libril: Fix double freeing of memory in SAP

service and add null-checks.

The payload of a SAP request could be freed twice in certain scenarios.
Also, add null-checks to prevent dereferencing of null pointers.

Bug: 64729356
Test: Manually run the fuzz tests and ensure that there is no crash in
      rild

Change-Id: Ib7ae269fa5297d6acea267337b220b8858c82bae
tirimbino
Gohulan Balachandran 7 years ago committed by Stricted
parent 4d60c2dbcf
commit 60a4e9d295
No known key found for this signature in database
GPG Key ID: 3E45BB95F7AD33DA
  1. 11
      ril/libril/RilSapSocket.cpp
  2. 8
      ril/libril/sap_service.cpp

@ -55,10 +55,9 @@ void RilSapSocket::sOnRequestComplete (RIL_Token t,
sap_socket->onRequestComplete(t,e,response,responselen);
} else {
RLOGE("Invalid socket id");
if (request->curr->payload) {
free(request->curr->payload);
if (request->curr) {
free(request->curr);
}
free(request->curr);
free(request);
}
}
@ -234,6 +233,12 @@ void RilSapSocket::dispatchRequest(MsgHeader *req) {
void RilSapSocket::onRequestComplete(RIL_Token t, RIL_Errno e, void *response,
size_t response_len) {
SapSocketRequest* request= (SapSocketRequest*)t;
if (!request || !request->curr) {
RLOGE("RilSapSocket::onRequestComplete: request/request->curr is NULL");
return;
}
MsgHeader *hdr = request->curr;
MsgHeader rsp;

@ -106,11 +106,13 @@ MsgHeader* SapImpl::createMsgHeader(MsgId msgId, int32_t token) {
Return<void> SapImpl::addPayloadAndDispatchRequest(MsgHeader *msg, uint16_t reqLen,
uint8_t *reqPtr) {
msg->payload = (pb_bytes_array_t *)malloc(sizeof(pb_bytes_array_t) - 1 + reqLen);
if (msg->payload == NULL) {
pb_bytes_array_t *payload = (pb_bytes_array_t *) malloc(sizeof(pb_bytes_array_t) - 1 + reqLen);
if (payload == NULL) {
sendFailedResponse(msg->id, msg->token, 2, reqPtr, msg);
return Void();
}
msg->payload = payload;
msg->payload->size = reqLen;
memcpy(msg->payload->bytes, reqPtr, reqLen);
@ -120,7 +122,7 @@ Return<void> SapImpl::addPayloadAndDispatchRequest(MsgHeader *msg, uint16_t reqL
sapSocket->dispatchRequest(msg);
} else {
RLOGE("SapImpl::addPayloadAndDispatchRequest: sapSocket is null");
sendFailedResponse(msg->id, msg->token, 3, msg->payload, reqPtr, msg);
sendFailedResponse(msg->id, msg->token, 3, payload, reqPtr, msg);
return Void();
}
free(msg->payload);

Loading…
Cancel
Save