From 1e54faa620018a0c55148fb91d431c5b672ee026 Mon Sep 17 00:00:00 2001
From: Wootak Jung
Date: Wed, 21 Aug 2019 14:26:59 +0900
Subject: [PATCH] Fix the crash dump in FHUB efl TCT

Add the type check logic to avoid crash
Should not be freed in case of getting a string as '&s'.
https://people.gnome.org/~ryanl/glib-docs/gvariant-format-strings.html#gvariant-format-strings-pointers

Change-Id: I7fead708e1349a832bc6b19a3b5987631bd0d1ca
---
 bt-oal/bluez_hal/src/bt-hal-event-receiver.c       | 22 ++++++++-------
 .../services/obex/bt-service-obex-event-receiver.c | 26 ++++++++----------
 bt-service/bt-service-event-receiver.c             | 31 +++++++++-------------
 3 files changed, 35 insertions(+), 44 deletions(-)

diff --git a/bt-oal/bluez_hal/src/bt-hal-event-receiver.c b/bt-oal/bluez_hal/src/bt-hal-event-receiver.c
index 643a086..6e6a1d6 100644
--- a/bt-oal/bluez_hal/src/bt-hal-event-receiver.c
+++ b/bt-oal/bluez_hal/src/bt-hal-event-receiver.c
@@ -163,7 +163,7 @@ static int __bt_hal_parse_event(GVariant *msg)
 static int __bt_hal_get_owner_info(GVariant *msg, char **name,
				char **previous, char **current)
 {
-	g_variant_get(msg, "(sss)", name, previous, current);
+	g_variant_get(msg, "(&s&s&s)", name, previous, current);
 	return BT_HAL_ERROR_NONE;
 }
 
@@ -1027,17 +1027,23 @@ static gboolean __bt_hal_event_manager(gpointer data)
 		char *previous = NULL;
 		char *current = NULL;
 
+		if (g_strcmp0(g_variant_get_type_string(param->parameters), "(sss)") != 0) {
+			ERR("Invalid variant format");
+			return FALSE;
+		}
+
 		/* TODO: Handle Name Owener changed Signal */
 		if (__bt_hal_get_owner_info(param->parameters, &name, &previous, ¤t)) {
 			DBG("Fail to get the owner info");
 			return FALSE;
 		}
-		if (current && *current != '\0') {
-			g_free(name);
-			g_free(previous);
-			g_free(current);
+
+		if (*current != '\0')
 			return FALSE;
-		}
+
+		if (name == NULL)
+			return FALSE;
+
 
 		if (strcasecmp(name, BT_HAL_BLUEZ_NAME) == 0) {
 			DBG("Bluetoothd is terminated");
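Review bot: With `"(&s&s&s)"` the strings returned through name/previous/current are now borrowed — they point into msg, must not be g_free()d and are invalid once msg is released — but the helper says nothing about that, and it still returns BT_HAL_ERROR_NONE unconditionally, so the caller's "Fail to get the owner info" branch is dead. I would add a header comment along the lines of `/* Out-params are borrowed from msg ("&s"): do not free them or use them after msg is unreffed; msg must be of type "(sss)". */`. Since every caller now has to repeat the "(sss)" check before calling, the check belongs in the helper, e.g. `if (!g_variant_is_of_type(msg, G_VARIANT_TYPE("(sss)"))) return <non-zero HAL error code>;`, which would make the error branch reachable. The identical `__bt_get_owner_info` hunks in bt-service-obex-event-receiver.c (@@ -128) and bt-service-event-receiver.c (@@ -294) have the same gap.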
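Review bot: The added `if (name == NULL) return FALSE;` cannot trigger while `*current` just above is dereferenced with no guard: after the "(sss)" type check has passed, g_variant_get() with "&s" returns non-NULL pointers into the variant for all three strings, so either both guards are defensive or neither is. If defence in depth is intended, guard current before reading it (`if (current == NULL || *current != '\0') return FALSE;`); otherwise drop the name check, which also removes the impression that name can be NULL when strcasecmp() is reached. Removing the three g_free() calls is correct now that the pointers are borrowed from param->parameters. The same inconsistency is in the __bt_manager_event_filter hunks of bt-service-obex-event-receiver.c (@@ -507) and bt-service-event-receiver.c (@@ -2797); __bt_hal_event_manager starts and ends outside this hunk.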
@@ -1045,10 +1051,6 @@ static gboolean __bt_hal_event_manager(gpointer data)
 				_bt_hal_le_deinit();
 			}
 			INFO("Name Owner changed [%s]", name);
-			g_free(name);
-			g_free(previous);
-			g_free(current);
-
 		} else if (g_strcmp0(param->interface_name, BT_HAL_PROPERTIES_INTERFACE) == 0) {
 			DBG("Manager Event: Interface Name: BT_HAL_PROPERTIES_INTERFACE");
 			__bt_hal_handle_property_changed_event(param->parameters, param->object_path);
diff --git a/bt-service-adaptation/services/obex/bt-service-obex-event-receiver.c b/bt-service-adaptation/services/obex/bt-service-obex-event-receiver.c
index b0db797..d91c48c 100644
--- a/bt-service-adaptation/services/obex/bt-service-obex-event-receiver.c
+++ b/bt-service-adaptation/services/obex/bt-service-obex-event-receiver.c
@@ -128,7 +128,7 @@ bt_status_t _bt_adapter_get_status_for_Obex(void)
 static int __bt_get_owner_info(GVariant *msg, char **name,
				char **previous, char **current)
 {
-	g_variant_get(msg, "(sss)", name, previous, current);
+	g_variant_get(msg, "(&s&s&s)", name, previous, current);
 	return BLUETOOTH_ERROR_NONE;
 }
 
@@ -379,13 +379,11 @@ void _bt_handle_agent_event(GVariant *msg, const char *member)
 	if (strcasecmp(member, "ObexAuthorize") == 0) {
 		__bt_get_agent_signal_info(msg, &address, &name, &uuid);
 
-		param = g_variant_new("(iss)", result, address, name);
+		param = g_variant_new("(i&s&s)", result, address, name);
 		_bt_send_event(BT_OPP_SERVER_EVENT,
			BLUETOOTH_EVENT_OBEX_SERVER_CONNECTION_AUTHORIZE,
			param);
 		/* TODO: MAP? see above */
-		g_free(address);
-		g_free(name);
 	}
 }
 
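Review bot: Dropping `g_free(address)` and `g_free(name)` is only correct if `__bt_get_agent_signal_info()` hands out borrowed pointers, and that helper is not in this patch; the commit message implies it already reads with "&s" (so the old frees were the invalid frees that crashed), but nothing at the call site records that, so the frees are easy to reintroduce. A one-line comment after the `__bt_get_agent_signal_info()` call, `/* address/name/uuid are borrowed from msg; do not free */`, would pin the contract. Note that for g_variant_new() "&s" is treated exactly like "s" — the string is copied into the new variant — so the switch to `"(i&s&s)"` changes nothing about ownership and is cosmetic. The same applies to the ObexAuthorize and RfcommAuthorize hunks of bt-service-event-receiver.c (@@ -2570 and @@ -2584); _bt_handle_agent_event starts outside this hunk.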
@@ -507,19 +505,21 @@ static void __bt_manager_event_filter(GDBusConnection *connection,
 		char *previous = NULL;
 		char *current = NULL;
 
+		if (g_strcmp0(g_variant_get_type_string(parameters), "(sss)") != 0) {
+			BT_ERR("Invalid variant format");
+			return;
+		}
+
 		if (__bt_get_owner_info(parameters, &name, &previous, ¤t)) {
 			BT_ERR("Fail to get the owner info");
 			return;
 		}
 
-		if (*current != '\0') {
-			g_free(current);
-			if (name)
-				g_free(name);
-			if (previous)
-				g_free(previous);
+		if (*current != '\0')
+			return;
+
+		if (name == NULL)
 			return;
-		}
 
 		if (strcasecmp(name, BT_BLUEZ_NAME) == 0) {
 			BT_INFO_C("### Bluetoothd is terminated");
@@ -535,10 +535,6 @@ static void __bt_manager_event_filter(GDBusConnection *connection,
 			/* Check if the obex server was terminated abnormally */
 			_bt_obex_server_check_termination(name);
 		}
-
-		g_free(name);
-		g_free(previous);
-		g_free(current);
 	} else if (g_strcmp0(interface_name, BT_AGENT_INTERFACE) == 0) {
 		_bt_handle_agent_event(parameters, signal_name);
 	} else if (g_strcmp0(interface_name, BT_DEVICE_INTERFACE) == 0) {
diff --git a/bt-service/bt-service-event-receiver.c b/bt-service/bt-service-event-receiver.c
index ed3bb9c..0fbe2b1 100644
--- a/bt-service/bt-service-event-receiver.c
+++ b/bt-service/bt-service-event-receiver.c
@@ -294,7 +294,7 @@ static gboolean __bt_parse_interface(GVariant *msg,
 static int __bt_get_owner_info(GVariant *msg, char **name,
				char **previous, char **current)
 {
-	g_variant_get(msg, "(sss)", name, previous, current);
+	g_variant_get(msg, "(&s&s&s)", name, previous, current);
 	return BLUETOOTH_ERROR_NONE;
 }
 
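Review bot: `name` is now a pointer into `parameters` rather than a heap copy, so it is valid only until this handler returns, and the same branch later hands it to `_bt_obex_server_check_termination(name)` — if that callee keeps the pointer past the call it now dangles, which is worth confirming. A comment on the declarations at the top of the hunk, `/* borrowed from parameters via "&s": do not free, do not keep beyond this handler */`, would record the changed lifetime. As a point of style, `if (!g_variant_is_of_type(parameters, G_VARIANT_TYPE("(sss)")))` expresses the new type check without comparing type strings by hand. The hunk at @@ -2797 of bt-service-event-receiver.c has the same shape, with name passed on to `_bt_stop_le_scan(name)`; __bt_manager_event_filter starts and ends outside this hunk.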
@@ -2570,12 +2570,10 @@ void _bt_handle_agent_event(GVariant *msg, const char *member)
 	if (strcasecmp(member, "ObexAuthorize") == 0) {
 		__bt_get_agent_signal_info(msg, &address, &name, &uuid);
 
-		param = g_variant_new("(iss)", result, address, name);
+		param = g_variant_new("(i&s&s)", result, address, name);
 		_bt_send_event(BT_OPP_SERVER_EVENT,
			BLUETOOTH_EVENT_OBEX_SERVER_CONNECTION_AUTHORIZE,
			param);
-		g_free(address);
-		g_free(name);
 	} else if (strcasecmp(member, "RfcommAuthorize") == 0) {
 		bt_rfcomm_server_info_t *server_info;
 
@@ -2584,14 +2582,11 @@ void _bt_handle_agent_event(GVariant *msg, const char *member)
 		server_info = _bt_rfcomm_get_server_info_using_uuid(uuid);
 		ret_if(server_info == NULL);
 		ret_if(server_info->server_type != BT_CUSTOM_SERVER);
-		param = g_variant_new("(isssn)", result, address, uuid, name,
+		param = g_variant_new("(i&s&s&sn)", result, address, uuid, name,
				server_info->control_fd);
 		_bt_send_event(BT_RFCOMM_SERVER_EVENT,
				BLUETOOTH_EVENT_RFCOMM_AUTHORIZE,
				param);
-		g_free(address);
-		g_free(uuid);
-		g_free(name);
 	}
 }
 
@@ -2797,19 +2792,21 @@ static void __bt_manager_event_filter(GDBusConnection *connection,
 		char *previous = NULL;
 		char *current = NULL;
 
+		if (g_strcmp0(g_variant_get_type_string(parameters), "(sss)") != 0) {
+			BT_ERR("Invalid variant format");
+			return;
+		}
+
 		if (__bt_get_owner_info(parameters, &name, &previous, ¤t)) {
 			BT_ERR("Fail to get the owner info");
 			return;
 		}
 
-		if (*current != '\0') {
-			g_free(current);
-			if (name)
-				g_free(name);
-			if (previous)
-				g_free(previous);
+		if (*current != '\0')
+			return;
+
+		if (name == NULL)
 			return;
-		}
 
 		if (strcasecmp(name, BT_BLUEZ_NAME) == 0) {
 			BT_INFO_C("### Bluetoothd is terminated");
@@ -2843,10 +2840,6 @@ static void __bt_manager_event_filter(GDBusConnection *connection,
 
 		/* Stop LE Scan */
 		_bt_stop_le_scan(name);
-
-		g_free(name);
-		g_free(previous);
-		g_free(current);
 	} else if (g_strcmp0(interface_name, BT_PROPERTIES_INTERFACE) == 0) {
 		const char *path = object_path;
 
-- 
2.7.4