CMSG_NXTHDR() checks for cmsg->cmsg_len *after* it increased the pointer.
While this makes sense for parsing received messages, that's a pitfall
for code crafting messages with this macro.
Wipe out the allocated memory to fix this.
(n_fds > 0 ? CMSG_SPACE(sizeof(int) * n_fds) : 0) +
(have_pid ? CMSG_SPACE(sizeof(struct ucred)) : 0);
- msghdr.msg_control = alloca(msghdr.msg_controllen);
+ msghdr.msg_control = alloca0(msghdr.msg_controllen);
cmsg = CMSG_FIRSTHDR(&msghdr);
if (n_fds > 0) {