
msm: ipa: Fix use after free issue
authorMohammed Javid <mjavid@codeaurora.org>
Tue, 3 Oct 2017 07:40:05 +0000 (13:10 +0530)
committerGerrit - the friendly Code Review server <code-review@localhost>
Fri, 6 Oct 2017 03:24:29 +0000 (20:24 -0700)
Added code changes to avoid use after free
by keeping a local copy and
caching it upon successful return.

Change-Id: Iffac9ba89658b986bd8b630d22af619300e0ff5d
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
drivers/platform/msm/ipa/ipa_v2/ipa.c
drivers/platform/msm/ipa/ipa_v3/ipa.c

index df741c1..9e19fa6 100644 (file)
@@ -536,6 +536,7 @@ static int ipa_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_c
        int retval;
        struct ipa_wan_msg *wan_msg;
        struct ipa_msg_meta msg_meta;
+       struct ipa_wan_msg cache_wan_msg;
 
        wan_msg = kzalloc(sizeof(struct ipa_wan_msg), GFP_KERNEL);
        if (!wan_msg) {
@@ -549,6 +550,8 @@ static int ipa_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_c
                return -EFAULT;
        }
 
+       memcpy(&cache_wan_msg, wan_msg, sizeof(cache_wan_msg));
+
        memset(&msg_meta, 0, sizeof(struct ipa_msg_meta));
        msg_meta.msg_type = msg_type;
        msg_meta.msg_len = sizeof(struct ipa_wan_msg);
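Review bot: The new snapshot line `memcpy(&cache_wan_msg, wan_msg, sizeof(cache_wan_msg));` carries no comment explaining why a stack copy of a buffer that is still live at this point is needed, so a later reader who sees wan_msg apparently untouched below will be tempted to remove it and reintroduce the use-after-free the commit message describes. Suggest adding `/* wan_msg is handed off to the send path, which frees it on success; keep a copy for the cne event cache */` above the line, and the plain struct assignment `cache_wan_msg = *wan_msg;` is the more idiomatic form with the same effect. The same remark applies to the matching hunk in ipa3_send_wan_msg in drivers/platform/msm/ipa/ipa_v3/ipa.c. The send call and the rest of ipa_send_wan_msg lie outside this hunk, so the exact point of ownership transfer is inferred from the commit description rather than visible here.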
@@ -565,8 +568,8 @@ static int ipa_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_c
                /* cache the cne event */
                memcpy(&ipa_ctx->ipa_cne_evt_req_cache[
                        ipa_ctx->num_ipa_cne_evt_req].wan_msg,
-                       wan_msg,
-                       sizeof(struct ipa_wan_msg));
+                       &cache_wan_msg,
+                       sizeof(cache_wan_msg));
 
                memcpy(&ipa_ctx->ipa_cne_evt_req_cache[
                        ipa_ctx->num_ipa_cne_evt_req].msg_meta,
index fd503f4..ecd532c 100644 (file)
@@ -603,6 +603,7 @@ static int ipa3_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_
        int retval;
        struct ipa_wan_msg *wan_msg;
        struct ipa_msg_meta msg_meta;
+       struct ipa_wan_msg cache_wan_msg;
 
        wan_msg = kzalloc(sizeof(struct ipa_wan_msg), GFP_KERNEL);
        if (!wan_msg) {
@@ -616,6 +617,8 @@ static int ipa3_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_
                return -EFAULT;
        }
 
+       memcpy(&cache_wan_msg, wan_msg, sizeof(cache_wan_msg));
+
        memset(&msg_meta, 0, sizeof(struct ipa_msg_meta));
        msg_meta.msg_type = msg_type;
        msg_meta.msg_len = sizeof(struct ipa_wan_msg);
@@ -632,8 +635,8 @@ static int ipa3_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_
                /* cache the cne event */
                memcpy(&ipa3_ctx->ipa_cne_evt_req_cache[
                        ipa3_ctx->num_ipa_cne_evt_req].wan_msg,
-                       wan_msg,
-                       sizeof(struct ipa_wan_msg));
+                       &cache_wan_msg,
+                       sizeof(cache_wan_msg));
 
                memcpy(&ipa3_ctx->ipa_cne_evt_req_cache[
                        ipa3_ctx->num_ipa_cne_evt_req].msg_meta,