authorBen Chan <benchan@chromium.org>2017-08-03 14:25:33 -0700
committerAleksander Morgado <aleksander@aleksander.es>2017-08-04 14:08:18 +0200
commit0d3cca2c6f545cf9a91c75aed451df6d16ae5511 (patch)
treee3eea0fff30defa6d78a4a8ec2985ad88ad77661
parent625c204761592ac41f23de1680b32bc78365c144 (diff)
broadband-modem-qmi: fix potential use-after-freed issues
This patch fixes some potential use-after-free issues in dms_get_ids_ready(). When an invalid ESN / MEID is retrieved, `ctx->self->priv->esn' / `ctx->self->priv->meid' is freed but not reset to NULL. If no IMEI is retrieved, `str' can then be set to the already freed `ctx->self->priv->esn' / `ctx->self->priv->meid' and propagated to a GSimpleAsyncResult object.
-rw-r--r--src/mm-broadband-modem-qmi.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/mm-broadband-modem-qmi.c b/src/mm-broadband-modem-qmi.c
index 38356426..3a04e993 100644
--- a/src/mm-broadband-modem-qmi.c
+++ b/src/mm-broadband-modem-qmi.c
@@ -1231,7 +1231,7 @@ dms_get_ids_ready (QmiClientDms *client,
if (qmi_message_dms_get_ids_output_get_esn (output, &str, NULL) &&
str[0] != '\0') {
- g_free (ctx->self->priv->esn);
+ g_clear_pointer (&ctx->self->priv->esn, g_free);
len = strlen (str);
if (len == 7)
ctx->self->priv->esn = g_strdup_printf ("0%s", str); /* zero-pad to 8 chars */
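Review bot: The reason for clearing rather than merely freeing is not recorded at the `g_clear_pointer (&ctx->self->priv->esn, g_free);` line, so a later cleanup could turn it back into a plain `g_free` and reintroduce the dangling pointer. I would add a comment above it such as `/* Clear, not just free: if the length check below rejects the value, esn must be left NULL rather than dangling */`. The same applies to the `meid` line in the next hunk. The length branches continue past the end of both hunks, so I am assuming from the commit description that at least one path leaves the field unassigned.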
@@ -1243,7 +1243,7 @@ dms_get_ids_ready (QmiClientDms *client,
if (qmi_message_dms_get_ids_output_get_meid (output, &str, NULL) &&
str[0] != '\0') {
- g_free (ctx->self->priv->meid);
+ g_clear_pointer (&ctx->self->priv->meid, g_free);
len = strlen (str);
if (len == 14)
ctx->self->priv->meid = g_strdup (str);