author | 2019-07-30 14:23:49 -0700 | |
---|---|---|
committer | 2019-07-30 15:58:32 -0700 | |
commit | 2249c88ec56f2524a3c5bee5cbca232eae1357d1 (patch) | |
tree | 353bc7c17734cc0237611279812d297df21a1a8e | |
parent | 61eba0db9dc4a16ed37fd9f091b02abc65803985 (diff) |
Fix null pointer deref in libsensor SensorServer
When trying to create a sensor direct connection, check that native
handle resource is not null, and if so return BAD_VALUE error.
Bug: 135051254
Test: Load onto device and try "service call sensorservice 5"
commands that have no arguments and random arguments. Both throw new error
and do not crash system as hoped.
Change-Id: Ie2eaf1a17843da89927293e408768bfbaaf86ec8
-rw-r--r-- | libs/sensor/ISensorServer.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libs/sensor/ISensorServer.cpp b/libs/sensor/ISensorServer.cpp index 5200545a53..8ed09f8ff0 100644 --- a/libs/sensor/ISensorServer.cpp +++ b/libs/sensor/ISensorServer.cpp @@ -199,6 +199,10 @@ status_t BnSensorServer::onTransact( int32_t type = data.readInt32(); int32_t format = data.readInt32(); native_handle_t *resource = data.readNativeHandle(); + // Avoid a crash in native_handle_close if resource is nullptr + if (resource == nullptr) { + return BAD_VALUE; + } sp<ISensorEventConnection> ch = createSensorDirectConnection(opPackageName, size, type, format, resource); native_handle_close(resource); |
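Review bot: the early `return BAD_VALUE;` after `data.readNativeHandle()` rejects the transaction without logging anything, so the empty and random-argument calls described in the Test: line would leave no trace in the logs; an error log line before the return would make malformed requests to this transaction visible. The added comment names only `native_handle_close`, but the check sits ahead of `createSensorDirectConnection(opPackageName, size, type, format, resource)`, so it also keeps a null `resource` out of that call, and the comment could say so. `type` and `format` are still taken from `data.readInt32()` with no check that the reads succeeded, so a short parcel is only rejected here because the handle read comes back null; validating those reads explicitly would not depend on that ordering. The test described is manual, and a regression test that sends this transaction with an empty parcel would keep the fix from silently regressing.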