Merge tag 'AU_LINUX_ANDROID_LA.BF64.1.2.1.05.00.02.066.045' into HEAD

AU_LINUX_ANDROID_LA.BF64.1.2.1.05.00.02.066.045 based on quic/aosp/LA.BF64.1.2.1

* tag 'AU_LINUX_ANDROID_LA.BF64.1.2.1.05.00.02.066.045':
  HTTP: Fix OCSP error path
  Ensure NULL checks are done before dereferencing pointer.
  hs20-osu-client: Ensure NULL checks are done before dereferencing

Conflicts:
	src/utils/http_curl.c

Change-Id: I320cbf3cb9d4bc413a73bbf193f4456914deb5aa

4 files changed, 40 insertions, 10 deletions

diff --git a/hs20/client/oma_dm_client.c b/hs20/client/oma_dm_client.c
index 82e91062..6eaeeb47 100644
--- a/hs20/client/oma_dm_client.c
+++ b/hs20/client/oma_dm_client.c
@@ -394,6 +394,10 @@ static int oma_dm_exec_browser(struct hs20_osu_client *ctx, xml_node_t *exec)
 	}
 
 	data = xml_node_get_text(ctx->xml, node);
+	if (data == NULL) {
+		wpa_printf(MSG_INFO, "Invalid data");
+		return DM_RESP_BAD_REQUEST;
+	}
 	wpa_printf(MSG_INFO, "Data: %s", data);
 	wpa_printf(MSG_INFO, "Launch browser to URI '%s'", data);
 	write_summary(ctx, "Launch browser to URI '%s'", data);
@@ -428,6 +432,10 @@ static int oma_dm_exec_get_cert(struct hs20_osu_client *ctx, xml_node_t *exec)
 	}
 
 	data = xml_node_get_text(ctx->xml, node);
+	if (data == NULL) {
+		wpa_printf(MSG_INFO, "Invalid data");
+		return DM_RESP_BAD_REQUEST;
+	}
 	wpa_printf(MSG_INFO, "Data: %s", data);
 	getcert = xml_node_from_buf(ctx->xml, data);
 	xml_node_get_text_free(ctx->xml, data);
@@ -576,6 +584,11 @@ static int oma_dm_run_add(struct hs20_osu_client *ctx, const char *locuri,
 	if (node) {
 		char *type;
 		type = xml_node_get_text(ctx->xml, node);
+		if (type == NULL) {
+			wpa_printf(MSG_ERROR, "Could not find type text");
+			os_free(uri);
+			return DM_RESP_BAD_REQUEST;
+		}
 		use_tnds = node &&
 			os_strstr(type, "application/vnd.syncml.dmtnds+xml");
 	}
@@ -648,6 +661,10 @@ static int oma_dm_add(struct hs20_osu_client *ctx, xml_node_t *add,
 		return DM_RESP_BAD_REQUEST;
 	}
 	locuri = xml_node_get_text(ctx->xml, node);
+	if (locuri == NULL) {
+		wpa_printf(MSG_ERROR, "No LocURI node text found");
+		return DM_RESP_BAD_REQUEST;
+	}
 	wpa_printf(MSG_INFO, "Target LocURI: %s", locuri);
 	if (os_strncasecmp(locuri, "./Wi-Fi/", 8) != 0) {
 		wpa_printf(MSG_INFO, "Unsupported Add Target LocURI");
diff --git a/hs20/client/osu_client.c b/hs20/client/osu_client.c
index a439bdeb..f89b2691 100644
--- a/hs20/client/osu_client.c
+++ b/hs20/client/osu_client.c
@@ -669,6 +669,10 @@ int update_pps_file(struct hs20_osu_client *ctx, const char *pps_fname,
 	wpa_printf(MSG_INFO, "Updating PPS MO %s", pps_fname);
 
