Fix for Jira issues IOT-733,739 and 727

Fixed double free corruptions and errors in freeing static memory

If accepted, this changeset should be cherrypicked to 1.0.0-dev.

Change-Id: I5b37f5090b68b45156b5965f715b68daebfe9e37
Signed-off-by: koushik.girijala <g.koushik@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/3191
Reviewed-by: Gabriel Schulhof <gabriel.schulhof@intel.com>
Reviewed-by: Ashok Babu Channa <ashok.channa@samsung.com>
Reviewed-by: Jaehong Jo <jaehong.jo@samsung.com>
Tested-by: jenkins-iotivity <jenkins-iotivity@opendaylight.org>
Reviewed-by: Patrick Lankswert <patrick.lankswert@intel.com>

diff --git a/resource/csdk/stack/src/ocstack.c b/resource/csdk/stack/src/ocstack.c
index f6d2e70..cb3cb12 100644 (file)
--- a/resource/csdk/stack/src/ocstack.c
+++ b/resource/csdk/stack/src/ocstack.c
@@ -1399,7 +1399,16 @@ OCStackResult SendDirectStackResponse(const CAEndpoint_t* endPoint, const uint16
     };
     respInfo.info.messageId = coapID;
     respInfo.info.numOptions = numOptions;
-    respInfo.info.options = (CAHeaderOption_t*)options;
+
+    if (respInfo.info.numOptions)
+    {
+        respInfo.info.options =
+            (CAHeaderOption_t *)OICCalloc(respInfo.info.numOptions, sizeof(CAHeaderOption_t));
+        memcpy (respInfo.info.options, options,
+                sizeof(CAHeaderOption_t) * respInfo.info.numOptions);
+
+    }
+
     respInfo.info.payload = NULL;
     respInfo.info.token = token;
     respInfo.info.tokenLength = tokenLength;
@@ -1424,7 +1433,7 @@ OCStackResult SendDirectStackResponse(const CAEndpoint_t* endPoint, const uint16
     // resourceUri in the info field is cloned in the CA layer and
     // thus ownership is still here.
     OICFree (respInfo.info.resourceUri);
-
+    OICFree (respInfo.info.options);
     if(CA_STATUS_OK != caResult)
     {
         OC_LOG(ERROR, TAG, "CASendResponse error");
@@ -2292,9 +2301,6 @@ OCStackResult OCDoResource(OCDoHandle *handle,
     char *resourceUri = NULL;
     char *resourceType = NULL;
 
-    // To track if memory is allocated for additional header options
-    uint8_t hdrOptionMemAlloc = 0;
-
     // This validation is broken, but doesn't cause harm
     size_t uriLen = strlen(requestUri );
     if ((result = verifyUriQueryLength(requestUri , uriLen)) != OC_STACK_OK)
@@ -2409,13 +2415,15 @@ OCStackResult OCDoResource(OCDoHandle *handle,
         {
             goto exit;
         }
-        hdrOptionMemAlloc = 1;
         requestInfo.info.numOptions = numOptions + 1;
     }
     else
     {
-        requestInfo.info.options = (CAHeaderOption_t*)options;
         requestInfo.info.numOptions = numOptions;
+        requestInfo.info.options =
+            (CAHeaderOption_t*) OICCalloc(numOptions, sizeof(CAHeaderOption_t));
+        memcpy(requestInfo.info.options, (CAHeaderOption_t*)options,
+               numOptions * sizeof(CAHeaderOption_t));
     }
 
     CopyDevAddrToEndpoint(devAddr, &endpoint);
@@ -2505,10 +2513,7 @@ exit:
     OICFree(devAddr);
     OICFree(resourceUri);
     OICFree(resourceType);
-    if (hdrOptionMemAlloc)
-    {
-        OICFree(requestInfo.info.options);
-    }
+    OICFree(requestInfo.info.options);
     return result;
 }