fix(quinn-udp): move cmsg-len check to Iterator

thomaseizinger · gretchenfrage · commit 19a625de606e · 2025-04-18T23:36:37.000Z
In #2154, we added a piece of logic to `cmsg_nxt_hdr` that - within the `apple-fast-datapath` code - inspects the `cmsg_len` property and checks if we can actually fit another `cmsghdr` into it. This however only makes sense when we are _reading_ a buffer of cmsgs that has been initialised by the kernel. When we are _sending_ datagrams, the cmsg buffer is initialised with all zeros and for every cmsg we want to attach to a datagram, we advance the buffer using CMSG_NXTHDR. In this case, all the fields within `cmsghdr` are 0 initialised and it doesn't make sense to check their length. In fact, doing so results in a false-positive panic triggered by `Encoder::push` because it thinks that the cmsg buffer is too short to accomodate the message it wants to write. To fix this issue, we move the check to the `Iterator` implementation, guarded by the `apple_fast` cfg. This allows us to use the `cmsg_nxt_hdr` function for both reading and writing cmsgs.
diff --git a/quinn-udp/src/cmsg/mod.rs b/quinn-udp/src/cmsg/mod.rs
@@ -112,6 +112,17 @@ impl<'a, M: MsgHdr> Iterator for Iter<'a, M> {
     fn next(&mut self) -> Option<Self::Item> {
         let current = self.cmsg.take()?;
         self.cmsg = unsafe { self.hdr.cmsg_nxt_hdr(current).as_ref() };
+
+        #[cfg(apple_fast)]
+        {
+            // On MacOS < 14 CMSG_NXTHDR might continuously return a zeroed cmsg. In
+            // such case, return `None` instead, thus indicating the end of
+            // the cmsghdr chain.
+            if current.len() < mem::size_of::<M::ControlMessage>() {
+                return None;
+            }
+        }
+
         Some(current)
     }
 }
diff --git a/quinn-udp/src/cmsg/unix.rs b/quinn-udp/src/cmsg/unix.rs
@@ -43,18 +43,7 @@ impl MsgHdr for crate::imp::msghdr_x {
 
     fn cmsg_nxt_hdr(&self, cmsg: &Self::ControlMessage) -> *mut Self::ControlMessage {
         let selfp = self as *const _ as *mut libc::msghdr;
-        let next = unsafe { libc::CMSG_NXTHDR(selfp, cmsg) };
-
-        // On MacOS < 14 CMSG_NXTHDR might continuously return a zeroed cmsg. In
-        // such case, return a null pointer instead, thus indicating the end of
-        // the cmsghdr chain.
-        if unsafe { next.as_ref() }
-            .is_some_and(|n| (n.cmsg_len as usize) < std::mem::size_of::<libc::cmsghdr>())
-        {
-            return std::ptr::null_mut();
-        }
-
-        next
+        unsafe { libc::CMSG_NXTHDR(selfp, cmsg) }
     }
 
     fn set_control_len(&mut self, len: usize) {
diff --git a/quinn-udp/tests/tests.rs b/quinn-udp/tests/tests.rs
@@ -31,6 +31,29 @@ fn basic() {
     );
 }
 
+#[test]
+fn basic_src_ip() {
+    let send = UdpSocket::bind((Ipv6Addr::LOCALHOST, 0))
+        .or_else(|_| UdpSocket::bind((Ipv4Addr::LOCALHOST, 0)))
+        .unwrap();
+    let recv = UdpSocket::bind((Ipv6Addr::LOCALHOST, 0))
+        .or_else(|_| UdpSocket::bind((Ipv4Addr::LOCALHOST, 0)))
+        .unwrap();
+    let src_ip = send.local_addr().unwrap().ip();
+    let dst_addr = recv.local_addr().unwrap();
+    test_send_recv(
+        &send.into(),
+        &recv.into(),
+        Transmit {
+            destination: dst_addr,
+            ecn: None,
+            contents: b"hello",
+            segment_size: None,
+            src_ip: Some(src_ip),
+        },
+    );
+}
+
 #[test]
 fn ecn_v6() {
     let send = Socket::from(UdpSocket::bind((Ipv6Addr::LOCALHOST, 0)).unwrap());
