[PATCH obexd] PBAP: Fix possible invalid memory access

[PATCH obexd] PBAP: Fix possible invalid memory access

[Sunil Kumar Behera]

Issue: As reported by static code analyzer (Coverity), if
buffer is NULL and aparams is not NULL, then buffer gets
dereferenced in string_read function.
Fix: Application parameter is allocated only if maxlistcount
is zero during phonebooksize request and buffer is allocated
in case of pull phonebook request, hence modify logic to avoid
application parameter check, as it is tightly coupled with
maxlistcount.
---
 plugins/pbap.c |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/plugins/pbap.c b/plugins/pbap.c
index 0f07c46..eb2bc9c 100644
--- a/plugins/pbap.c
+++ b/plugins/pbap.c
@@ -996,11 +996,12 @@ static ssize_t vobject_pull_read(void *object, void *buf, size_t count)
 	DBG("buffer %p maxlistcount %d", obj->buffer,
 						pbap->params->maxlistcount);
 
-	if (!obj->buffer && !obj->aparams)
-		return -EAGAIN;
+	if (!obj->buffer) {
+		if (pbap->params->maxlistcount == 0)
+			return -ENOSTR;
 
-	if (pbap->params->maxlistcount == 0)
-		return -ENOSTR;
+		return -EAGAIN;
+	}
 
 	len = string_read(obj->buffer, buf, count);
 	if (len == 0 && !obj->lastpart) {
-- 
1.7.4.1

Re: [PATCH obexd] PBAP: Fix possible invalid memory access

[Johan Hedberg]

Hi Sunil,

On Tue, Jan 10, 2012, Sunil Kumar Behera wrote:
> Issue: As reported by static code analyzer (Coverity), if
> buffer is NULL and aparams is not NULL, then buffer gets
> dereferenced in string_read function.
> Fix: Application parameter is allocated only if maxlistcount
> is zero during phonebooksize request and buffer is allocated
> in case of pull phonebook request, hence modify logic to avoid
> application parameter check, as it is tightly coupled with
> maxlistcount.
> ---
>  plugins/pbap.c |    9 +++++----
>  1 files changed, 5 insertions(+), 4 deletions(-)

Applied. Thanks.

Johan