sysmocom
/
ofono
mirror of git://git.sysmocom.de/ofono
11
0
Fork 0
Code Issues Releases Activity

atmodem: Fix use after free in sim_state_cb 

==2941== Invalid read of size 4
==2941==    at 0x69338: sim_state_cb (sim.c:1301)
==2941==    by 0x71DCB: cpin_check_cb (atutil.c:567)
==2941==    by 0xA602B: at_chat_finish_command (gatchat.c:459)
==2941==    by 0xA6277: at_chat_handle_command_response (gatchat.c:521)
==2941==    by 0xA6587: have_line (gatchat.c:600)
==2941==    by 0xA6BB7: new_bytes (gatchat.c:759)
==2941==    by 0xAAFAF: received_data (gatio.c:124)
==2941==    by 0x4AF606F: g_main_dispatch (gmain.c:3154)
==2941==    by 0x4AF606F: g_main_context_dispatch (gmain.c:3769)
==2941==    by 0x4AF658F: g_main_loop_run (gmain.c:4034)
==2941==    by 0xBDDBB: main (main.c:261)
==2941==  Address 0x519c344 is 4 bytes inside a block of size 12 free'd
==2941==    at 0x4840B28: free (vg_replace_malloc.c:530)
==2941==    by 0x71F33: at_util_sim_state_query_free (atutil.c:613)
==2941==    by 0x6930B: sim_state_cb (sim.c:1297)
==2941==    by 0x71DCB: cpin_check_cb (atutil.c:567)
==2941==    by 0xA602B: at_chat_finish_command (gatchat.c:459)
==2941==    by 0xA6277: at_chat_handle_command_response (gatchat.c:521)
==2941==    by 0xA6587: have_line (gatchat.c:600)
==2941==    by 0xA6BB7: new_bytes (gatchat.c:759)
==2941==    by 0xAAFAF: received_data (gatio.c:124)
==2941==    by 0x4AF606F: g_main_dispatch (gmain.c:3154)
==2941==    by 0x4AF606F: g_main_context_dispatch (gmain.c:3769)
==2941==    by 0x4AF658F: g_main_loop_run (gmain.c:4034)
==2941==    by 0xBDDBB: main (main.c:261)
This commit is contained in:
Slava Monich 2017-10-05 18:36:23 +03:00 committed by Denis Kenzior
parent 94cefc7cff
commit 4a2915d52d
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
drivers/atmodem/sim.c
View File

@ -1293,14 +1293,15 @@ static void sim_state_cb(gboolean present, gpointer user_data)
struct cb_data *cbd = user_data;
struct sim_data *sd = cbd->user;
ofono_sim_lock_unlock_cb_t cb = cbd->cb;
void *data = cbd->data;
at_util_sim_state_query_free(sd->sim_state_query);
sd->sim_state_query = NULL;
if (present == 1)
CALLBACK_WITH_SUCCESS(cb, cbd->data);
CALLBACK_WITH_SUCCESS(cb, data);
else
CALLBACK_WITH_FAILURE(cb, cbd->data);
CALLBACK_WITH_FAILURE(cb, data);
}
static void at_pin_send_cb(gboolean ok, GAtResult *result,