Open Source Telephony
* [PATCH] atmodem: Fix use after free in sim_state_cb
@ 2017-10-05 15:36 Slava Monich
  2017-10-05 16:11 ` Denis Kenzior
From: Slava Monich @ 2017-10-05 15:36 UTC (permalink / raw)
  To: ofono


==2941== Invalid read of size 4
==2941==    at 0x69338: sim_state_cb (sim.c:1301)
==2941==    by 0x71DCB: cpin_check_cb (atutil.c:567)
==2941==    by 0xA602B: at_chat_finish_command (gatchat.c:459)
==2941==    by 0xA6277: at_chat_handle_command_response (gatchat.c:521)
==2941==    by 0xA6587: have_line (gatchat.c:600)
==2941==    by 0xA6BB7: new_bytes (gatchat.c:759)
==2941==    by 0xAAFAF: received_data (gatio.c:124)
==2941==    by 0x4AF606F: g_main_dispatch (gmain.c:3154)
==2941==    by 0x4AF606F: g_main_context_dispatch (gmain.c:3769)
==2941==    by 0x4AF658F: g_main_loop_run (gmain.c:4034)
==2941==    by 0xBDDBB: main (main.c:261)
==2941==  Address 0x519c344 is 4 bytes inside a block of size 12 free'd
==2941==    at 0x4840B28: free (vg_replace_malloc.c:530)
==2941==    by 0x71F33: at_util_sim_state_query_free (atutil.c:613)
==2941==    by 0x6930B: sim_state_cb (sim.c:1297)
==2941==    by 0x71DCB: cpin_check_cb (atutil.c:567)
==2941==    by 0xA602B: at_chat_finish_command (gatchat.c:459)
==2941==    by 0xA6277: at_chat_handle_command_response (gatchat.c:521)
==2941==    by 0xA6587: have_line (gatchat.c:600)
==2941==    by 0xA6BB7: new_bytes (gatchat.c:759)
==2941==    by 0xAAFAF: received_data (gatio.c:124)
==2941==    by 0x4AF606F: g_main_dispatch (gmain.c:3154)
==2941==    by 0x4AF606F: g_main_context_dispatch (gmain.c:3769)
==2941==    by 0x4AF658F: g_main_loop_run (gmain.c:4034)
==2941==    by 0xBDDBB: main (main.c:261)
---
 drivers/atmodem/sim.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/atmodem/sim.c b/drivers/atmodem/sim.c
index 7c33c22..6395a04 100644
--- a/drivers/atmodem/sim.c
+++ b/drivers/atmodem/sim.c
@@ -1293,14 +1293,15 @@ static void sim_state_cb(gboolean present, gpointer user_data)
 	struct cb_data *cbd = user_data;
 	struct sim_data *sd = cbd->user;
 	ofono_sim_lock_unlock_cb_t cb = cbd->cb;
+	void *data = cbd->data;
 
 	at_util_sim_state_query_free(sd->sim_state_query);
 	sd->sim_state_query = NULL;
 
 	if (present == 1)
-		CALLBACK_WITH_SUCCESS(cb, cbd->data);
+		CALLBACK_WITH_SUCCESS(cb, data);
 	else
-		CALLBACK_WITH_FAILURE(cb, cbd->data);
+		CALLBACK_WITH_FAILURE(cb, data);
 }
 
 static void at_pin_send_cb(gboolean ok, GAtResult *result,
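Review bot: the invalid read the valgrind trace reports at sim.c:1301 is `cbd->data` in `CALLBACK_WITH_SUCCESS(cb, cbd->data)`, and the block it touches (12 bytes, consistent with the three-pointer `cb_data` of `cb`, `data` and `user` on this 32-bit build) is freed four lines earlier, at sim.c:1297, inside `at_util_sim_state_query_free(sd->sim_state_query)` (atutil.c:613); so the query owns `cbd`, and copying `cbd->data` into the new local `data` next to the existing `sd` and `cb` copies is the right fix, since after this hunk no field of `cbd` is read once the free has run. What the hunk still leaves implicit is that ownership rule: a short comment above the free, along the lines of `/* cbd belongs to sd->sim_state_query; it is invalid after this call */`, would record why the three locals must be taken before the free and make it harder for the same pattern to come back in this callback or the other `at_util_sim_state_query_*` users.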
-- 
1.9.1



* Re: [PATCH] atmodem: Fix use after free in sim_state_cb
  2017-10-05 15:36 [PATCH] atmodem: Fix use after free in sim_state_cb Slava Monich
@ 2017-10-05 16:11 ` Denis Kenzior
From: Denis Kenzior @ 2017-10-05 16:11 UTC (permalink / raw)
  To: ofono


Hi Slava,

On 10/05/2017 10:36 AM, Slava Monich wrote:
> ==2941== Invalid read of size 4
> ==2941==    at 0x69338: sim_state_cb (sim.c:1301)
> ==2941==    by 0x71DCB: cpin_check_cb (atutil.c:567)
> ==2941==    by 0xA602B: at_chat_finish_command (gatchat.c:459)
> ==2941==    by 0xA6277: at_chat_handle_command_response (gatchat.c:521)
> ==2941==    by 0xA6587: have_line (gatchat.c:600)
> ==2941==    by 0xA6BB7: new_bytes (gatchat.c:759)
> ==2941==    by 0xAAFAF: received_data (gatio.c:124)
> ==2941==    by 0x4AF606F: g_main_dispatch (gmain.c:3154)
> ==2941==    by 0x4AF606F: g_main_context_dispatch (gmain.c:3769)
> ==2941==    by 0x4AF658F: g_main_loop_run (gmain.c:4034)
> ==2941==    by 0xBDDBB: main (main.c:261)
> ==2941==  Address 0x519c344 is 4 bytes inside a block of size 12 free'd
> ==2941==    at 0x4840B28: free (vg_replace_malloc.c:530)
> ==2941==    by 0x71F33: at_util_sim_state_query_free (atutil.c:613)
> ==2941==    by 0x6930B: sim_state_cb (sim.c:1297)
> ==2941==    by 0x71DCB: cpin_check_cb (atutil.c:567)
> ==2941==    by 0xA602B: at_chat_finish_command (gatchat.c:459)
> ==2941==    by 0xA6277: at_chat_handle_command_response (gatchat.c:521)
> ==2941==    by 0xA6587: have_line (gatchat.c:600)
> ==2941==    by 0xA6BB7: new_bytes (gatchat.c:759)
> ==2941==    by 0xAAFAF: received_data (gatio.c:124)
> ==2941==    by 0x4AF606F: g_main_dispatch (gmain.c:3154)
> ==2941==    by 0x4AF606F: g_main_context_dispatch (gmain.c:3769)
> ==2941==    by 0x4AF658F: g_main_loop_run (gmain.c:4034)
> ==2941==    by 0xBDDBB: main (main.c:261)
> ---
>   drivers/atmodem/sim.c | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
> 

Applied, thanks.

Regards,
-Denis
