socket: always process control messages

Even if a received message will not be returned to the caller (e.g.
because it is truncated), process its control messages to avoid leaking
received descriptors.

Fixes: f231efb811ee ("socket: add support for sending and receiving descriptors")

diff --git a/socket.c b/socket.c
index 3480dc03e1e963f4002f2d2ccb2179f1b0013a71..f35841ca4565afa5e64e16b1f5a219383bb24fae 100644 (file)
--- a/socket.c
+++ b/socket.c
@@ -742,18 +742,10 @@ process_header(struct msghdr *msg, int msg_length, int sock_fd, int flags,
                SCK_Message *message)
 {
   struct cmsghdr *cmsg;
+  int r = 1;
 
-  if (msg->msg_iovlen != 1) {
-    DEBUG_LOG("Unexpected iovlen");
-    return 0;
-  }
-
-  if (msg->msg_namelen > sizeof (union sockaddr_all)) {
-    DEBUG_LOG("Truncated source address");
-    return 0;
-  }
-
-  if (msg->msg_namelen > sizeof (((struct sockaddr *)msg->msg_name)->sa_family)) {
+  if (msg->msg_namelen <= sizeof (union sockaddr_all) &&
+      msg->msg_namelen > sizeof (((struct sockaddr *)msg->msg_name)->sa_family)) {
     switch (((struct sockaddr *)msg->msg_name)->sa_family) {
       case AF_INET:
 #ifdef FEAT_IPV6
@@ -767,26 +759,38 @@ process_header(struct msghdr *msg, int msg_length, int sock_fd, int flags,
         message->remote_addr.path = ((struct sockaddr_un *)msg->msg_name)->sun_path;
         break;
       default:
+        init_message_addresses(message, SCK_ADDR_UNSPEC);
         DEBUG_LOG("Unexpected address");
-        return 0;
+        r = 0;
+        break;
     }
   } else {
     init_message_addresses(message, SCK_ADDR_UNSPEC);
+
+    if (msg->msg_namelen > sizeof (union sockaddr_all)) {
+      DEBUG_LOG("Truncated source address");
+      r = 0;
+    }
   }
 
   init_message_nonaddress(message);
 
-  message->data = msg->msg_iov[0].iov_base;
-  message->length = msg_length;
+  if (msg->msg_iovlen == 1) {
+    message->data = msg->msg_iov[0].iov_base;
+    message->length = msg_length;
+  } else {
+    DEBUG_LOG("Unexpected iovlen");
+    r = 0;
+  }
 
   if (msg->msg_flags & MSG_TRUNC) {
     log_message(sock_fd, 1, message, "Truncated", NULL);
-    return 0;
+    r = 0;
   }
 
   if (msg->msg_flags & MSG_CTRUNC) {
     log_message(sock_fd, 1, message, "Truncated cmsg in", NULL);
-    return 0;
+    r = 0;
   }
 
   for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
@@ -873,7 +877,7 @@ process_header(struct msghdr *msg, int msg_length, int sock_fd, int flags,
       if (err.ee_errno != ENOMSG || err.ee_info != SCM_TSTAMP_SND ||
           err.ee_origin != SO_EE_ORIGIN_TIMESTAMPING) {
         log_message(sock_fd, 1, message, "Unexpected extended error in", NULL);
-        return 0;
+        r = 0;
       }
     }
 #endif
@@ -885,13 +889,17 @@ process_header(struct msghdr *msg, int msg_length, int sock_fd, int flags,
         DEBUG_LOG("Unexpected SCM_RIGHTS");
         for (i = 0; CMSG_LEN((i + 1) * sizeof (int)) <= cmsg->cmsg_len; i++)
           close(((int *)CMSG_DATA(cmsg))[i]);
-        return 0;
+        r = 0;
+      } else {
+        message->descriptor = *(int *)CMSG_DATA(cmsg);
       }
-      message->descriptor = *(int *)CMSG_DATA(cmsg);
     }
   }
 
-  return 1;
+  if (!r && message->descriptor != INVALID_SOCK_FD)
+    close(message->descriptor);
+
+  return r;
 }
 
 /* ================================================== */