lineage/android_device_samsung_msm8974-common
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

msm8974-common: libril: Fix double freeing of memory in SAP service and add null-checks.

Browse Source 
The payload of a SAP request could be freed twice in certain scenarios.
Also, add null-checks to prevent dereferencing of null pointers.

Bug: 64729356
Test: Manually run the fuzz tests and ensure that there is no crash in
      rild

Change-Id: Ib7ae269fa5297d6acea267337b220b8858c82bae
This commit is contained in:
Gohulan Balachandran 2017-10-20 09:37:52 -07:00 committed by Kevin F. Haggerty
parent 7d4e0308a2
commit 7113220c88
No known key found for this signature in database
GPG Key ID: 6D95512933112729
2 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ril/libril/RilSapSocket.cpp
View File

@ -55,10 +55,9 @@ void RilSapSocket::sOnRequestComplete (RIL_Token t,
sap_socket->onRequestComplete(t,e,response,responselen);
} else {
RLOGE("Invalid socket id");
if (request->curr->payload) {
free(request->curr->payload);
if (request->curr) {
free(request->curr);
}
free(request->curr);
free(request);
}
}
@ -234,6 +233,12 @@ void RilSapSocket::dispatchRequest(MsgHeader *req) {
void RilSapSocket::onRequestComplete(RIL_Token t, RIL_Errno e, void *response,
size_t response_len) {
SapSocketRequest* request= (SapSocketRequest*)t;
if (!request || !request->curr) {
RLOGE("RilSapSocket::onRequestComplete: request/request->curr is NULL");
return;
}
MsgHeader *hdr = request->curr;
MsgHeader rsp;

7
ril/libril/sap_service.cpp
View File

@ -107,11 +107,12 @@ MsgHeader* SapImpl::createMsgHeader(MsgId msgId, int32_t token) {
Return<void> SapImpl::addPayloadAndDispatchRequest(MsgHeader *msg, uint16_t reqLen,
uint8_t *reqPtr) {
pb_bytes_array_t *payload = (pb_bytes_array_t *) malloc(sizeof(pb_bytes_array_t) - 1 + reqLen);
msg->payload = payload;
if (msg->payload == NULL) {
if (payload == NULL) {
sendFailedResponse(msg->id, msg->token, 2, reqPtr, msg);
return Void();
}
msg->payload = payload;
msg->payload->size = reqLen;
memcpy(msg->payload->bytes, reqPtr, reqLen);
@ -121,7 +122,7 @@ Return<void> SapImpl::addPayloadAndDispatchRequest(MsgHeader *msg, uint16_t reqL
sapSocket->dispatchRequest(msg);
} else {
RLOGE("SapImpl::addPayloadAndDispatchRequest: sapSocket is null");
sendFailedResponse(msg->id, msg->token, 3, msg->payload, reqPtr, msg);
sendFailedResponse(msg->id, msg->token, 3, payload, reqPtr, msg);
return Void();
}
free(payload);