Fix a buffer overflow in sys::socket::recvfrom

IPv4 and stream sockets are unaffected, but for datagram sockets of
other address types libc::recvfrom might overwrite part of the stack.

Fixes #1762

Author: asomers

CHANGELOG.md

@@ -8,6 +8,8 @@ This project adheres to [Semantic Versioning](https://semver.org/).
 ### Changed
 ### Fixed
 
+- Fixed buffer overflow in nix::sys::socket::recvfrom.
+  (#[1763](https://github.com/nix-rust/nix/pull/1763))
 - Enabled `SockaddrStorage::{as_link_addr, as_link_addr_mut}` for Linux-like
   operating systems.
   (#[1729](https://github.com/nix-rust/nix/pull/1729))

src/sys/socket/mod.rs

@@ -1910,8 +1910,8 @@ pub fn recvfrom<T:SockaddrLike>(sockfd: RawFd, buf: &mut [u8])
     -> Result<(usize, Option<T>)>
 {
     unsafe {
-        let mut addr = mem::MaybeUninit::uninit();
-        let mut len = mem::size_of::<T>() as socklen_t;
+        let mut addr = mem::MaybeUninit::<T>::uninit();
+        let mut len = mem::size_of_val(&addr) as socklen_t;
 
         let ret = Errno::result(libc::recvfrom(
             sockfd,
@@ -1921,7 +1921,10 @@ pub fn recvfrom<T:SockaddrLike>(sockfd: RawFd, buf: &mut [u8])
             addr.as_mut_ptr() as *mut libc::sockaddr,
             &mut len as *mut socklen_t))? as usize;
 
-        Ok((ret, T::from_raw(&addr.assume_init(), Some(len))))
+        Ok((ret, T::from_raw(
+            addr.assume_init().as_ptr() as *const libc::sockaddr,
+            Some(len))
+        ))
     }
 }
 

test/sys/test_socket.rs

@@ -258,8 +258,8 @@ pub fn test_socketpair() {
 }
 
 mod recvfrom {
-    use nix::Result;
     use nix::sys::socket::*;
+    use nix::{errno::Errno, Result};
     use std::thread;
     use super::*;
 
@@ -602,6 +602,51 @@ mod recvfrom {
             assert_eq!(&buf[..DATA.len()], DATA);
         }
     }
+
+    #[test]
+    pub fn udp_inet6() {
+        let addr = std::net::Ipv6Addr::from_str("::1").unwrap();
+        let rport = 6789;
+        let rstd_sa = SocketAddrV6::new(addr, rport, 0, 0);
+        let raddr = SockaddrIn6::from(rstd_sa);
+        let sport = 6790;
+        let sstd_sa = SocketAddrV6::new(addr, sport, 0, 0);
+        let saddr = SockaddrIn6::from(sstd_sa);
+        let rsock = socket(
+            AddressFamily::Inet6,
+            SockType::Datagram,
+            SockFlag::empty(),
+            None,
+        )
+        .expect("receive socket failed");
+        match bind(rsock, &raddr) {
+            Err(Errno::EADDRNOTAVAIL) => {
+                println!("IPv6 not available, skipping test.");
+                return;
+            }
+            Err(e) => panic!("bind: {}", e),
+            Ok(()) => (),
+        }
+        let ssock = socket(
+            AddressFamily::Inet6,
+            SockType::Datagram,
+            SockFlag::empty(),
+            None,
+        )
+        .expect("send socket failed");
+        bind(ssock, &saddr).unwrap();
+        let from = sendrecv(
+            rsock,
+            ssock,
+            move |s, m, flags| sendto(s, m, &raddr, flags),
+            |_, _| {},
+        );
+        assert_eq!(AddressFamily::Inet6, from.unwrap().family().unwrap());
+        let osent_addr = from.unwrap();
+        let sent_addr = osent_addr.as_sockaddr_in6().unwrap();
+        assert_eq!(sent_addr.ip(), addr);
+        assert_eq!(sent_addr.port(), sport);
+    }
 }
 
 // Test error handling of our recvmsg wrapper
@@ -1505,8 +1550,10 @@ pub fn test_recv_ipv6pktinfo() {
 
     let lo_ifaddr = loopback_address(AddressFamily::Inet6);
     let (lo_name, lo) = match lo_ifaddr {
-        Some(ifaddr) => (ifaddr.interface_name,
-                         ifaddr.address.expect("Expect IPv4 address on interface")),
+        Some(ifaddr) => (
+            ifaddr.interface_name,
+            ifaddr.address.expect("Expect IPv6 address on interface"),
+        ),
         None => return,
     };
     let receive = socket(