Merge "WIFIHAL: Fix use-after-free issue while freeing monitor socket list" into qt-r1-devandroid-mainline-10.0.0_r9 android-mainline-10.0.0_r7 android-mainline-10.0.0_r5 android-mainline-10.0.0_r4 android-10.0.0_r36 android-10.0.0_r35 android-10.0.0_r34 android-10.0.0_r33 android-10.0.0_r32 android-10.0.0_r31 android-10.0.0_r30 android10-qpr2-s4-release android10-qpr2-s3-release android10-qpr2-s2-release android10-qpr2-s1-release android10-qpr2-release android10-qpr1-mainline-release android10-mainline-media-release

author: TreeHugger Robot <treehugger-gerrit@google.com> 2019-06-26 08:03:39 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2019-06-26 08:03:39 +0000
commit: f2edcbeb9bc05eab416bd985744c98c14c020799 (patch)
tree: 2f956ead89d51a5d139116a5187f31443c39efe5
parent: 320302d00197eadab68b46448551bb06a7a6d17a (diff)
parent: b4861dcd0ffea1dce27c53e6e2dfcd29cf4e9ba2 (diff)
download: wlan-f2edcbeb9bc05eab416bd985744c98c14c020799.tar.gz
2 files changed, 13 insertions, 2 deletions
diff --git a/qcwcn/wifi_hal/list.h b/qcwcn/wifi_hal/list.h
index 0417398..90d344c 100644
--- a/qcwcn/wifi_hal/list.h
+++ b/qcwcn/wifi_hal/list.h
@@ -59,4 +59,14 @@ void replace_in_list(struct list_head *old, struct list_head *latest);
              ref->member.next, &ref->member != (head); \
              ref = list_entry(ref->member.next, typeof(*ref), member))
 
+#define list_for_each_entry_safe(pos, n, head, member) \
+        for (pos = list_entry((head)->next, typeof(*pos), member), \
+             n = list_entry(pos->member.next, typeof(*pos), member); \
+             &pos->member != (head); \
+             pos = n, n = list_entry(n->member.next, typeof(*n), member))
+
+#define list_for_each_safe(pos, n, head) \
+        for (pos = (head)->next, n = pos->next; pos != (head); \
+             pos = n, n = pos->next)
+
 #endif
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index 462f1fa..cb82885 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -957,7 +957,7 @@ static void internal_cleaned_up_handler(wifi_handle handle)
 {
     hal_info *info = getHalInfo(handle);
     wifi_cleaned_up_handler cleaned_up_handler = info->cleaned_up_handler;
-    wifihal_mon_sock_t *reg;
+    wifihal_mon_sock_t *reg, *tmp;
 
     if (info->cmd_sock != 0) {
         nl_socket_free(info->cmd_sock);
@@ -972,7 +972,8 @@ static void internal_cleaned_up_handler(wifi_handle handle)
         info->wifihal_ctrl_sock.s = 0;
     }
 
-   list_for_each_entry(reg, &info->monitor_sockets, list) {
+   list_for_each_entry_safe(reg, tmp, &info->monitor_sockets, list) {
+        del_from_list(&reg->list);
         if(reg) {
            free(reg);
         }
author	TreeHugger Robot <treehugger-gerrit@google.com>	2019-06-26 08:03:39 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2019-06-26 08:03:39 +0000
commit	f2edcbeb9bc05eab416bd985744c98c14c020799 (patch)
tree	2f956ead89d51a5d139116a5187f31443c39efe5
parent	320302d00197eadab68b46448551bb06a7a6d17a (diff)
parent	b4861dcd0ffea1dce27c53e6e2dfcd29cf4e9ba2 (diff)
download	wlan-f2edcbeb9bc05eab416bd985744c98c14c020799.tar.gz