From 33f5a705537ad0bac3a49a76258d6dd6e6300d96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matti=20Lehtim=C3=A4ki?= Date: Tue, 11 Feb 2025 15:06:51 +0200 Subject: [PATCH 1/4] [ofono-binder] Fix double free when SMS sending fails. JB#63132 Only affects AIDL interface. Fix an indentation style issue and reduce the scope of some variables. --- src/binder_sms.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/binder_sms.c b/src/binder_sms.c index 9b8487f..c0baa9e 100644 --- a/src/binder_sms.c +++ b/src/binder_sms.c @@ -468,18 +468,19 @@ binder_sms_submit_cb( (RADIO_MESSAGING_RESP)resp == RADIO_MESSAGING_RESP_SEND_IMS_SMS) { if (error == RADIO_ERROR_NONE) { GBinderReader reader; - gint32 message_ref; - char* ack_pdu = NULL; - gint32 error_code; gbinder_reader_copy(&reader, args); if (binder_read_parcelable_size(&reader)) { + gint32 message_ref; + char* ack_pdu = NULL; + gint32 error_code; + gbinder_reader_read_int32(&reader, &message_ref); ack_pdu = gbinder_reader_read_string16(&reader); gbinder_reader_read_int32(&reader, &error_code); DBG("%ssms msg ref: %d, ack: %s err: %d", ims ? "ims " : "", - message_ref, ack_pdu, error_code); + message_ref, ack_pdu, error_code); g_free(ack_pdu); /* @@ -495,7 +496,6 @@ binder_sms_submit_cb( return; } } - g_free(ack_pdu); } else { ofono_error("%ssms send error %s", ims ? "ims " : "", binder_radio_error_string(error)); From 20f286f2a23bf83990bc14f9de578b81fd5d963a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matti=20Lehtim=C3=A4ki?= Date: Tue, 11 Feb 2025 15:12:44 +0200 Subject: [PATCH 2/4] [ofono-binder] Fix null pointer dereference and incorrectly reporting call failure status. JB#63132 --- src/binder_voicecall.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/binder_voicecall.c b/src/binder_voicecall.c index 5022f67..921ad88 100644 --- a/src/binder_voicecall.c +++ b/src/binder_voicecall.c 
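Review bot: In `binder_sms_submit_cb` (src/binder_sms.c, first hunk), `message_ref` and `error_code` are still declared without initializers and the results of both `gbinder_reader_read_int32()` calls are ignored. A response parcel shorter than expected would presumably leave them indeterminate by the time they reach `DBG` and whatever follows in the part of the block not shown. Since the parcel comes from the radio service, initialize them at the declaration, `gint32 message_ref = 0;` and `gint32 error_code = 0;`, or bail out when a read returns FALSE. `ack_pdu` can also be NULL when passed to `%s` in `DBG`; whether that is safe depends on the logging backend, which is not visible here. The function body continues outside the hunk.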
@@ -596,8 +596,11 @@ binder_voicecall_lastcause_cb( if (resp == code) { GBinderReader reader; - const RadioLastCallFailCauseInfo* info; - gint32 cause_code; + /* + * Cause code 0 is invalid and can be used to check if code was + * obtained. + */ + gint32 cause_code = 0; /* * getLastCallFailCauseResponse(RadioResponseInfo, @@ -605,14 +608,17 @@ binder_voicecall_lastcause_cb( */ gbinder_reader_copy(&reader, args); if (self->interface_aidl == RADIO_AIDL_INTERFACE_NONE) { - info = gbinder_reader_read_hidl_struct(&reader, - RadioLastCallFailCauseInfo); - cause_code = info->causeCode; + const RadioLastCallFailCauseInfo* info = + gbinder_reader_read_hidl_struct(&reader, + RadioLastCallFailCauseInfo); + if (info) { + cause_code = info->causeCode; + } } else { gbinder_reader_read_int32(&reader, &cause_code); gbinder_reader_skip_string16(&reader); } - if (info) { + if (cause_code) { enum ofono_disconnect_reason reason = binder_voicecall_map_cause(self, cid, cause_code); From 7dd348cb90119a4a3b866a8def635e7421508397 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matti=20Lehtim=C3=A4ki?= Date: Tue, 11 Feb 2025 16:04:11 +0200 Subject: [PATCH 3/4] [ofono-binder] Fix incorrectly emitting binder property signals. JB#63132 --- src/binder_base.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/binder_base.c b/src/binder_base.c index 1f41c3f..48f6336 100644 --- a/src/binder_base.c +++ b/src/binder_base.c @@ -143,8 +143,8 @@ binder_base_emit_queued_signals( /* Signal handlers may release references to this object */ g_object_ref(self); - /* Emit the signals */ - for (p = 0; self->queued_signals && p < BINDER_BASE_MAX_PROPERTIES; p++) { + /* Emit the signals, ignore the ANY property */ + for (p = 1; self->queued_signals && p < BINDER_BASE_MAX_PROPERTIES; p++) { if (self->queued_signals & BINDER_BASE_PROPERTY_BIT(p)) { self->queued_signals &= ~BINDER_BASE_PROPERTY_BIT(p); g_signal_emit(self, binder_base_signals[SIGNAL_PROPERTY_CHANGED], 
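Review bot: In `binder_voicecall_lastcause_cb` (src/binder_voicecall.c, second hunk), the AIDL branch still ignores the result of `gbinder_reader_read_int32(&reader, &cause_code)`, so a failed read is caught only indirectly, because `cause_code` was pre-set to 0. The value 0 then means both "read failed" and "service reported 0", and the `if (cause_code)` test cannot tell the two apart when someone later debugs a missing disconnect reason. Consider making the failure explicit, for example `if (!gbinder_reader_read_int32(&reader, &cause_code)) { DBG("no cause code in response"); }`. The same applies to a NULL `info` in the HIDL branch. The callback starts and ends outside the hunk, so the path taken for a zero cause is not visible here.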
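Review bot: In `binder_base_emit_queued_signals` (src/binder_base.c), the literal `1` as the loop start ties this function to the ANY property having index 0, which the hunk does not show. Prefer the property's named constant plus one over the literal, or at least spell the reason out in the comment: `/* Emit the signals; p starts at 1 because index 0 is the ANY property */`. Whether the unchanged upper bound `p < BINDER_BASE_MAX_PROPERTIES` still reaches the last real property depends on how `BINDER_BASE_PROPERTY_BIT` maps an index to a bit, which is defined outside the hunk and worth confirming. The function continues outside the hunk.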
From b00ecc5417119ecc40c8af05fc377269b4dadcf6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matti=20Lehtim=C3=A4ki?= Date: Tue, 11 Feb 2025 22:01:28 +0200 Subject: [PATCH 4/4] [ofono-binder] Fix disabling and enabling VoLTE with toggle. JB#63009 --- src/binder_ims.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/binder_ims.c b/src/binder_ims.c index ae3934d..3a9804d 100644 --- a/src/binder_ims.c +++ b/src/binder_ims.c @@ -21,6 +21,7 @@ #include "binder_util.h" #include "binder_ext_ims.h" +#include "binder_ext_slot.h" #include @@ -211,6 +212,8 @@ binder_ims_probe( self->handle = handle; self->ims = binder_ims_reg_ref(modem->ims); + self->ext = binder_ext_ims_ref(binder_ext_slot_get_interface(modem->ext, + BINDER_EXT_TYPE_IMS)); self->start_id = g_idle_add(binder_ims_start, self); ofono_ims_set_data(handle, self); return 0;
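Review bot: In `binder_ims_probe` (src/binder_ims.c, second hunk), the new `self->ext` reference is taken with no release visible in this patch. The matching unref in the remove or teardown path must already exist outside the hunk or be added here, otherwise the extension object stays referenced after each modem removal. The chained call also assumes that `binder_ext_slot_get_interface()` accepts a NULL `modem->ext` and that `binder_ext_ims_ref()` accepts a NULL interface, which matters on devices without an extension plugin. A comment such as `/* NULL if the slot has no IMS extension */` above the assignment would record that expectation. The function starts outside the hunk.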