unix: handle a case when a buffer is overflowed

Reported-by: syzbot+1aab6800bd14829609b8@syzkaller.appspotmail.com
PiperOrigin-RevId: 394279838

2 files changed, 16 insertions, 1 deletions

diff --git a/pkg/sentry/socket/unix/transport/queue.go b/pkg/sentry/socket/unix/transport/queue.go
index e4de44498..a9cedcf5f 100644
--- a/pkg/sentry/socket/unix/transport/queue.go
+++ b/pkg/sentry/socket/unix/transport/queue.go
@@ -133,7 +133,7 @@ func (q *queue) Enqueue(ctx context.Context, data [][]byte, c ControlMessages, f
 	free := q.limit - q.used
 
 	if l > free && truncate {
-		if free == 0 {
+		if free <= 0 {
 			// Message can't fit right now.
 			q.mu.Unlock()
 			return 0, false, syserr.ErrWouldBlock
diff --git a/test/syscalls/linux/socket_unix_stream.cc b/test/syscalls/linux/socket_unix_stream.cc
index 6e9f70f8c..2f3cfc3f3 100644
--- a/test/syscalls/linux/socket_unix_stream.cc
+++ b/test/syscalls/linux/socket_unix_stream.cc
@@ -181,6 +181,21 @@ TEST_P(StreamUnixSocketPairTest, SetSocketSendBuf) {
   ASSERT_EQ(quarter_sz, val);
 }
 
+TEST_P(StreamUnixSocketPairTest, SendBufferOverflow) {
+  auto sockets = ASSERT_NO_ERRNO_AND_VALUE(NewSocketPair());
+  auto s = sockets->first_fd();
+
+  constexpr int kBufSz = 4096;
+  std::vector<char> buf(kBufSz * 4);
+  ASSERT_THAT(RetryEINTR(send)(s, buf.data(), buf.size(), MSG_DONTWAIT),
+              SyscallSucceeds());
+  // The new buffer size should be smaller that the amount of data in the queue.
+  ASSERT_THAT(setsockopt(s, SOL_SOCKET, SO_SNDBUF, &kBufSz, sizeof(kBufSz)),
+              SyscallSucceeds());
+  ASSERT_THAT(RetryEINTR(send)(s, buf.data(), buf.size(), MSG_DONTWAIT),
+              SyscallFailsWithErrno(EAGAIN));
+}
+
 TEST_P(StreamUnixSocketPairTest, IncreasedSocketSendBufUnblocksWrites) {
   auto sockets = ASSERT_NO_ERRNO_AND_VALUE(NewSocketPair());
   int sock = sockets->first_fd();