author | Dante Russo <drusso@codeaurora.org> | 2019-05-15 15:08:30 -0700 |
---|---|---|
committer | Dante Russo <drusso@codeaurora.org> | 2019-05-15 15:09:39 -0700 |
commit | 61b7ed6bf0718c2b4a93350f130e8b13f980c823 (patch) | |
tree | e4624b234f15f2f16476fe9bec02d98e42a9cff1 | |
parent | 4d6bb2da93570f07d874e2a76519518c6d4b163f (diff) | |
Fix few ASAN issues reported
- Fix a Use After Free issue in Gnss Update Config
If Engine Capabilities are not known yet at the time
of the MsgGnssUpdateConfig, the ids array will be freed
but the ids pointer will be copied into a new
MsgGnssUpdateConfig that will access the ids array again
- Issue in NetworkInfoDataItemBase which will result in
array out of bound access which might result in heap
buffer overflow.
Change-Id: Ib5a6dc29fef9eb6676d4605f92d60f26a47d1d90
CRs-fixed: 2449980
-rw-r--r-- | core/data-items/DataItemConcreteTypesBase.h | 2 | ||||
-rw-r--r-- | gnss/GnssAdapter.cpp | 21 |
2 files changed, 21 insertions, 2 deletions
diff --git a/core/data-items/DataItemConcreteTypesBase.h b/core/data-items/DataItemConcreteTypesBase.h index 552d46a..a6e68f1 100644 --- a/core/data-items/DataItemConcreteTypesBase.h +++ b/core/data-items/DataItemConcreteTypesBase.h @@ -249,7 +249,7 @@ public: mId(NETWORKINFO_DATA_ITEM_ID) { memset (&mAllNetworkHandles, NETWORK_HANDLE_UNKNOWN, sizeof (mAllNetworkHandles)); - mAllNetworkHandles[type] = networkHandle; + mAllNetworkHandles[initialType] = networkHandle; } virtual ~NetworkInfoDataItemBase() {} inline virtual DataItemId getId() { return mId; } diff --git a/gnss/GnssAdapter.cpp b/gnss/GnssAdapter.cpp index e1143fd..6558714 100644 --- a/gnss/GnssAdapter.cpp +++ b/gnss/GnssAdapter.cpp @@ -997,9 +997,18 @@ GnssAdapter::gnssUpdateConfigCommand(GnssConfig config) mConfig(config), mCount(count), mIds(ids) {} + inline MsgGnssUpdateConfig(const MsgGnssUpdateConfig& obj) : + MsgGnssUpdateConfig(obj.mAdapter, obj.mApi, obj.mConfig, + new uint32_t[obj.mCount], obj.mCount) { + if (mIds != nullptr) { + for (int i = 0; i < mCount; ++i) { + mIds[i] = obj.mIds[i]; + } + } + } inline virtual ~MsgGnssUpdateConfig() { - delete [] mIds; + delete[] mIds; } inline virtual void proc() const { @@ -1257,6 +1266,16 @@ GnssAdapter::gnssGetConfigCommand(GnssConfigFlagsMask configMask) { mConfigMask(configMask), mIds(ids), mCount(count) {} + + inline MsgGnssGetConfig(const MsgGnssGetConfig& obj) : + MsgGnssGetConfig(obj.mAdapter, obj.mApi, obj.mConfigMask, + new uint32_t[obj.mCount], obj.mCount) { + if (mIds != nullptr) { + for (int i = 0; i < mCount; ++i) { + mIds[i] = obj.mIds[i]; + } + } + } inline virtual ~MsgGnssGetConfig() { delete[] mIds; |
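Review bot: `initialType` is used as an index into `mAllNetworkHandles` on the changed line without a range check, so a value outside the array would still write out of bounds. The constructor's signature and the array's declaration are outside the hunk, so whether callers can pass such a value needs confirming against them. A guard on the assignment, for example `if (static_cast<size_t>(initialType) < sizeof(mAllNetworkHandles) / sizeof(mAllNetworkHandles[0]))`, would make the constructor safe regardless of what callers pass.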
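Review bot: The null check in the new `MsgGnssUpdateConfig` copy constructor tests the wrong pointer. `mIds` has just been set from `new uint32_t[obj.mCount]`, and plain `new[]` reports failure by throwing rather than returning null, while `obj.mIds` is read in the loop unchecked. If a message can be built with a null `ids` and a non-zero count (the primary constructor's callers are not visible here), copying it dereferences null; `if (mIds != nullptr && obj.mIds != nullptr)` covers that case. The loop index is `int` while `mCount` is declared outside the hunk, so giving `i` the same type as `mCount` would avoid a possible signed/unsigned comparison. The copy constructor added to `MsgGnssGetConfig` in the next hunk has the same shape, and both struct definitions begin outside their hunks.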
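Review bot: Only the copy constructor of `MsgGnssGetConfig` is made deep here; copy assignment is still the compiler-generated member-wise one, unless a const or reference member declared outside the hunk already suppresses it. Assigning one message to another would again leave two objects whose destructors both run `delete[] mIds` on the same buffer. Nothing in the hunk shows a message being assigned, so this may be latent, but `MsgGnssGetConfig& operator=(const MsgGnssGetConfig&) = delete;` next to the new constructor turns any future assignment into a compile error. The same applies to `MsgGnssUpdateConfig` in the previous hunk.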