Rectifyng this poniter deletion from member function

Asan Issues

1. heap-use-after-free in enlightenment
2. heap-use-after-free in amd
THis issue  reported  on termination of sensord

Change-Id: I6452081621d6d5aa6c64636f7a99a9e77c071799
Signed-off-by: Avichal <avichal.a@samsung.com>

diff --git a/src/server/sensor_handler.cpp b/src/server/sensor_handler.cpp
index fcfef69..b9cdfca 100644 (file)
--- a/src/server/sensor_handler.cpp
+++ b/src/server/sensor_handler.cpp
@@ -83,8 +83,10 @@ int sensor_handler::notify(const char *uri, sensor_data_t *data, int len)
        for (auto it = m_observers.begin(); it != m_observers.end(); ++it)
                (*it)->update(uri, msg);
 
-       if (msg->ref_count() == 0)
-               msg->unref();
+       if (msg->ref_count() == 0) {
+               delete msg;
+               msg = NULL;
+       }
 
        set_cache(data, len);
 

diff --git a/src/shared/channel.cpp b/src/shared/channel.cpp
index 446c881..639e9c1 100644 (file)
--- a/src/shared/channel.cpp
+++ b/src/shared/channel.cpp
@@ -49,8 +49,13 @@ public:
                if (!m_ch->send_sync(m_msg))
                        return false;
 
-               if (m_msg)
+               if (m_msg) {
                        m_msg->unref();
+                       if(m_msg->ref_count() <= 0) {
+                               delete m_msg;
+                               m_msg = NULL;
+                       }
+               }
 
                return false;
        }

diff --git a/src/shared/channel_event_handler.cpp b/src/shared/channel_event_handler.cpp
index cc8a2bb..8a6b64b 100644 (file)
--- a/src/shared/channel_event_handler.cpp
+++ b/src/shared/channel_event_handler.cpp
@@ -46,13 +46,11 @@ bool channel_event_handler::handle(int fd, event_condition condition)
 
        if (condition & (EVENT_HUP)) {
                m_ch->disconnect();
-               m_ch = NULL;
                return false;
        }
 
        if (!m_ch->read_sync(msg, false)) {
                m_ch->disconnect();
-               m_ch = NULL;
                return false;
        }
 

diff --git a/src/shared/event_loop.cpp b/src/shared/event_loop.cpp
index 4f9e7ed..05ea57c 100644 (file)
--- a/src/shared/event_loop.cpp
+++ b/src/shared/event_loop.cpp
@@ -38,6 +38,9 @@ static gboolean g_io_handler(GIOChannel *ch, GIOCondition condition, gpointer da
        uint64_t id;
        int fd;
        bool term;
+       bool ret;
+       event_loop *loop;
+       event_handler *handler;
        unsigned int cond;
 
        cond = (unsigned int)condition;
@@ -46,17 +49,21 @@ static gboolean g_io_handler(GIOChannel *ch, GIOCondition condition, gpointer da
                cond &= ~(G_IO_IN | G_IO_OUT);
 
        handler_info *info = (handler_info *)data;
+       loop = info->loop;
+       handler = info->handler;
+       retvm_if(!loop || !handler, FALSE, "Invalid event info");
+
        id = info->id;
        fd = info->fd;
-       term = info->loop->is_terminator(fd);
+       term = loop->is_terminator(fd);
 
        if (cond & G_IO_NVAL)
                return FALSE;
 
-       bool ret = info->handler->handle(fd, (event_condition)cond);
+       ret = handler->handle(fd, (event_condition)cond);
 
        if (!ret && !term) {
-               info->loop->remove_event(id);
+               loop->remove_event(id);
                return FALSE;
        }
 

diff --git a/src/shared/message.cpp b/src/shared/message.cpp
index e8fd460..aa08d10 100755 (executable)
--- a/src/shared/message.cpp
+++ b/src/shared/message.cpp
@@ -87,7 +87,7 @@ message::message(int error)
 
 message::~message()
 {
-       if (m_msg && ref_cnt == 0) {
+       if (m_msg) {
                delete [] m_msg;
                m_msg = NULL;
        }
@@ -146,12 +146,12 @@ void message::unref(void)
 {
        ref_cnt--;
 
-       if (ref_cnt > 0 || !m_msg)
+       /*if (ref_cnt > 0 || !m_msg)
                return;
 
        delete [] m_msg;
        m_msg = NULL;
-       delete this;
+       delete this;*/
 }
 
 int message::ref_count(void)