Use pru_send function to check socket splicing compatibility. Only

checking socket type is not sufficient as it could splice together
unix and inet sockets resulting in crashes.  As splicing is about
sending, the same send function looks like a good criteria.
Reported-by: syzbot+fc6901d63d858d5dd00a@syzkaller.appspotmail.com
Reported-by: syzbot+0e026f1bf8b259c6395e@syzkaller.appspotmail.com
OK gnezdo@

diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index d2b75a3..52a3fda 100644 (file)
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: uipc_socket.c,v 1.287 2022/09/03 13:29:33 mvs Exp $   */
+/*     $OpenBSD: uipc_socket.c,v 1.288 2022/09/04 09:04:27 bluhm Exp $ */
 /*     $NetBSD: uipc_socket.c,v 1.21 1996/02/04 02:17:52 christos Exp $        */
 
 /*
@@ -1293,7 +1293,8 @@ sosplice(struct socket *so, int fd, off_t max, struct timeval *tv)
        if ((error = getsock(curproc, fd, &fp)) != 0)
                return (error);
        sosp = fp->f_data;
-       if (sosp->so_proto->pr_type != so->so_proto->pr_type) {
+       if (sosp->so_proto->pr_usrreqs->pru_send !=
+           so->so_proto->pr_usrreqs->pru_send) {
                error = EPROTONOSUPPORT;
                goto frele;
        }