fix(udp/fast-apple): ignore empty cmsghdr

On MacOS < 14, with `fast-apple-datapath` feature, calls to `libc::CMSG_NXTHDR` might continuously return empty (i.e. all zero) `libc::cmsghdr` instead of a null pointer. This results in a busy loop in `decode_recv`: ``` rust let cmsg_iter = unsafe { cmsg::Iter::new(hdr) }; for cmsg in cmsg_iter { match (cmsg.cmsg_level, cmsg.cmsg_type) { ``` https://github.com/quinn-rs/quinn/blob/b4378bb39dab4b58a1e6a3fea4fff9f87033dab6/quinn-udp/src/unix.rs#L685C1-L687C50 This commit fixes the above, returning a `null_mut()` pointer on an empty `libc::cmsgdhr`, thus terminating the `cmsg_iter`. See also mozilla/neqo#2427 for details.
mxinden · Feb 12, 2025 · f984112 · f984112
1 parent b4378bb
commit f984112
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/quinn-udp/src/cmsg/unix.rs b/quinn-udp/src/cmsg/unix.rs
@@ -43,7 +43,15 @@ impl MsgHdr for crate::imp::msghdr_x {
 
     fn cmsg_nxt_hdr(&self, cmsg: &Self::ControlMessage) -> *mut Self::ControlMessage {
         let selfp = self as *const _ as *mut libc::msghdr;
-        unsafe { libc::CMSG_NXTHDR(selfp, cmsg) }
+        let next = unsafe { libc::CMSG_NXTHDR(selfp, cmsg) };
+
+        if next.is_null()
+            || unsafe { (*next).cmsg_len as usize } < std::mem::size_of::<libc::cmsghdr>()
+        {
+            return std::ptr::null_mut();
+        }
+
+        next
     }
 
     fn set_control_len(&mut self, len: usize) {