
Commit d157b545 authored by Karthikeyan Ramasubramanian's avatar Karthikeyan Ramasubramanian

net: ipc_router: Add a dummy write_space callback



IPC Router assigns NULL to the write_space callback for all sockets in its
family by default. The setsockopt operation with the SO_SNDBUF option
accesses the write_space callback without checking its validity. This may
lead to a NULL pointer dereference when that operation is performed.

Assign a dummy write_space callback operation by default to all IPC Router
sockets.

CRs-Fixed: 1025150
Change-Id: Id2454683116c948b7bb4fa3c50a91a5a9585a491
Signed-off-by: default avatarKarthikeyan Ramasubramanian <kramasub@codeaurora.org>
parent 20b1a290
+12 −3
@@ -1524,6 +1524,14 @@ static int msm_ipc_router_lookup_resume_tx_port(
	return 0;
}

/**
 * ipc_router_dummy_write_space() - Dummy write space available callback
 * @sk:	Socket pointer for which the callback is called.
 */
void ipc_router_dummy_write_space(struct sock *sk)
{
}

/**
 * post_resume_tx() - Post the resume_tx event
 * @rport_ptr: Pointer to the remote port
@@ -1560,10 +1568,11 @@ static void post_resume_tx(struct msm_ipc_router_remote_port *rport_ptr,
				read_lock(&sk->sk_callback_lock);
				write_space = sk->sk_write_space;
				read_unlock(&sk->sk_callback_lock);
				if (write_space)
					write_space(sk);
			}
			if (!write_space)
			if (write_space &&
			    write_space != ipc_router_dummy_write_space)
				write_space(sk);
			else
				post_pkt_to_port(local_port, pkt, 1);
		} else {
			IPC_RTR_ERR("%s: Local Port %d not Found",
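Review bot: The call `write_space(sk)` now sits after the closing `}` of the block that reads `sk->sk_write_space`, so it is no longer covered by whatever condition guards that block (its opening line is outside the hunk; it looks like a check on `sk`). If `write_space` is not reset for each port, a value left over from an earlier socket could be invoked with a different or NULL `sk`. Consider adding `write_space = NULL;` immediately before the guarded block, or keeping the call inside it as the removed lines did. The pointer is also invoked after `sk_callback_lock` is released, so the socket's lifetime has to be held by something outside this hunk, presumably the port reference; that is worth confirming.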
+7 −1
/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -141,4 +141,10 @@ void *msm_ipc_load_default_node(void);

void msm_ipc_unload_default_node(void *pil);

/**
 * ipc_router_dummy_write_space() - Dummy write space available callback
 * @sk:	Socket pointer for which the callback is called.
 */
void ipc_router_dummy_write_space(struct sock *sk);

#endif
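Review bot: The kernel-doc for `ipc_router_dummy_write_space()` does not say why a no-op callback exists or that the router core compares against its address. I would extend the comment along the lines of `Installed as the default sk_write_space so that generic socket code which calls the callback unconditionally (e.g. SO_SNDBUF handling) never sees NULL; post_resume_tx() treats it as "no callback registered".` Recording the sentinel role here makes it less likely that a later change swaps the comparison for a plain NULL check or reassigns NULL to the field.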
+1 −1
@@ -210,7 +210,7 @@ static int msm_ipc_router_create(struct net *net,
	sock->ops = &msm_ipc_proto_ops;
	sock_init_data(sock, sk);
	sk->sk_data_ready = NULL;
	sk->sk_write_space = NULL;
	sk->sk_write_space = ipc_router_dummy_write_space;
	sk->sk_rcvtimeo = DEFAULT_RCV_TIMEO;
	sk->sk_sndtimeo = DEFAULT_SND_TIMEO;