UPSTREAM: libmbim-glib: ensure client is valid during message processing

The Client object may be untracked while processing a message (e.g. if
forwarding the response back to the remote client fails), and so the
tracked reference may end up disposed.

If that happens, any attempt to use the client object would end up
reading already freed memory, and it would segfault (e.g. in the
`while (client->buffer->len > 0)` check just after having run
`process_message()` in `parse_request()`).

Avoid this by ensuring a valid Client reference is kept around during
all this processing.

This is the same fix done in libqmi at
https://gitlab.freedesktop.org/mobile-broadband/libqmi/-/commit/d2b9f082e8684be41e9cd0d3de6edf488803e236

    0x00007aa58d105375 (libmbim-glib.so.4 - mbim-message.c: 155)    _mbim_message_validate_generic_header
    0x00007aa58d1030cf (libmbim-glib.so.4 - mbim-message.c: 171)    _mbim_message_validate_type_header
    0x00007aa58d102ffc (libmbim-glib.so.4 - mbim-message.c: 323)    _mbim_message_validate_internal
    0x00007aa58d109579 (libmbim-glib.so.4 - mbim-proxy.c: 1196)     parse_request
    0x00007aa58d109579 (libmbim-glib.so.4 - mbim-proxy.c: 1255)     connection_readable_cb
    0x00007aa58cca6051 (libgio-2.0.so.0 - gsocket.c: 4061)  socket_source_dispatch
    0x00007aa58d02c7a0 (libglib-2.0.so.0 - gmain.c: 3460)   g_main_dispatch
    0x00007aa58d02c7a0 (libglib-2.0.so.0 - gmain.c: 4200)   g_main_context_dispatch
    0x00007aa58d02cabf (libglib-2.0.so.0 - gmain.c: 4276)   g_main_context_iterate
    0x00007aa58d02cd3d (libglib-2.0.so.0 - gmain.c: 4479)   g_main_loop_run
    0x00005b3b275ea614 (mbim-proxy - mbim-proxy.c: 267)     main
    0x00007aa58cd6f6c5 (libc.so.6 - libc_start_call_main.h: 58)     __libc_start_call_main
    0x00007aa58cd6f781 (libc.so.6 - libc-start.c: 389)      __libc_start_main_impl
    0x00005b3b275ea3a0 (mbim-proxy + 0x000013a0)    _start
    0x00007ffc08d6e287

(cherry picked from commit 2fbe1cff1894e6a45e9cf91e77a45d9c76b17914)

BUG=b:311151130
TEST=Manual testing to ensure we don't crash or leak anything

Change-Id: I2aaaa5f2d18abbb6da041738ef38d4bee8997e9f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/libmbim/+/5050220
Reviewed-by: Eric Caruso <ejcaruso@chromium.org>
Tested-by: Aleksander Morgado <aleksandermj@google.com>
Commit-Queue: Aleksander Morgado <aleksandermj@google.com>
(cherry picked from commit cc369ea9d0578ba22a0b90c284848443f357d398)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/libmbim/+/5049887
Reviewed-by: Andrew Lassalle <andrewlassalle@chromium.org>
1 file changed
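
The pattern the commit message describes, as an added example that is not libmbim code: a stand-alone C model in which a plain reference count stands in for GObject references. `Client`, `process_message()` and `parse_request()` reuse names from the message, but their bodies and the helpers `track_new_client()`, `untrack_client()`, `client_ref()` and `client_unref()` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (assumption): a plain refcount instead of GObject refs. */
typedef struct { int refs; size_t buffer_len; } Client;

static int live_clients;   /* number of Client objects not yet freed */
static Client *tracked;    /* the proxy's single tracked reference */

static Client *client_ref(Client *c) { c->refs++; return c; }
static void client_unref(Client *c) {
    if (--c->refs == 0) { live_clients--; free(c); }
}

/* Create a client with `pending` queued messages; the proxy owns the ref. */
static Client *track_new_client(size_t pending) {
    Client *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refs = 1;
    c->buffer_len = pending;
    live_clients++;
    return tracked = c;
}

/* Drop the tracked reference, as when forwarding a response fails. */
static void untrack_client(void) {
    Client *c = tracked;
    tracked = NULL;
    if (c) client_unref(c);
}

/* Consume one message; on failure the client is untracked mid-processing. */
static void process_message(Client *c, int forward_fails) {
    c->buffer_len--;
    if (forward_fails) untrack_client();
}

/* Hold our own reference across the loop so the loop condition never reads
 * freed memory. Without the ref/unref pair, the first failed forward would
 * free `c` and the next `c->buffer_len` read would be a use-after-free. */
static int parse_request(Client *c, int forward_fails) {
    int handled = 0;
    client_ref(c);
    while (c->buffer_len > 0) { process_message(c, forward_fails); handled++; }
    client_unref(c);   /* may drop the last reference; `c` is not used after */
    return handled;
}

int main(void) {
    printf("handled=%d\n", parse_request(track_new_client(2), 1));
    printf("live=%d\n", live_clients);
    return 0;
}
```

Removing the `client_ref()`/`client_unref()` pair and building with `-fsanitize=address` makes the model report a heap-use-after-free on the loop condition, the same read the commit message points at.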
tree: 892b0c827bb578f5e0dcc0b26a84dea21d558e1f
README.md

libmbim

libmbim is a glib-based library for talking to WWAN modems and devices which speak the Mobile Broadband Interface Model (MBIM) protocol.

Documentation

Project documentation is kept in: https://modemmanager.org/docs/libmbim/

License

  • libmbim-glib library is released under the LGPL-2.1-or-later license.
  • mbimcli and mbim-network tools are released under the GPL-2.0-or-later license.

License texts can be found under the LICENSES folder.

Code of Conduct

Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms, which you can find in the following link: https://www.freedesktop.org/wiki/CodeOfConduct

CoC issues may be raised to the project maintainers at the following address: libmbim-devel-owner@lists.freedesktop.org