Fix null pointer deref in libsensor SensorServer When trying to create a senor direct connection, check that native handle resource is not null, and if so return BAD_VALUE error. Bug: 135051254 Test: Load onto device and try "service call sensorservice 5" commands that have no arguments and random arguments. Both throw new error and do not crash system as hoped. Change-Id: Ie2eaf1a17843da89927293e408768bfbaaf86ec8

commit: 2249c88ec56f2524a3c5bee5cbca232eae1357d1 [log] [tgz]
author: Stan Rokita <srok@google.com> Tue Jul 30 14:23:49 2019 -0700
committer: Stan Rokita <srok@google.com> Tue Jul 30 15:58:32 2019 -0700
tree: 353bc7c17734cc0237611279812d297df21a1a8e
parent: 61eba0db9dc4a16ed37fd9f091b02abc65803985 [diff] [blame]
diff --git a/libs/sensor/ISensorServer.cpp b/libs/sensor/ISensorServer.cpp
index 5200545..8ed09f8 100644
--- a/libs/sensor/ISensorServer.cpp
+++ b/libs/sensor/ISensorServer.cpp

@@ -199,6 +199,10 @@
             int32_t type = data.readInt32();
             int32_t format = data.readInt32();
             native_handle_t *resource = data.readNativeHandle();
+            // Avoid a crash in native_handle_close if resource is nullptr
+            if (resource == nullptr) {
+                return BAD_VALUE;
+            }
             sp<ISensorEventConnection> ch =
                     createSensorDirectConnection(opPackageName, size, type, format, resource);
             native_handle_close(resource);
commit	2249c88ec56f2524a3c5bee5cbca232eae1357d1	[log] [tgz]
author	Stan Rokita <srok@google.com>	Tue Jul 30 14:23:49 2019 -0700
committer	Stan Rokita <srok@google.com>	Tue Jul 30 15:58:32 2019 -0700
tree	353bc7c17734cc0237611279812d297df21a1a8e
parent	61eba0db9dc4a16ed37fd9f091b02abc65803985 [diff] [blame]