diff options
| author | Arron Wang <arron.wang@intel.com> | 2014-05-21 00:59:06 +0200 |
|---|---|---|
| committer | Samuel Ortiz <sameo@linux.intel.com> | 2014-05-21 00:59:06 +0200 |
| commit | 31530130e0da64910f12f1ab640d31a2c6f48141 (patch) | |
| tree | 492fabc8832418932d54da9b0417343ccfd7dcc7 | |
| parent | 5a607b4e78e447ecb479021686e7ff0b9f1d773b (diff) | |
| download | neard-31530130e0da64910f12f1ab640d31a2c6f48141.tar.gz neard-31530130e0da64910f12f1ab640d31a2c6f48141.tar.bz2 neard-31530130e0da64910f12f1ab640d31a2c6f48141.zip | |
se: Fix APDU double free when transceive fails
The APDU command will be freed in send_io even when transceive fails.
| -rw-r--r-- | se/ace.c | 12 | ||||
| -rw-r--r-- | se/channel.c | 1 | ||||
| -rw-r--r-- | se/se.c | 7 |
3 files changed, 8 insertions, 12 deletions
@@ -480,11 +480,12 @@ static void get_next_gp_data(struct seel_ace *ace) err = __seel_se_queue_io(ace->se, get_next_gp_data, get_next_gp_data_cb, ace); if (err < 0) { - DBG("GET NEXT ALL err %d", err); + near_error("GET NEXT ALL err %d", err); g_free(ace->rules_payload); - __seel_apdu_free(get_next_gp_data); return; } + + return; } static void get_all_gp_data_cb(void *context, @@ -571,8 +572,7 @@ static void get_refresh_gp_data_cb(void *context, err = __seel_se_queue_io(se, get_all_gp_data, get_all_gp_data_cb, ace); if (err < 0) { - DBG("GET DATA ALL err %d", err); - __seel_apdu_free(get_all_gp_data); + near_error("GET DATA ALL err %d", err); return; } @@ -597,8 +597,7 @@ static void select_gp_aid_cb(void *context, err = __seel_se_queue_io(se, get_refresh_gp_data, get_refresh_gp_data_cb, se); if (err < 0) { - DBG("GET REFRESH DATA err %d", err); - __seel_apdu_free(get_refresh_gp_data); + near_error("GET REFRESH DATA err %d", err); return; } @@ -620,7 +619,6 @@ int __seel_ace_add(struct seel_se *se) err = __seel_se_queue_io(se, select_gp_aid, select_gp_aid_cb, se); if (err < 0) { near_error("GP AID err %d", err); - __seel_apdu_free(select_gp_aid); return err; } diff --git a/se/channel.c b/se/channel.c index 5625d35..79e60a7 100644 --- a/se/channel.c +++ b/se/channel.c @@ -145,7 +145,6 @@ send_data: if (err < 0) { near_error("error %d", err); - __seel_apdu_free(send_apdu); dbus_message_unref(pending_msg); return __near_error_failed(msg, -err); @@ -178,8 +178,10 @@ int __seel_se_queue_io(struct seel_se *se, struct seel_apdu *apdu, DBG("Pending req %d", se->ioreq_pending); req = g_try_malloc0(sizeof(struct seel_se_ioreq)); - if (req == NULL) + if (req == NULL) { + __seel_apdu_free(apdu); return -ENOMEM; + } req->se = se; req->apdu = apdu; @@ -507,7 +509,6 @@ static void open_channel_cb(void *context, err = __seel_se_queue_io(ctx->se, select_aid, select_aid_cb, ctx); if (err < 0) { DBG("AID err %d", err); - __seel_apdu_free(select_aid); return open_channel_error(ctx, err); } @@ -552,7 +553,6 @@ static DBusMessage *open_channel(DBusConnection *conn, if (err < 0) { near_error("error %d", err); - __seel_apdu_free(open_channel); dbus_message_unref(ctx->msg); g_free(ctx); @@ -658,7 +658,6 @@ static DBusMessage *close_channel(DBusConnection *conn, if (err < 0) { near_error("error %d", err); - __seel_apdu_free(close_channel); dbus_message_unref(ctx->msg); g_free(ctx); |