> I included this test deliberately, because msg_controllen may be 
> of signed type [...] POSIX allows socklen_t to be signed

http://pubs.opengroup.org/onlinepubs/007908799/xns/syssocket.h.html
"""
<sys/socket.h> makes available a type, socklen_t, which is an unsigned opaque integral type of length of at least 32 bits. To forestall portability problems, it is recommended that applications should not use values larger than 2**32 - 1.
"""

It seems pretty clear to me.
Did you actually encounter this problem on any OS?
Furthermore, even if it was the case, I don't see how we could end up with a negative value for msg_controllen (it's a buffer length), since it's set by the kernel.
Also, I'm not convinced by this:

   /* Check for empty ancillary data as old CMSG_FIRSTHDR()
       implementations didn't do so. */
    for (cmsgh = ((msg.msg_controllen > 0) ? CMSG_FIRSTHDR(&msg) : NULL);
         cmsgh != NULL; cmsgh = CMSG_NXTHDR(&msg, cmsgh)) {

Did you really have reports of CMSG_NXTHDR not returning NULL upon empty ancillary data (it's also raquired by POSIX)?