android/ipc: Fix crash when sending file descriptor

Since CMSG_FIRSTHDR is defined as shown below: ((size_t) (mhdr)->msg_controllen >= sizeof (struct cmsghdr) \ ? (struct cmsghdr *) (mhdr)->msg_control : (struct cmsghdr *) 0) it return NULL if msg_controllen is not defined. Accessing that pointer result in daemon crash.
author: Andrei Emeltchenko <andrei.emeltchenko@intel.com> 2013-11-07 17:25:35 +0200
committer: Johan Hedberg <johan.hedberg@intel.com> 2013-11-08 11:00:49 +0200
commit: 79e90ad1b5a1104114ff54a42186e416bb04f668 (patch)
tree: 46b43b1bacfc2ad8d69b3ee28c7f68514f8d5303 /android/ipc.c
parent: b3e4587f258ceffcb7a65a48e0baa24559d32791 (diff)
download: bluez-79e90ad1b5a1104114ff54a42186e416bb04f668.tar.gz
1 files changed, 3 insertions, 3 deletions
diff --git a/android/ipc.c b/android/ipc.c
index 9a8657d44..729f15771 100644
--- a/android/ipc.c
+++ b/android/ipc.c
@@ -62,6 +62,9 @@ void ipc_send(int sk, uint8_t service_id, uint8_t opcode, uint16_t len,
 	msg.msg_iovlen = 2;
 
 	if (fd >= 0) {
+		msg.msg_control = cmsgbuf;
+		msg.msg_controllen = sizeof(cmsgbuf);
+
 		cmsg = CMSG_FIRSTHDR(&msg);
 		cmsg->cmsg_level = SOL_SOCKET;
 		cmsg->cmsg_type = SCM_RIGHTS;
@@ -69,9 +72,6 @@ void ipc_send(int sk, uint8_t service_id, uint8_t opcode, uint16_t len,
 
 		/* Initialize the payload */
 		memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
-
-		msg.msg_control = cmsgbuf;
-		msg.msg_controllen = sizeof(cmsgbuf);
 	}
 
 	if (sendmsg(sk, &msg, 0) < 0) {
author	Andrei Emeltchenko <andrei.emeltchenko@intel.com>	2013-11-07 17:25:35 +0200
committer	Johan Hedberg <johan.hedberg@intel.com>	2013-11-08 11:00:49 +0200
commit	79e90ad1b5a1104114ff54a42186e416bb04f668 (patch)
tree	46b43b1bacfc2ad8d69b3ee28c7f68514f8d5303 /android/ipc.c
parent	b3e4587f258ceffcb7a65a48e0baa24559d32791 (diff)
download	bluez-79e90ad1b5a1104114ff54a42186e416bb04f668.tar.gz