[at_socket.c] Fix null pointer vulnerability caused by the variable at_sock (#7166)

HUST_lxq 2023-04-03 23:06:42 +08:00 committed by GitHub
parent e49140b513
commit 69e5b10e31
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 9 deletions


@ -70,9 +70,9 @@ struct at_socket *at_get_socket(int socket)
rt_slist_for_each(node, &_socket_list) rt_slist_for_each(node, &_socket_list)
{ {
at_sock = rt_slist_entry(node, struct at_socket, list); at_sock = rt_slist_entry(node, struct at_socket, list);
if (socket == at_sock->socket) if (at_sock && socket == at_sock->socket)
{ {
if (at_sock && at_sock->magic == AT_SOCKET_MAGIC) if (at_sock->magic == AT_SOCKET_MAGIC)
{ {
rt_hw_interrupt_enable(level); rt_hw_interrupt_enable(level);
return at_sock; return at_sock;
@ -97,9 +97,9 @@ struct at_socket *at_get_base_socket(int base_socket)
rt_slist_for_each(node, &_socket_list) rt_slist_for_each(node, &_socket_list)
{ {
at_sock = rt_slist_entry(node, struct at_socket, list); at_sock = rt_slist_entry(node, struct at_socket, list);
if (base_socket == (int)at_sock->user_data && at_sock->state != AT_SOCKET_LISTEN) if (at_sock && base_socket == (int)at_sock->user_data && at_sock->state != AT_SOCKET_LISTEN)
{ {
if (at_sock && at_sock->magic == AT_SOCKET_MAGIC) if (at_sock->magic == AT_SOCKET_MAGIC)
{ {
rt_hw_interrupt_enable(level); rt_hw_interrupt_enable(level);
return at_sock; return at_sock;
@ -149,7 +149,7 @@ static int at_recvpkt_all_delete(rt_slist_t *rlist)
{ {
pkt = rt_slist_entry(node, struct at_recv_pkt, list); pkt = rt_slist_entry(node, struct at_recv_pkt, list);
node = rt_slist_next(node); node = rt_slist_next(node);
if (pkt->buff) if (pkt && pkt->buff)
{ {
rt_free(pkt->buff); rt_free(pkt->buff);
} }
@ -176,7 +176,7 @@ static int at_recvpkt_node_delete(rt_slist_t *rlist, rt_slist_t *node)
rt_slist_remove(rlist, node); rt_slist_remove(rlist, node);
pkt = rt_slist_entry(node, struct at_recv_pkt, list); pkt = rt_slist_entry(node, struct at_recv_pkt, list);
if (pkt->buff) if (pkt && pkt->buff)
{ {
rt_free(pkt->buff); rt_free(pkt->buff);
} }
@ -209,6 +209,8 @@ static size_t at_recvpkt_get(rt_slist_t *rlist, char *mem, size_t len)
free_node = node; free_node = node;
node = rt_slist_next(node); node = rt_slist_next(node);
if (!pkt) continue;
page_pos = pkt->bfsz_totle - pkt->bfsz_index; page_pos = pkt->bfsz_totle - pkt->bfsz_index;
if (page_pos >= len - content_pos) if (page_pos >= len - content_pos)
@ -330,7 +332,7 @@ static int alloc_empty_socket(rt_slist_t *l)
rt_slist_for_each(node, &_socket_list) rt_slist_for_each(node, &_socket_list)
{ {
at_sock = rt_slist_entry(node, struct at_socket, list); at_sock = rt_slist_entry(node, struct at_socket, list);
if(at_sock->socket != idx) if(at_sock && at_sock->socket != idx)
break; break;
idx++; idx++;
pre_node = node; pre_node = node;
@ -527,9 +529,9 @@ static int free_socket(struct at_socket *sock)
rt_slist_for_each(node, &_socket_list) rt_slist_for_each(node, &_socket_list)
{ {
at_sock = rt_slist_entry(node, struct at_socket, list); at_sock = rt_slist_entry(node, struct at_socket, list);
if (sock->socket == at_sock->socket) if (at_sock && sock->socket == at_sock->socket)
{ {
if (at_sock && at_sock->magic == AT_SOCKET_MAGIC) if (at_sock->magic == AT_SOCKET_MAGIC)
{ {
rt_slist_remove(&_socket_list, &at_sock->list); rt_slist_remove(&_socket_list, &at_sock->list);
break; break;
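Review bot: The added `at_sock &&` guards in the four `rt_slist_for_each` loops (at_get_socket, at_get_base_socket, alloc_empty_socket, free_socket) look unable to fail, so they do not close a null dereference. `rt_slist_entry()` is container_of pointer arithmetic on `node`, and the loop body only runs with a non-NULL `node`, so the result is NULL only if the node's address happened to equal the member offset. The same applies to the `pkt` tests in the three at_recvpkt_* hunks, and in at_recvpkt_node_delete `node` has already been handed to `rt_slist_remove()` before `pkt` is tested. The check that actually rejects a stale or corrupted entry is `at_sock->magic == AT_SOCKET_MAGIC`; if a NULL node is a real concern, test `node` itself before the `rt_slist_entry()` call, for example `if (node == RT_NULL) return -1;` in at_recvpkt_node_delete (return convention to be confirmed), and record the invariant with `/* rt_slist_entry() never yields NULL for a non-NULL node */`. All of these functions begin and end outside the hunks shown, so callers and any earlier validation of `sock` or `rlist` are not visible here.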