net: ipc_router: fix NULL pointer de-reference issue

Fail cases of accept() system call on AF_MSM_IPC socket family causes NULL pointer de-reference of sock structure variable in release operation. Validate the sock structure pointer before using it in release operation. CRs-Fixed: 1068888 Change-Id: I5637e52be59ea9504ea6ae317394bef0c28c7865 Signed-off-by: Arun Kumar Neelakantam <[email protected]> mh0rst: Backport Fixes: CVE-2016-5870 Signed-off-by: Joel Stanley <[email protected]> Signed-off-by: Francisco Franco <[email protected]>
franciscofranco · Dec 9, 2017 · 1959830 · 1959830
1 parent 890cadd
commit 1959830
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/arch/arm/mach-msm/ipc_socket.c b/arch/arm/mach-msm/ipc_socket.c
@@ -591,11 +591,19 @@ static unsigned int msm_ipc_router_poll(struct file *file,
 static int msm_ipc_router_close(struct socket *sock)
 {
 	struct sock *sk = sock->sk;
-	struct msm_ipc_port *port_ptr = msm_ipc_sk_port(sk);
+	struct msm_ipc_port *port_ptr;
 	void *pil = msm_ipc_sk(sk)->default_pil;
 	int ret;
 
+	if (!sk)
+		return -EINVAL;
+
 	lock_sock(sk);
+	port_ptr = msm_ipc_sk_port(sk);
+	if (!port_ptr) {
+		release_sock(sk);
+		return -EINVAL;
+	}
 	ret = msm_ipc_router_close_port(port_ptr);
 	if (pil)
 		msm_ipc_unload_default_node(pil);