authorVinay Gannevaram <quic_vganneva@quicinc.com>2019-06-26 01:13:46 -0700
committerandroid-build-merger <android-build-merger@google.com>2019-06-26 01:13:46 -0700
commit4bc52a35976561867b5b578f49abd61ac970d3eb (patch)
tree09a382c89d58ac170687b86f24f3ebc3f80698b6
parent69687cbf11eb2bff734164dbd6ee4dfaaf3733ed (diff)
parentf2edcbeb9bc05eab416bd985744c98c14c020799 (diff)
downloadwlan-4bc52a35976561867b5b578f49abd61ac970d3eb.tar.gz
Merge "WIFIHAL: Fix use-after-free issue while freeing monitor socket list" into qt-r1-dev
am: f2edcbeb9b Change-Id: I20557bfdbd095f1e1a8b47c8c860092cb7ad99c4
-rw-r--r--qcwcn/wifi_hal/list.h10
-rw-r--r--qcwcn/wifi_hal/wifi_hal.cpp5
2 files changed, 13 insertions, 2 deletions
diff --git a/qcwcn/wifi_hal/list.h b/qcwcn/wifi_hal/list.h
index 0417398..90d344c 100644
--- a/qcwcn/wifi_hal/list.h
+++ b/qcwcn/wifi_hal/list.h
@@ -59,4 +59,14 @@ void replace_in_list(struct list_head *old, struct list_head *latest);
ref->member.next, &ref->member != (head); \
ref = list_entry(ref->member.next, typeof(*ref), member))
+#define list_for_each_entry_safe(pos, n, head, member) \
+ for (pos = list_entry((head)->next, typeof(*pos), member), \
+ n = list_entry(pos->member.next, typeof(*pos), member); \
+ &pos->member != (head); \
+ pos = n, n = list_entry(n->member.next, typeof(*n), member))
+
+#define list_for_each_safe(pos, n, head) \
+ for (pos = (head)->next, n = pos->next; pos != (head); \
+ pos = n, n = pos->next)
+
#endif
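Review bot: The two new iterators, `list_for_each_entry_safe` and `list_for_each_safe`, have no comment stating what "safe" covers, so callers can easily assume more than the macros give. Both cache only the successor in `n`, so the loop body may unlink or free `pos`, but it must not remove the entry that `n` refers to. Nothing in the macros guards against another thread modifying the list during the walk. I would add above each one a comment such as `/* Safe only against removal of the current entry; n is scratch storage and must not be changed or freed by the loop body. */`.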
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index 462f1fa..cb82885 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -957,7 +957,7 @@ static void internal_cleaned_up_handler(wifi_handle handle)
{
hal_info *info = getHalInfo(handle);
wifi_cleaned_up_handler cleaned_up_handler = info->cleaned_up_handler;
- wifihal_mon_sock_t *reg;
+ wifihal_mon_sock_t *reg, *tmp;
if (info->cmd_sock != 0) {
nl_socket_free(info->cmd_sock);
@@ -972,7 +972,8 @@ static void internal_cleaned_up_handler(wifi_handle handle)
info->wifihal_ctrl_sock.s = 0;
}
- list_for_each_entry(reg, &info->monitor_sockets, list) {
+ list_for_each_entry_safe(reg, tmp, &info->monitor_sockets, list) {
+ del_from_list(&reg->list);
if(reg) {
free(reg);
}
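Review bot: The `if(reg)` test kept after the new `del_from_list(&reg->list);` line is dead. By that point `reg` has already been used to reach its list node, and the iterator derives it from a node, so it is never NULL inside the loop. Keeping the test suggests a NULL entry is handled when it is not; the body can be just `del_from_list(&reg->list);` followed by `free(reg);`. The hunk does not show whether another path can add to or walk `info->monitor_sockets` while this handler runs, so it is worth confirming that teardown is serialized against those paths, because the safe iterator only covers the removal done by the loop itself. The loop body and `internal_cleaned_up_handler` continue past the end of the hunk.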