[PATCH v2] broadband-modem-qmi: fix potential use-after-freed issues
Ben Chan
benchan at chromium.org
Thu Aug 3 21:25:33 UTC 2017
This patch fixes some potential use-after-free issues in
dms_get_ids_ready(). When an invalid ESN / MEID is retrieved,
`ctx->self->priv->esn' / `ctx->self->priv->meid' is freed but not reset
to NULL. If no IMEI is retrieved, `str' can be set to the already freed
`ctx->self->priv->esn' / `ctx->self->priv->meid' and then propagated to
a GSimpleAsyncResult object.
---
src/mm-broadband-modem-qmi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mm-broadband-modem-qmi.c b/src/mm-broadband-modem-qmi.c
index 38356426..3a04e993 100644
--- a/src/mm-broadband-modem-qmi.c
+++ b/src/mm-broadband-modem-qmi.c
@@ -1231,7 +1231,7 @@ dms_get_ids_ready (QmiClientDms *client,
if (qmi_message_dms_get_ids_output_get_esn (output, &str, NULL) &&
str[0] != '\0') {
- g_free (ctx->self->priv->esn);
+ g_clear_pointer (&ctx->self->priv->esn, g_free);
len = strlen (str);
if (len == 7)
ctx->self->priv->esn = g_strdup_printf ("0%s", str); /* zero-pad to 8 chars */
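Review bot: After the `g_clear_pointer` on the new side, a malformed ESN now leaves `ctx->self->priv->esn` as NULL instead of a dangling pointer, so the later fallback that the description says copies `priv->esn` / `priv->meid` into `str` when no IMEI is retrieved (outside this hunk) will now see NULL there; it is worth confirming that path treats NULL as "not retrieved" and errors out rather than handing NULL to `g_strdup`/`strlen` or into the GSimpleAsyncResult. If that fallback already guards for NULL, a short comment at the clear would make the contract explicit: `/* NULL means no valid ESN; the IMEI/MEID fallback below relies on that */`. The stored value is also released before the length check on the following lines, so a previously valid ESN is discarded when the modem reports a malformed one; if that is the intended "invalid reply clears the cached ID" behaviour, say so in the same comment. dms_get_ids_ready begins before and continues after this hunk.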
@@ -1243,7 +1243,7 @@ dms_get_ids_ready (QmiClientDms *client,
if (qmi_message_dms_get_ids_output_get_meid (output, &str, NULL) &&
str[0] != '\0') {
- g_free (ctx->self->priv->meid);
+ g_clear_pointer (&ctx->self->priv->meid, g_free);
len = strlen (str);
if (len == 14)
ctx->self->priv->meid = g_strdup (str);
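Review bot: The MEID branch clears `ctx->self->priv->meid` before the `len == 14` check, so a malformed reply drops a previously valid MEID and leaves NULL behind; if the intent is instead to keep the last good value, the free should move under the check, `if (len == 14) { g_free (ctx->self->priv->meid); ctx->self->priv->meid = g_strdup (str); }`, with the NULL-reset no longer needed on that path. If clearing on a malformed reply is deliberate, the ESN branch above documents its zero-padding but this one does not say why 14 is the only accepted length; a comment such as `/* MEID is expected as 14 hex characters; anything else is treated as absent */` would spare the next reader a lookup (hedged: the exact accepted forms depend on the else branch, which this hunk does not show). dms_get_ids_ready continues past the end of the hunk.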
--
2.14.0.rc1.383.gd1ce394fe2-goog