Fix null pointer dereference 77/73477/1 accepted/tizen/ivi/20160609.090147 accepted/tizen/mobile/20160609.090117 accepted/tizen/tv/20160609.090221 accepted/tizen/wearable/20160609.090136 submit/tizen/20160608.045259
authorHyunho Kang <hhstark.kang@samsung.com>
Wed, 8 Jun 2016 08:23:25 +0000 (17:23 +0900)
committerHyunho Kang <hhstark.kang@samsung.com>
Wed, 8 Jun 2016 08:27:46 +0000 (17:27 +0900)
- The self-send path does not attach an fd list, which causes a null pointer dereference

Change-Id: Ib3b46504a8d9bb64017b616ad99fb3a324d485e4
Signed-off-by: Hyunho Kang <hhstark.kang@samsung.com>
src/message-port.c

index ad809689b9e6c42455c7934b04818e5324022461..0e37dd80dec6a748f838a5c54ff1538c8e04bc5a 100755 (executable)
@@ -780,27 +780,36 @@ static bool send_message(GVariant *parameters, GDBusMethodInvocation *invocation
 
        msg = g_dbus_method_invocation_get_message(invocation);
        fd_list = g_dbus_message_get_unix_fd_list(msg);
-       returned_fds = g_unix_fd_list_steal_fds(fd_list, &fd_len);
-       fd = returned_fds[0];
 
-       LOGI("g_unix_fd_list_get %d fd: [%d]", fd_len, fd);
-       if (fd > 0) {
-
-               callback_info->gio_read = g_io_channel_unix_new(fd);
-               if (!callback_info->gio_read) {
-                       _LOGE("Error is %s\n", strerror_r(errno, buf, sizeof(buf)));
+       /* When application send message to self fd_list is NULL */
+       if (fd_list != NULL) {
+               returned_fds = g_unix_fd_list_steal_fds(fd_list, &fd_len);
+               if (returned_fds == NULL) {
+                       _LOGE("fail to get fds");
                        __callback_info_free(callback_info);
                        return -1;
                }
+               fd = returned_fds[0];
 
-               callback_info->g_src_id = g_io_add_watch(callback_info->gio_read, G_IO_IN | G_IO_HUP,
-                               __socket_request_handler, (gpointer)callback_info);
-               if (callback_info->g_src_id == 0) {
-                       _LOGE("fail to add watch on socket");
-                       __callback_info_free(callback_info);
-                       return -1;
-               }
+               LOGI("g_unix_fd_list_get %d fd: [%d]", fd_len, fd);
+               if (fd > 0) {
 
+                       callback_info->gio_read = g_io_channel_unix_new(fd);
+                       if (!callback_info->gio_read) {
+                               _LOGE("Error is %s\n", strerror_r(errno, buf, sizeof(buf)));
+                               __callback_info_free(callback_info);
+                               return -1;
+                       }
+
+                       callback_info->g_src_id = g_io_add_watch(callback_info->gio_read, G_IO_IN | G_IO_HUP,
+                                       __socket_request_handler, (gpointer)callback_info);
+                       if (callback_info->g_src_id == 0) {
+                               _LOGE("fail to add watch on socket");
+                               __callback_info_free(callback_info);
+                               return -1;
+                       }
+
+               }
        }
 
        data = bundle_decode(raw, len);
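Review bot: The descriptors taken with `g_unix_fd_list_steal_fds()` become this function's responsibility, but the new block only uses `returned_fds[0]`, and as far as the hunk shows none of the early `return -1` paths release the array. If the sending peer attaches more than one descriptor (`fd_len > 1`), the extras stay open in the receiver and repeated messages can exhaust its descriptor table. Closing them with `for (i = 1; i < fd_len; i++) close(returned_fds[i]);` and calling `g_free(returned_fds);` on every exit would bound that, unless cleanup already happens further down; send_message starts and ends outside this hunk. Separately, `return -1` in a function declared `static bool` converts to `true`, so these failure paths probably read as success to the caller, and `return false;` looks like the intent. The `fd > 0` test also rejects descriptor 0, which is valid; `fd >= 0` would match the -1 terminator GLib puts at the end of the stolen array.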