author | Andrei Emeltchenko <andrei.emeltchenko@intel.com> | 2013-11-07 17:25:35 +0200 |
---|---|---|
committer | Johan Hedberg <johan.hedberg@intel.com> | 2013-11-08 11:00:49 +0200 |
commit | 79e90ad1b5a1104114ff54a42186e416bb04f668 (patch) | |
tree | 46b43b1bacfc2ad8d69b3ee28c7f68514f8d5303 /android/ipc.c | |
parent | b3e4587f258ceffcb7a65a48e0baa24559d32791 (diff) | |
download | bluez-79e90ad1b5a1104114ff54a42186e416bb04f668.tar.gz |
android/ipc: Fix crash when sending file descriptor
Since CMSG_FIRSTHDR is defined as shown below:
((size_t) (mhdr)->msg_controllen >= sizeof (struct cmsghdr) \
? (struct cmsghdr *) (mhdr)->msg_control : (struct cmsghdr *) 0)
it returns NULL if msg_controllen is not defined. Accessing
that pointer results in a daemon crash.
Diffstat (limited to 'android/ipc.c')
-rw-r--r-- | android/ipc.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/android/ipc.c b/android/ipc.c
index 9a8657d44..729f15771 100644
--- a/android/ipc.c
+++ b/android/ipc.c
@@ -62,6 +62,9 @@ void ipc_send(int sk, uint8_t service_id, uint8_t opcode, uint16_t len,
 msg.msg_iovlen = 2;
 if (fd >= 0) {
+ msg.msg_control = cmsgbuf;
+ msg.msg_controllen = sizeof(cmsgbuf);
+
 cmsg = CMSG_FIRSTHDR(&msg);
 cmsg->cmsg_level = SOL_SOCKET;
 cmsg->cmsg_type = SCM_RIGHTS;
@@ -69,9 +72,6 @@ void ipc_send(int sk, uint8_t service_id, uint8_t opcode, uint16_t len,
 /* Initialize the payload */
 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
-
- msg.msg_control = cmsgbuf;
- msg.msg_controllen = sizeof(cmsgbuf);
 }
 if (sendmsg(sk, &msg, 0) < 0) { |
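Review bot: The result of `CMSG_FIRSTHDR(&msg)` is still dereferenced unchecked right after the new assignments, so the fix holds only while `cmsgbuf` is at least `sizeof(struct cmsghdr)`. Its declaration is outside the hunk, so it is worth confirming that it is sized with `CMSG_SPACE(sizeof(int))`. The ordering is now load-bearing and easy to undo in a later cleanup, so I would add a comment above the two assignments: `/* msg_control and msg_controllen must be set before CMSG_FIRSTHDR(), which returns NULL otherwise */`. Because `msg_controllen` covers the whole buffer, any bytes of `cmsgbuf` beyond the single SCM_RIGHTS header are passed to the kernel as control data; if the buffer is not zeroed where it is declared, `memset(cmsgbuf, 0, sizeof(cmsgbuf));` before these assignments would rule that out. The body of ipc_send starts and ends outside the hunk.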