conn_info is used to connect the local port with the destination port
address and is freed only for remote server cleanup in the SSR case,
which leads to a memory leak for other remote ports which have valid
conn_info.
Free the conn_info structure for all remote ports during the SSR and
while handling remove client message.
CRs-Fixed: 1057219
Change-Id: I164a9eb308f5779d545766b18bb41184c49bbb3d
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>

IPC Router assigns NULL to write_space callback for all sockets in its
family by default. The setsockopt operation with SO_SNDBUF option
accesses write_space callback without checking its validity. This may
lead to a NULL pointer dereferencing when that operation is performed.
Assign a dummy write_space callback operation by default to all IPC Router
sockets.
CRs-Fixed: 1025150
Change-Id: Id2454683116c948b7bb4fa3c50a91a5a9585a491
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>

In local client and local service communication, getting the reference
count for local xport_info pointer fails with -ENODEV and returns
without sending the resume tx message which blocks the communication.
Check and remove the reference get logic for local xprt_info.
CRs-Fixed: 1009471
Change-Id: If11cd577d30c22d79544f4668e08ccf269237236
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>

In the SSR case the xprt_info pointer is freed without considering the
users of the pointer in the TX path, which will lead to use after free of
the pointer.
Use the reference count to keep track of the xprt_info structure and wait
for all users to complete the task before freeing the xprt_info pointer.
CRs-Fixed: 999123
Change-Id: I894a877346ff1d395c6f1b06267dfec333cb1024
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>

IPC Router binds any port as a control port and moves it from the client
port list to control port list. Misbehaving clients can exploit this
incorrect behavior.
IPC Router to check if the port is a client port before binding it as a
control port.
CRs-Fixed: 974577
Change-Id: I9f189b76967d5f85750218a7cb6537d187a69663
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>

The service info structure is allocated with uninitialized memory for the
max number of services and returns the complete structure to the userspace,
resulting in an information leak if the lookup operation finds fewer
services than the requested number.
Check the minimum of requested and available services and copy the minimum
information to the user-space.
CRs-Fixed: 965934
Change-Id: Ic97f875855fdc6440c1db1d8d0338ee8b03a9d0a
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>

Currently, IPC Router statically associates the version of the
protocol to be used with each link. Thus, dynamic version negotiation
is not possible.
Add support for version negotiation that sets IPC Router version
after a successful negotiation.
Change-Id: Iea04742ef30443c1e36760561e7f20175c4fbaa6
Signed-off-by: Atish Kumar Patra <apatra@codeaurora.org>

The networking module uses iov_iter library to manage the vector buffers
from user-space. Use iov_iter accessor functions to copy the data from/to
the user-space vector buffers.
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>

Update the function signature of sendmsg and recvmsg operations.
Pass the kernel socket flag to the updated socket object allocation
function.
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>

qmi_encdec.h header file is no longer required in IPC Router. Remove
including that header file.
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>

This snapshot is taken as of msm-3.18 commit e70ad0cd (Promotion of
kernel.lnx.3.18-151201.)
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>