Do not align cmsg access on first header

The implementation of CmsgInterator did not correctly mirror the
way the CMSG_FIRSTHDR and CMSG_NEXTHDR macros work in C. CMSG_FIRSTHDR
does not attempt to align access since the pointer is already aligned
due to being part of the msghdr struct.

CmsgInterator was always aligning access which happened to work on all
platforms except OpenBSD where the use of alignment was adding
unexpected bytes to the expected size and causing the
`cmsg_align(cmsg_len) > self.buf.len()` guard clause to return early.

Author: wezm

src/sys/socket/ffi.rs

@@ -3,7 +3,10 @@
 
 pub use libc::{socket, listen, bind, accept, connect, setsockopt, sendto, recvfrom, getsockname, getpeername, recv, send};
 
-use libc::{c_int, c_void, socklen_t, size_t, ssize_t};
+use libc::{c_int, c_void, socklen_t, ssize_t};
+
+#[cfg(not(target_os = "macos"))]
+use libc::size_t;
 
 #[cfg(not(target_os = "linux"))]
 use libc::c_uint;
@@ -29,8 +32,6 @@ pub type type_of_msg_iovlen = size_t;
 #[cfg(not(target_os = "linux"))]
 pub type type_of_msg_iovlen = c_uint;
 
-
-
 // Private because we don't expose any external functions that operate
 // directly on this type; we just use it internally at FFI boundaries.
 // Note that in some cases we store pointers in *const fields that the

src/sys/socket/mod.rs

@@ -204,11 +204,17 @@ impl<'a> RecvMsg<'a> {
     /// Iterate over the valid control messages pointed to by this
     /// msghdr.
     pub fn cmsgs(&self) -> CmsgIterator {
-        CmsgIterator(self.cmsg_buffer)
+        CmsgIterator {
+            buf: self.cmsg_buffer,
+            next: 0
+        }
     }
 }
 
-pub struct CmsgIterator<'a>(&'a [u8]);
+pub struct CmsgIterator<'a> {
+    buf: &'a [u8],
+    next: usize,
+}
 
 impl<'a> Iterator for CmsgIterator<'a> {
     type Item = ControlMessage<'a>;
@@ -217,12 +223,11 @@ impl<'a> Iterator for CmsgIterator<'a> {
     // although we handle the invariants in slightly different places to
     // get a better iterator interface.
     fn next(&mut self) -> Option<ControlMessage<'a>> {
-        let buf = self.0;
         let sizeof_cmsghdr = mem::size_of::<cmsghdr>();
-        if buf.len() < sizeof_cmsghdr {
+        if self.buf.len() < sizeof_cmsghdr {
             return None;
         }
-        let cmsg: &cmsghdr = unsafe { mem::transmute(buf.as_ptr()) };
+        let cmsg: &cmsghdr = unsafe { mem::transmute(self.buf.as_ptr()) };
 
         // This check is only in the glibc implementation of CMSG_NXTHDR
         // (although it claims the kernel header checks this), but such
@@ -232,13 +237,20 @@ impl<'a> Iterator for CmsgIterator<'a> {
             return None;
         }
         let len = cmsg_len - sizeof_cmsghdr;
+        let aligned_cmsg_len = if self.next == 0 {
+            // CMSG_FIRSTHDR
+            cmsg_len
+        } else {
+            // CMSG_NXTHDR
+            cmsg_align(cmsg_len)
+        };
 
         // Advance our internal pointer.
-        if cmsg_align(cmsg_len) > buf.len() {
-            println!("cmsg_align(cmsg_len) > buf.len(): {} > {}", cmsg_align(cmsg_len), buf.len());
+        if aligned_cmsg_len > self.buf.len() {
             return None;
         }
-        self.0 = &buf[cmsg_align(cmsg_len)..];
+        self.buf = &self.buf[aligned_cmsg_len..];
+        self.next += 1;
 
         match (cmsg.cmsg_level, cmsg.cmsg_type) {
             (libc::SOL_SOCKET, libc::SCM_RIGHTS) => unsafe {