libril: Fix double freeing of memory in SAP

service and add null-checks. The payload of a SAP request could be freed twice in certain scenarios. Also, add null-checks to prevent dereferencing of null pointers. Bug: 64729356 Test: Manually run the fuzz tests and ensure that there is no crash in rild Change-Id: Ib7ae269fa5297d6acea267337b220b8858c82bae
7 years ago · 60a4e9d295
parent 4d60c2dbcf
commit 60a4e9d295
2 changed files with 13 additions and 6 deletions
--- a/ril/libril/RilSapSocket.cpp
+++ b/ril/libril/RilSapSocket.cpp
@ -55,10 +55,9 @@ void RilSapSocket::sOnRequestComplete (RIL_Token t,
        sap_socket->onRequestComplete(t,e,response,responselen);
    } else {
        RLOGE("Invalid socket id");
-        if (request->curr->payload) {
-            free(request->curr->payload);
+        if (request->curr) {
+            free(request->curr);
        }
-        free(request->curr);
        free(request);
    }
 }
@ -234,6 +233,12 @@ void RilSapSocket::dispatchRequest(MsgHeader *req) {
 void RilSapSocket::onRequestComplete(RIL_Token t, RIL_Errno e, void *response,
        size_t response_len) {
    SapSocketRequest* request= (SapSocketRequest*)t;
+
+    if (!request || !request->curr) {
+        RLOGE("RilSapSocket::onRequestComplete: request/request->curr is NULL");
+        return;
+    }
+
    MsgHeader *hdr = request->curr;

    MsgHeader rsp;
--- a/ril/libril/sap_service.cpp
+++ b/ril/libril/sap_service.cpp
@ -106,11 +106,13 @@ MsgHeader* SapImpl::createMsgHeader(MsgId msgId, int32_t token) {

 Return<void> SapImpl::addPayloadAndDispatchRequest(MsgHeader *msg, uint16_t reqLen,
        uint8_t *reqPtr) {
-    msg->payload = (pb_bytes_array_t *)malloc(sizeof(pb_bytes_array_t) - 1 + reqLen);
-    if (msg->payload == NULL) {
+    pb_bytes_array_t *payload = (pb_bytes_array_t *) malloc(sizeof(pb_bytes_array_t) - 1 + reqLen);
+    if (payload == NULL) {
        sendFailedResponse(msg->id, msg->token, 2, reqPtr, msg);
        return Void();
    }
+
+    msg->payload = payload;
    msg->payload->size = reqLen;
    memcpy(msg->payload->bytes, reqPtr, reqLen);

@ -120,7 +122,7 @@ Return<void> SapImpl::addPayloadAndDispatchRequest(MsgHeader *msg, uint16_t reqL
        sapSocket->dispatchRequest(msg);
    } else {
        RLOGE("SapImpl::addPayloadAndDispatchRequest: sapSocket is null");
-        sendFailedResponse(msg->id, msg->token, 3, msg->payload, reqPtr, msg);
+        sendFailedResponse(msg->id, msg->token, 3, payload, reqPtr, msg);
        return Void();
    }
    free(msg->payload);