sendmsg() is allowed to pass cmsg's which are not CMSG_RIGHTS - last

refactoring inverted the checks; spotted by sthen in ping6.

diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index a658992..8da95a6 100644 (file)
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_pledge.c,v 1.22 2015/10/13 20:00:49 deraadt Exp $        */
+/*     $OpenBSD: kern_pledge.c,v 1.23 2015/10/14 03:27:02 deraadt Exp $        */
 
 /*
  * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -786,9 +786,6 @@ pledge_cmsg_send(struct proc *p, struct mbuf *control)
        if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
                return (0);
 
-       if ((p->p_p->ps_pledge & PLEDGE_SENDFD) == 0)
-               return pledge_fail(p, EPERM, PLEDGE_SENDFD);
-
        /* Scan the cmsg */
        cmsg = mtod(control, struct cmsghdr *);
 
@@ -797,6 +794,9 @@ pledge_cmsg_send(struct proc *p, struct mbuf *control)
            cmsg->cmsg_type == SCM_RIGHTS))
                return (0);
 
+       if ((p->p_p->ps_pledge & PLEDGE_SENDFD) == 0)
+               return pledge_fail(p, EPERM, PLEDGE_SENDFD);
+
        /* In OpenBSD, a CMSG only contains one SCM_RIGHTS.  Check it. */
        fdp = (int *)CMSG_DATA(cmsg);
        nfds = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(*cmsg))) /