 	str = xml_node_to_str(ctx->xml, pps);
+	if (str == NULL) {
+		wpa_printf(MSG_ERROR, "No node found");
+		return -1;
+	}
 	wpa_printf(MSG_MSGDUMP, "[hs20] Updated PPS: '%s'", str);
 
 	snprintf(backup, sizeof(backup), "%s.bak", pps_fname);
diff --git a/src/eap_peer/eap_proxy_qmi.c b/src/eap_peer/eap_proxy_qmi.c
index 21ee4547..1100ca37 100644
--- a/src/eap_peer/eap_proxy_qmi.c
+++ b/src/eap_peer/eap_proxy_qmi.c
@@ -481,8 +481,11 @@ static Boolean wpa_qmi_read_card_imsi(int sim_num)
 
 			/* Received IMSI is in the 3GPP format
 				converting it into ascii string */
-			imsi = os_malloc((2 * length));
-			os_memset(imsi, 0, (2 * length));
+			imsi = os_zalloc(2 * length);
+			if (imsi == NULL) {
+				wpa_printf(MSG_ERROR, "Couldn't allocate memmory for imsi");
+				return FALSE;
+			}
 			for (src = 1, dst = 0;
 				(src < length) && (dst < (length * 2));
 				src++) {
@@ -964,9 +967,13 @@ static void handle_qmi_eap_reply(
 	u8 *resp_data;
 	u32 length;
 
+	if (eap_proxy == NULL) {
+		wpa_printf(MSG_ERROR, "eap_proxy is NULL");
+		return;
+	}
 	if (QMI_STATE_RESP_PENDING == eap_proxy->qmi_state) {
-		if (NULL == eap_proxy || QMI_EAP_SERVICE != serviceId ||
-				QMI_EAP_SEND_EAP_PKT_RSP_ID != rspId) {
+		if (QMI_EAP_SERVICE != serviceId ||
+			QMI_EAP_SEND_EAP_PKT_RSP_ID != rspId) {
 			wpa_printf(MSG_ERROR, "Bad Param: serviceId=%d;"
 				 " rspId=%d\n", serviceId, rspId);
 			eap_proxy->qmi_state = QMI_STATE_RESP_TIME_OUT;
@@ -1738,7 +1745,7 @@ static Boolean eap_proxy_build_identity(struct eap_proxy_sm *eap_proxy, u8 id, s
 						/* IMSI RAW */
 						imsi_id_len = imsi_len_g + 1;
 				}
-			} else {
+			} else if (identity) {
 				/* idx is non-zero implies username available */
 				imsi_identity = identity;
 				imsi_id_len = config->identity_len;
@@ -1753,10 +1760,12 @@ static Boolean eap_proxy_build_identity(struct eap_proxy_sm *eap_proxy, u8 id, s
 				idx = imsi_len_g + 1;
 			}
 
-			/* mcc valus */
-			imsi_identity[idx + 16] = imsi[0];
-			imsi_identity[idx + 17] = imsi[1];
-			imsi_identity[idx + 18] = imsi[2];
+			if (imsi_identity != NULL) {
+				/* mcc valus */
+				imsi_identity[idx + 16] = imsi[0];
+				imsi_identity[idx + 17] = imsi[1];
+				imsi_identity[idx + 18] = imsi[2];
+			}
 
 			/* mnc valus */
 			mnc_len = card_mnc_len;
diff --git a/src/utils/http_curl.c b/src/utils/http_curl.c
index 0c18269d..3a042f93 100644
--- a/src/utils/http_curl.c
+++ b/src/utils/http_curl.c
@@ -1098,7 +1098,7 @@ static int ocsp_resp_cb(SSL *s, void *arg)
 				sk_X509_free(certs);
 				certs = NULL;
 			}
-			if (ctx->peer_issuer_issuer) {
+			if (certs && ctx->peer_issuer_issuer) {
 				cert = X509_dup(ctx->peer_issuer_issuer);
 				if (cert && !sk_X509_push(certs, cert)) {
 					tls_show_errors(