From e75b28ed4b94e3d237ce6e47aef2a2a0d8555ae7 Mon Sep 17 00:00:00 2001
From: Sunil Kumar Behera
Date: Tue, 10 Jan 2012 12:43:25 +0530
Subject: [PATCH] obexd: Fix possible invalid memory access
Issue: As reported by static code analyzer (Coverity), if buffer is NULL and aparams is not NULL, then buffer gets dereferenced in string_read function.
Fix: Application parameter is allocated only if maxlistcount is zero during phonebooksize request and buffer is allocated in case of pull phonebook request, hence modify logic to avoid application parameter check, as it is tightly coupled with maxlistcount.
---
 obexd/plugins/pbap.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/obexd/plugins/pbap.c b/obexd/plugins/pbap.c
index 0f07c4646..eb2bc9cd4 100644
--- a/obexd/plugins/pbap.c
+++ b/obexd/plugins/pbap.c
@@ -996,11 +996,12 @@ static ssize_t vobject_pull_read(void *object, void *buf, size_t count)
 DBG("buffer %p maxlistcount %d", obj->buffer, pbap->params->maxlistcount);
- if (!obj->buffer && !obj->aparams)
- return -EAGAIN;
+ if (!obj->buffer) {
+ if (pbap->params->maxlistcount == 0)
+ return -ENOSTR;
- if (pbap->params->maxlistcount == 0)
- return -ENOSTR;
+ return -EAGAIN;
+ }
 len = string_read(obj->buffer, buf, count);
 if (len == 0 && !obj->lastpart) {
--
2.47.3
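Review bot: For `maxlistcount == 0` the new guard returns `-ENOSTR` as soon as `obj->buffer` is NULL, even when `obj->aparams` has not been produced yet, whereas the removed check returned `-EAGAIN` until one of the two existed. Whether the caller treats an early `-ENOSTR` as final is not visible in this hunk and should be confirmed. The reverse case changed too: a non-NULL buffer with `maxlistcount == 0` used to return `-ENOSTR` and now reaches `string_read`, so correctness rests on the allocation invariant that only the commit message describes. I would record it above the guard, e.g. `/* buffer is only allocated for pull requests (maxlistcount != 0); size-only requests are answered via aparams */`. The body of `vobject_pull_read` starts and ends outside the hunk.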