authorsashan <sashan@openbsd.org>2020-03-11 22:21:28 +0000
committersashan <sashan@openbsd.org>2020-03-11 22:21:28 +0000
commitaa1987fe7ce43547b96c53f0bcd1bcbc69d88e5a (patch)
tree2b68914aff74805e88a84a9f693bbfeac47e55ac
parentAnthony Steinhauser reports that 32-bit arm cpus have the same speculation (diff)
Fix unlimited recursion caused by local outbound bcast/mcast packet
sent via spliced socket. Reported-by: syzbot+2f9616f39d3f3b281cfb@syzkaller.appspotmail.com OK bluhm@
-rw-r--r--sys/kern/uipc_socket.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 0caeaae743e..1669cbf9121 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uipc_socket.c,v 1.241 2020/02/20 16:56:52 visa Exp $ */
+/* $OpenBSD: uipc_socket.c,v 1.242 2020/03/11 22:21:28 sashan Exp $ */
/* $NetBSD: uipc_socket.c,v 1.21 1996/02/04 02:17:52 christos Exp $ */
/*
@@ -1430,9 +1430,15 @@ somove(struct socket *so, int wait)
/*
* By splicing sockets connected to localhost, userland might create a
* loop. Dissolve splicing with error if loop is detected by counter.
+ *
+ * If we deal with looped broadcast/multicast packet we bail out with
+ * no error to suppress splice termination.
*/
- if ((m->m_flags & M_PKTHDR) && m->m_pkthdr.ph_loopcnt++ >= M_MAXLOOP) {
- error = ELOOP;
+ if ((m->m_flags & M_PKTHDR) &&
+ ((m->m_pkthdr.ph_loopcnt++ >= M_MAXLOOP) ||
+ ((m->m_flags & M_LOOP) && (m->m_flags & (M_BCAST|M_MCAST))))) {
+ if (m->m_pkthdr.ph_loopcnt >= M_MAXLOOP)
+ error = ELOOP;
goto release;
}
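Review bot: The inner `if (m->m_pkthdr.ph_loopcnt >= M_MAXLOOP)` reads the counter after the `ph_loopcnt++` in the outer condition has already run, so it fires one pass earlier than the outer counter test. A looped broadcast/multicast packet whose counter was M_MAXLOOP - 1 on entry therefore still gets `error = ELOOP` and dissolves the splice, which is not what the added comment describes. Testing the incremented value with `if (m->m_pkthdr.ph_loopcnt > M_MAXLOOP)` would match the pre-increment comparison exactly, and moving the increment out of the condition would make the threshold easier to audit. The no-error path depends on the `release` label, which like the rest of somove() lies outside this hunk, so it is worth confirming there that the looped mbuf is discarded and not left queued for another pass, given that the bug being fixed is unbounded recursion.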