requester: Fix null deref and memory leak in async effecter

set_state_effecter_async performs placement new on responseMsg before checking whether recvMsg() succeeded. On failure responseMsg remains nullptr, resulting in undefined behavior. The mismatch path also leaks responseMsg.

Check recvMsg() before placement new, free responseMsg on mismatch, initialize srcTid, and log errors in both failure paths.

Change-Id: Iae602135b4683a8d294c93b5cc23bdbcfe088d40
Signed-off-by: Gary Beihl <garybeihl@microsoft.com>
diff --git a/utilities/requester/set_state_effecter_async.cpp b/utilities/requester/set_state_effecter_async.cpp index 0a1f2e8..fc054d6 100644 --- a/utilities/requester/set_state_effecter_async.cpp +++ b/utilities/requester/set_state_effecter_async.cpp
@@ -63,12 +63,21 @@ void* responseMsg = nullptr; size_t responseMsgSize{}; - pldm_tid_t srcTid; + pldm_tid_t srcTid = 0; auto rc = pldmTransport.recvMsg(srcTid, responseMsg, responseMsgSize); + if (rc) + { + error("Failed to receive PLDM response, rc={RC}", "RC", rc); + return; + } pldm_msg* response = new (responseMsg) pldm_msg; - if (rc || dstTid != srcTid || + if (dstTid != srcTid || !pldm_msg_hdr_correlate_response(&request->hdr, &response->hdr)) { + error( + "Unexpected PLDM response, received TID={RTID} expected TID={ETID}", + "RTID", srcTid, "ETID", dstTid); + free(responseMsg); return; }
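Review bot: responseMsgSize is still never checked before the placement new and the `pldm_msg_hdr_correlate_response(&request->hdr, &response->hdr)` call, so a successful recvMsg() that returns a buffer shorter than a PLDM header (or a null responseMsg with rc == 0) would still be read as a full header. Consider extending the new early-return to something like `if (rc || !responseMsg || responseMsgSize < sizeof(pldm_msg_hdr))`, freeing responseMsg when it is non-null before returning. Separately, the new "Unexpected PLDM response" log prints only the two TIDs, but the same branch is taken when the TIDs match and header correlation fails; in that case the message will show identical RTID and ETID and hide the real cause, so either split the two conditions or add a field indicating that correlation failed.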