From 4db7d3ff6a992015da414aaf11b9b05fceaa5b90 Mon Sep 17 00:00:00 2001
From: samanway
Date: Thu, 19 Dec 2019 18:14:45 +0530
Subject: [PATCH] Fixing Iotivity crash in catcpserver
- Memory was being freed in function CADisconnectTCPSession without checking NULL condition
- This caused crash in IoTivity, fix is patched
- Also, a potential dangling pointer issue fized in uqeue.c
https://github.sec.samsung.net/RS7-IOTIVITY/IoTivity/commit/ced81117e624a1f416df3f5ff226427b2d070515
(cherry-picked from ced81117e624a1f416df3f5ff226427b2d070515)
Change-Id: Ic6ede9df63aa8e5590c253f9430eeba401231347
Signed-off-by: samanway-dey
Signed-off-by: Sudipto
---
 resource/csdk/connectivity/common/src/uqueue.c | 3 ++-
 .../connectivity/src/tcp_adapter/catcpserver.c | 26 +++++++++++++++-------
 2 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/resource/csdk/connectivity/common/src/uqueue.c b/resource/csdk/connectivity/common/src/uqueue.c
index 3124234..17d8298 100644
--- a/resource/csdk/connectivity/common/src/uqueue.c
+++ b/resource/csdk/connectivity/common/src/uqueue.c
@@ -101,7 +101,8 @@ CAResult_t u_queue_add_element(u_queue_t *queue, u_queue_message_t *message)
 /* error in queue, free the allocated memory*/
 OICFree(element);
- return CA_STATUS_FAILED;
+ element = NULL;
+ return CA_STATUS_FAILED;
 }
 queue->element = element;
diff --git a/resource/csdk/connectivity/src/tcp_adapter/catcpserver.c b/resource/csdk/connectivity/src/tcp_adapter/catcpserver.c
index 2eb798c..3bfd807 100755
--- a/resource/csdk/connectivity/src/tcp_adapter/catcpserver.c
+++ b/resource/csdk/connectivity/src/tcp_adapter/catcpserver.c
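Review bot: The added `element = NULL;` in the uqueue.c hunk sits directly before `return CA_STATUS_FAILED;`, so if `element` is a local of u_queue_add_element (the later `queue->element = element;` suggests it is), the store is dead and removes no dangling pointer. The commit message presents this as a dangling-pointer fix; what would actually matter is whether anything reachable from `queue` still refers to the freed node on this error path, and that code is outside the hunk. I would drop the assignment, or check the lines above the hunk and reset the queue field that was linked to `element` if there is one.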
@@ -1539,13 +1539,15 @@ CASocketFd_t CAConnectTCPSession(const CAEndpoint_t *endpoint)
 CAResult_t CADisconnectTCPSession(size_t index)
 {
+ oc_mutex_lock(g_mutexObjectList);
 CATCPSessionInfo_t *removedData = u_arraylist_remove(caglobals.tcp.svrlist, index);
 if (!removedData)
 {
 OIC_LOG(DEBUG, TAG, "there is no data to be removed");
+ oc_mutex_unlock(g_mutexObjectList);
 return CA_STATUS_OK;
 }
-
+ oc_mutex_unlock(g_mutexObjectList);
 // close the socket and remove session info in list.
 if (removedData->fd >= 0)
 {
@@ -1561,15 +1563,23 @@ CAResult_t CADisconnectTCPSession(size_t index)
 g_connectionCallback(&(removedData->sep.endpoint), false, removedData->isClient);
 }
 }
- OICFree(removedData->data);
- removedData->data = NULL;
-
- OICFree(removedData->tlsdata);
- removedData->tlsdata = NULL;
+ if (removedData->data)
+ {
+ OICFree(removedData->data);
+ removedData->data = NULL;
+ }
- OICFree(removedData);
- removedData = NULL;
+ if (removedData->tlsdata)
+ {
+ OICFree(removedData->tlsdata);
+ removedData->tlsdata = NULL;
+ }
+ if (removedData)
+ {
+ OICFree(removedData);
+ removedData = NULL;
+ }
 OIC_LOG(DEBUG, TAG, "data is removed from session list");
 #ifndef DISABLE_TCP_SERVER
--
2.7.4
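Review bot: `g_mutexObjectList` is now taken inside CADisconnectTCPSession, but `index` is computed by the caller before this lock is acquired, so the list can change between the lookup and `u_arraylist_remove` and a different session than intended may be removed. The callers are not part of this diff; if any of them already holds `g_mutexObjectList` when calling this function and the mutex is not recursive, the new `oc_mutex_lock` would self-deadlock. I would state the locking contract above the function, for example `/* Caller must not hold g_mutexObjectList; index must still refer to the intended session when the lock is taken. */`, or keep lookup and removal in one critical section in the caller. The function body continues past this hunk.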
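Review bot: The new `if (removedData)` guard in the second catcpserver.c hunk can never be false, because the function returns early on `!removedData` and has already read `removedData->fd`, so the check only obscures the real precondition. The guards on `removedData->data` and `removedData->tlsdata` are likewise no-ops if `OICFree` accepts NULL the way `free()` does (its definition is not in this diff), which suggests the crash had a different cause, possibly the same session being released from two threads. I would keep the three unconditional `OICFree` calls and document the ownership that the locked removal provides: `/* removedData is owned exclusively by this call once removed from svrlist under g_mutexObjectList */`. The function starts before this hunk and ends after it.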