Hmm, I think there is a sneaky bug here, also present in the old version.

Note that on LP64 platforms, CMSG_SPACE(0) > sizeof(struct cmsghdr), since message data is aligned to 8 bytes and sizeof(struct cmsghdr) == 12. So it's possible to have data - (char *)cm > cm->cmsg_len. That means that the calculation of datalen can underflow.

For example, set msg_controllen = CMSG_SPACE(0) and msg_control = &(struct cmsghdr){.cmsg_len = sizeof(struct cmsghdr), .cmsg_level = SOL_SOCKET, .cmsg_type = SCM_foo}.

I think in this case it's mostly harmless because the test CMSG_SPACE(newlen) > MCLBYTES below will fail, and for non SCM_RIGHTS messages, CMSG_SPACE(datalen) will equal CMSG_SPACE(0) due to 32-bit integer truncation, so the loop will break (though we do not signal an error). But we should definitely fix this.

Can't it be part of the for loop condition?

This comment is too specific now, probably the second sentence can just be deleted.

CMSG_LEN(0) is exactly equal to sizeof(struct cmsghdr).

Rather than having an ifdef LP64 (I believe this is discouraged in new code since at least on CHERI, sizeof(long) != sizeof(void *)), we could use the predicate CMSG_SPACE(0) != CMSG_LEN(0) or CMSG_SPACE(0) != sizeof(struct cmsghdr).

Nope:

(kgdb) p sizeof(struct cmsghdr)
$1 = 12
(kgdb) p (((__uintptr_t)(sizeof(struct cmsghdr)) + 7) & ~7)
$2 = 16

Oops, sorry, I forgot that CMSG_LEN includes alignment for the header.

Unfortunately we can't use sizeof() in preprocessor. Do you want me to code the check in C?

Yeah, I think checking in C is fine...

Then, I think, this is final version.