Subject: kern/11115: CMSG_NXTHDR() can be a source of infinite loop
To: None <>
From: None <>
List: netbsd-bugs
Date: 10/02/2000 03:56:30
>Number:         11115
>Category:       kern
>Synopsis:       CMSG_NXTHDR() can be a source of infinite loop
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Oct 02 04:02:00 PDT 2000
>Originator:     Jun-ichiro itojun Hagino
>Release:        1.5F and 1.4.2
System: NetBSD 1.5G NetBSD 1.5G (STARFRUIT) #175: Sun Oct 1 22:11:40 JST 2000 i386

	the declaration of CMSG_NXTHDR() basically follows whatever declared
	in RFC2292/2292bis.  if cmsg_len is 0, CMSG_NXTHDR() returns the
	original value as is.

	the following loop can go into infinite loop:
		while (cmsg = CMSG_NXTHDR(&msg, cmsg)) != NULL) {
			/* foo */
	the following should be okay:
		while (cmsg->cmsg_len > sizeof(struct cmsghdr) &&
		    cmsg = CMSG_NXTHDR(&msg, cmsg)) != NULL) {
			/* foo */
	it would be better if we have more validation in CMSG_NXTHDR() itself,
	to avoid misuse.

	i've looked into sys/kern and found no such loop so far.

	code inspection.
	- if cmsg_len < sizeof(struct cmsghdr), it looks always bogus.
	  CMSG_NXTHDR should return NULL in this case?
	- relationship with standards.