libril: Fix double freeing of memory in SAP
service and add null-checks.
The payload of a SAP request could be freed twice in certain scenarios.
Also, add null-checks to prevent dereferencing of null pointers.
Bug: 64729356
Test: Manually run the fuzz tests and ensure that there is no crash in
rild
Change-Id: Ib7ae269fa5297d6acea267337b220b8858c82bae
diff --git a/ril/libril/sap_service.cpp b/ril/libril/sap_service.cpp
index abfbfef..962d564 100644
--- a/ril/libril/sap_service.cpp
+++ b/ril/libril/sap_service.cpp
@@ -106,11 +106,13 @@
Return<void> SapImpl::addPayloadAndDispatchRequest(MsgHeader *msg, uint16_t reqLen,
uint8_t *reqPtr) {
- msg->payload = (pb_bytes_array_t *)malloc(sizeof(pb_bytes_array_t) - 1 + reqLen);
- if (msg->payload == NULL) {
+ pb_bytes_array_t *payload = (pb_bytes_array_t *) malloc(sizeof(pb_bytes_array_t) - 1 + reqLen);
+ if (payload == NULL) {
sendFailedResponse(msg->id, msg->token, 2, reqPtr, msg);
return Void();
}
+
+ msg->payload = payload;
msg->payload->size = reqLen;
memcpy(msg->payload->bytes, reqPtr, reqLen);
@@ -120,7 +122,7 @@
sapSocket->dispatchRequest(msg);
} else {
RLOGE("SapImpl::addPayloadAndDispatchRequest: sapSocket is null");
- sendFailedResponse(msg->id, msg->token, 3, msg->payload, reqPtr, msg);
+ sendFailedResponse(msg->id, msg->token, 3, payload, reqPtr, msg);
return Void();
}
free(msg->payload);
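Review bot: After `free(msg->payload);` on the last line of the hunk, `msg->payload` still holds the freed address, so if `msg` outlives this call and its payload is released again elsewhere, the double free this commit targets comes straight back through the stale field. Clearing it makes the ownership hand-off explicit: `free(msg->payload);` followed by `msg->payload = nullptr;`. The same concern applies to the new line `sendFailedResponse(msg->id, msg->token, 3, payload, reqPtr, msg);` — if that overload frees `payload` (inferred from the argument list, not visible here), `msg->payload`, which the earlier hunk already set to the same pointer, is left dangling on that path as well. addPayloadAndDispatchRequest's body starts outside this hunk.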