On 03/08/17 23:25, Ben Chan wrote:
> This patch fixes some potential use-after-freed issues in
> dms_get_ids_ready(). When an invalid ESN / MEID is retrieved,
> `ctx->self->priv->esn' / `ctx->self->priv->meid' is freed but not reset
> to NULL. If no IMEI is retrieved, `str' can be set to the already freed
> `ctx->self->priv->esn' / `ctx->self->priv->meid' and then propagated to
> a GSimpleAsyncResult object.
Pushed to git master and mm-1-6, and backported to mm-1-4 and mm-1-2 (which may
not have g_clear_pointer()), thanks!
> ---
> src/mm-broadband-modem-qmi.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/mm-broadband-modem-qmi.c b/src/mm-broadband-modem-qmi.c
> index 38356426..3a04e993 100644
> --- a/src/mm-broadband-modem-qmi.c
> +++ b/src/mm-broadband-modem-qmi.c
> @@ -1231,7 +1231,7 @@ dms_get_ids_ready (QmiClientDms *client,
>
> if (qmi_message_dms_get_ids_output_get_esn (output, , NULL) &&
> str[0] != '\0') {
> -g_free (ctx->self->priv->esn);
> +g_clear_pointer (>self->priv->esn, g_free);
> len = strlen (str);
> if (len == 7)
> ctx->self->priv->esn = g_strdup_printf ("0%s", str); /*
> zero-pad to 8 chars */
> @@ -1243,7 +1243,7 @@ dms_get_ids_ready (QmiClientDms *client,
>
> if (qmi_message_dms_get_ids_output_get_meid (output, , NULL) &&
> str[0] != '\0') {
> -g_free (ctx->self->priv->meid);
> +g_clear_pointer (>self->priv->meid, g_free);
> len = strlen (str);
> if (len == 14)
> ctx->self->priv->meid = g_strdup (str);
>
--
Aleksander
https://aleksander.es
___
ModemManager-devel mailing list
ModemManager-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/modemmanager-devel
