Self-check security issue modification: The abnormal branch memory is not released

Signed-off-by: erliangqi <zhangjiaxiang7@huawei.com>
2024-12-14 05:18:57 +00:00 · 2024-05-08 10:59:22 +08:00 · 2024-05-08 10:59:22 +08:00 · 2e692518e1
commit 2e692518e1
parent 0a5731aa52
4 changed files with 10 additions and 8 deletions
--- a/core/transmission/trans_channel/tcp_direct/src/trans_tcp_direct_message.c
+++ b/core/transmission/trans_channel/tcp_direct/src/trans_tcp_direct_message.c
@ -839,6 +839,7 @@ static int32_t OpenDataBusRequest(int32_t channelId, uint32_t flags, uint64_t se
        TRANS_LOGI(TRANS_CTRL,
            "Request denied: session is not a meta session. sessionName=%{public}s", tmpName);
        AnonymizeFree(tmpName);
+        SoftBusFree(conn);
        return SOFTBUS_TRANS_NOT_META_SESSION;
    }
    char *errDesc = NULL;
--- a/sdk/frame/standard/src/softbus_client_stub.cpp
+++ b/sdk/frame/standard/src/softbus_client_stub.cpp
@ -428,14 +428,7 @@ int32_t SoftBusClientStub::OnChannelMsgReceivedInner(MessageParcel &data, Messag
        COMM_LOGE(COMM_SDK, "OnChannelMsgReceivedInner read type failed!");
        return SOFTBUS_ERR;
    }
-    char *infoData = (char *)SoftBusMalloc(len);
-    if (infoData == NULL) {
-        COMM_LOGE(COMM_SDK, "malloc infoData failed!");
-        return SOFTBUS_ERR;
-    }
-    memcpy_s(infoData, len, dataInfo, len);
-    int ret = OnChannelMsgReceived(channelId, channelType, infoData, len, type);
-    SoftBusFree(infoData);
+    int ret = OnChannelMsgReceived(channelId, channelType, dataInfo, len, type);
    bool res = reply.WriteInt32(ret);
    if (!res) {
        COMM_LOGE(COMM_SDK, "OnChannelMsgReceivedInner write reply failed!");
--- a/sdk/transmission/session/src/client_trans_session_manager.c
+++ b/sdk/transmission/session/src/client_trans_session_manager.c
@ -201,6 +201,7 @@ NO_SANITIZE("cfi") static DestroySessionInfo *CreateDestroySessionNode(SessionIn
    destroyNode->channelType = sessionNode->channelType;
    if (memcpy_s(destroyNode->sessionName, SESSION_NAME_SIZE_MAX, server->sessionName, SESSION_NAME_SIZE_MAX) != EOK) {
        TRANS_LOGE(TRANS_SDK, "memcpy_s sessionName fail.");
+        SoftBusFree(destroyNode);
        return NULL;
    }
    destroyNode->OnSessionClosed = server->listener.session.OnSessionClosed;
--- a/sdk/transmission/trans_channel/proxy/src/client_trans_proxy_manager.c
+++ b/sdk/transmission/trans_channel/proxy/src/client_trans_proxy_manager.c
@ -907,12 +907,15 @@ int32_t TransProxyPackAndSendData(
        uint8_t *sliceData = (uint8_t *)SoftBusCalloc(dataLen + sizeof(SliceHead));
        if (sliceData == NULL) {
            TRANS_LOGE(TRANS_SDK, "malloc slice data error, channelId=%{public}d", channelId);
+            SoftBusFree(dataInfo.outData);
            return SOFTBUS_MALLOC_ERR;
        }
        SliceHead *slicehead = (SliceHead *)sliceData;
        slicehead->priority = SessionPktTypeToProxyIndex(pktType);
        if (sliceNum > INT32_MAX) {
            TRANS_LOGE(TRANS_FILE, "Data overflow");
+            SoftBusFree(sliceData);
+            SoftBusFree(dataInfo.outData);
            return SOFTBUS_INVALID_NUM;
        }
        slicehead->sliceNum = (int32_t)sliceNum;
@ -920,12 +923,16 @@ int32_t TransProxyPackAndSendData(
        ClientPackSliceHead(slicehead);
        if (memcpy_s(sliceData + sizeof(SliceHead), dataLen, dataInfo.outData + offset, dataLen) != EOK) {
            TRANS_LOGE(TRANS_SDK, "memcpy_s error, channelId=%{public}d", channelId);
+            SoftBusFree(sliceData);
+            SoftBusFree(dataInfo.outData);
            return SOFTBUS_MEM_ERR;
        }

        int ret = ServerIpcSendMessage(channelId, CHANNEL_TYPE_PROXY, sliceData, dataLen + sizeof(SliceHead), pktType);
        if (ret != SOFTBUS_OK) {
            TRANS_LOGE(TRANS_SDK, "ServerIpcSendMessage error, channelId=%{public}d, ret=%{public}d", channelId, ret);
+            SoftBusFree(sliceData);
+            SoftBusFree(dataInfo.outData);
            return ret;
        }