diff options
author | samanway <samanway@linux-samanway.sa.corp.samsungelectronics.net> | 2019-12-19 18:14:45 +0530 |
---|---|---|
committer | Sudipto Bal <sudipto.bal@samsung.com> | 2020-01-06 05:44:14 +0000 |
commit | 4db7d3ff6a992015da414aaf11b9b05fceaa5b90 (patch) | |
tree | 421d7a3d6cd6234a4b7545158c0ad7cbed8b898a | |
parent | 0b3468590b08bfb8d617b4e207988dd27ddc7ad1 (diff) | |
download | iotivity-4db7d3ff6a992015da414aaf11b9b05fceaa5b90.tar.gz iotivity-4db7d3ff6a992015da414aaf11b9b05fceaa5b90.tar.bz2 iotivity-4db7d3ff6a992015da414aaf11b9b05fceaa5b90.zip |
Fixing Iotivity crash in catcpserver
- Memory was being freed in function CADisconnectTCPSession without checking NULL condition
- This caused crash in IoTivity, fix is patched
- Also, a potential dangling pointer issue fized in uqeue.c
https://github.sec.samsung.net/RS7-IOTIVITY/IoTivity/commit/ced81117e624a1f416df3f5ff226427b2d070515
(cherry-picked from ced81117e624a1f416df3f5ff226427b2d070515)
Change-Id: Ic6ede9df63aa8e5590c253f9430eeba401231347
Signed-off-by: samanway-dey <samanway.dey@samsung.com>
Signed-off-by: Sudipto <sudipto.bal@samsung.com>
-rw-r--r-- | resource/csdk/connectivity/common/src/uqueue.c | 3 | ||||
-rwxr-xr-x | resource/csdk/connectivity/src/tcp_adapter/catcpserver.c | 26 |
2 files changed, 20 insertions, 9 deletions
diff --git a/resource/csdk/connectivity/common/src/uqueue.c b/resource/csdk/connectivity/common/src/uqueue.c index 312423482..17d8298bf 100644 --- a/resource/csdk/connectivity/common/src/uqueue.c +++ b/resource/csdk/connectivity/common/src/uqueue.c @@ -101,7 +101,8 @@ CAResult_t u_queue_add_element(u_queue_t *queue, u_queue_message_t *message) /* error in queue, free the allocated memory*/ OICFree(element); - return CA_STATUS_FAILED; + element = NULL; + return CA_STATUS_FAILED; } queue->element = element; diff --git a/resource/csdk/connectivity/src/tcp_adapter/catcpserver.c b/resource/csdk/connectivity/src/tcp_adapter/catcpserver.c index 2eb798c0b..3bfd8076e 100755 --- a/resource/csdk/connectivity/src/tcp_adapter/catcpserver.c +++ b/resource/csdk/connectivity/src/tcp_adapter/catcpserver.c @@ -1539,13 +1539,15 @@ CASocketFd_t CAConnectTCPSession(const CAEndpoint_t *endpoint) CAResult_t CADisconnectTCPSession(size_t index) { + oc_mutex_lock(g_mutexObjectList); CATCPSessionInfo_t *removedData = u_arraylist_remove(caglobals.tcp.svrlist, index); if (!removedData) { OIC_LOG(DEBUG, TAG, "there is no data to be removed"); + oc_mutex_unlock(g_mutexObjectList); return CA_STATUS_OK; } - + oc_mutex_unlock(g_mutexObjectList); // close the socket and remove session info in list. if (removedData->fd >= 0) { @@ -1561,15 +1563,23 @@ CAResult_t CADisconnectTCPSession(size_t index) g_connectionCallback(&(removedData->sep.endpoint), false, removedData->isClient); } } - OICFree(removedData->data); - removedData->data = NULL; - - OICFree(removedData->tlsdata); - removedData->tlsdata = NULL; + if (removedData->data) + { + OICFree(removedData->data); + removedData->data = NULL; + } - OICFree(removedData); - removedData = NULL; + if (removedData->tlsdata) + { + OICFree(removedData->tlsdata); + removedData->tlsdata = NULL; + } + if (removedData) + { + OICFree(removedData); + removedData = NULL; + } OIC_LOG(DEBUG, TAG, "data is removed from session list"); #ifndef DISABLE_TCP_SERVER |