libcamera: ipc_unixsocket: Do not run memcpy with null arguments

In IPCUnixSocket, a payload can be sent/received with empty fd vector,
which leads to passing a nullptr in memcpy() in both sendData()
and recvData(). Add a null check for fd vector's data pointer
to avoid invoking memcpy() with nullptr.

The issue is noticed by running a test manually testing the vimc
IPA code paths in isolated mode. It is only noticed when the test
is compiled with -Db_sanitize=address,undefined meson built-in option.

ipc_unixsocket.cpp:268:8: runtime error: null pointer passed as argument 2, which is declared to never be null
ipc_unixsocket.cpp:312:8: runtime error: null pointer passed as argument 1, which is declared to never be null

Signed-off-by: Umang Jain <umang.jain@ideasonboard.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Paul Elder <paul.elder@ideasonboard.com>
This commit is contained in:
Umang Jain 2021-08-18 14:08:41 +05:30
parent 31078711d6
commit cdb70b5c40

View file

@ -260,7 +260,8 @@ int IPCUnixSocket::sendData(const void *buffer, size_t length,
msg.msg_control = cmsg;
msg.msg_controllen = cmsg->cmsg_len;
msg.msg_flags = 0;
memcpy(CMSG_DATA(cmsg), fds, num * sizeof(uint32_t));
if (fds)
memcpy(CMSG_DATA(cmsg), fds, num * sizeof(uint32_t));
if (sendmsg(fd_, &msg, 0) < 0) {
int ret = -errno;
@ -304,7 +305,8 @@ int IPCUnixSocket::recvData(void *buffer, size_t length,
return ret;
}
memcpy(fds, CMSG_DATA(cmsg), num * sizeof(uint32_t));
if (fds)
memcpy(fds, CMSG_DATA(cmsg), num * sizeof(uint32_t));
return 0;
}