[PATCH] broadband-modem-qmi: fix potential use-after-freed issues
Ben Chan
benchan at chromium.org
Thu Aug 3 20:25:01 UTC 2017
This patch fixes some potential use-after-freed issues in
dms_get_ids_ready(). When an invalid ESN / MEID is retrieved,
`ctx->self->priv->esn' / `ctx->self->priv->meid' is freed but not reset
to NULL. If no IMEI is retrieved, `str' can be set to the already freed
`ctx->self->priv->esn' / `ctx->self->priv->meid' and then propagated to
a GSimpleAsyncResult object.
---
src/mm-broadband-modem-qmi.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/mm-broadband-modem-qmi.c b/src/mm-broadband-modem-qmi.c
index 38356426..bd4d2b6c 100644
--- a/src/mm-broadband-modem-qmi.c
+++ b/src/mm-broadband-modem-qmi.c
@@ -1237,8 +1237,10 @@ dms_get_ids_ready (QmiClientDms *client,
ctx->self->priv->esn = g_strdup_printf ("0%s", str); /* zero-pad to 8 chars */
else if (len == 8)
ctx->self->priv->esn = g_strdup (str);
- else
+ else {
mm_dbg ("Invalid ESN reported: '%s' (unexpected length)", str);
+ ctx->self->priv->esn = NULL;
+ }
}
if (qmi_message_dms_get_ids_output_get_meid (output, &str, NULL) &&
@@ -1247,8 +1249,10 @@ dms_get_ids_ready (QmiClientDms *client,
len = strlen (str);
if (len == 14)
ctx->self->priv->meid = g_strdup (str);
- else
+ else {
mm_dbg ("Invalid MEID reported: '%s' (unexpected length)", str);
+ ctx->self->priv->meid = NULL;
+ }
}
if (ctx->self->priv->imei)
--
2.14.0.rc1.383.gd1ce394fe2-goog
More information about the ModemManager-devel
mailing list