From a6dcabd2efa52e38f724f5da80eee728507737b3 Mon Sep 17 00:00:00 2001
From: Avichal
Date: Thu, 25 Apr 2019 17:10:41 +0530
Subject: [PATCH] Rectifyng this poniter deletion from member function Asan Issues 1. heap-use-after-free in enlightenment 2. heap-use-after-free in amd THis issue reported on termination of sensord
Change-Id: I6452081621d6d5aa6c64636f7a99a9e77c071799
Signed-off-by: Avichal
---
 src/server/sensor_handler.cpp | 6 ++++--
 src/shared/channel.cpp | 7 ++++++-
 src/shared/channel_event_handler.cpp | 2 --
 src/shared/event_loop.cpp | 13 ++++++++++---
 src/shared/message.cpp | 6 +++---
 5 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/src/server/sensor_handler.cpp b/src/server/sensor_handler.cpp
index fcfef69..b9cdfca 100644
--- a/src/server/sensor_handler.cpp
+++ b/src/server/sensor_handler.cpp
@@ -83,8 +83,10 @@ int sensor_handler::notify(const char *uri, sensor_data_t *data, int len)
 for (auto it = m_observers.begin(); it != m_observers.end(); ++it) (*it)->update(uri, msg);
- if (msg->ref_count() == 0)
- msg->unref();
+ if (msg->ref_count() == 0) {
+ delete msg;
+ msg = NULL;
+ }
 set_cache(data, len);
diff --git a/src/shared/channel.cpp b/src/shared/channel.cpp
index 446c881..639e9c1 100644
--- a/src/shared/channel.cpp
+++ b/src/shared/channel.cpp
@@ -49,8 +49,13 @@ public:
 if (!m_ch->send_sync(m_msg)) return false;
- if (m_msg)
+ if (m_msg) {
 m_msg->unref();
+ if(m_msg->ref_count() <= 0) {
+ delete m_msg;
+ m_msg = NULL;
+ }
+ }
 return false;
 }
diff --git a/src/shared/channel_event_handler.cpp b/src/shared/channel_event_handler.cpp
index cc8a2bb..8a6b64b 100644
--- a/src/shared/channel_event_handler.cpp
+++ b/src/shared/channel_event_handler.cpp
@@ -46,13 +46,11 @@ bool channel_event_handler::handle(int fd, event_condition condition)
 if (condition & (EVENT_HUP)) {
 m_ch->disconnect();
- m_ch = NULL;
 return false;
 }
 if (!m_ch->read_sync(msg, false)) {
 m_ch->disconnect();
- m_ch = NULL;
 return false;
 }
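Review bot: In sensor_handler::notify the new `if (msg->ref_count() == 0)` reads `msg` after every observer's `update()` has run, and with this commit whichever holder drops the last reference deletes the object itself (the channel.cpp hunk does exactly that), so if an observer path can release its reference before this line the read is itself a heap-use-after-free. Whether that can happen depends on where the send handlers run, which is not visible in this patch. The safer shape is for notify to hold its own reference across the loop and for the decrement and the zero test to be one step, for example `unref()` returning the post-decrement count so that exactly one caller ever observes zero; the same separate check-then-delete sequence appears in the channel.cpp hunk. The body of notify starts before and continues after this hunk.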
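Review bot: The early `return false` after a failed `m_ch->send_sync(m_msg)` skips the new unref-and-delete block, so on a send failure this handler's reference is never dropped and, now that `unref()` frees nothing, the message leaks unless the handler's destructor (not visible here) releases it. Both paths already return `false`, so calling `m_ch->send_sync(m_msg);` without the early return (logging the failure if wanted) and then running the release block would cover both outcomes. `m_msg` is also passed to `send_sync` before the `if (m_msg)` test, so that null check guards only the release and not the send. The enclosing method starts outside the hunk.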
diff --git a/src/shared/event_loop.cpp b/src/shared/event_loop.cpp
index 4f9e7ed..05ea57c 100644
--- a/src/shared/event_loop.cpp
+++ b/src/shared/event_loop.cpp
@@ -38,6 +38,9 @@ static gboolean g_io_handler(GIOChannel *ch, GIOCondition condition, gpointer da
 uint64_t id;
 int fd;
 bool term;
+ bool ret;
+ event_loop *loop;
+ event_handler *handler;
 unsigned int cond;
 cond = (unsigned int)condition;
@@ -46,17 +49,21 @@ static gboolean g_io_handler(GIOChannel *ch, GIOCondition condition, gpointer da
 cond &= ~(G_IO_IN | G_IO_OUT);
 handler_info *info = (handler_info *)data;
+ loop = info->loop;
+ handler = info->handler;
+ retvm_if(!loop || !handler, FALSE, "Invalid event info");
+
 id = info->id;
 fd = info->fd;
- term = info->loop->is_terminator(fd);
+ term = loop->is_terminator(fd);
 if (cond & G_IO_NVAL) return FALSE;
- bool ret = info->handler->handle(fd, (event_condition)cond);
+ ret = handler->handle(fd, (event_condition)cond);
 if (!ret && !term) {
- info->loop->remove_event(id);
+ loop->remove_event(id);
 return FALSE;
 }
diff --git a/src/shared/message.cpp b/src/shared/message.cpp
index e8fd460..aa08d10 100755
--- a/src/shared/message.cpp
+++ b/src/shared/message.cpp
@@ -87,7 +87,7 @@ message::message(int error)
 message::~message()
 {
- if (m_msg && ref_cnt == 0) {
+ if (m_msg) {
 delete [] m_msg;
 m_msg = NULL;
 }
@@ -146,12 +146,12 @@ void message::unref(void)
 {
 ref_cnt--;
- if (ref_cnt > 0 || !m_msg)
+ /*if (ref_cnt > 0 || !m_msg)
 return;
 delete [] m_msg;
 m_msg = NULL;
- delete this;
+ delete this;*/
 }
 int message::ref_count(void)
--
2.7.4
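Review bot: `info` is dereferenced (`info->loop`, `info->handler`) immediately after the cast, so the added `retvm_if` validates the two members but not `data` itself; a `retvm_if(!info, FALSE, "Invalid event info");` placed directly after the cast would close that gap. Copying `loop` and `handler` into locals stops the function from touching `info` once `handle()` has returned, but it does not keep either object alive. If the reason for the change is that `handle()` can free the handler_info, a one-line comment saying so, and saying who owns `loop`, would save the next reader from guessing. g_io_handler starts before this hunk and continues after it.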
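Review bot: `message::unref()` keeps its old body as a commented-out block instead of removing it, and nothing on the function says that it no longer frees the object. Delete the dead block and document the new contract, e.g. `/* Drops one reference and never frees; the caller that then sees ref_count() <= 0 must delete the message. */`. Any caller of `unref()` outside the files in this patch that relied on the self-delete will now leak, so the remaining call sites need checking; they are not visible here. `ref_cnt--` can also go below zero on an extra unref, which the `<= 0` test in channel.cpp tolerates and the `== 0` test in sensor_handler.cpp does not, so the two checks should agree.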