Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a1607f42 authored Oct 03, 2017 by Mohammed Javid Committed by Gerrit - the friendly Code Review server Nov 27, 2017

msm: ipa: Fix use after free issue



Added code changes to avoid use after free
by having local copy and
cache it upon successful return.

Change-Id: Iffac9ba89658b986bd8b630d22af619300e0ff5d
Acked-by: Pooja Kumari <kumarip@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>

parent 16349458

drivers/platform/msm/ipa/ipa_v2/ipa.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -537,6 +537,7 @@ static int ipa_send_wan_msg(unsigned long usr_param, uint8_t msg_type)
		int retval;
		struct ipa_wan_msg *wan_msg;
		struct ipa_msg_meta msg_meta;
		struct ipa_wan_msg cache_wan_msg;

		wan_msg = kzalloc(sizeof(struct ipa_wan_msg), GFP_KERNEL);
		if (!wan_msg) {
		@@ -550,6 +551,8 @@ static int ipa_send_wan_msg(unsigned long usr_param, uint8_t msg_type)
		return -EFAULT;
		}

		memcpy(&cache_wan_msg, wan_msg, sizeof(cache_wan_msg));

		memset(&msg_meta, 0, sizeof(struct ipa_msg_meta));
		msg_meta.msg_type = msg_type;
		msg_meta.msg_len = sizeof(struct ipa_wan_msg);

drivers/platform/msm/ipa/ipa_v3/ipa.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -603,6 +603,7 @@ static int ipa3_send_wan_msg(unsigned long usr_param, uint8_t msg_type)
		int retval;
		struct ipa_wan_msg *wan_msg;
		struct ipa_msg_meta msg_meta;
		struct ipa_wan_msg cache_wan_msg;

		wan_msg = kzalloc(sizeof(struct ipa_wan_msg), GFP_KERNEL);
		if (!wan_msg) {
		@@ -616,6 +617,8 @@ static int ipa3_send_wan_msg(unsigned long usr_param, uint8_t msg_type)
		return -EFAULT;
		}

		memcpy(&cache_wan_msg, wan_msg, sizeof(cache_wan_msg));

		memset(&msg_meta, 0, sizeof(struct ipa_msg_meta));
		msg_meta.msg_type = msg_type;
		msg_meta.msg_len = sizeof(struct ipa_wan_msg);