colin/ModemManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

broadband-modem-qmi: fix potential use-after-freed issues

Browse Source 
This patch fixes some potential use-after-freed issues in
dms_get_ids_ready(). When an invalid ESN / MEID is retrieved,
`ctx->self->priv->esn' / `ctx->self->priv->meid' is freed but not reset
to NULL. If no IMEI is retrieved, `str' can be set to the already freed
`ctx->self->priv->esn' / `ctx->self->priv->meid' and then propagated to
a GSimpleAsyncResult object.
This commit is contained in:
Ben Chan
2017-08-03 14:25:33 -07:00
committed by Aleksander Morgado
parent 625c204761
commit 0d3cca2c6f
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/mm-broadband-modem-qmi.c
View File

@@ -1231,7 +1231,7 @@ dms_get_ids_ready (QmiClientDms *client,
if (qmi_message_dms_get_ids_output_get_esn (output, &str, NULL) && if (qmi_message_dms_get_ids_output_get_esn (output, &str, NULL) &&
str[0] != '\0') { str[0] != '\0') {
g_free (ctx->self->priv->esn); g_clear_pointer (&ctx->self->priv->esn, g_free);
len = strlen (str); len = strlen (str);
if (len == 7) if (len == 7)
ctx->self->priv->esn = g_strdup_printf ("0%s", str); /* zero-pad to 8 chars */ ctx->self->priv->esn = g_strdup_printf ("0%s", str); /* zero-pad to 8 chars */
@@ -1243,7 +1243,7 @@ dms_get_ids_ready (QmiClientDms *client,
if (qmi_message_dms_get_ids_output_get_meid (output, &str, NULL) && if (qmi_message_dms_get_ids_output_get_meid (output, &str, NULL) &&
str[0] != '\0') { str[0] != '\0') {
g_free (ctx->self->priv->meid); g_clear_pointer (&ctx->self->priv->meid, g_free);
len = strlen (str); len = strlen (str);
if (len == 14) if (len == 14)
ctx->self->priv->meid = g_strdup (str); ctx->self->priv->meid = g_strdup (str);