Description
I did this
As a part of Fedora package build, we run curl tests under valgrind.
Recently I attempted to enable HTTP/3 support (ngtcp2 + nghttp3 + ossl crypto) and observed the following error during execution of all available HTTP/3 tests (2500-2503):
==31241== Syscall param sendmsg(msg.msg_control) points to uninitialised byte(s)
==31241== at 0x4A7AAB0: sendmsg (in /usr/lib64/libc.so.6)
==31241== by 0x493A9AB: do_sendmsg (vquic.c:159)
==31241== by 0x493ACDF: vquic_send_packets (vquic.c:283)
==31241== by 0x493ACDF: vquic_flush (vquic.c:309)
==31241== by 0x493D253: vquic_send (vquic.c:329)
==31241== by 0x493D253: cf_progress_egress.lto_priv.0 (curl_ngtcp2.c:2006)
==31241== by 0x4940248: cf_ngtcp2_connect.lto_priv.0 (curl_ngtcp2.c:2617)
==31241== by 0x489EC60: Curl_conn_cf_connect (cfilters.c:414)
==31241== by 0x489EC60: Curl_conn_cf_connect (cfilters.c:409)
==31241== by 0x489EC60: cf_ip_attempt_connect (cf-ip-happy.c:242)
==31241== by 0x489EC60: cf_ip_ballers_run (cf-ip-happy.c:377)
==31241== by 0x489EC60: is_connected (cf-ip-happy.c:645)
==31241== by 0x489EC60: cf_ip_happy_connect.lto_priv.0 (cf-ip-happy.c:790)
==31241== by 0x48A1E0F: Curl_conn_cf_connect (cfilters.c:414)
==31241== by 0x48A1E0F: Curl_conn_cf_connect (cfilters.c:409)
==31241== by 0x48A1E0F: cf_setup_connect (connect.c:384)
==31241== by 0x48964D6: Curl_conn_cf_connect (cfilters.c:414)
==31241== by 0x48964D6: Curl_conn_cf_connect (cfilters.c:409)
==31241== by 0x48964D6: cf_hc_baller_connect (cf-https-connect.c:180)
==31241== by 0x48964D6: cf_hc_connect.lto_priv.0 (cf-https-connect.c:329)
==31241== by 0x48A52D2: Curl_conn_connect (cfilters.c:503)
==31241== by 0x48F811F: multi_runsingle (multi.c:2467)
==31241== by 0x48F9C0A: curl_multi_perform (multi.c:2800)
==31241== by 0x48B777E: easy_transfer (easy.c:719)
==31241== by 0x48B777E: easy_perform.constprop.0 (easy.c:827)
==31241== by 0x40032A8: serial_transfers (tool_operate.c:1951)
==31241== by 0x40032A8: run_all_transfers (tool_operate.c:2175)
==31241== by 0x40032A8: operate (tool_operate.c:2314)
==31241== by 0x40032A8: main (tool_main.c:199)
==31241== Address 0x1ffeffe712 is on thread 1's stack
==31241== in frame #1, created by do_sendmsg (vquic.c:126)
Looking at the code, the report seems accurate, but also harmless:
do_sendmsg passes an ancillary data buffer of size CMSG_SPACE(sizeof(int))[1] to sendmsg, which is CMSG_ALIGN(sizeof(int)) + CMSG_ALIGN(sizeof(struct cmsghdr)), where CMSG_ALIGN rounds the data size up to sizeof(size_t) (8) bytes.
Only first sizeof(uint16_t) (2) bytes of the cmsg data are explicitly set in do_sendmsg, leaving the remaining 6 bytes uninitialized. We expect the kernel to read a single u16, though, so the only harm in this code is that it offends valgrind.
Consider zero-initializing the whole msg_ctrl buffer, or at least the part reserved for CMSG_DATA.
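The layout described above, as an added example that is not curl's code: a control buffer sized with CMSG_SPACE(sizeof(int)) is pre-filled with a marker byte standing in for stale stack contents, a single uint16_t is written into CMSG_DATA, and the bytes sendmsg would hand to the kernel without ever being assigned are counted, with and without the suggested memset. The cmsg level/type and the value 1200 are placeholders chosen for the example, not the ones curl uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define CTRL_LEN CMSG_SPACE(sizeof(int)) /* size used by the code in the report */
#define GARBAGE  0xAA                    /* stands in for whatever was on the stack */

/* Build the ancillary header as the report describes it: only the first
 * sizeof(uint16_t) bytes of CMSG_DATA are written. zero_first applies the
 * proposed fix of clearing the whole buffer before filling it. */
static void build_cmsg(unsigned char *ctrl, size_t ctrl_len, uint16_t value,
                       int zero_first)
{
  struct msghdr msg;
  struct cmsghdr *cm;

  if (zero_first)
    memset(ctrl, 0, ctrl_len); /* every byte sendmsg may copy is now defined */

  memset(&msg, 0, sizeof(msg));
  msg.msg_control = ctrl;
  msg.msg_controllen = ctrl_len;
  cm = CMSG_FIRSTHDR(&msg);
  cm->cmsg_level = SOL_SOCKET; /* placeholder level/type for the example */
  cm->cmsg_type = 0;
  cm->cmsg_len = CMSG_LEN(sizeof(uint16_t));
  memcpy(CMSG_DATA(cm), &value, sizeof(value));
}

/* Count bytes in the CMSG_SPACE region still holding the garbage marker,
 * i.e. the "uninitialised byte(s)" valgrind flags in msg.msg_control.
 * Without the memset this is CMSG_SPACE(sizeof(int)) - CMSG_LEN(0) - 2,
 * which is 6 on 64-bit Linux, matching the report. */
static size_t count_uninit(int zero_first)
{
  unsigned char ctrl[CTRL_LEN];
  size_t i, n = 0;

  memset(ctrl, GARBAGE, sizeof(ctrl)); /* simulate an uninitialised stack buffer */
  build_cmsg(ctrl, sizeof(ctrl), 1200, zero_first);
  for (i = 0; i < sizeof(ctrl); i++)
    if (ctrl[i] == GARBAGE)
      n++;
  return n;
}

int main(void)
{
  printf("uninitialised bytes without memset: %zu\n", count_uninit(0));
  printf("uninitialised bytes with memset:    %zu\n", count_uninit(1));
  return 0;
}
```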
I expected the following
No response
curl/libcurl version
curl 8.17.0 (x86_64-redhat-linux-gnu) libcurl/8.17.0 OpenSSL/3.5.4 zlib/1.3.1.zlib-ng brotli/1.1.0 libidn2/2.3.8 libpsl/0.21.5 libssh/0.11.3/openssl/zlib nghttp2/1.68.0 ngtcp2/1.18.0 nghttp3/1.13.1 mit-krb5/1.21.3 OpenLDAP/2.6.10
Release-Date: 2025-11-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets
operating system
Fedora rawhide (44)
Footnotes
[1] Should likely be CMSG_SPACE(sizeof(uint16_t)), but that doesn't change the result.