Fixing Iotivity crash in catcpserver 57/221557/3
authorsamanway <samanway@linux-samanway.sa.corp.samsungelectronics.net>
Thu, 19 Dec 2019 12:44:45 +0000 (18:14 +0530)
committerPyun DoHyun <dh79.pyun@samsung.com>
Sun, 12 Jan 2020 23:06:16 +0000 (23:06 +0000)
- Memory was being freed in function CADisconnectTCPSession without checking NULL condition
- This caused crash in IoTivity, fix is patched
- Also, a potential dangling pointer issue fixed in uqueue.c

https://github.sec.samsung.net/RS7-IOTIVITY/IoTivity/commit/ced81117e624a1f416df3f5ff226427b2d070515
(cherry-picked from ced81117e624a1f416df3f5ff226427b2d070515)

Change-Id: Ic6ede9df63aa8e5590c253f9430eeba401231347
Signed-off-by: samanway-dey <samanway.dey@samsung.com>
Signed-off-by: Sudipto <sudipto.bal@samsung.com>
resource/csdk/connectivity/common/src/uqueue.c
resource/csdk/connectivity/src/tcp_adapter/catcpserver.c

index 312423482b2a773018e1f801c7b81e07129ea030..17d8298bf5fcdfa015aea4f47e7759404e82c869 100644 (file)
@@ -101,7 +101,8 @@ CAResult_t u_queue_add_element(u_queue_t *queue, u_queue_message_t *message)
 
             /* error in queue, free the allocated memory*/
             OICFree(element);
-            return CA_STATUS_FAILED;
+            element = NULL;
+           return CA_STATUS_FAILED;
         }
 
         queue->element = element;
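Review bot: The added `element = NULL;` writes to a local that is not read again before the `return` on the next line, so it has no effect on pointer lifetime. If a stale reference is the concern, the pointer to clear is whichever field outside this function may still hold `element`, and that is not visible in this hunk. The new `return CA_STATUS_FAILED;` line is also indented one column less than its neighbours. u_queue_add_element starts and ends outside the hunk.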
index 2eb798c0b981e54227a8a29823de9d76f1d4c91a..3bfd8076efb8cba9a19c2b8616d5b2a2a13cc918 100755 (executable)
@@ -1539,13 +1539,15 @@ CASocketFd_t CAConnectTCPSession(const CAEndpoint_t *endpoint)
 
 CAResult_t CADisconnectTCPSession(size_t index)
 {
+    oc_mutex_lock(g_mutexObjectList);
     CATCPSessionInfo_t *removedData = u_arraylist_remove(caglobals.tcp.svrlist, index);
     if (!removedData)
     {
         OIC_LOG(DEBUG, TAG, "there is no data to be removed");
+        oc_mutex_unlock(g_mutexObjectList);
         return CA_STATUS_OK;
     }
-
+    oc_mutex_unlock(g_mutexObjectList);
     // close the socket and remove session info in list.
     if (removedData->fd >= 0)
     {
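Review bot: `g_mutexObjectList` is now taken inside CADisconnectTCPSession, but `index` is computed by the caller before this lock is acquired. Unless the caller held the same lock during lookup, the list can change in between and `u_arraylist_remove` may remove and free a different session than intended. If callers do already hold the lock, this call re-acquires it and would deadlock unless oc_mutex is recursive; neither case is visible here. State the contract above the function, for example `/* Takes g_mutexObjectList itself; callers must not hold it. */`. The two unlock calls can become one `oc_mutex_unlock(g_mutexObjectList);` placed directly after the remove; the function body continues past this hunk.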
@@ -1561,15 +1563,23 @@ CAResult_t CADisconnectTCPSession(size_t index)
             g_connectionCallback(&(removedData->sep.endpoint), false, removedData->isClient);
         }
     }
-    OICFree(removedData->data);
-    removedData->data = NULL;
-
-    OICFree(removedData->tlsdata);
-    removedData->tlsdata = NULL;
+    if (removedData->data)
+    {
+        OICFree(removedData->data);
+        removedData->data = NULL;
+    }
 
-    OICFree(removedData);
-    removedData = NULL;
+    if (removedData->tlsdata)
+    {
+        OICFree(removedData->tlsdata);
+        removedData->tlsdata = NULL;
+    }
 
+    if (removedData)
+    {
+        OICFree(removedData);
+        removedData = NULL;
+    }
     OIC_LOG(DEBUG, TAG, "data is removed from session list");
 
 #ifndef DISABLE_TCP_SERVER
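Review bot: The `if (removedData)` guard before the final OICFree is dead code, because `removedData` was NULL-checked at function entry and is already dereferenced by `removedData->data` and `removedData->tlsdata` above it. I would drop that guard and keep `OICFree(removedData);` unconditional. The guards on `data` and `tlsdata` only matter if OICFree does not accept NULL; if it forwards to free() they change nothing. In that case the crash in the commit message is more likely a double free of the same session from two threads, which the locking in the previous hunk addresses rather than these checks; this is worth confirming against the crash trace.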