author | Chris Lew <clew@codeaurora.org> | 2017-10-04 15:58:16 -0700 |
---|---|---|
committer | Dhoat Harpal <hdhoat@codeaurora.org> | 2018-03-20 18:16:10 +0530 |
commit | ebea2d97751223282c37ad18937f372331796278 (patch) | |
tree | 8209fdcfdf908d5497190e48a3f1636edf70a373 /net | |
parent | 8e181ea4e865a2245124116afee0d9f71ccd43aa (diff) |
net: ipc_router: Validate return from skb_peek
The skb_peek and skb_peek_tail functions can return NULL if the skb
list is empty. Check the return value before using the skb.
CRs-Fixed: 2121368
Change-Id: If14320104ec37b8b7504e930ed8fd06e72d08724
Signed-off-by: Chris Lew <clew@codeaurora.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipc_router/ipc_router_core.c | 14 | ||||
-rw-r--r-- | net/ipc_router/ipc_router_socket.c | 6 |
2 files changed, 17 insertions, 3 deletions
diff --git a/net/ipc_router/ipc_router_core.c b/net/ipc_router/ipc_router_core.c
index 5cb309a11f82..b4506280e3e4 100644
--- a/net/ipc_router/ipc_router_core.c
+++ b/net/ipc_router/ipc_router_core.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -2936,6 +2936,10 @@ static int loopback_data(struct msm_ipc_port *src,
 }
 temp_skb = skb_peek_tail(pkt->pkt_fragment_q);
+ if (!temp_skb) {
+ IPC_RTR_ERR("%s: Empty skb\n", __func__);
+ return -EINVAL;
+ }
 align_size = ALIGN_SIZE(pkt->length);
 skb_put(temp_skb, align_size);
 pkt->length += align_size;
@@ -3097,6 +3101,11 @@ static int msm_ipc_router_write_pkt(struct msm_ipc_port *src,
 }
 temp_skb = skb_peek_tail(pkt->pkt_fragment_q);
+ if (!temp_skb) {
+ IPC_RTR_ERR("%s: Abort invalid pkt\n", __func__);
+ ret = -EINVAL;
+ goto out_write_pkt;
+ }
 align_size = ALIGN_SIZE(pkt->length);
 skb_put(temp_skb, align_size);
 pkt->length += align_size;
@@ -3424,7 +3433,8 @@ int msm_ipc_router_recv_from(struct msm_ipc_port *port_ptr,
 align_size = ALIGN_SIZE(data_len);
 if (align_size) {
 temp_skb = skb_peek_tail((*pkt)->pkt_fragment_q);
- skb_trim(temp_skb, (temp_skb->len - align_size));
+ if (temp_skb)
+ skb_trim(temp_skb, (temp_skb->len - align_size));
 }
 return data_len;
 }
diff --git a/net/ipc_router/ipc_router_socket.c b/net/ipc_router/ipc_router_socket.c
index b15356ae26fc..23e4443fc1b2 100644
--- a/net/ipc_router/ipc_router_socket.c
+++ b/net/ipc_router/ipc_router_socket.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
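Review bot: In loopback_data the new NULL check is followed directly by `skb_put(temp_skb, align_size)`, which still assumes the tail fragment has room for the padding; skb_put() panics the kernel when tailroom is short. If a fragment can reach this point without padding room reserved (not visible in the hunk), a guard such as `if (skb_tailroom(temp_skb) < align_size) return -EINVAL;` before the put turns that into an error return. The identical sequence in msm_ipc_router_write_pkt has the same gap, and there the guard should set `ret` and `goto out_write_pkt`. Both functions start and end outside their hunks, so it should also be confirmed that the bare `return -EINVAL` in loopback_data does not skip cleanup of the kind write_pkt's label performs.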
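Review bot: In msm_ipc_router_recv_from the empty-queue case is skipped silently and the function still returns data_len, whereas the other call sites touched by this commit log the condition and fail with -EINVAL; a packet with non-zero padding and no fragments looks like the same invalid state and should probably be reported the same way. Separately, `temp_skb->len - align_size` is computed on an unsigned length, so a tail fragment shorter than the padding wraps to a large value and skb_trim() then leaves the skb unchanged; `if (temp_skb && temp_skb->len >= align_size)` makes the intended precondition explicit. The function begins outside the hunk.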
@@ -138,6 +138,10 @@ static int msm_ipc_router_extract_msg(struct msghdr *m,
 hdr = &(pkt->hdr);
 if (addr && (hdr->type == IPC_ROUTER_CTRL_CMD_RESUME_TX)) {
 temp = skb_peek(pkt->pkt_fragment_q);
+ if (!temp || !temp->data) {
+ IPC_RTR_ERR("%s: Invalid skb\n", __func__);
+ return -EINVAL;
+ }
 ctl_msg = (union rr_control_msg *)(temp->data);
 addr->family = AF_MSM_IPC;
 addr->address.addrtype = MSM_IPC_ADDR_ID; |
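Review bot: The new check in msm_ipc_router_extract_msg rejects a missing skb but not a short one: `temp->data` is cast to `union rr_control_msg *` without comparing the skb's linear length against the size of that union, so fields read through ctl_msg (presumably just after this hunk) could come from beyond the received data. Extending the condition to `if (!temp || !temp->data || skb_headlen(temp) < sizeof(*ctl_msg))` covers that case. The function continues outside the hunk, so it is also worth confirming that the caller releases pkt on the new -EINVAL return.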