
libmbim-glib: ensure client is valid during message processing

The Client object may be untracked while processing a message (e.g. if forwarding the response back to the remote client fails), and so the tracked reference may end up disposed.

If that happens, any attempt to use the client object would end up reading already freed memory, and it would segfault (e.g. in the while (client->buffer->len > 0) check just after having run process_message() in parse_request()).

Avoid this by ensuring a valid Client reference is kept around during all this processing.

This is the same fix done in libqmi at libqmi@d2b9f082

0x00007aa58d105375 (libmbim-glib.so.4 - mbim-message.c: 155)    _mbim_message_validate_generic_header
0x00007aa58d1030cf (libmbim-glib.so.4 - mbim-message.c: 171)    _mbim_message_validate_type_header
0x00007aa58d102ffc (libmbim-glib.so.4 - mbim-message.c: 323)    _mbim_message_validate_internal
0x00007aa58d109579 (libmbim-glib.so.4 - mbim-proxy.c: 1196)     parse_request
0x00007aa58d109579 (libmbim-glib.so.4 - mbim-proxy.c: 1255)     connection_readable_cb
0x00007aa58cca6051 (libgio-2.0.so.0 - gsocket.c: 4061)  socket_source_dispatch
0x00007aa58d02c7a0 (libglib-2.0.so.0 - gmain.c: 3460)   g_main_dispatch
0x00007aa58d02c7a0 (libglib-2.0.so.0 - gmain.c: 4200)   g_main_context_dispatch
0x00007aa58d02cabf (libglib-2.0.so.0 - gmain.c: 4276)   g_main_context_iterate
0x00007aa58d02cd3d (libglib-2.0.so.0 - gmain.c: 4479)   g_main_loop_run
0x00005b3b275ea614 (mbim-proxy - mbim-proxy.c: 267)     main
0x00007aa58cd6f6c5 (libc.so.6 - libc_start_call_main.h: 58)     __libc_start_call_main
0x00007aa58cd6f781 (libc.so.6 - libc-start.c: 389)      __libc_start_main_impl
0x00005b3b275ea3a0 (mbim-proxy + 0x000013a0)    _start
0x00007ffc08d6e287
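The lifetime bug described above, as an added example in C that is not libmbim code: a proxy tracks a refcounted Client, process_message() may untrack it (dropping the tracked reference) when forwarding fails, and the parsing loop then re-reads the object. The Client, Proxy, process_message(), parse_request_unsafe() and parse_request_safe() here are a constructed model of the pattern, not the library's types or functions. So that the bug is observable rather than a crash, this model does not free() at refcount zero but marks the object disposed and counts later accesses; that instrumentation is an assumption of the demo, in real code the same read is a use-after-free. The fixed shape holds its own reference for the whole loop, as the commit message proposes.

```c
/* Added example (not libmbim code): models a tracked Client whose last
 * reference is dropped from inside process_message(), after which the
 * parsing loop touches the object. client_unref() marks instead of frees
 * so the misuse can be counted (constructed instrumentation). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int           refcount;
    int           disposed;     /* set at refcount 0 instead of freeing */
    unsigned char buffer[64];   /* pending request bytes, like client->buffer */
    size_t        len;
} Client;

typedef struct {
    Client *tracked[4];
    int     n_tracked;
    int     uaf_accesses;       /* reads of an already disposed client */
    int     disposals;
} Proxy;

static Client *client_ref(Client *c) { c->refcount++; return c; }

static void client_unref(Proxy *p, Client *c) {
    if (--c->refcount == 0) {
        c->disposed = 1;        /* a real free() here makes any later read UB */
        p->disposals++;
    }
}

/* Stands in for the while (client->buffer->len > 0) check. */
static size_t client_buffer_len(Proxy *p, Client *c) {
    if (c->disposed) p->uaf_accesses++;
    return c->len;
}

static void proxy_untrack_client(Proxy *p, Client *c) {
    for (int i = 0; i < p->n_tracked; i++) {
        if (p->tracked[i] == c) {
            p->tracked[i] = p->tracked[--p->n_tracked];
            client_unref(p, c);     /* drops the tracked reference */
            return;
        }
    }
}

/* Consumes one fixed 8-byte message; a first byte of 0xFF simulates a
 * failed forward back to the remote client, which untracks the client. */
static void process_message(Proxy *p, Client *c) {
    int forward_failed = (c->buffer[0] == 0xFF);
    memmove(c->buffer, c->buffer + 8, c->len - 8);
    c->len -= 8;
    if (forward_failed)
        proxy_untrack_client(p, c);
}

/* Buggy shape: relies on the tracked reference outliving the loop. */
static void parse_request_unsafe(Proxy *p, Client *c) {
    while (client_buffer_len(p, c) >= 8)
        process_message(p, c);  /* loop condition re-reads c afterwards */
}

/* Fixed shape: hold an own reference for the whole parsing loop. */
static void parse_request_safe(Proxy *p, Client *c) {
    Client *held = client_ref(c);
    while (client_buffer_len(p, held) >= 8)
        process_message(p, held);
    client_unref(p, held);      /* final unref happens after the last read */
}

/* Runs one scenario: two queued messages, the first of which fails to
 * forward. Returns the proxy so callers can inspect the counters. */
static Proxy run(int safe) {
    Proxy p = {0};
    Client *c = calloc(1, sizeof *c);
    c->refcount = 1;                    /* the tracked reference */
    p.tracked[p.n_tracked++] = c;
    memset(c->buffer, 0xFF, 8);         /* constructed input: forward fails */
    memset(c->buffer + 8, 0x01, 8);     /* constructed input: second message */
    c->len = 16;
    if (safe) parse_request_safe(&p, c); else parse_request_unsafe(&p, c);
    free(c);
    return p;
}

int main(void) {
    Proxy bad = run(0), good = run(1);
    printf("unsafe: %d reads of a disposed client\n", bad.uaf_accesses);
    printf("safe:   %d reads of a disposed client\n", good.uaf_accesses);
    return 0;
}
```

In the unsafe run the loop condition is evaluated twice after the untrack has already dropped the last reference; in the safe run the extra reference keeps the object alive until the loop is done, and the client is disposed exactly once, at the final unref.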
