Use as_mut_ptr() to initialize msg_name in pack_mhdr_to_receive
The msg_name field points to a caller-allocated buffer that is used to
return the source address if the socket is unconnected. The caller
should set msg_namelen to the size of this buffer before this call; upon
return from a successful call, msg_namelen will contain the length of
the returned address. If the application does not need to know the
source address, msg_name can be specified as NULL.

In case we use (), msg_namelen gets initialized with 0, but with a dangling
pointer to the array as msg_name. This works for the first iteration
somehow, but after that the kernel sets msg_namelen to a non-zero value and a second
invocation with the same MultiHeader fails.

Fixes #2506
pacak committed Nov 2, 2024
1 parent a41a1f0 commit 91950be
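The msg_name / msg_namelen contract quoted in the commit message, and the failure mode it describes (a dangling non-null msg_name with msg_namelen = 0 works once, then breaks), can be reproduced outside nix. The program below is an added example, not nix's code: it declares msghdr and iovec by hand (Linux 64-bit glibc/musl layout, so it assumes Linux on x86_64 or aarch64 and a writable temp_dir()), sends a few datagrams between two bound AF_UNIX sockets, and calls recvmsg(2) three ways: NULL name, a real sockaddr buffer, and the pre-fix pattern reusing one header across two calls. The names recv_once, header, demo and Outcome are this example's own.

```rust
// Added example, not part of nix. Exercises the recvmsg(2) msg_name/msg_namelen
// contract, including the "dangling msg_name with msg_namelen == 0" pattern the
// commit fixes. Assumes Linux on a 64-bit target (hand-written msghdr/iovec
// layouts below match glibc and musl there) and a writable std::env::temp_dir().
use std::ffi::c_void;
use std::os::unix::io::AsRawFd;
use std::os::unix::net::UnixDatagram;
use std::ptr;

#[repr(C)]
struct Iovec {
    iov_base: *mut c_void,
    iov_len: usize,
}

// struct msghdr as laid out by Linux libcs on 64-bit targets.
#[repr(C)]
struct Msghdr {
    msg_name: *mut c_void,
    msg_namelen: u32,
    msg_iov: *mut Iovec,
    msg_iovlen: usize,
    msg_control: *mut c_void,
    msg_controllen: usize,
    msg_flags: i32,
}

extern "C" {
    fn recvmsg(fd: i32, msg: *mut Msghdr, flags: i32) -> isize;
}

/// What one recvmsg call returned and what the kernel left in msg_namelen.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Outcome {
    pub bytes: isize,
    pub namelen: u32,
    pub errno: i32,
}

fn header(msg_name: *mut c_void, msg_namelen: u32) -> Msghdr {
    Msghdr { msg_name, msg_namelen, msg_iov: ptr::null_mut(), msg_iovlen: 0,
             msg_control: ptr::null_mut(), msg_controllen: 0, msg_flags: 0 }
}

/// One recvmsg(2) on `sock`. `mhdr` is reused across calls, like nix's
/// MultiHeaders, so the kernel's write-back to msg_namelen carries over.
fn recv_once(sock: &UnixDatagram, mhdr: &mut Msghdr) -> Outcome {
    let mut payload = [0u8; 64];
    let mut iov = Iovec { iov_base: payload.as_mut_ptr().cast(), iov_len: payload.len() };
    mhdr.msg_iov = &mut iov;
    mhdr.msg_iovlen = 1;
    // SAFETY: fd stays open for the lifetime of `sock`; iov points at live stack
    // memory; msg_name is whatever the caller chose, which is the point here.
    let n = unsafe { recvmsg(sock.as_raw_fd(), mhdr, 0) };
    let errno = if n < 0 { std::io::Error::last_os_error().raw_os_error().unwrap_or(-1) } else { 0 };
    Outcome { bytes: n, namelen: mhdr.msg_namelen, errno }
}

/// Returns (NULL name, real buffer, dangling name 1st call, dangling name 2nd call).
pub fn demo() -> std::io::Result<(Outcome, Outcome, Outcome, Outcome)> {
    let dir = std::env::temp_dir();
    let tx_path = dir.join(format!("recvmsg-demo-{}-tx.sock", std::process::id()));
    let rx_path = dir.join(format!("recvmsg-demo-{}-rx.sock", std::process::id()));
    let _ = std::fs::remove_file(&tx_path);
    let _ = std::fs::remove_file(&rx_path);
    let tx = UnixDatagram::bind(&tx_path)?; // bound, so there is a source address to return
    let rx = UnixDatagram::bind(&rx_path)?;
    for _ in 0..4 { tx.send_to(b"ping", &rx_path)?; } // constructed sample traffic

    // Case 1: msg_name NULL, msg_namelen 0. The kernel touches neither.
    let mut h = header(ptr::null_mut(), 0);
    let null_name = recv_once(&rx, &mut h);

    // Case 2: a sockaddr_storage-sized buffer with its size in msg_namelen.
    // On return msg_namelen holds the length of the sender's address.
    let mut storage = [0u8; 128];
    let mut h = header(storage.as_mut_ptr().cast(), storage.len() as u32);
    let real_buffer = recv_once(&rx, &mut h);

    // Case 3: the pre-fix pattern. Dangling non-null msg_name, msg_namelen 0.
    // Call one: the kernel copies min(0, addrlen) = 0 bytes, then writes addrlen
    // back into msg_namelen. Call two with the same header: msg_namelen is now
    // nonzero, so the kernel tries to copy through the dangling pointer: EFAULT.
    let mut h = header(ptr::NonNull::<u8>::dangling().as_ptr().cast(), 0);
    let dangling_first = recv_once(&rx, &mut h);
    let dangling_second = recv_once(&rx, &mut h);

    let _ = std::fs::remove_file(&tx_path);
    let _ = std::fs::remove_file(&rx_path);
    Ok((null_name, real_buffer, dangling_first, dangling_second))
}

fn main() -> std::io::Result<()> {
    let (a, b, c, d) = demo()?;
    println!("NULL name:   {a:?}\nreal buffer: {b:?}\ndangling #1: {c:?}\ndangling #2: {d:?}");
    Ok(())
}
```

The second dangling call fails with EFAULT only because the dangling address here happens to be unmapped; had it pointed at mapped memory, the kernel would have written the sender's address over whatever lived there, which is why a NULL msg_name (case 1) is the correct way to say "I do not want the source address".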
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion src/sys/socket/mod.rs
Expand Up @@ -2059,7 +2059,10 @@ unsafe fn pack_mhdr_to_receive<S>(
let mut mhdr = mem::MaybeUninit::<msghdr>::zeroed();
let p = mhdr.as_mut_ptr();
unsafe {
(*p).msg_name = address as *mut c_void;
// it is important to use as_mut_ptr() here since S can be
// a zero sized type representing by a dangling pointer.
// as_mut_ptr() handles this case and uses a null pointer instead
(*p).msg_name = (*address).as_mut_ptr();
(*p).msg_namelen = S::size();
(*p).msg_iov = iov_buffer as *mut iovec;
(*p).msg_iovlen = iov_buffer_len as _;
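Review bot: the new line `(*p).msg_name = (*address).as_mut_ptr();` dereferences `address`, where the removed `address as *mut c_void` only cast it, so `pack_mhdr_to_receive` now additionally requires `address` to point at a valid `S`; that should be spelled out in the function's safety documentation rather than left implicit in the `unsafe` block. The new comment should also say which `as_mut_ptr` it means, because the same name is called on `mhdr` three lines earlier (`let p = mhdr.as_mut_ptr();`, `MaybeUninit::as_mut_ptr`) and a reader can take the null-for-zero-sized-type remark as describing that one; something like "S::as_mut_ptr() returns a null pointer for the zero-sized address type" removes the ambiguity. Minor: "a zero sized type representing by a dangling pointer" should read "a zero-sized type represented by a dangling pointer".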
