recv() with MSG_TRUNC flag kills perl with SEGV or glibc double-free #10377
Created by @leonerd
When using a PF_PACKET socket, the MSG_TRUNC flag can be useful on a recv()
use Socket qw( SOCK_DGRAM );
my $sock = IO::Socket::Packet->new(
# 40 bytes is enough to extract the IPv4 addresses from the IPv4 header
# Extract src and dst IP addresses
printf "Received a packet pkttype %d, length %d bytes from %s to %s\n", $pkttype, length $buffer, $src, $dst;
(this was tested against Socket::Packet 0.04)
This program captures IPv4 packets and prints their lengths and IP addresses.
*** glibc detected *** /usr/bin/perl: malloc(): memory corruption (fast): 0x0000000001a355c0 ***
I believe this bug is caused by the following lines from pp_sys.c:
buffer = SvGROW(bufsv, (STRLEN)(length+1));
This causes problems if the kernel's return value in count is larger than the
As this is a fairly rare use case, I'm quite happy to provide a special
my ( $addr, $len ) = recv_len( $sock, my $buffer, $maxlen, $flags );
semantics. I think this would be sufficient to safely use the MSG_TRUNC flag.
* grow the buffer
On Thu, May 13, 2010 at 10:18:37AM -0700, Paul LeoNerd Evans wrote:
Thanks for the report. I've gone with the 'clamp the returned length'
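The "clamp the returned length" rule, as an added C example that is not code from perl's pp_sys.c or from Socket::Packet: it reproduces the oversized MSG_TRUNC return value over an AF_UNIX datagram socketpair (constructed traffic, assumed Linux) and keeps the stored length within the buffer the kernel was given.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

struct rx {
    int truncated;   /* 1 if the datagram was longer than the buffer */
    ssize_t raw;     /* what recv() returned: the real datagram length */
    size_t stored;   /* bytes actually valid in the buffer (clamped) */
};

/* Receive one datagram with MSG_TRUNC into buf[0..bufsize).  The kernel may
 * report a count larger than bufsize, but only min(count, bufsize) bytes
 * were written, so that is the only length safe to record. */
struct rx recv_clamped(int fd, char *buf, size_t bufsize)
{
    struct rx r = { 0, -1, 0 };
    ssize_t n = recv(fd, buf, bufsize, MSG_TRUNC);
    if (n < 0)
        return r;
    r.raw = n;
    /* The perl bug: using n as the new string length when n > bufsize
     * walks past the allocation, since SvGROW reserved only bufsize+1. */
    if ((size_t)n > bufsize) {
        r.truncated = 1;
        r.stored = bufsize;
    } else {
        r.stored = (size_t)n;
    }
    return r;
}

/* Send a payload_len-byte datagram over a socketpair (constructed test
 * traffic) and receive it into a bufsize-byte buffer. */
struct rx demo_trunc(size_t payload_len, size_t bufsize)
{
    struct rx r = { -1, -1, 0 };
    int sv[2];
    char payload[256], buf[256];
    if (payload_len > sizeof payload || bufsize > sizeof buf)
        return r;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return r;
    memset(payload, 'A', payload_len);
    if (send(sv[0], payload, payload_len, 0) == (ssize_t)payload_len)
        r = recv_clamped(sv[1], buf, bufsize);
    close(sv[0]);
    close(sv[1]);
    return r;
}
```

With a 100-byte datagram and a 40-byte buffer, raw is 100 (the length a recv_len() style API would hand back) while stored stays 40.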