libril: Fix double freeing of memory in SAP
service and add null-checks.
The payload of a SAP request could be freed twice in certain scenarios.
Also, add null-checks to prevent dereferencing of null pointers.
Bug: 64729356
Test: Manually run the fuzz tests and ensure that there is no crash in
rild
Change-Id: Ib7ae269fa5297d6acea267337b220b8858c82bae
diff --git a/ril/libril/RilSapSocket.cpp b/ril/libril/RilSapSocket.cpp
index f58d327..8276de9 100644
--- a/ril/libril/RilSapSocket.cpp
+++ b/ril/libril/RilSapSocket.cpp
@@ -55,10 +55,9 @@
sap_socket->onRequestComplete(t,e,response,responselen);
} else {
RLOGE("Invalid socket id");
- if (request->curr->payload) {
- free(request->curr->payload);
+ if (request->curr) {
+ free(request->curr);
}
- free(request->curr);
free(request);
}
}
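Review bot: The else branch still dereferences `request->curr` without first checking `request` itself, even though the companion hunk in onRequestComplete now guards against a NULL request; if a NULL token can reach this path, the new `if (request->curr)` test is itself a null dereference. Since `free(NULL)` is a no-op, the inner check is redundant and the guard belongs on the outer pointer: `if (request) { free(request->curr); free(request); }`. A one-line comment recording why the payload is no longer released here (presumably it is owned by `curr` or freed on the other path — worth confirming against the allocation site) would save the next reader from suspecting a leak. The enclosing function begins before this hunk.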
@@ -234,6 +233,12 @@
void RilSapSocket::onRequestComplete(RIL_Token t, RIL_Errno e, void *response,
size_t response_len) {
SapSocketRequest* request= (SapSocketRequest*)t;
+
+ if (!request || !request->curr) {
+ RLOGE("RilSapSocket::onRequestComplete: request/request->curr is NULL");
+ return;
+ }
+
MsgHeader *hdr = request->curr;
MsgHeader rsp;