From 715d5c45f13a79c46544753b4046fc17e2c3062d Mon Sep 17 00:00:00 2001
From: Subhani Shaik <subhanis@qca.qualcomm.com>
Date: Tue, 17 Feb 2015 16:06:35 -0800
Subject: [PATCH] hs20-osu-client: Ensure NULL checks are done before
 dereferencing

In some error cases, pointers were dereferenced before NULL check is
done. Fix this by adding checks before the dereference.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
 hs20/client/oma_dm_client.c | 17 +++++++++++++++++
 hs20/client/osu_client.c    |  4 ++++
 2 files changed, 21 insertions(+)

diff --git a/hs20/client/oma_dm_client.c b/hs20/client/oma_dm_client.c
index 82e910623..6eaeeb477 100644
--- a/hs20/client/oma_dm_client.c
+++ b/hs20/client/oma_dm_client.c
@@ -394,6 +394,10 @@ static int oma_dm_exec_browser(struct hs20_osu_client *ctx, xml_node_t *exec)
 	}
 
 	data = xml_node_get_text(ctx->xml, node);
+	if (data == NULL) {
+		wpa_printf(MSG_INFO, "Invalid data");
+		return DM_RESP_BAD_REQUEST;
+	}
 	wpa_printf(MSG_INFO, "Data: %s", data);
 	wpa_printf(MSG_INFO, "Launch browser to URI '%s'", data);
 	write_summary(ctx, "Launch browser to URI '%s'", data);
@@ -428,6 +432,10 @@ static int oma_dm_exec_get_cert(struct hs20_osu_client *ctx, xml_node_t *exec)
 	}
 
 	data = xml_node_get_text(ctx->xml, node);
+	if (data == NULL) {
+		wpa_printf(MSG_INFO, "Invalid data");
+		return DM_RESP_BAD_REQUEST;
+	}
 	wpa_printf(MSG_INFO, "Data: %s", data);
 	getcert = xml_node_from_buf(ctx->xml, data);
 	xml_node_get_text_free(ctx->xml, data);
@@ -576,6 +584,11 @@ static int oma_dm_run_add(struct hs20_osu_client *ctx, const char *locuri,
 	if (node) {
 		char *type;
 		type = xml_node_get_text(ctx->xml, node);
+		if (type == NULL) {
+			wpa_printf(MSG_ERROR, "Could not find type text");
+			os_free(uri);
+			return DM_RESP_BAD_REQUEST;
+		}
 		use_tnds = node &&
 			os_strstr(type, "application/vnd.syncml.dmtnds+xml");
 	}
@@ -648,6 +661,10 @@ static int oma_dm_add(struct hs20_osu_client *ctx, xml_node_t *add,
 		return DM_RESP_BAD_REQUEST;
 	}
 	locuri = xml_node_get_text(ctx->xml, node);
+	if (locuri == NULL) {
+		wpa_printf(MSG_ERROR, "No LocURI node text found");
+		return DM_RESP_BAD_REQUEST;
+	}
 	wpa_printf(MSG_INFO, "Target LocURI: %s", locuri);
 	if (os_strncasecmp(locuri, "./Wi-Fi/", 8) != 0) {
 		wpa_printf(MSG_INFO, "Unsupported Add Target LocURI");
diff --git a/hs20/client/osu_client.c b/hs20/client/osu_client.c
index 660342506..de7f351da 100644
--- a/hs20/client/osu_client.c
+++ b/hs20/client/osu_client.c
@@ -687,6 +687,10 @@ int update_pps_file(struct hs20_osu_client *ctx, const char *pps_fname,
 	wpa_printf(MSG_INFO, "Updating PPS MO %s", pps_fname);
 
 	str = xml_node_to_str(ctx->xml, pps);
+	if (str == NULL) {
+		wpa_printf(MSG_ERROR, "No node found");
+		return -1;
+	}
 	wpa_printf(MSG_MSGDUMP, "[hs20] Updated PPS: '%s'", str);
 
 	snprintf(backup, sizeof(backup), "%s.bak", pps_fname);