[PATCH] Try to fix segfault in xmm6260_ipc_fmt_client_recv on maguro

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Sat Aug 18 14:38:54 UTC 2012


Without this fix we get the following crash:
  I/DEBUG   ( 1801):          #00  pc 0000dd48  /system/lib/libc.so (memcpy)
  I/DEBUG   ( 1801):          #01  pc 00015b8e  /system/lib/libsamsung-ril.so (xmm6260_ipc_fmt_client_recv)
  I/DEBUG   ( 1801):          #02  pc 00011d74  /system/lib/libsamsung-ril.so (ipc_client_recv)
  I/DEBUG   ( 1801):          #03  pc 0000c6c8  /system/lib/libsamsung-ril.so (ipc_fmt_read_loop)
  I/DEBUG   ( 1801):          #04  pc 0000bff4  /system/lib/libsamsung-ril.so (ril_client_thread)
  I/DEBUG   ( 1801):          #05  pc 00012e2c  /system/lib/libc.so (__thread_entry)
  I/DEBUG   ( 1801):          #06  pc 0001295c  /system/lib/libc.so (pthread_create)

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo at no-log.org>
Signed-off-by: Paul Kocialkowski <contact at paulk.fr>
---
 samsung-ipc/device/xmm6260/xmm6260_ipc.c |   13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/samsung-ipc/device/xmm6260/xmm6260_ipc.c b/samsung-ipc/device/xmm6260/xmm6260_ipc.c
index 5f4aad1..86ec3ad 100644
--- a/samsung-ipc/device/xmm6260/xmm6260_ipc.c
+++ b/samsung-ipc/device/xmm6260/xmm6260_ipc.c
@@ -92,10 +92,13 @@ int xmm6260_ipc_fmt_client_recv(struct ipc_client *client, struct ipc_message_in
     int num_read = 0;
     int left = 0;
 
+    if (client == NULL || response == NULL)
+	return -1;
+
     num_read = client->handlers->read(buf, IPC_MAX_XFER,
         client->handlers->read_data);
 
-    if (num_read < 0) {
+    if (num_read <= 0) {
         ipc_client_log(client, "read failed to read ipc length: %d", num_read);
         response->data = 0;
         response->length = 0;
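Review bot: The added `return -1;` on the NULL-check line is indented with a tab while the rest of the function uses four spaces, so the new guard should read `    if (client == NULL || response == NULL)` / `        return -1;` to match the file. The `num_read <= 0` change only catches empty and failed reads; if the code between this hunk and the next copies the IPC header out of `buf` (the `sizeof(ipc)` on the new side of the second hunk suggests it does), a read shorter than the header would still be parsed, and a check such as `if (num_read < (int) sizeof(ipc))` taking the same error path would close that gap. The body of xmm6260_ipc_fmt_client_recv starts before this hunk and continues past it, so this is inferred from the visible lines only.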
@@ -118,9 +121,11 @@ int xmm6260_ipc_fmt_client_recv(struct ipc_client *client, struct ipc_message_in
     response->index = ipc.index;
     response->type = ipc.type;
     response->length = ipc.length - sizeof(ipc);
-    
-    response->data = (unsigned char*)malloc(response->length);
-    memcpy(response->data, buf + sizeof(ipc), response->length);
+
+    if (response->length > 0) {
+        response->data = (unsigned char*)malloc(response->length);
+        memcpy(response->data, buf + sizeof(ipc), response->length);
+    }
 
     ipc_client_log_recv(client, response, __func__);
 
-- 
1.7.5.4


