net: ipc_router: Bind only a client port as control portandroid-7.0.0_r0.18

IPC Router binds any port as a control port and moves it from the client port list to control port list. Misbehaving clients can exploit this incorrect behavior. IPC Router to check if the port is a client port before binding it as a control port. Bug: 27045580 CRs-Fixed: 974577 Change-Id: I9f189b76967d5f85750218a7cb6537d187a69663 Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
author: Karthikeyan Ramasubramanian <kramasub@codeaurora.org> 2016-02-22 16:30:40 -0700
committer: Mekala Natarajan <mnatarajan@google.com> 2016-08-08 17:10:08 -0700
commit: de1f2005544097ca29df5878156d6cb9abeee512 (patch)
tree: cf7eca5cb7d4e7fc7a9d54f89d00f76991a7a95a
parent: 55a5cbc9dbfad5d8cb256702ca9e9566b81d138a (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/net/ipc_router/ipc_router_core.c b/net/ipc_router/ipc_router_core.c
index 7106ba2bce4c..12f264a00d86 100644
--- a/net/ipc_router/ipc_router_core.c
+++ b/net/ipc_router/ipc_router_core.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -3279,7 +3279,7 @@ int msm_ipc_router_get_curr_pkt_size(struct msm_ipc_port *port_ptr)
 
 int msm_ipc_router_bind_control_port(struct msm_ipc_port *port_ptr)
 {
-	if (!port_ptr)
+	if (unlikely(!port_ptr || port_ptr->type != CLIENT_PORT))
 		return -EINVAL;
 
 	down_write(&local_ports_lock_lhc2);
author	Karthikeyan Ramasubramanian <kramasub@codeaurora.org>	2016-02-22 16:30:40 -0700
committer	Mekala Natarajan <mnatarajan@google.com>	2016-08-08 17:10:08 -0700
commit	de1f2005544097ca29df5878156d6cb9abeee512 (patch)
tree	cf7eca5cb7d4e7fc7a9d54f89d00f76991a7a95a
parent	55a5cbc9dbfad5d8cb256702ca9e9566b81d138a (diff)