Public bug reported:

A RIL Reply is comprised of the following fields:

  uint32_t - Length
  uint32_t - 0 (this means it's a reply vs. an event)
  uint32_t - Serial Number
  uint32_t - Error code
  void*    - Event Data

If the event data is empty, the low-level gril.c function dispatch()
incorrectly handles the message, and fails to free the buf pointer and
set the buf_len to 0.

Currently all of our rilmodem code checks the error code first, before
attempting to parse the buffer. We recently discovered that SIM_IO
responses may contain event_data even though error is non-zero. When
we changed the code to parse the data on a SIM IO even when error was
non-zero, bad things happened due to buf and buf_len being invalid.

** Affects: ofono (Ubuntu)
Importance: Undecided
Status: Confirmed
** Changed in: ofono (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1254219
Title:
[rilmodem/gril] If RIL message event_data is NULL, ril_msg->buf
contains garbage
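
Added example, not ofono's gril.c code and not part of the original report: a stand-alone parser for the reply layout listed above that leaves buf and buf_len in a defined state on every path, including empty event data and a non-zero error code that still carries data. The names reply_msg, parse_reply and build_reply are hypothetical; the example assumes Length counts the bytes that follow the Length field and that all fields are read in host byte order, neither of which the report specifies.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed form; buf/buf_len mirror the names in the report. */
struct reply_msg {
    uint32_t serial_no;
    uint32_t error;
    void *buf;        /* owned copy of the event data, or NULL */
    size_t buf_len;   /* 0 whenever buf is NULL */
};

/* Returns 0 on success, -1 on a truncated, inconsistent or non-reply frame. */
int parse_reply(const uint8_t *frame, size_t frame_len, struct reply_msg *out)
{
    uint32_t w[4];    /* Length, type, serial number, error code */

    /* Reset first so no caller ever sees a stale pointer or length. */
    memset(out, 0, sizeof(*out));
    if (frame_len < sizeof(w))
        return -1;
    memcpy(w, frame, sizeof(w));          /* avoids unaligned reads */

    /* Assumption: Length counts the bytes after the Length field. */
    if (w[0] != frame_len - sizeof(uint32_t) || w[1] != 0)
        return -1;
    out->serial_no = w[2];
    out->error = w[3];                    /* recorded, but does not gate the data */

    size_t data_len = frame_len - sizeof(w);
    if (data_len == 0)
        return 0;                         /* empty data: buf NULL, buf_len 0 */
    out->buf = malloc(data_len);
    if (out->buf == NULL)
        return -1;
    memcpy(out->buf, frame + sizeof(w), data_len);
    out->buf_len = data_len;
    return 0;
}

/* Builds a constructed sample frame in dst; returns its total size. */
size_t build_reply(uint8_t *dst, uint32_t serial, uint32_t error,
                   const void *data, uint32_t data_len)
{
    uint32_t w[4] = { 12u + data_len, 0, serial, error };
    memcpy(dst, w, sizeof(w));
    if (data_len)
        memcpy(dst + sizeof(w), data, data_len);
    return sizeof(w) + data_len;
}
```

The caller owns buf after a successful parse and releases it with free().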