From b68fb170e330615d792c8bdab199c9eb281532a2 Mon Sep 17 00:00:00 2001
From: Keith Mok <keithmok@google.com>
Date: Fri, 6 May 2022 04:32:59 +0000
Subject: [PATCH] DefaultVehicleHal: Add null callback checking

AIDL allow nullptr as callback argument.
Wihtout a nullptr callback variable checking, it will crash
the VHAL, if callback pass in is nullptr.

Test: android.hardware.automotive.vehicle@V1-default-service_fuzzer
Bug: 231661617
Change-Id: I9387391c595b608b435daa6e66134fedfccbbf7c
---
 .../aidl/impl/vhal/src/DefaultVehicleHal.cpp        | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/automotive/vehicle/aidl/impl/vhal/src/DefaultVehicleHal.cpp b/automotive/vehicle/aidl/impl/vhal/src/DefaultVehicleHal.cpp
index b191aef9b3..138aad5848 100644
--- a/automotive/vehicle/aidl/impl/vhal/src/DefaultVehicleHal.cpp
+++ b/automotive/vehicle/aidl/impl/vhal/src/DefaultVehicleHal.cpp
@@ -355,6 +355,9 @@ ScopedAStatus DefaultVehicleHal::getValues(const CallbackType& callback,
         ALOGE("getValues: failed to parse getValues requests");
         return std::move(deserializedResults.error());
     }
+    if (callback == nullptr) {
+        return ScopedAStatus::fromExceptionCode(EX_NULL_POINTER);
+    }
     const std::vector<GetValueRequest>& getValueRequests =
             deserializedResults.value().getObject()->payloads;
 
@@ -438,6 +441,9 @@ ScopedAStatus DefaultVehicleHal::setValues(const CallbackType& callback,
         ALOGE("setValues: failed to parse setValues requests");
         return std::move(deserializedResults.error());
     }
+    if (callback == nullptr) {
+        return ScopedAStatus::fromExceptionCode(EX_NULL_POINTER);
+    }
     const std::vector<SetValueRequest>& setValueRequests =
             deserializedResults.value().getObject()->payloads;
 
@@ -629,7 +635,9 @@ ScopedAStatus DefaultVehicleHal::subscribe(const CallbackType& callback,
         ALOGE("subscribe: invalid subscribe options: %s", getErrorMsg(result).c_str());
         return toScopedAStatus(result);
     }
-
+    if (callback == nullptr) {
+        return ScopedAStatus::fromExceptionCode(EX_NULL_POINTER);
+    }
     std::vector<SubscribeOptions> onChangeSubscriptions;
     std::vector<SubscribeOptions> continuousSubscriptions;
     for (const auto& option : options) {
@@ -685,6 +693,9 @@ ScopedAStatus DefaultVehicleHal::subscribe(const CallbackType& callback,
 
 ScopedAStatus DefaultVehicleHal::unsubscribe(const CallbackType& callback,
                                              const std::vector<int32_t>& propIds) {
+    if (callback == nullptr) {
+        return ScopedAStatus::fromExceptionCode(EX_NULL_POINTER);
+    }
     return toScopedAStatus(mSubscriptionManager->unsubscribe(callback->asBinder().get(), propIds));
 }