author | Vinay Gannevaram <quic_vganneva@quicinc.com> | 2019-06-26 01:13:46 -0700 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2019-06-26 01:13:46 -0700 |
commit | 4bc52a35976561867b5b578f49abd61ac970d3eb (patch) | |
tree | 09a382c89d58ac170687b86f24f3ebc3f80698b6 | |
parent | 69687cbf11eb2bff734164dbd6ee4dfaaf3733ed (diff) | |
parent | f2edcbeb9bc05eab416bd985744c98c14c020799 (diff) | |
Merge "WIFIHAL: Fix use-after-free issue while freeing monitor socket list" into qt-r1-dev
am: f2edcbeb9b
Change-Id: I20557bfdbd095f1e1a8b47c8c860092cb7ad99c4
-rw-r--r-- | qcwcn/wifi_hal/list.h | 10 | ||||
-rw-r--r-- | qcwcn/wifi_hal/wifi_hal.cpp | 5 |
2 files changed, 13 insertions, 2 deletions
diff --git a/qcwcn/wifi_hal/list.h b/qcwcn/wifi_hal/list.h
index 0417398..90d344c 100644
--- a/qcwcn/wifi_hal/list.h
+++ b/qcwcn/wifi_hal/list.h
@@ -59,4 +59,14 @@ void replace_in_list(struct list_head *old, struct list_head *latest);
 ref->member.next, &ref->member != (head); \
 ref = list_entry(ref->member.next, typeof(*ref), member))
 
+#define list_for_each_entry_safe(pos, n, head, member) \
+ for (pos = list_entry((head)->next, typeof(*pos), member), \
+ n = list_entry(pos->member.next, typeof(*pos), member); \
+ &pos->member != (head); \
+ pos = n, n = list_entry(n->member.next, typeof(*n), member))
+
+#define list_for_each_safe(pos, n, head) \
+ for (pos = (head)->next, n = pos->next; pos != (head); \
+ pos = n, n = pos->next)
+
 #endif
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index 462f1fa..cb82885 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -957,7 +957,7 @@ static void internal_cleaned_up_handler(wifi_handle handle)
 {
 hal_info *info = getHalInfo(handle);
 wifi_cleaned_up_handler cleaned_up_handler = info->cleaned_up_handler;
- wifihal_mon_sock_t *reg;
+ wifihal_mon_sock_t *reg, *tmp;
 
 if (info->cmd_sock != 0) {
 nl_socket_free(info->cmd_sock);
@@ -972,7 +972,8 @@ static void internal_cleaned_up_handler(wifi_handle handle)
 info->wifihal_ctrl_sock.s = 0;
 }
 
- list_for_each_entry(reg, &info->monitor_sockets, list) {
+ list_for_each_entry_safe(reg, tmp, &info->monitor_sockets, list) {
+ del_from_list(®->list);
 if(reg) {
 free(reg);
 } |
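Review bot: The two `_safe` iterators added to list.h carry no comment saying what "safe" covers, and that contract is the only reason they exist. Each one caches just the successor in `n`, so the loop body may unlink and free `pos`, but a body that removes or frees the node held in `n` (or any other entry) would still walk freed memory. I would put a comment above `list_for_each_entry_safe` along the lines of `/* Safe only against removal of pos itself; the node cached in n must stay linked and valid until the next step. */` and repeat it for `list_for_each_safe`. As a style point, `pos` and `n` are expanded unparenthesised while `head` is parenthesised, so the comment should also say that both must be plain pointer variables. `list_for_each_safe` is not used by the other hunks shown on this page.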
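Review bot: The `if(reg)` test left below the new `del_from_list` call in the last wifi_hal.cpp hunk can never be false and now sits after `reg` has already been dereferenced, so it reads as a guard that does not exist. `reg` comes from `list_entry` on a node the loop condition has just compared with the head, and the added line takes `reg->list` before the test (the page shows it as `®->list`, a mis-rendered `&reg->list`). I would drop the test and leave `free(reg);` on its own, which also makes the unlink-then-free order obvious. Whether anything else can walk `info->monitor_sockets` while this cleanup runs is not visible here; if it can, the loop needs the same lock as those readers. The body of `internal_cleaned_up_handler` starts and ends outside the hunk.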