From c324c50f9290dcae9d7bab05fae887755c2a3f00 Mon Sep 17 00:00:00 2001 From: Vitaliy Cherepanov Date: Wed, 6 May 2015 17:57:23 +0300 Subject: [PATCH] [FIX] prevent issues |--------|-------------------------------|--------------------|---------------------------------| | CID | Type | File | Function | |--------|-------------------------------|--------------------|---------------------------------| | 373032 | Uninitialized pointer read | da_protocol.c | process_msg_get_process_add_inf | | 373029 | Wrong sizeof argument | da_inst.c | new_lib() | | 373013 | Resource leak | da_inst.c | new_lib() | | 373010 | Resource leak | da_inst.c | new_app() | | 373009 | Resource leak | da_protocol_inst.c | parse_us_inst_func | | 373004 | Dereference null return value | input_events.c | deviceEventHandler | | 373000 | Dereference null return value | da_protocol.c | process_msg_binary_info | | 372997 | Dereference null return value | da_protocol.c | write_msg_error | | 372996 | Dereference null return value | da_inst.c | new_lib | | 372993 | Dereference null return value | da_inst.c | new_app | |--------|-------------------------------|--------------------|---------------------------------| Change-Id: Ic02b5e6a4a8fcea6697a5f29416fd7555c8211c9 Signed-off-by: Vitaliy Cherepanov Signed-off-by: Alexander Aksenov --- daemon/da_inst.c | 101 +++++++++++++++++++++++++++++----------------- daemon/da_protocol.c | 68 +++++++++++++++++++++---------- daemon/da_protocol_inst.c | 2 +- daemon/input_events.c | 13 ++++-- 4 files changed, 121 insertions(+), 63 deletions(-) diff --git a/daemon/da_inst.c b/daemon/da_inst.c index 9b3889e..ac462b3 100644 --- a/daemon/da_inst.c +++ b/daemon/da_inst.c 
@@ -83,30 +83,87 @@ static struct data_list_t *new_data(void) return lib; } +static void free_probe_element(struct probe_list_t *probe) +{ + free(probe->func); + free(probe); +} + +static void free_data_element(struct data_list_t *lib) +{ + free(lib->data); + free(lib); +} + +static void free_probe_list(struct probe_list_t *probe) +{ + struct probe_list_t *next; + while (probe != NULL) { + next = probe->next; + free_probe_element(probe); + probe = next; + } +} + +static void free_data(struct data_list_t *lib) +{ + free_probe_list(lib->list); + free_data_element(lib); +} + + struct lib_list_t *new_lib(void) { - struct probe_list_t *res = NULL; - struct lib_list_t *lib = (struct lib_list_t *)new_data(); - res = malloc(sizeof(*lib->lib)); - if (res == NULL) { + struct lib_list_t *lib = NULL; + + lib = (struct lib_list_t *)new_data(); + if (lib == NULL) { + LOGE("cannot create lib\n"); + goto exit_fail; + } + + lib->lib = malloc(sizeof(*lib->lib)); + if (lib->lib == NULL) { LOGE("can not malloc buffer for probe_list_t lib\n"); - return NULL; + goto exit_fail_free_lib; } - lib->lib = res; + memset(lib->lib, 0, sizeof(*lib->lib)); + + /* SUCCESS */ return lib; + +exit_fail_free_lib: + free_data(lib); +exit_fail: + return NULL; } struct app_list_t *new_app(void) { - struct app_list_t *app = (struct app_list_t *)new_data(); + struct app_list_t *app = NULL; + + app = (struct app_list_t *)new_data(); + if (app = NULL) { + LOGE("cannot create app\n"); + goto exit_fail; + } + app->app = malloc(sizeof(*app->app)); if (app->app == NULL) { LOGE("can not malloc buffer for app_info_t app\n"); - return NULL; + goto exit_fail_free_app; } + memset(app->app, 0, sizeof(*app->app)); + + /* SUCCESS */ return app; + +exit_fail_free_app: + free(app); +exit_fail: + return NULL; } struct probe_list_t *new_probe(void) 
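Review bot: In new_app() the added guard reads `if (app = NULL)`, which assigns instead of comparing. The branch is never taken, `app` is overwritten with NULL (dropping whatever new_data() returned), and the following `app->app = malloc(...)` dereferences a null pointer on every call; it should be `if (app == NULL) {`. The `exit_fail_free_app` path also calls plain `free(app)` where new_lib() uses `free_data(lib)`. If new_data() allocates a `data` member (its body is outside the hunk), that member leaks, and `free_data((struct data_list_t *)app);` would match new_lib(). In new_lib(), `free_data(lib)` passes a `struct lib_list_t *` to a `struct data_list_t *` parameter without a cast, which should at least warn unless the two are the same type.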
@@ -122,34 +179,6 @@ struct probe_list_t *new_probe(void) return probe; } -static void free_probe_element(struct probe_list_t *probe) -{ - free(probe->func); - free(probe); -} - -static void free_data_element(struct data_list_t *lib) -{ - free(lib->data); - free(lib); -} - -static void free_probe_list(struct probe_list_t *probe) -{ - struct probe_list_t *next; - while (probe != NULL) { - next = probe->next; - free_probe_element(probe); - probe = next; - } -} - -static void free_data(struct data_list_t *lib) -{ - free_probe_list(lib->list); - free_data_element(lib); -} - void free_data_list(struct data_list_t **data) { struct data_list_t *next; diff --git a/daemon/da_protocol.c b/daemon/da_protocol.c index 7718cfc..ba282d6 100644 --- a/daemon/da_protocol.c +++ b/daemon/da_protocol.c @@ -587,7 +587,14 @@ static int send_reply(struct msg_t *msg) static void write_msg_error(const char *err_str) { - struct msg_data_t *err_msg = gen_message_error(err_str); + struct msg_data_t *err_msg = NULL; + + err_msg = gen_message_error(err_str); + if (err_msg == NULL) { + LOGE("cannot generate error message\n"); + return; + } + if (write_to_buf(err_msg) != 0) LOGE("write to buf fail\n"); free_msg_data(err_msg); 
@@ -858,34 +865,39 @@ static struct binary_ack* binary_ack_alloc(const char *filename) binpath[0]='\0'; ba = malloc(sizeof(*ba)); - if (ba != NULL) { - if (stat(filename, &decoy) == 0) { - ba->type = get_binary_type(filename); + if (ba == NULL) { + LOGE("Cannot allocates memory for binary ack struct\n"); + goto exit_fail; + } - if (ba->type != BINARY_TYPE_UNKNOWN) - get_build_dir(builddir, filename); + if (stat(filename, &decoy) == 0) { + ba->type = get_binary_type(filename); - if (builddir[0] != '\0') - snprintf(binpath, sizeof(binpath), check_windows_path(builddir) ? - "%s\\%s" : "%s/%s", builddir, basename(filename) ?: ""); + if (ba->type != BINARY_TYPE_UNKNOWN) + get_build_dir(builddir, filename); - ba->binpath = strdup(binpath); - get_file_md5sum(ba->digest, filename); - } else { - ba->type = BINARY_TYPE_FILE_NOT_EXIST; - ba->binpath = strdup(filename); - memset(ba->digest, 0x00, sizeof(ba->digest)); - } + if (builddir[0] != '\0') + snprintf(binpath, sizeof(binpath), check_windows_path(builddir) ? + "%s\\%s" : "%s/%s", builddir, basename(filename) ?: ""); + + ba->binpath = strdup(binpath); + get_file_md5sum(ba->digest, filename); } else { - LOGE("Cannot allocates memory for ba\n"); + ba->type = BINARY_TYPE_FILE_NOT_EXIST; + ba->binpath = strdup(filename); + memset(ba->digest, 0x00, sizeof(ba->digest)); } return ba; + +exit_fail: + return NULL; } static int process_msg_binary_info(struct msg_buf_t *msg) { - uint32_t i, bincount; + int err; + uint32_t i, j, bincount; enum ErrorCode error_code = ERR_NO; printBuf(msg->cur_pos, msg->len); 
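Review bot: Both `ba->binpath = strdup(...)` assignments in binary_ack_alloc() leave the result unchecked, so an allocation failure returns a `ba` whose `binpath` is NULL. That is the same class of defect this commit fixes for `ba` itself. A single check before `return ba;`, such as `if (ba->binpath == NULL) { free(ba); goto exit_fail; }`, would route it to the existing failure path. The `snprintf` into `binpath` also ignores its return value, so a long `builddir`/`filename` pair is silently truncated before the copy; `filename` appears to come from the incoming message via process_msg_binary_info(), so the length is not under the daemon's control. The function starts above the hunk, so the sizes and initialisation of `builddir` and `binpath` are not visible here.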
@@ -906,7 +918,10 @@ static int process_msg_binary_info(struct msg_buf_t *msg) } new = binary_ack_alloc(str); /* check for errors */ - if (new->type == BINARY_TYPE_FILE_NOT_EXIST) { + if (new == NULL) { + LOGE("cannot create bin info structure\n"); + goto exit_fail_free_ack; + } else if (new->type == BINARY_TYPE_FILE_NOT_EXIST) { error_code = ERR_WRONG_MESSAGE_DATA; LOGW("binary file not exists <%s>\n", str); } else if (new->type == BINARY_TYPE_UNKNOWN) { @@ -945,9 +960,16 @@ static int process_msg_binary_info(struct msg_buf_t *msg) } printBuf(msg_reply, msg_reply->len + sizeof(*msg_reply)); - int err = send_reply(msg_reply); + err = send_reply(msg_reply); free(msg_reply); + return err; + +exit_fail_free_ack: + for (j = 0; j < i; j++) + binary_ack_free(acks[j]); +exit_fail: + return -1; } static void get_serialized_time(uint32_t dst[2]) @@ -1116,10 +1138,12 @@ static char *get_process_cmd_line(uint32_t pid) static int process_msg_get_process_add_info(struct msg_buf_t *msg) { - uint32_t i, count, total_len; + uint32_t i, count; + uint32_t total_len = 0; uint32_t *pidarr = NULL; char **cmd_line_arr = NULL; - char *payload, *p; + char *payload = NULL; + char *p; struct msg_target_t sendlog; enum ErrorCode err_code = ERR_UNKNOWN; diff --git a/daemon/da_protocol_inst.c b/daemon/da_protocol_inst.c index 4f4c9d7..a612b09 100644 --- a/daemon/da_protocol_inst.c +++ b/daemon/da_protocol_inst.c @@ -107,7 +107,7 @@ static int parse_us_inst_func(struct msg_buf_t *msg, struct probe_list_t **dest) *dest = new_probe(); if (*dest == NULL) { LOGE("alloc new_probe error\n"); - goto err_ret; + goto err_free; } (*dest)->size = size; (*dest)->func = func; diff --git a/daemon/input_events.c b/daemon/input_events.c index 9efab5e..734fe14 100644 --- a/daemon/input_events.c +++ b/daemon/input_events.c 
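Review bot: The new `exit_fail_free_ack` path in process_msg_binary_info() (-945 hunk, reached from the `goto` added in the -906 hunk) frees `acks[0..i-1]` and returns -1, but nothing visible releases the `acks` array itself. Its allocation is outside the hunks, so confirm whether it is heap-allocated and needs a `free(acks)` there. Unlike the other failure branches in the -906 hunk, which set `error_code`, this path sends no reply, so the peer is presumably left waiting; confirm that the caller handles the -1. No `goto exit_fail` is visible in these hunks, so the label may be unused. A comment at the label would help, for example `/* only acks[0..i-1] were allocated before the failure */`.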
@@ -207,10 +207,15 @@ static int deviceEventHandler(input_dev *dev, int input_type) count, input_type == INPUT_ID_KEY ? STR_KEY : STR_TOUCH); log = gen_message_event(in_ev, count, input_type); - printBuf((char *)log, MSG_DATA_HDR_LEN + log->len); - if (write_to_buf(log) != 0) - LOGE("write to buf fail\n"); - free_msg_data(log); + if (log != NULL) { + printBuf((char *)log, MSG_DATA_HDR_LEN + log->len); + if (write_to_buf(log) != 0) + LOGE("write to buf fail\n"); + free_msg_data(log); + } else { + LOGE("cannot generate message event." + "message missed\n"); + } } } else { LOGW("unknown input_type\n"); -- 2.7.4
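Review bot: The two adjacent string literals in the new `LOGE` call concatenate to "cannot generate message event.message missed", with no space after the period. Write it as one literal, `LOGE("cannot generate message event, message missed\n");`, which also keeps the message greppable in the logs. The enclosing deviceEventHandler() body starts and ends outside the hunk.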