From 1303defb67c586447a03185d60eb20bea91a8eff Mon Sep 17 00:00:00 2001
From: Cameron Gutman
Date: Sun, 1 Oct 2023 23:29:00 -0500
Subject: [PATCH] Fix crash during UDP segmentation due to stack garbage

CMSG_NXTHDR() tries to read the _next_ message to check if it fits in the provided control buffer length. If that part of the stack has some large value stored in the uninitialized cmsg_len there, CMSG_NXTHDR() will return NULL and we will crash.
---
 src/platform/linux/misc.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/platform/linux/misc.cpp b/src/platform/linux/misc.cpp
index 6c8e391fe3b..aee35b9e28a 100644
--- a/src/platform/linux/misc.cpp
+++ b/src/platform/linux/misc.cpp
@@ -301,7 +301,7 @@ namespace platf {
 char buf[CMSG_SPACE(sizeof(uint16_t)) + std::max(CMSG_SPACE(sizeof(struct in_pktinfo)), CMSG_SPACE(sizeof(struct in6_pktinfo)))];
 struct cmsghdr alignment;
- } cmbuf;
+ } cmbuf = {}; // Must be zeroed for CMSG_NXTHDR()
 socklen_t cmbuflen = 0;
 msg.msg_control = cmbuf.buf;