liburing.h: fix integer overflow in recvmsg_validate and payload_length wraparound

YooLCD · YooLCD · commit 4dd113a49dbf · 2026-04-01T15:49:45.000Z
Signed-off-by: Youichi Uemura &lt;youichi0929@outlook.jp&gt;
diff --git a/src/include/liburing.h b/src/include/liburing.h
@@ -1195,9 +1195,17 @@ IOURINGINLINE struct io_uring_recvmsg_out *
 io_uring_recvmsg_validate(void *buf, int buf_len, struct msghdr *msgh)
 	LIBURING_NOEXCEPT
 {
-	unsigned long header = msgh->msg_controllen + msgh->msg_namelen +
-				sizeof(struct io_uring_recvmsg_out);
-	if (buf_len < 0 || (unsigned long)buf_len < header)
+	unsigned long ulen = (unsigned long)(unsigned int)buf_len;
+	unsigned long hdr  = sizeof(struct io_uring_recvmsg_out);
+	unsigned long namelen    = msgh->msg_namelen;
+	unsigned long controllen = msgh->msg_controllen;
+
+	if (buf_len < 0 || ulen < hdr)
+		return NULL;
+	/* check each addition separately to avoid integer overflow */
+	if (namelen > ulen - hdr)
+		return NULL;
+	if (controllen > ulen - hdr - namelen)
 		return NULL;
 	return (struct io_uring_recvmsg_out *)buf;
 }
@@ -1257,8 +1265,12 @@ io_uring_recvmsg_payload_length(struct io_uring_recvmsg_out *o,
 {
 	unsigned long payload_start, payload_end;
 
+	if (buf_len < 0)
+		return 0;
 	payload_start = (unsigned long) io_uring_recvmsg_payload(o, msgh);
 	payload_end = (unsigned long) o + buf_len;
+	if (payload_start >= payload_end)
+		return 0;
 	return (unsigned int) (payload_end - payload_start);
 }
 
diff --git a/test/recv-multishot.c b/test/recv-multishot.c
@@ -474,6 +474,65 @@ static int test(struct args *args)
 	return ret;
 }
 
+static int test_recvmsg_validate(void)
+{
+	struct io_uring_recvmsg_out *o;
+	unsigned char buf[64];
+	struct msghdr msgh;
+	unsigned int len;
+
+	memset(buf, 0, sizeof(buf));
+	memset(&msgh, 0, sizeof(msgh));
+	o = (struct io_uring_recvmsg_out *)buf;
+
+	msgh.msg_namelen = 4;
+	msgh.msg_controllen = 8;
+	if (!io_uring_recvmsg_validate(buf, 64, &msgh))
+		return -1;
+
+	/* exact fit */
+	if (!io_uring_recvmsg_validate(buf, 28, &msgh))
+		return -1;
+
+	/* one byte short */
+	if (io_uring_recvmsg_validate(buf, 27, &msgh))
+		return -1;
+
+	/* negative buf_len */
+	if (io_uring_recvmsg_validate(buf, -1, &msgh))
+		return -1;
+
+	/* buf smaller than header alone */
+	msgh.msg_namelen = 0;
+	msgh.msg_controllen = 0;
+	if (io_uring_recvmsg_validate(buf, 15, &msgh))
+		return -1;
+
+	/* controllen overflow must be rejected */
+	msgh.msg_controllen = (socklen_t)(~(socklen_t)0 - sizeof(struct io_uring_recvmsg_out));
+	msgh.msg_namelen = 4;
+	if (io_uring_recvmsg_validate(buf, 64, &msgh))
+		return -1;
+
+	msgh.msg_namelen = 4;
+	msgh.msg_controllen = 8;
+	len = io_uring_recvmsg_payload_length(o, 64, &msgh);
+	if (len != 36)
+		return -1;
+
+	/* negative buf_len */
+	if (io_uring_recvmsg_payload_length(o, -1, &msgh) != 0)
+		return -1;
+
+	/* name+ctrl > buf_len must return 0, not wrap around */
+	msgh.msg_namelen = 40;
+	msgh.msg_controllen = 30;
+	if (io_uring_recvmsg_payload_length(o, 64, &msgh) != 0)
+		return -1;
+
+	return 0;
+}
+
 static int test_enobuf(void)
 {
 	struct io_uring ring;
@@ -564,6 +623,12 @@ int main(int argc, char *argv[])
 
 	has_defer = t_probe_defer_taskrun();
 
+	ret = test_recvmsg_validate();
+	if (ret) {
+		fprintf(stderr, "test_recvmsg_validate() failed: %d\n", ret);
+		return T_EXIT_FAIL;
+	}
+
 	for (loop = 0; loop < 16; loop++) {
 		struct args a = {
 			.stream = loop & 0x01,
