From ba0e5f18296f4fe2157426441c555b3a7c5c1384 Mon Sep 17 00:00:00 2001
From: webbeef
Date: Thu, 19 Sep 2024 17:10:59 -0700
Subject: [PATCH] Fix user after free in MacOS select() (#359)

Update to the loop handling large messages logic in order to not reuse the `message` after it's backing buffer was deallocated.

Signed-off-by: webbeef
---
 src/platform/macos/mod.rs | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/platform/macos/mod.rs b/src/platform/macos/mod.rs
index 99beef83..ad8eff8e 100644
--- a/src/platform/macos/mod.rs
+++ b/src/platform/macos/mod.rs
@@ -723,11 +723,11 @@ fn select(
 MACH_PORT_NULL,
 ) {
 MACH_RCV_TOO_LARGE => {
+ let max_trailer_size =
+ mem::size_of::() as mach_sys::mach_msg_size_t;
+ // the actual size gets written into msgh_size by the kernel
+ let mut actual_size = (*message).header.msgh_size + max_trailer_size;
 loop {
- // the actual size gets written into msgh_size by the kernel
- let max_trailer_size = mem::size_of::()
- as mach_sys::mach_msg_size_t;
- let actual_size = (*message).header.msgh_size + max_trailer_size;
 allocated_buffer = Some(libc::malloc(actual_size as size_t));
 setup_receive_buffer(
 slice::from_raw_parts_mut(
@@ -748,6 +748,7 @@ fn select(
 ) {
 MACH_MSG_SUCCESS => break,
 MACH_RCV_TOO_LARGE => {
+ actual_size = (*message).header.msgh_size + max_trailer_size;
 libc::free(allocated_buffer.unwrap() as *mut _);
 continue;
 },
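Review bot: The new `let mut actual_size = (*message).header.msgh_size + max_trailer_size;` is an unchecked `mach_msg_size_t` (u32) addition on a kernel-written field, and its result is the size handed to `libc::malloc` and then, via setup_receive_buffer, to `slice::from_raw_parts_mut`; a wrapped value in a release build would size the buffer smaller than the slice the receive path is told it has. This cannot happen for a well-formed Mach message, but the checked form costs nothing and documents the invariant: `let mut actual_size = (*message).header.msgh_size.checked_add(max_trailer_size).expect("mach msgh_size + trailer overflows mach_msg_size_t");`. The same addition is repeated on the new line of the second hunk and would take the same treatment. The enclosing select() starts and ends outside the hunk.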
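Review bot: The order of the two statements in this `MACH_RCV_TOO_LARGE` arm is now load-bearing — the kernel-reported size must be read from `(*message).header.msgh_size` before `libc::free`, because `message` presumably points into `allocated_buffer` (set up by setup_receive_buffer, outside the hunk) and is dangling from the free until the next iteration re-points it — but nothing in the code records that; add `// Read msgh_size before freeing: `message` points into allocated_buffer and dangles until setup_receive_buffer re-points it on the next iteration.` above the assignment. Separately, if the kernel ever returns MACH_RCV_TOO_LARGE without a larger msgh_size, this loop re-allocates the same size and retries indefinitely; a progress check such as `let new_size = (*message).header.msgh_size + max_trailer_size;` / `debug_assert!(new_size > actual_size, "MACH_RCV_TOO_LARGE without a larger msgh_size");` / `actual_size = new_size;` would make that state visible rather than silent. The enclosing select() starts and ends outside the hunk.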