From 3793cba736c43fb81d6de22c72f5d1d745b50edc Mon Sep 17 00:00:00 2001
From: deraadt
Date: Wed, 14 Oct 2015 03:27:02 +0000
Subject: [PATCH] sendmsg() is allowed to pass cmsg's which are not CMSG_RIGHTS - last refactoring inverted the checks; spotted by sthen in ping6.
---
 sys/kern/kern_pledge.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index a65899277b5..8da95a63f25 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_pledge.c,v 1.22 2015/10/13 20:00:49 deraadt Exp $ */
+/* $OpenBSD: kern_pledge.c,v 1.23 2015/10/14 03:27:02 deraadt Exp $ */

 /*
 * Copyright (c) 2015 Nicholas Marriott
@@ -786,9 +786,6 @@ pledge_cmsg_send(struct proc *p, struct mbuf *control)
 if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
 return (0);

- if ((p->p_p->ps_pledge & PLEDGE_SENDFD) == 0)
- return pledge_fail(p, EPERM, PLEDGE_SENDFD);
-
 /* Scan the cmsg */
 cmsg = mtod(control, struct cmsghdr *);

@@ -797,6 +794,9 @@ pledge_cmsg_send(struct proc *p, struct mbuf *control)
 cmsg->cmsg_type == SCM_RIGHTS))
 return (0);

+ if ((p->p_p->ps_pledge & PLEDGE_SENDFD) == 0)
+ return pledge_fail(p, EPERM, PLEDGE_SENDFD);
+
 /* In OpenBSD, a CMSG only contains one SCM_RIGHTS. Check it. */
 fdp = (int *)CMSG_DATA(cmsg);
 nfds = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(*cmsg))) /
--
2.20.1
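Review bot: The relocated PLEDGE_SENDFD test in the last hunk of pledge_cmsg_send() has no comment saying it must stay below the SCM_RIGHTS filter, and the commit message says a refactoring already inverted that order once. I would put `/* Only SCM_RIGHTS needs PLEDGE_SENDFD; other cmsg types returned above. */` directly above the `if ((p->p_p->ps_pledge & PLEDGE_SENDFD) == 0)` line. As far as the hunk shows, the filter looks only at the first header obtained by `mtod(control, struct cmsghdr *)`, so the early `return (0)` now depends on no later header in the same control mbuf being able to carry SCM_RIGHTS. That is presumably enforced elsewhere and is worth confirming or stating in the comment. The `nfds` computation subtracts from `cmsg->cmsg_len` with no lower-bound check visible here. The function starts and ends outside the hunk, so both of those checks may already exist out of view.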