From cdb70b5c4012e8bb87d4fe9008f466fab13ef062 Mon Sep 17 00:00:00 2001
From: Umang Jain
Date: Wed, 18 Aug 2021 14:08:41 +0530
Subject: libcamera: ipc_unixsocket: Do not run memcpy with null arguments

In IPCUnixSocket, a payload can be sent/received with empty fd vector, which leads to passing a nullptr in memcpy() in both sendData() and recvData(). Add a null check for fd vector's data pointer to avoid invoking memcpy() with nullptr.

The issue is noticed by running a test manually testing the vimc IPA code paths in isolated mode. It is only noticed when the test is compiled with -Db_sanitize=address,undefined meson built-in option.

ipc_unixsocket.cpp:268:8: runtime error: null pointer passed as argument 2, which is declared to never be null
ipc_unixsocket.cpp:312:8: runtime error: null pointer passed as argument 1, which is declared to never be null

Signed-off-by: Umang Jain
Reviewed-by: Laurent Pinchart
Reviewed-by: Paul Elder
---
 src/libcamera/ipc_unixsocket.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'src')

diff --git a/src/libcamera/ipc_unixsocket.cpp b/src/libcamera/ipc_unixsocket.cpp
index a4ab1a5f..7188cf29 100644
--- a/src/libcamera/ipc_unixsocket.cpp
+++ b/src/libcamera/ipc_unixsocket.cpp
@@ -260,7 +260,8 @@ int IPCUnixSocket::sendData(const void *buffer, size_t length,
 	msg.msg_control = cmsg;
 	msg.msg_controllen = cmsg->cmsg_len;
 	msg.msg_flags = 0;
-	memcpy(CMSG_DATA(cmsg), fds, num * sizeof(uint32_t));
+	if (fds)
+		memcpy(CMSG_DATA(cmsg), fds, num * sizeof(uint32_t));
 
 	if (sendmsg(fd_, &msg, 0) < 0) {
 		int ret = -errno;
@@ -304,7 +305,8 @@ int IPCUnixSocket::recvData(void *buffer, size_t length,
 		return ret;
 	}
 
-	memcpy(fds, CMSG_DATA(cmsg), num * sizeof(uint32_t));
+	if (fds)
+		memcpy(fds, CMSG_DATA(cmsg), num * sizeof(uint32_t));
 
 	return 0;
 }
-- 
cgit v1.2.1
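Review bot: The new `if (fds)` guard is keyed on the pointer rather than on `num`, the count the `memcpy()` actually uses, and the same applies to the matching guard in the recvData() hunk. The commit message says the null pointer comes from an empty fd vector, i.e. `num == 0`, so a guard on the length, `if (num)`, expresses the condition directly; with the pointer check alone, a caller passing a null `fds` with a nonzero `num` would in sendData() still attach a control message sized by `cmsg->cmsg_len` (set from `num` by the lines above, visible via `msg.msg_controllen = cmsg->cmsg_len`) whose SCM_RIGHTS payload was never filled, and in recvData() would presumably drop descriptors the kernel has already installed in the process, leaking them. If a null pointer with `num > 0` is meant to be rejected rather than tolerated, that is better made an explicit precondition than left to the guard. Both sendData() and recvData() start and end outside their hunks, so the earlier validation of `fds`/`num`, if any, is not visible here.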