diag: Add protection while accessing diag client map
There is a possibility of a use-after-free while accessing the diag client map table, since the list can be reallocated when the max client limit is exceeded. The patch adds protection while accessing the client map list. Change-Id: Ibc33d9d90b7e22394c82265b0fa80a89cc2a3122 Signed-off-by: Hardik Arya <harya@codeaurora.org>
parent
912e807881
commit
b9530d435e
@ -1,4 +1,4 @@
|
||||
/* Copyright (c) 2008-2019, The Linux Foundation. All rights reserved.
|
||||
/* Copyright (c) 2008-2021, The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 and
|
||||
@ -548,6 +548,7 @@ static int diag_remove_client_entry(struct file *file)
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
mutex_lock(&driver->diagchar_mutex);
|
||||
diagpriv_data = file->private_data;
|
||||
for (i = 0; i < driver->num_clients; i++)
|
||||
if (diagpriv_data && diagpriv_data->pid ==
|
||||
@ -557,11 +558,13 @@ static int diag_remove_client_entry(struct file *file)
|
||||
DIAG_LOG(DIAG_DEBUG_USERSPACE,
|
||||
"pid %d, not present in client map\n",
|
||||
diagpriv_data->pid);
|
||||
mutex_unlock(&driver->diagchar_mutex);
|
||||
mutex_unlock(&driver->diag_file_mutex);
|
||||
return -EINVAL;
|
||||
}
|
||||
DIAG_LOG(DIAG_DEBUG_USERSPACE, "diag: %s process exit with pid = %d\n",
|
||||
driver->client_map[i].name, diagpriv_data->pid);
|
||||
mutex_unlock(&driver->diagchar_mutex);
|
||||
/*
|
||||
* clean up any DCI registrations, if this is a DCI client
|
||||
* This will specially help in case of ungraceful exit of any DCI client
|
||||
|
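Review bot: The index `i` is only trustworthy while `diagchar_mutex` is held, and the `mutex_unlock(&driver->diagchar_mutex)` after the "process exit" DIAG_LOG (apparently added by this commit; the +/- markers are lost on this page) releases it before the DCI cleanup that follows. diag_remove_client_entry continues past the end of this hunk, so any later `driver->client_map[i]` access there should re-take the lock and look the entry up by pid again rather than reuse `i`, since the table may have been reallocated in between. The not-found path releases `diagchar_mutex` and then `diag_file_mutex`, which fixes the nesting as `diag_file_mutex` outside `diagchar_mutex`; a comment at the `mutex_lock()` such as `/* Lock order: diag_file_mutex, then diagchar_mutex; guards client_map against reallocation. */` would record that for other callers. The fix presumably also depends on the path that reallocates `client_map` holding `diagchar_mutex`, which is not visible here and is worth confirming.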