Commit e1b554fb authored by Arun Kumar Neelakantam, committed by Allen Huang

net: ipc_router: fix leak of kernel memory to userspace


The service info structure is allocated with uninitialized memory for the
max number of services and returns the complete structure to the userspace
resulting in the information leak if lookup operation finds less number of
services than the requested number.

Check the minimum of requested and available services and copy the minimum
information to the user-space.

CRs-Fixed: 965934
Change-Id: Ic97f875855fdc6440c1db1d8d0338ee8b03a9d0a
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/229017
Reviewed-by: allen1_huang <allen1_huang@asus.com>
Tested-by: allen1_huang <allen1_huang@asus.com>
parent 0374db72
/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.
/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
......@@ -519,13 +519,18 @@ static int msm_ipc_router_ioctl(struct socket *sock,
ret = copy_to_user((void *)arg, &server_arg,
sizeof(server_arg));
if (srv_info_sz) {
n = min(server_arg.num_entries_found,
server_arg.num_entries_in_array);
if (ret == 0 && n) {
ret = copy_to_user((void *)(arg + sizeof(server_arg)),
srv_info, srv_info_sz);
if (ret)
ret = -EFAULT;
kfree(srv_info);
srv_info, n * sizeof(*srv_info));
}
if (ret)
ret = -EFAULT;
kfree(srv_info);
break;
case IPC_ROUTER_IOCTL_BIND_CONTROL_PORT:
......
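Review bot: in the second copy_to_user(), the length `n * sizeof(*srv_info)` limits how many entries are copied out, but nothing in this hunk guarantees that every byte of those n entries was written by the lookup. The commit message says the buffer is allocated uninitialized, so any field or padding the lookup leaves untouched inside an entry would still reach userspace. Zeroing the buffer at the allocation site (kzalloc or kcalloc, outside the lines shown) would close that case as well and keep the min() clamp as a second guard. Two smaller points on the same lines: `kfree(srv_info)` now runs even when `srv_info_sz` is 0, which is only safe if srv_info starts out NULL on that path, and the declared type of `n` is not visible here, so it is worth confirming that `num_entries_found` cannot be negative before it is multiplied into a copy size. The braces around the single-statement `if (ret == 0 && n)` body can also be dropped to match kernel style.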