From bdd46d40d96c4da6f2b98d4e1b2aa04ba5f5848e Mon Sep 17 00:00:00 2001 From: Samuel Thibault Date: Thu, 23 Apr 2015 01:42:49 +0200 Subject: Avoid accessing ip_protected_payload without the lock. * ipc/ipc_kmsg.c (ipc_kmsg_copyout_header): Avoid accessing dest->ip_protected_payload without the lock. * ipc/mach_msg.c (ipc/mach_msg.c): Avoid accessing dest_port->ip_protected_payload without the lock. --- ipc/mach_msg.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'ipc/mach_msg.c') diff --git a/ipc/mach_msg.c b/ipc/mach_msg.c index 1e122c7..aecfcd4 100644 --- a/ipc/mach_msg.c +++ b/ipc/mach_msg.c @@ -1041,6 +1041,7 @@ mach_msg_trap( ipc_port_t reply_port = (ipc_port_t) kmsg->ikm_header.msgh_local_port; mach_port_t dest_name, reply_name; + unsigned long payload; /* receiving a request message */ @@ -1115,6 +1116,7 @@ mach_msg_trap( dest_name = dest_port->ip_receiver_name; else dest_name = MACH_PORT_NULL; + payload = dest_port->ip_protected_payload; if ((--dest_port->ip_srights == 0) && (dest_port->ip_nsrequest != IP_NULL)) { @@ -1142,7 +1144,7 @@ mach_msg_trap( MACH_MSG_TYPE_PORT_SEND_ONCE, MACH_MSG_TYPE_PROTECTED_PAYLOAD); kmsg->ikm_header.msgh_protected_payload = - dest_port->ip_protected_payload; + payload; } kmsg->ikm_header.msgh_remote_port = reply_name; goto fast_put; @@ -1155,6 +1157,7 @@ mach_msg_trap( case MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE, 0): { mach_port_t dest_name; + unsigned long payload; /* receiving a reply message */ @@ -1166,6 +1169,8 @@ mach_msg_trap( assert(dest_port->ip_sorights > 0); + payload = dest_port->ip_protected_payload; + if (dest_port->ip_receiver == space) { ip_release(dest_port); dest_port->ip_sorights--; @@ -1188,7 +1193,7 @@ mach_msg_trap( 0, MACH_MSG_TYPE_PROTECTED_PAYLOAD); kmsg->ikm_header.msgh_protected_payload = - dest_port->ip_protected_payload; + payload; } kmsg->ikm_header.msgh_remote_port = MACH_PORT_NULL; goto fast_put; 
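Review bot: The new `payload = dest_port->ip_protected_payload;` in the request path (hunk at -1115) has no comment saying why the field is copied into a local, so a later cleanup could fold it back into the direct read this commit removes. I would add `/* Snapshot under the port lock; do not read this from dest_port after it is unlocked. */` just above the assignment. The lock and unlock calls are outside the visible context, so where the lock is held is taken from the commit message. The same comment fits the identical assignments in the reply hunks at -1166 and -1208.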
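Review bot: The test that selects the `MACH_MSG_TYPE_PROTECTED_PAYLOAD` branch (hunk at -1142) lies outside the hunk, and if it still reads a payload-set flag from `dest_port` at that point, that read is the same unlocked access this commit removes for the value. The flag and the value would also be sampled at different times, so the receiver could get a `msgh_protected_payload` that does not match the flag that selected the branch. Consider capturing the flag next to the value, for example `has_payload = /* payload-set test on dest_port */;` beside `payload = ...`, and branching on the local. The reply hunks at -1188 and -1234 have the same shape, and there the reply path has already called `ip_release(dest_port)` (visible in the hunks at -1166 and -1208) before the header is filled, so a late dereference may also touch a port whose reference was dropped.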
@@ -1197,6 +1202,7 @@ mach_msg_trap( case MACH_MSGH_BITS_COMPLEX| MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE, 0): { mach_port_t dest_name; + unsigned long payload; /* receiving a complex reply message */ @@ -1208,6 +1214,8 @@ mach_msg_trap( assert(dest_port->ip_sorights > 0); + payload = dest_port->ip_protected_payload; + if (dest_port->ip_receiver == space) { ip_release(dest_port); dest_port->ip_sorights--; @@ -1234,7 +1242,7 @@ mach_msg_trap( 0, MACH_MSG_TYPE_PROTECTED_PAYLOAD); kmsg->ikm_header.msgh_protected_payload = - dest_port->ip_protected_payload; + payload; } kmsg->ikm_header.msgh_remote_port = MACH_PORT_NULL; -- cgit v1.2.3