We were getting the SIM object for all paths, but only using (and
disposing it) in the AFTER_POWER_UP_STEP_GET_SIM_IDENTIFIER step.
Update the logic to only retrieve, use and dispose the SIM object in
the step that is needed, and therefore avoid leaking it in the
remaining steps.
When transitioning between power-low and power-on modes, Telit modems
switch the SIM off/on, which leads to the emission of #QSS unsolicited not
related to actual SIM swaps.
To handle this #QSS unsolicited, this patch:
* disables reacting on #QSS unsolicited when modem_power_down is received
* implements modem_after_power_up that:
- checks whether the SIM has been changed, matching cached SIM
Identifier with the value in the current SIM. If SIM Identifier,
is different, sim hot swap ports detected is called.
- re-enables reacting on #QSS unsolicited
Currently when the modem is disabled, it releases SIM hot swap ports context,
and is not able to receive any notification about the SIM status.
This patch keeps these ports opened when Modem is disabled and released them
only when SIM swap is detected or when modem is released.
When a USB modem is switching its USB configuration, udev may deliver
the remove events of USB interfaces associated with the old USB
configuration and the add events of USB interfaces associated with the new USB
configuration in an interleaved fashion. An interleaved remove event of USB
interface could trigger the special case handling code in
mm-base-manager.c:device_removed() and incorrectly remove a MMDevice under
probing.
See https://lists.freedesktop.org/archives/modemmanager-devel/2017-August/005626.html
for more details.
This patch adds a check to ensure that only remove events of USB
device (i.e. not interface) can trigger the special handling code.
Instead of having a method that returns the expected length after the
conversion and the amount of input UTF-8 characters that couldn't be
converted to the given charset, simplify the logic and just define a
method that returns a boolean specifying whether the conversion is
possible or not.
Also, include unit tests.
In case mbim-proxy crashes, ModemManager needs to be able to
recognize this and respawn the proxy so we don't lose access
to the modem. Do this by subscribing to the device removal
signal on MbimDevice and reprobing the modem when we lose the
connection to mbim-proxy.
We can't just restart mbim-proxy because the reopened mbim-proxy
will give us a different client ID, and so unsolicitied
notifications will fail and MM gets very confused otherwise.
get_device_ids() in mm-kernel-device-udev.c accepts a NULL 'vendor' or
'product' argument, but the current implementation could result in a
potential NULL dereferences of the 'vendor' argument. Given that
get_device_ids() is a local helper and its only caller provides a
non-NULL 'vendor' and 'product' argument, this patch removes the NULL
checks (i.e. get_device_ids() expects non-NULL 'vendor' and 'product').
This patch also rearranges the code such that the 'vendor' argument is
updated only when the function returns TRUE, just like how the 'product'
argument is handled.
The while loop in mm_charset_get_encoded_len() iterates through each
valid UTF-8 encoded character in the given NULL-terminated UTF-8 string.
It uses g_utf8_find_next_char() to find the position of the next
character. In case, g_utf8_find_next_char() returns NULL, it tries to
find the end (i.e. the NULL character) of the string.
This patch fixes the following issues in the while loop:
1. The loop uses both 'next' and 'end' to track the position of the next
character in the string.
When g_utf8_find_next_char() returns a non-NULL value, 'next' is
essentially the same as 'end'.
When g_utf8_find_next_char() returns NULL, 'next' remains NULL while
'end' is adjusted to track the end of the string (but is done
incorrectly as described in #2). After the 'p = next' assignment, the
'while (*p)' check results in a NULL dereference. 'p' should thus be
set to 'end' instead of 'next'.
'next' is thus redundant and can be removed.
2. When g_utf8_find_next_char() returns NULL and 'end' is adjusted to
track the end of string, the 'while (*end++)' loop stops when finding
the NULL character, but 'end' is advanced past the NULL character.
After the 'p = end' assignment, the 'while (*p)' check results in a
dereference of out-of-bounds pointer.
'while (*++end)' should be used instead given that 'p' doesn't point
to a NULL character when 'end = p' happens. 'end' will be updated to
point to the NULL character. After the 'p = end' assignment (fixed in
#1), the 'while (*p)' check will properly stop the loop.
This patch fixes a bug in apply_post_probing_filters() where it iterates
through `self->priv->forbidden_product_strings' but incorrectly accesses
`self->priv->product_strings[i]' inside the loop.
`self->priv->forbidden_product_strings[i]' should be accessed instead.
This patch fixes a potential NULL referenece issue in
mm_cdma_manual_activation_properties_get_prl() where it accesses
`self->priv->prl->data' when `self->priv->prl' could be potentially
NULL.
This patch fixes a potential NULL referenece issue in
mm_sms_properties_get_data() where it accesses `self->priv->data->data'
when `self->priv->data' could be potentially NULL.
The init-sequence configured for the TTY that is being used as data
port must not be launched during the port reopen() sequence; instead
we must run it manually after the port flashing has finished.
