android_device_samsung_msm8.../ril/libril/RilSapSocket.cpp
Gohulan Balachandran 7113220c88
msm8974-common: libril: Fix double freeing of memory in SAP service and add null-checks.
The payload of a SAP request could be freed twice in certain scenarios.
Also, add null-checks to prevent dereferencing of null pointers.

Bug: 64729356
Test: Manually run the fuzz tests and ensure that there is no crash in
      rild

Change-Id: Ib7ae269fa5297d6acea267337b220b8858c82bae
2018-10-09 06:25:53 -06:00

295 lines
8.5 KiB
C++

/*
* Copyright (C) 2014 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define __STDC_LIMIT_MACROS
#include <stdint.h>
#define RIL_SHLIB
#include "telephony/ril.h"
#include "RilSapSocket.h"
#include "pb_decode.h"
#include "pb_encode.h"
#undef LOG_TAG
#define LOG_TAG "RIL_UIM_SOCKET"
#include <utils/Log.h>
#include <arpa/inet.h>
#include <errno.h>
#include <sap_service.h>
static RilSapSocket::RilSapSocketList *head = NULL;
extern "C" void
RIL_requestTimedCallback (RIL_TimedCallback callback, void *param,
const struct timeval *relativeTime);
struct RIL_Env RilSapSocket::uimRilEnv = {
.OnRequestComplete = RilSapSocket::sOnRequestComplete,
.OnUnsolicitedResponse = RilSapSocket::sOnUnsolicitedResponse,
.RequestTimedCallback = RIL_requestTimedCallback
};
void RilSapSocket::sOnRequestComplete (RIL_Token t,
RIL_Errno e,
void *response,
size_t responselen) {
RilSapSocket *sap_socket;
SapSocketRequest *request = (SapSocketRequest*) t;
RLOGD("Socket id:%d", request->socketId);
sap_socket = getSocketById(request->socketId);
if (sap_socket) {
sap_socket->onRequestComplete(t,e,response,responselen);
} else {
RLOGE("Invalid socket id");
if (request->curr) {
free(request->curr);
}
free(request);
}
}
#if defined(ANDROID_MULTI_SIM)
void RilSapSocket::sOnUnsolicitedResponse(int unsolResponse,
const void *data,
size_t datalen,
RIL_SOCKET_ID socketId) {
RilSapSocket *sap_socket = getSocketById(socketId);
if (sap_socket) {
sap_socket->onUnsolicitedResponse(unsolResponse, (void *)data, datalen);
}
}
#else
void RilSapSocket::sOnUnsolicitedResponse(int unsolResponse,
const void *data,
size_t datalen) {
RilSapSocket *sap_socket = getSocketById(RIL_SOCKET_1);
if(sap_socket){
sap_socket->onUnsolicitedResponse(unsolResponse, (void *)data, datalen);
}
}
#endif
void RilSapSocket::printList() {
RilSapSocketList *current = head;
RLOGD("Printing socket list");
while(NULL != current) {
RLOGD("SocketName:%s",current->socket->name);
RLOGD("Socket id:%d",current->socket->id);
current = current->next;
}
}
RilSapSocket *RilSapSocket::getSocketById(RIL_SOCKET_ID socketId) {
RilSapSocket *sap_socket;
RilSapSocketList *current = head;
RLOGD("Entered getSocketById");
printList();
while(NULL != current) {
if(socketId == current->socket->id) {
sap_socket = current->socket;
return sap_socket;
}
current = current->next;
}
return NULL;
}
void RilSapSocket::initSapSocket(const char *socketName,
const RIL_RadioFunctions *uimFuncs) {
if (strcmp(socketName, RIL1_SERVICE_NAME) == 0) {
if(!SocketExists(socketName)) {
addSocketToList(socketName, RIL_SOCKET_1, uimFuncs);
}
}
#if (SIM_COUNT >= 2)
if (strcmp(socketName, RIL2_SERVICE_NAME) == 0) {
if(!SocketExists(socketName)) {
addSocketToList(socketName, RIL_SOCKET_2, uimFuncs);
}
}
#endif
#if (SIM_COUNT >= 3)
if (strcmp(socketName, RIL3_SERVICE_NAME) == 0) {
if(!SocketExists(socketName)) {
addSocketToList(socketName, RIL_SOCKET_3, uimFuncs);
}
}
#endif
#if (SIM_COUNT >= 4)
if (strcmp(socketName, RIL4_SERVICE_NAME) == 0) {
if(!SocketExists(socketName)) {
addSocketToList(socketName, RIL_SOCKET_4, uimFuncs);
}
}
#endif
}
