diff options
| author | Dante Russo <quic_drusso@quicinc.com> | 2019-05-15 15:26:10 -0700 |
|---|---|---|
| committer | Wayne Lin <waynewhlin@google.com> | 2019-06-14 11:21:01 +0800 |
| commit | 411f8f46d3b20b5e8ae583ae5ae95e5432ff4d53 (patch) | |
| tree | dc5bdf9693afbb6b3a431a65efa97ad9b294348a | |
| parent | 46f556a2cd59cf12a9a43bb0f7bfd591f01eeffd (diff) | |
| download | gps-411f8f46d3b20b5e8ae583ae5ae95e5432ff4d53.tar.gz | |
Fix few ASAN issues reported
- Fix a Use After Free issue in Gnss Update Config
If Engine Capabilities are not known yet at the time
of the MsgGnssUpdateConfig, the ids arrray will be freed
but the ids pointer will be copied into a new
MsgGnssUpdateConfig that will access the ids array again
- Issue in NetworkInfoDataItemBase which will result in
array out of bound access which might result in heap
buffer overflow.
Test: GNSS sanity test
Bug: 134993377
Change-Id: Ib5a6dc29fef9eb6676d4605f92d60f26a47d1d90
CRs-fixed: 2449980
| -rw-r--r-- | core/data-items/DataItemConcreteTypesBase.h | 2 | ||||
| -rw-r--r-- | gnss/GnssAdapter.cpp | 21 |
2 files changed, 21 insertions, 2 deletions
diff --git a/core/data-items/DataItemConcreteTypesBase.h b/core/data-items/DataItemConcreteTypesBase.h index 552d46a..a6e68f1 100644 --- a/core/data-items/DataItemConcreteTypesBase.h +++ b/core/data-items/DataItemConcreteTypesBase.h @@ -249,7 +249,7 @@ public: mId(NETWORKINFO_DATA_ITEM_ID) { memset (&mAllNetworkHandles, NETWORK_HANDLE_UNKNOWN, sizeof (mAllNetworkHandles)); - mAllNetworkHandles[type] = networkHandle; + mAllNetworkHandles[initialType] = networkHandle; } virtual ~NetworkInfoDataItemBase() {} inline virtual DataItemId getId() { return mId; } diff --git a/gnss/GnssAdapter.cpp b/gnss/GnssAdapter.cpp index 3563ed0..c3afbf7 100644 --- a/gnss/GnssAdapter.cpp +++ b/gnss/GnssAdapter.cpp @@ -995,9 +995,18 @@ GnssAdapter::gnssUpdateConfigCommand(GnssConfig config) mConfig(config), mCount(count), mIds(ids) {} + inline MsgGnssUpdateConfig(const MsgGnssUpdateConfig& obj) : + MsgGnssUpdateConfig(obj.mAdapter, obj.mApi, obj.mConfig, + new uint32_t[obj.mCount], obj.mCount) { + if (mIds != nullptr) { + for (int i = 0; i < mCount; ++i) { + mIds[i] = obj.mIds[i]; + } + } + } inline virtual ~MsgGnssUpdateConfig() { - delete [] mIds; + delete[] mIds; } inline virtual void proc() const { @@ -1255,6 +1264,16 @@ GnssAdapter::gnssGetConfigCommand(GnssConfigFlagsMask configMask) { mConfigMask(configMask), mIds(ids), mCount(count) {} + + inline MsgGnssGetConfig(const MsgGnssGetConfig& obj) : + MsgGnssGetConfig(obj.mAdapter, obj.mApi, obj.mConfigMask, + new uint32_t[obj.mCount], obj.mCount) { + if (mIds != nullptr) { + for (int i = 0; i < mCount; ++i) { + mIds[i] = obj.mIds[i]; + } + } + } inline virtual ~MsgGnssGetConfig() { delete[] mIds; |