On the modem with firmware revision ALT3100_04_05_06_10_A8_TF
(LTEUSB_02_04_05_10_53), it's observed that port probing doesn't
complete successfully when send-delay=0 is used.
This patch initializes `match_info' in registration_status_check_ready()
to NULL by default, such that `match_info' is always initialized even if
`self->priv->modem_3gpp_registration_regex' contains no elements.
Though `self->priv->modem_3gpp_registration_regex' always contains some
elements in the current implementation, it's better not to rely on that.
There are potential memory leaks in MMLocationGpsNmea:
- When the `trace' string provided to location_gps_nmea_take_trace() isn't
added to the hash table, its ownership is still considered transferred.
It should thus be freed. Similarly, the `trace_type' string isn't
added the hash table and should thus be freed.
- mm_location_gps_nmea_add_trace() duplicates a given trace string and
then passes the trace copy to location_gps_nmea_take_trace(). When
location_gps_nmea_take_trace() returns FALSE, the ownership of the
copy isn't transferred. mm_location_gps_nmea_add_trace() should thus
free the copy.
This patch fixes the above memory leaks by having
location_gps_nmea_take_trace() always take the ownership of the `trace'
string and internally free `trace' and `trace_type' when necessary.
This patch fixes an ineffective `g_assert (equip_id)' in
modem_load_equipment_identifier_finish(). After mm_parse_gsn() succeeds,
`equip_id' is freed but not reset to NULL, so `g_assert (equip_id)' will
never assert even if `imei', `meid', and `esn' are all NULL (though that
shouldn't happen when mm_parse_gsn() succeeds).
This patch fixes some potential use-after-freed issues in
dms_get_ids_ready(). When an invalid ESN / MEID is retrieved,
`ctx->self->priv->esn' / `ctx->self->priv->meid' is freed but not reset
to NULL. If no IMEI is retrieved, `str' can be set to the already freed
`ctx->self->priv->esn' / `ctx->self->priv->meid' and then propagated to
a GSimpleAsyncResult object.
This patch fixes an issue in disconnect_set_ready(). If
mbim_message_connect_response_parse(), `session_id' and `nw_error' are
not set to a valid value, and thus shouldn't be used.
During the CONNECT_3GPP_CONTEXT_STEP_LAST step,
connect_3gpp_context_step() conditionally creates and populates a
MMBearerConnectResult object into the GSimpleAsyncResult object when the
ipv4_config field of the Connect3gppContext struct is set. That assumes
the ipv4_config field is always initialized in
connect_dhcp_check_ready() during the
CONNECT_3GPP_CONTEXT_STEP_IP_CONFIG step. Instead of having such an
assumption, this patch modifies connect_3gpp to always initialize
the ipv4_config field, such that connect_3gpp_context_step() always
populates a MMBearerConnectResult object into the GSimpleAsyncResult
object.
This patch fixes cause_code_to_delivery_state() by adding two missing
break statements for the case ERROR_CLASS_TEMPORARY and
ERROR_CLASS_PERMANENT in the `switch (error_class)` statement. Without
the break statements, the switch always falls through to the default and
returns MM_SMS_DELIVERY_STATE_UNKNOWN for an `error_class' of value
ERROR_CLASS_TEMPORARY or ERROR_CLASS_PERMANENT.
The following checks in mm_modem_firmware_select() and
mm_modem_firmware_select_sync() could result in a NULL pointer
dereference if `unique_id' is NULL:
g_return_if_fail (unique_id != NULL || unique_id[0] == '\0')
g_return_val_if_fail (unique_id != NULL || unique_id[0] == '\0', FALSE)
This patch fixes the checks to properly verify that `unique_id' is
neither NULL nor an empty string.
With some modems, the lock/unlock of the SIM-ME interface with +CSIM=1/0
command is followed by #QSS unsolicited messages. With the current
implementation, this messages are mistaken for SIM swap events and so the
modem is first dropped and then re-probed.
With this patch, the plugin takes into account the SIM-ME lock state when
parsing #QSS unsolicited, so that the QSS handler can correctly
elaborate the messages that are not related to SIM swap events.
Currently, when SIM hot swap fails in either mm-iface or plugin, the
ModemManager still opens ports context and prints a message saying that
SIM hot swap is supported and that it's waiting for SIM insertion,
instead of clearly saying that SIM hot swap is not working.
This patch:
1. introduces a new property MM_IFACE_MODEM_SIM_HOT_SWAP_CONFIGURED
which is FALSE by default and set to TRUE only when
setup_sim_hot_swap_finish() succeded.
2. subordinates the completion of SIM hot swap setup (in
mm-broadband-modem) and the related messages to the the value of
MM_IFACE_MODEM_SIM_HOT_SWAP_CONFIGURED
Finally, this patch replaces the MBIM's sim_hot_swap_on private property
with the new property MM_IFACE_MODEM_SIM_HOT_SWAP_CONFIGURED, since they have the
same meaning.