void RilSapSocket::addSocketToList(const char *socketName, RIL_SOCKET_ID socketid,
const RIL_RadioFunctions *uimFuncs) {
RilSapSocket* socket = NULL;
RilSapSocketList *current;
if(!SocketExists(socketName)) {
socket = new RilSapSocket(socketName, socketid, uimFuncs);
RilSapSocketList* listItem = (RilSapSocketList*)malloc(sizeof(RilSapSocketList));
if (!listItem) {
RLOGE("addSocketToList: OOM");
delete socket;
return;
}
listItem->socket = socket;
listItem->next = NULL;
RLOGD("Adding socket with id: %d", socket->id);
if(NULL == head) {
head = listItem;
head->next = NULL;
}
else {
current = head;
while(NULL != current->next) {
current = current->next;
}
current->next = listItem;
}
}
}
bool RilSapSocket::SocketExists(const char *socketName) {
RilSapSocketList* current = head;
while(NULL != current) {
if(strcmp(current->socket->name, socketName) == 0) {
return true;
}
current = current->next;
}
return false;
}
RilSapSocket::RilSapSocket(const char *socketName,
RIL_SOCKET_ID socketId,
const RIL_RadioFunctions *inputUimFuncs):
RilSocket(socketName, socketId) {
if (inputUimFuncs) {
uimFuncs = inputUimFuncs;
}
}
void RilSapSocket::dispatchRequest(MsgHeader *req) {
// SapSocketRequest will be deallocated in onRequestComplete()
SapSocketRequest* currRequest=(SapSocketRequest*)malloc(sizeof(SapSocketRequest));
if (!currRequest) {
RLOGE("dispatchRequest: OOM");
// Free MsgHeader allocated in pushRecord()
free(req);
return;
}
currRequest->token = req->token;
currRequest->curr = req;
currRequest->p_next = NULL;
currRequest->socketId = id;
pendingResponseQueue.enqueue(currRequest);
if (uimFuncs) {
RLOGI("RilSapSocket::dispatchRequest [%d] > SAP REQUEST type: %d. id: %d. error: %d, \
token 0x%p",
req->token,
req->type,
req->id,
req->error,
currRequest );
#if defined(ANDROID_MULTI_SIM)
uimFuncs->onRequest(req->id, req->payload->bytes, req->payload->size, currRequest, id);
#else
uimFuncs->onRequest(req->id, req->payload->bytes, req->payload->size, currRequest);
#endif
}
}
void RilSapSocket::onRequestComplete(RIL_Token t, RIL_Errno e, void *response,
size_t response_len) {
SapSocketRequest* request= (SapSocketRequest*)t;
if (!request || !request->curr) {
RLOGE("RilSapSocket::onRequestComplete: request/request->curr is NULL");
return;
}
MsgHeader *hdr = request->curr;
MsgHeader rsp;
rsp.token = request->curr->token;
rsp.type = MsgType_RESPONSE;
rsp.id = request->curr->id;
rsp.error = (Error)e;
rsp.payload = (pb_bytes_array_t *)calloc(1, sizeof(pb_bytes_array_t) + response_len);
if (!rsp.payload) {
RLOGE("onRequestComplete: OOM");
} else {
if (response && response_len > 0) {
memcpy(rsp.payload->bytes, response, response_len);
rsp.payload->size = response_len;
} else {
rsp.payload->size = 0;
}
RLOGE("RilSapSocket::onRequestComplete: Token:%d, MessageId:%d ril token 0x%p",
hdr->token, hdr->id, t);
sap::processResponse(&rsp, this);
free(rsp.payload);
}
// Deallocate SapSocketRequest
if(!pendingResponseQueue.checkAndDequeue(hdr->id, hdr->token)) {
RLOGE("Token:%d, MessageId:%d", hdr->token, hdr->id);
RLOGE ("RilSapSocket::onRequestComplete: invalid Token or Message Id");
}
// Deallocate MsgHeader
free(hdr);
}
void RilSapSocket::onUnsolicitedResponse(int unsolResponse, void *data, size_t datalen) {
if (data && datalen > 0) {
pb_bytes_array_t *payload = (pb_bytes_array_t *)calloc(1,
sizeof(pb_bytes_array_t) + datalen);
if (!payload) {
RLOGE("onUnsolicitedResponse: OOM");
return;
}
memcpy(payload->bytes, data, datalen);
payload->size = datalen;
MsgHeader rsp;
rsp.payload = payload;
rsp.type = MsgType_UNSOL_RESPONSE;
rsp.id = (MsgId)unsolResponse;
rsp.error = Error_RIL_E_SUCCESS;
sap::processUnsolResponse(&rsp, this);
free(payload);
}
}