app: Raw socket restrictions on PDN CID

trantanen · trantanen · commit a2f45c64880f · 2025-11-17T15:06:33.000+02:00
RAW socket cannot share the same PDN with any other socket.
PPP is in practice a RAW socket.
Prevent socket creation if same PDN already has PPP or raw socket.
Prevent PPP connection if same PDN already has another socket.

Signed-off-by: Tommi Rantanen &lt;tommi.rantanen@nordicsemi.no&gt;
diff --git a/app/src/sm_at_socket.c b/app/src/sm_at_socket.c
@@ -17,6 +17,7 @@
 #include "sm_at_host.h"
 #include "sm_at_socket.h"
 #include "sm_sockopt.h"
+#include "sm_ppp.h"
 
 LOG_MODULE_REGISTER(sm_sock, CONFIG_SM_LOG_LEVEL);
 
@@ -155,7 +156,7 @@ static int bind_to_pdn(struct sm_socket *sock)
 		ret = nrf_setsockopt(sock->fd, NRF_SOL_SOCKET, NRF_SO_BINDTOPDN, &cid_int,
 				     sizeof(int));
 		if (ret < 0) {
-			LOG_ERR("nrf_setsockopt(%d) error: %d", NRF_SO_BINDTOPDN, -errno);
+			LOG_ERR("nrf_setsockopt(NRF_SO_BINDTOPDN) error: %d", -errno);
 			ret = -errno;
 		}
 	}
@@ -1104,6 +1105,37 @@ static int socket_datamode_callback(uint8_t op, const uint8_t *data, int len, ui
 	return ret;
 }
 
+/* Two RAW sockets cannot share the same CID. PPP is in practice a RAW socket.
+ * This function checks if a new socket can be created on the given CID.
+ * The CID cannot have a RAW sockets already, and if the new socket is RAW,
+ * the CID cannot have any other sockets already.
+ */
+static bool cid_validity_raw_socket_check(uint16_t cid, int type)
+{
+	/* PPP is raw socket so new socket cannot be created on the same CID */
+	if (sm_ppp_is_running_on_cid(cid)) {
+		return false;
+	}
+
+	for (int i = 0; i < SM_MAX_SOCKET_COUNT; i++) {
+		if (socks[i].cid == cid) {
+			/* If the CID is used for RAW sockets*/
+			if (type == NRF_SOCK_RAW) {
+				LOG_ERR("Raw socket creation not allowed on CID which already has another socket");
+				return false;
+			}
+
+			/* If the CID is used for a RAW socket */
+			if (socks[i].type == NRF_SOCK_RAW) {
+				LOG_ERR("Socket creation not allowed on CID which already has RAW socket");
+				return false;
+			}
+		}
+	}
+
+	return true;
+}
+
 SM_AT_CMD_CUSTOM(xsocket, "AT#XSOCKET", handle_at_socket);
 static int handle_at_socket(enum at_parser_cmd_type cmd_type, struct at_parser *parser,
 			    uint32_t param_count)
@@ -1145,6 +1177,10 @@ static int handle_at_socket(enum at_parser_cmd_type cmd_type, struct at_parser *
 					goto error;
 				}
 			}
+			if (!cid_validity_raw_socket_check(sock->cid, sock->type)) {
+				err = -EINVAL;
+				goto error;
+			}
 			err = do_socket_open(sock);
 			if (err) {
 				LOG_ERR("do_socket_open() failed: %d", err);
@@ -1255,6 +1291,10 @@ static int handle_at_secure_socket(enum at_parser_cmd_type cmd_type,
 					goto error;
 				}
 			}
+			if (!cid_validity_raw_socket_check(sock->cid, sock->type)) {
+				err = -EINVAL;
+				goto error;
+			}
 			err = do_secure_socket_open(sock, peer_verify);
 			if (err) {
 				LOG_ERR("do_secure_socket_open() failed: %d", err);
diff --git a/app/src/sm_ppp.c b/app/src/sm_ppp.c
@@ -381,6 +381,15 @@ bool sm_ppp_is_stopped(void)
 	return (ppp_state == PPP_STATE_STOPPED);
 }
 
+bool sm_ppp_is_running_on_cid(uint16_t cid)
+{
+	if (!sm_ppp_is_stopped() && cid == ppp_pdn_cid) {
+		LOG_ERR("Socket creation not allowed on PPP CID (%d) when PPP is not stopped (%d)", cid, ppp_state);
+		return true;
+	}
+	return false;
+}
+
 static int ppp_stop(enum ppp_reason reason)
 {
 	if (ppp_state == PPP_STATE_STOPPED) {
diff --git a/app/src/sm_ppp.h b/app/src/sm_ppp.h
@@ -7,6 +7,7 @@
 #define SM_PPP_
 
 #include <stdbool.h>
+#include <zephyr/kernel.h>
 
 /* Whether to forward CGEV notifications to the Serial Modem UART. */
 extern bool sm_fwd_cgev_notifs;
@@ -16,4 +17,6 @@ int sm_ppp_init(void);
 
 bool sm_ppp_is_stopped(void);
 
+bool sm_ppp_is_running_on_cid(uint16_t cid);
+
 #endif
