connection: ensure that if cookie_reply was provided then there is a pending request
author Djalal Harouni <tixxdz@opendz.org>
Thu, 25 Dec 2014 15:27:54 +0000 (16:27 +0100)
committer Djalal Harouni <tixxdz@opendz.org>
Thu, 25 Dec 2014 15:27:54 +0000 (16:27 +0100)
If a cookie_reply was provided, then we must ensure that it is a real
reply message to a previously pending request. Currently we don't do
that correctly: if there are no pending requests from the origin then we
fall back to the kdbus_conn_policy_talk() access check. Fix this by making
sure that if cookie_reply is set then the origin must have a pending
request in its queue. It's userspace's responsibility to sync its logic.

Signed-off-by: Djalal Harouni <tixxdz@opendz.org>
connection.c

index a197f50b99fb30b0d3d6ed6fff3973eba30bbcad..974ae88770ca3263cd57cf822f8252e57f542a7d 100644
@@ -446,11 +446,19 @@ static int kdbus_conn_check_access(struct kdbus_conn *conn_src,
         * of the connection's expected replies. Otherwise, access to send the
         * message will be denied.
         */
-       if (reply_wake && msg->cookie_reply > 0 &&
-           atomic_read(&conn_dst->request_count) > 0) {
+       if (reply_wake && msg->cookie_reply > 0) {
                struct kdbus_conn_reply *r;
                bool allowed = false;
 
+               /*
+                * The connection that we are replying to has not
+                * issued any request or perhaps we have already
+                * replied, in anycase the supplied cookie_reply is
+                * no more valid, so fail.
+                */
+               if (atomic_read(&conn_dst->request_count) == 0)
+                       return -EPERM;
+
                mutex_lock(&conn_src->lock);
                r = kdbus_conn_reply_find(conn_src, conn_dst,
                                          msg->cookie_reply);
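Review bot: the new early return at `if (atomic_read(&conn_dst->request_count) == 0)` is a lock-free read taken before `mutex_lock(&conn_src->lock)`, so it can only act as a fast-path denial; the actual guarantee the commit message asks for (a cookie_reply that names no pending request is refused rather than falling through to the policy-talk check) has to be enforced on the result of `kdbus_conn_reply_find()` further down, which this hunk does not show and which the reviewer should confirm also denies instead of falling back. Worth a one-line comment on the early return saying that it is an optimisation and that the reply lookup remains the authoritative check. Style: "in anycase" in the new comment should read "in any case", and since a stale or bogus cookie_reply is a caller protocol error rather than a policy denial, consider whether returning a distinct errno from the policy-talk failure would let userspace tell the two apart.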