Fix crash during UDP segmentation due to stack garbage

CMSG_NXTHDR() tries to read the _next_ message to check if it fits in the provided control buffer length. If that part of the stack has some large value stored in the uninitialized cmsg_len there, CMSG_NXTHDR() will return NULL and we will crash.
LizardByte · Oct 2, 2023 · 1303def · 1303def
1 parent f76879e
commit 1303def
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/platform/linux/misc.cpp b/src/platform/linux/misc.cpp
@@ -301,7 +301,7 @@ namespace platf {
       char buf[CMSG_SPACE(sizeof(uint16_t)) +
                std::max(CMSG_SPACE(sizeof(struct in_pktinfo)), CMSG_SPACE(sizeof(struct in6_pktinfo)))];
       struct cmsghdr alignment;
-    } cmbuf;
+    } cmbuf = {};  // Must be zeroed for CMSG_NXTHDR()
     socklen_t cmbuflen = 0;
 
     msg.msg_control = cmbuf.buf;