mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-17 18:37:23 -05:00
33 lines
1.2 KiB
Diff
33 lines
1.2 KiB
Diff
From 5f01e7f21f155a6b13a5ce659bac1fc03735a5e9 Mon Sep 17 00:00:00 2001
|
|
From: Ken Chen <cken@google.com>
|
|
Date: Sat, 26 Jan 2019 19:17:00 +0800
|
|
Subject: [PATCH] Clear Element.mRef immediately after deallocating it
|
|
|
|
DNSServiceRefDeallocate() and pointer dereferencing in request handler
|
|
thread are protected by two separate lock/unlock pairs on mHeadMutex.
|
|
If rescan() runs between these, it could dereference mRef, causing
|
|
a heap-use-after-free bug.
|
|
|
|
Solution: set mRef to null immediately after freeing it.
|
|
|
|
Bug: 121327565
|
|
Test: build
|
|
Change-Id: I56ace2ad8a2da528afa375aefb1b9420547658a7
|
|
(cherry picked from commit 9762bc1964a37ec56091ee2b6070e19c5206f615)
|
|
---
|
|
server/MDnsSdListener.cpp | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
|
|
index e3fd66a0..563e0207 100644
|
|
--- a/server/MDnsSdListener.cpp
|
|
+++ b/server/MDnsSdListener.cpp
|
|
@@ -775,5 +775,6 @@ void MDnsSdListener::Monitor::freeServiceRef(int id) {
|
|
void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) {
|
|
pthread_mutex_lock(&mHeadMutex);
|
|
DNSServiceRefDeallocate(*ref);
|
|
+ *ref = nullptr;
|
|
pthread_mutex_unlock(&mHeadMutex);
|
|
}
|
|
\ No newline at end of file
|