From 022b4d2c959f29dad6bb8ec648b42dd323cf7fb9 Mon Sep 17 00:00:00 2001
From: Narate Taerat
Date: Fri, 6 Oct 2023 11:58:49 -0500
Subject: [PATCH] Fix zap_ugni buffer race in accept path
---
 lib/src/zap/ugni/zap_ugni.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/src/zap/ugni/zap_ugni.c b/lib/src/zap/ugni/zap_ugni.c
index da368e3f1..f87660736 100644
--- a/lib/src/zap/ugni/zap_ugni.c
+++ b/lib/src/zap/ugni/zap_ugni.c
@@ -1457,13 +1457,22 @@ static void process_uep_msg_connect(struct z_ugni_ep *uep)
 CONN_LOG("%p sock-recv conn_msg: pe_addr: %#x, inst_id: %#x\n", uep, msg->ep_desc.pe_addr, msg->ep_desc.inst_id);
+ void *data = NULL;
+ if (msg->data_len) {
+ data = malloc(msg->data_len);
+ if (!data)
+ return;
+ memcpy(data, msg->data, msg->data_len);
+ }
+
 struct zap_event ev = {
 .ep = &uep->ep,
 .type = ZAP_EVENT_CONNECT_REQUEST,
 .data_len = msg->data_len,
- .data = (msg->data_len)?((void*)msg->data):(NULL)
+ .data = data
 };
 uep->ep.cb(&uep->ep, &ev);
+ free(data);
 return;
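Review bot: `msg->data_len` now sizes both the `malloc` and the `memcpy`, and nothing in this hunk bounds it against the number of bytes actually received for the connect message. process_uep_msg_connect starts above the hunk, so the check may already exist there; if it does not, a length taken from the socket-received message would let `memcpy(data, msg->data, msg->data_len)` read past the receive buffer and would let the peer choose the allocation size, so a guard comparing `data_len` with the received payload size should precede the copy. Separately, `if (!data) return;` drops the connect request without a trace and without any visible teardown of `uep`; at minimum log it, e.g. `CONN_LOG("%p connect data alloc failed, len %u\n", uep, msg->data_len);`, and route it through whatever error path the function already uses for a bad connect message. A short comment above the copy saying that the receive buffer can be reused while the callback runs would record why the copy is needed.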