From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 19 Jan 2021 20:34:20 +0000 (+0100)
Subject: tree-wide: ignore messages with too long control data
X-Git-Tag: v248-rc1~291
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=741bfd7f4e60fdc07ecaadbd93f1196dbee657ca;p=thirdparty%2Fsystemd.git

tree-wide: ignore messages with too long control data

Apparently SELinux inserts control data into AF_UNIX datagrams where we
don't expect it, thus miscalculating the control data. This looks like
something to fix in SELinux, but we still should handle this gracefully
and just drop the offending datagram and continue.

recvmsg_safe() actually already drops the datagram, it's just a matter
of actually ignoring EXFULL (which it generates if control data is too
large) in the right places.

This does this wherever an AF_UNIX/SOCK_DGRAM socket is used with
recvmsg_safe() that is not just internal communication.

Fixes: #17795
Follow-up for: 3691bcf3c5eebdcca5b4f1c51c745441c57a6cd1
---

diff --git a/src/core/manager.c b/src/core/manager.c
index 4b215a61766..a1d6f7cc10b 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -2387,6 +2387,10 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
         n = recvmsg_safe(m->notify_fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC|MSG_TRUNC);
         if (IN_SET(n, -EAGAIN, -EINTR))
                 return 0; /* Spurious wakeup, try again */
+        if (n == -EXFULL) {
+                log_warning("Got message with truncated control data (too many fds sent?), ignoring.");
+                return 0;
+        }
         if (n < 0)
                 /* If this is any other, real error, then let's stop processing this socket. This of course
                  * means we won't take notification messages anymore, but that's still better than busy
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 75cefe84142..a564b95d851 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3995,6 +3995,10 @@ static int nspawn_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t r
         n = recvmsg_safe(fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
         if (IN_SET(n, -EAGAIN, -EINTR))
                 return 0;
+        if (n == -EXFULL) {
+                log_warning("Got message with truncated control data (too many fds sent?), ignoring.");
+                return 0;
+        }
         if (n < 0)
                 return log_warning_errno(n, "Couldn't read notification socket: %m");
 
diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
index c8ce17ad5b0..bd33bdd2c52 100644
--- a/src/shared/ask-password-api.c
+++ b/src/shared/ask-password-api.c
@@ -943,6 +943,10 @@ int ask_password_agent(
                 n = recvmsg_safe(socket_fd, &msghdr, 0);
                 if (IN_SET(n, -EAGAIN, -EINTR))
                         continue;
+                if (n == -EXFULL) {
+                        log_debug("Got message with truncated control data, ignoring.");
+                        continue;
+                }
                 if (n < 0) {
                         r = (int) n;
                         goto finish;