Unsafety in CMSG_* on invalid buffers

[Demi-Marie]

The CMSG_* code is unsafe if the buffers passed to it are malformed. This is not a problem if they come from the kernel (the usual case), since the kernel only generates valid buffers. It is, however, a problem if they come from any other source.

[camshaft]

The CMSG functions also take a *const and return a *mut. This allows for unsound code that rustc will accept. Luckily, MIRI is able to detect this as UB, but this should ideally be fixed to have two different functions: one for *const and one for *mut.

[tgross35]

What are the proposed solutions here? We can accept a potentially breaking change for 1.0, but I'm not sure what exactly is expected since these functions are already unsafe (the *const -> *mut is more notable iiuc).

[camshaft]

My vote would be to minimally change the signature to take a *mut and return a *mut. But it's possible that there are applications that only have a *const, so I think we'll probably need an additional *const -> *const function.