The msm_ipc_router_bind_control_port function in net/ipc_router/ipc_router_core.c in the IPC router kernel module for the Linux kernel 3.x does not verify that a port is a client port. This allows an attacker to gain privileges or cause a denial of service by making many BIND_CONTROL_PORT ioctl calls.


diff --git a/net/ipc_router/ipc_router_core.c b/net/ipc_router/ipc_router_core.c
index 99486e9..3100ebd 100644
--- a/net/ipc_router/ipc_router_core.c
+++ b/net/ipc_router/ipc_router_core.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -3532,7 +3532,7 @@ int msm_ipc_router_get_curr_pkt_size(struct msm_ipc_port *port_ptr)
 int msm_ipc_router_bind_control_port(struct msm_ipc_port *port_ptr)
-   if (!port_ptr)
+   if (unlikely(!port_ptr || port_ptr->type != CLIENT_PORT))
        return -EINVAL;
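Review bot: The new guard `port_ptr->type != CLIENT_PORT` in msm_ipc_router_bind_control_port rejects a repeated bind of the same port only if the port's type changes once a bind succeeds, and no such update is visible in this hunk. The function body continues outside the hunk, so it is worth confirming that the rest of it marks the port as no longer a client port before returning. If it does not, a second BIND_CONTROL_PORT call on the same port would pass this check again, which is the repeated-call pattern the advisory text describes. A one-line comment above the check would also record the intent, for example `/* Only a client port may be bound as a control port. */`.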