From 4a2915d52dc4346f8d0361b550ed4d1f5c6ab995 Mon Sep 17 00:00:00 2001
From: Slava Monich
Date: Thu, 5 Oct 2017 18:36:23 +0300
Subject: [PATCH] atmodem: Fix use after free in sim_state_cb

==2941== Invalid read of size 4
==2941== at 0x69338: sim_state_cb (sim.c:1301)
==2941== by 0x71DCB: cpin_check_cb (atutil.c:567)
==2941== by 0xA602B: at_chat_finish_command (gatchat.c:459)
==2941== by 0xA6277: at_chat_handle_command_response (gatchat.c:521)
==2941== by 0xA6587: have_line (gatchat.c:600)
==2941== by 0xA6BB7: new_bytes (gatchat.c:759)
==2941== by 0xAAFAF: received_data (gatio.c:124)
==2941== by 0x4AF606F: g_main_dispatch (gmain.c:3154)
==2941== by 0x4AF606F: g_main_context_dispatch (gmain.c:3769)
==2941== by 0x4AF658F: g_main_loop_run (gmain.c:4034)
==2941== by 0xBDDBB: main (main.c:261)
==2941== Address 0x519c344 is 4 bytes inside a block of size 12 free'd
==2941== at 0x4840B28: free (vg_replace_malloc.c:530)
==2941== by 0x71F33: at_util_sim_state_query_free (atutil.c:613)
==2941== by 0x6930B: sim_state_cb (sim.c:1297)
==2941== by 0x71DCB: cpin_check_cb (atutil.c:567)
==2941== by 0xA602B: at_chat_finish_command (gatchat.c:459)
==2941== by 0xA6277: at_chat_handle_command_response (gatchat.c:521)
==2941== by 0xA6587: have_line (gatchat.c:600)
==2941== by 0xA6BB7: new_bytes (gatchat.c:759)
==2941== by 0xAAFAF: received_data (gatio.c:124)
==2941== by 0x4AF606F: g_main_dispatch (gmain.c:3154)
==2941== by 0x4AF606F: g_main_context_dispatch (gmain.c:3769)
==2941== by 0x4AF658F: g_main_loop_run (gmain.c:4034)
==2941== by 0xBDDBB: main (main.c:261)
---
 drivers/atmodem/sim.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/atmodem/sim.c b/drivers/atmodem/sim.c
index 7c33c224..6395a04b 100644
--- a/drivers/atmodem/sim.c
+++ b/drivers/atmodem/sim.c
@@ -1293,14 +1293,15 @@ static void sim_state_cb(gboolean present, gpointer user_data)
 	struct cb_data *cbd = user_data;
 	struct sim_data *sd = cbd->user;
 	ofono_sim_lock_unlock_cb_t cb = cbd->cb;
+	void *data = cbd->data;
 
 	at_util_sim_state_query_free(sd->sim_state_query);
 	sd->sim_state_query = NULL;
 
 	if (present == 1)
-		CALLBACK_WITH_SUCCESS(cb, cbd->data);
+		CALLBACK_WITH_SUCCESS(cb, data);
 	else
-		CALLBACK_WITH_FAILURE(cb, cbd->data);
+		CALLBACK_WITH_FAILURE(cb, data);
 }
 
 static void at_pin_send_cb(gboolean ok, GAtResult *result,
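Review bot: The fix is correct only because every read of `cbd` (`sd`, `cb`, and now `data`) is placed before `at_util_sim_state_query_free(sd->sim_state_query)`, and nothing in the hunk records that ordering constraint, so a later reorder or a new `cbd->` read after the free would silently reintroduce the use-after-free; the signature of sim_state_cb lies before the hunk. I would add a comment directly above the free line: `/* cbd appears to be owned by the query object freed here (see the Valgrind trace in the commit message): copy everything needed from it before this call */`. That ownership is inferred from the trace in the commit message rather than visible in this hunk, so the wording should be confirmed against at_util_sim_state_query_free before landing. Any other callback in this file that frees `sd->sim_state_query` before invoking its stored callback would be worth auditing for the same pattern; at_pin_send_cb begins on the hunk's last line and its body is outside the hunk.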