DivestOS/Patches/Linux_CVEs/CVE-2016-5870/0.patch


From 71fe5361cbef34e2d606b79e8936a910a3e95566 Mon Sep 17 00:00:00 2001
From: Arun Kumar Neelakantam <aneela@codeaurora.org>
Date: Wed, 21 Sep 2016 18:34:01 +0530
Subject: net: ipc_router: fix NULL pointer de-reference issue
Failure cases of the accept() system call on the AF_MSM_IPC socket family cause a
NULL pointer de-reference of the sock structure variable in the release operation.
Validate the sock structure pointer before using it in release operation.
CRs-Fixed: 1068888
Change-Id: I5637e52be59ea9504ea6ae317394bef0c28c7865
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
---
net/ipc_router/ipc_router_socket.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/ipc_router/ipc_router_socket.c b/net/ipc_router/ipc_router_socket.c
index 828797b..652531a 100644
--- a/net/ipc_router/ipc_router_socket.c
+++ b/net/ipc_router/ipc_router_socket.c
@@ -555,10 +555,18 @@ static unsigned int msm_ipc_router_poll(struct file *file,
static int msm_ipc_router_close(struct socket *sock)
{
struct sock *sk = sock->sk;
- struct msm_ipc_port *port_ptr = msm_ipc_sk_port(sk);
+ struct msm_ipc_port *port_ptr;
int ret;
+ if (!sk)
+ return -EINVAL;
+
lock_sock(sk);
+ port_ptr = msm_ipc_sk_port(sk);
+ if (!port_ptr) {
+ release_sock(sk);
+ return -EINVAL;
+ }
ret = msm_ipc_router_close_port(port_ptr);
msm_ipc_unload_default_node(msm_ipc_sk(sk)->default_node_vote_info);
release_sock(sk);
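Review bot: The new `if (!port_ptr)` branch returns straight after `release_sock(sk)`, so it skips `msm_ipc_unload_default_node(...)` and whatever teardown follows the hunk. The body of `msm_ipc_router_close` continues past the last visible line; if that tail drops the socket reference or clears `sock->sk`, this path would leave `sk` referenced and still attached to the socket. Consider skipping only the port close, e.g. `ret = port_ptr ? msm_ipc_router_close_port(port_ptr) : -EINVAL;`, and letting the rest of the release run. The `!sk` guard appears to be the one covering the failed-accept() case from the commit message, and a short comment such as `/* a failed accept() can release a socket that never got an sk */` would record why it is there.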
--
cgit v1.1