)(mhdr)->msg_control + (mhdr)->msg_controllen)
 
 #define CMSG_DATA(cmsg) ((unsigned char *) (((struct cmsghdr *)(cmsg)) + 1))
-#define CMSG_NXTHDR(mhdr, cmsg) ((cmsg)->cmsg_len < sizeof (struct cmsghdr) ? (struct cmsghdr *)0 : \
-        (__CMSG_NEXT(cmsg) + sizeof (struct cmsghdr) >= __MHDR_END(mhdr) ? (struct cmsghdr *)0 : \
-        ((struct cmsghdr *)__CMSG_NEXT(cmsg))))
+#define CMSG_NXTHDR(mhdr, cmsg) ((cmsg)->cmsg_len < sizeof (struct cmsghdr) || \
+       __CMSG_LEN(cmsg) + sizeof(struct cmsghdr) >= __MHDR_END(mhdr) - (unsigned char *)(cmsg) \
+       ? 0 : (struct cmsghdr *)__CMSG_NEXT(cmsg))
 #define CMSG_FIRSTHDR(mhdr) ((size_t) (mhdr)->msg_controllen >= sizeof (struct cmsghdr) ? (struct cmsghdr *) (mhdr)->msg_control : (struct cmsghdr *) 0)
 
 #define CMSG_ALIGN(len) (((len) + sizeof (size_t) - 1) & (size_t) ~(sizeof (size_t) - 1))