authorAleksander Morgado <aleksandermj@chromium.org>2022-09-27 13:53:20 +0200
committerAleksander Morgado <aleksandermj@chromium.org>2022-09-27 13:54:06 +0200
commitd3baf0c492e954cf75024da71dfaac222278c0b4 (patch)
treee62c9d8b37a8925a6bffeab9ec11692aa8b1cd23
parent18ac2105b9a806dc3497428124a5a3d6ceb99fd4 (diff)
libqmi-glib,compat: fix invalid memory read on slot EID loading
This issue affects ModemManager 1.18 running against libqmi from the git main branch. ==87057== Invalid read of size 4 ==87057== at 0x5017285: g_array_maybe_expand (garray.c:988) ==87057== by 0x50176EF: g_array_append_vals (garray.c:528) ==87057== by 0x4A5ECF6: qmi_message_uim_get_slot_status_output_get_slot_eid_information (qmi-compat.c:2410) ==87057== by 0x2028AC: uim_get_slot_status_ready (mm-shared-qmi.c:3268) ==87057== by 0x4E6BD63: g_task_return_now (gtask.c:1232) ==87057== by 0x4E6FA1C: UnknownInlinedFun (gtask.c:1301) ==87057== by 0x4E6FA1C: g_task_return (gtask.c:1258) ==87057== by 0x4B65956: get_slot_status_ready (qmi-uim.c:22339) ==87057== by 0x4E58522: g_simple_async_result_complete (gsimpleasyncresult.c:804) ==87057== by 0x4E585AD: complete_in_idle_cb (gsimpleasyncresult.c:816) ==87057== by 0x504A81A: UnknownInlinedFun (gmain.c:3444) ==87057== by 0x504A81A: g_main_context_dispatch (gmain.c:4162) ==87057== by 0x50A0EC8: g_main_context_iterate.constprop.0 (gmain.c:4238) ==87057== by 0x5049D7E: g_main_loop_run (gmain.c:4438) ==87057== Address 0x9058870 is 16 bytes inside a block of size 40 free'd ==87057== at 0x484426F: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==87057== by 0x5014405: array_free (garray.c:486) ==87057== by 0x4A5ECB7: message_uim_get_slot_status_output_clear_slot_eid_information (qmi-compat.c:2358) ==87057== by 0x4A5ECB7: qmi_message_uim_get_slot_status_output_get_slot_eid_information (qmi-compat.c:2402) ==87057== by 0x2028AC: uim_get_slot_status_ready (mm-shared-qmi.c:3268) ==87057== by 0x4E6BD63: g_task_return_now (gtask.c:1232) ==87057== by 0x4E6FA1C: UnknownInlinedFun (gtask.c:1301) ==87057== by 0x4E6FA1C: g_task_return (gtask.c:1258) ==87057== by 0x4B65956: get_slot_status_ready (qmi-uim.c:22339) ==87057== by 0x4E58522: g_simple_async_result_complete (gsimpleasyncresult.c:804) ==87057== by 0x4E585AD: complete_in_idle_cb (gsimpleasyncresult.c:816) ==87057== by 0x504A81A: UnknownInlinedFun (gmain.c:3444) ==87057== by 
0x504A81A: g_main_context_dispatch (gmain.c:4162) ==87057== by 0x50A0EC8: g_main_context_iterate.constprop.0 (gmain.c:4238) ==87057== by 0x5049D7E: g_main_loop_run (gmain.c:4438) ==87057== Block was alloc'd at ==87057== at 0x4841888: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==87057== by 0x50482C9: g_malloc (gmem.c:130) ==87057== by 0x506AD17: g_slice_alloc (gslice.c:1074) ==87057== by 0x5017435: g_array_sized_new (garray.c:273) ==87057== by 0x4A5EC7D: qmi_message_uim_get_slot_status_output_get_slot_eid_information (qmi-compat.c:2399) ==87057== by 0x2028AC: uim_get_slot_status_ready (mm-shared-qmi.c:3268) ==87057== by 0x4E6BD63: g_task_return_now (gtask.c:1232) ==87057== by 0x4E6FA1C: UnknownInlinedFun (gtask.c:1301) ==87057== by 0x4E6FA1C: g_task_return (gtask.c:1258) ==87057== by 0x4B65956: get_slot_status_ready (qmi-uim.c:22339) ==87057== by 0x4E58522: g_simple_async_result_complete (gsimpleasyncresult.c:804) ==87057== by 0x4E585AD: complete_in_idle_cb (gsimpleasyncresult.c:816) ==87057== by 0x504A81A: UnknownInlinedFun (gmain.c:3444) ==87057== by 0x504A81A: g_main_context_dispatch (gmain.c:4162)
-rw-r--r--src/libqmi-glib/qmi-compat.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libqmi-glib/qmi-compat.c b/src/libqmi-glib/qmi-compat.c
index b543a4a0..9eb58340 100644
--- a/src/libqmi-glib/qmi-compat.c
+++ b/src/libqmi-glib/qmi-compat.c
@@ -2396,10 +2396,10 @@ qmi_message_uim_get_slot_status_output_get_slot_eid_information (
guint i;
ctx = message_uim_get_slot_status_output_get_compat_context (self);
- ctx->slot_eid_information = g_array_sized_new (FALSE, FALSE, sizeof (GArray *), slot_eid->len);
if (ctx->slot_eid_information)
message_uim_get_slot_status_output_clear_slot_eid_information (ctx->slot_eid_information);
+ ctx->slot_eid_information = g_array_sized_new (FALSE, FALSE, sizeof (GArray *), slot_eid->len);
for (i = 0; i < slot_eid->len; i++) {
QmiSlotEidElement *element;