From 31aa7aa6c88ca932a61968025c2dab354d8c14d1 Mon Sep 17 00:00:00 2001
From: xshu <xshu@google.com>
Date: Fri, 29 Sep 2017 14:05:32 -0700
Subject: Fix memory corruption by changing refs to Objects

The memory corruption is caused by temporary Objects which where
binding to references getting destroyed before they were expected
to. This caused the references to point to corrupted memory.
This fix make the temporary Objects be assigned to Objects instead.

Bug: 66968282
Test: run ./system/connectivity/wifilogd/runtests.sh
Change-Id: If7a14326a663df554a5de9a812422e21b888edf6
---
 byte_buffer.h                        |  2 +-
 command_processor.cpp                |  4 ++--
 tests/command_processor_unittest.cpp | 16 ++++++++--------
 tests/protocol_unittest.cpp          | 21 +++++++++++++++++++++
 4 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/byte_buffer.h b/byte_buffer.h
index 2fdff62..1d79b6d 100644
--- a/byte_buffer.h
+++ b/byte_buffer.h
@@ -32,7 +32,7 @@ namespace wifilogd {
 // memory allocation.
 //
 // Usage could be as follows:
-//     const auto& buffer = ByteBuffer<1024>()
+//     const auto buffer = ByteBuffer<1024>()
 //         .AppendOrDie(header.data(), header.size())
 //         .AppendOrDie(body.data(), body.size());
 //     write(fd, buffer.data(), buffer.size());
diff --git a/command_processor.cpp b/command_processor.cpp
index b969bb4..ea223af 100644
--- a/command_processor.cpp
+++ b/command_processor.cpp
@@ -186,12 +186,12 @@ bool CommandProcessor::CopyCommandToLog(const void* command_buffer,
   }
   CHECK(current_log_buffer_.CanFitNow(total_size));
 
-  const auto& tstamp_header =
+  const auto tstamp_header =
       TimestampHeader()
           .set_since_boot_awake_only(os_->GetTimestamp(CLOCK_MONOTONIC))
           .set_since_boot_with_sleep(os_->GetTimestamp(CLOCK_BOOTTIME))
           .set_since_epoch(os_->GetTimestamp(CLOCK_REALTIME));
-  const auto& message_buf =
+  const auto message_buf =
       ByteBuffer<sizeof(TimestampHeader) + protocol::kMaxMessageSize>()
           .AppendOrDie(&tstamp_header, sizeof(tstamp_header))
           .AppendOrDie(command_buffer, command_len);
diff --git a/tests/command_processor_unittest.cpp b/tests/command_processor_unittest.cpp
index ede5cb0..50b6e78 100644
--- a/tests/command_processor_unittest.cpp
+++ b/tests/command_processor_unittest.cpp
@@ -88,7 +88,7 @@ class CommandProcessorTest : public ::testing::Test {
         tag.length() + ascii_message_tag_len_adjustment;
     const size_t adjusted_data_len =
         message.length() + ascii_message_data_len_adjustment;
-    const auto& ascii_message_header =
+    const auto ascii_message_header =
         protocol::AsciiMessage()
             .set_tag_len(SAFELY_CLAMP(
                 adjusted_tag_len, uint8_t, 0,
@@ -103,7 +103,7 @@ class CommandProcessorTest : public ::testing::Test {
     const size_t payload_len = sizeof(ascii_message_header) + tag.length() +
                                message.length() +
                                command_payload_len_adjustment;
-    const auto& command =
+    const auto command =
         protocol::Command()
             .set_opcode(protocol::Opcode::kWriteAsciiMessage)
             .set_payload_len(SAFELY_CLAMP(
@@ -143,10 +143,10 @@ class CommandProcessorTest : public ::testing::Test {
   }
 
   bool SendDumpBuffers() {
-    const auto& command = protocol::Command()
-                              .set_opcode(protocol::Opcode::kDumpBuffers)
-                              .set_payload_len(0);
-    const auto& buf = CommandBuffer().AppendOrDie(&command, sizeof(command));
+    const auto command = protocol::Command()
+                             .set_opcode(protocol::Opcode::kDumpBuffers)
+                             .set_payload_len(0);
+    const auto buf = CommandBuffer().AppendOrDie(&command, sizeof(command));
     constexpr int kFakeFd = 100;
     return command_processor_->ProcessCommand(buf.data(), buf.size(), kFakeFd);
   }
@@ -220,12 +220,12 @@ TEST_F(CommandProcessorTest, ProcessCommandInvalidOpcodeReturnsFailure) {
   using opcode_integral_t = std::underlying_type<opcode_enum_t>::type;
   constexpr auto invalid_opcode = GetMaxVal<opcode_integral_t>();
 
-  const auto& command =
+  const auto command =
       protocol::Command()
           .set_opcode(local_utils::CopyFromBufferOrDie<opcode_enum_t>(
               &invalid_opcode, sizeof(invalid_opcode)))
           .set_payload_len(0);
-  const auto& buf = CommandBuffer().AppendOrDie(&command, sizeof(command));
+  const auto buf = CommandBuffer().AppendOrDie(&command, sizeof(command));
   constexpr int kFakeFd = 100;
   EXPECT_FALSE(
       command_processor_->ProcessCommand(buf.data(), buf.size(), kFakeFd));
diff --git a/tests/protocol_unittest.cpp b/tests/protocol_unittest.cpp
index 76de58b..abbd86b 100644
--- a/tests/protocol_unittest.cpp
+++ b/tests/protocol_unittest.cpp
@@ -33,6 +33,27 @@ namespace wifilogd {
 //     2. We need to maintain compatibility with older clients talking to
 //        newer versions of wifilogd.
 
+TEST(ProtocolTest, AsciiMessageChainingWorks) {
+  using protocol::AsciiMessage;
+  uint8_t tagLen = 3;
+  uint16_t dataLen = 7;
+  const auto ascii_message_header =
+      AsciiMessage().set_tag_len(tagLen).set_data_len(dataLen);
+  EXPECT_EQ(tagLen, ascii_message_header.tag_len);
+  EXPECT_EQ(dataLen, ascii_message_header.data_len);
+}
+
+TEST(ProtocolTest, AsciiMessageNonChainingWorks) {
+  using protocol::AsciiMessage;
+  uint8_t tagLen = 3;
+  uint16_t dataLen = 7;
+  AsciiMessage ascii_message_header = AsciiMessage();
+  ascii_message_header.set_tag_len(tagLen);
+  ascii_message_header.set_data_len(dataLen);
+  EXPECT_EQ(tagLen, ascii_message_header.tag_len);
+  EXPECT_EQ(dataLen, ascii_message_header.data_len);
+}
+
 TEST(ProtocolTest, AsciiMessageLayoutIsUnchanged) {
   using protocol::AsciiMessage;
   ASSERT_TRUE(std::is_standard_layout<AsciiMessage>::value);
-- 
cgit v1.2.3