authorVinay Gannevaram <quic_vganneva@quicinc.com>2019-05-31 12:28:30 +0530
committerchenpaul <chenpaul@google.com>2019-06-10 19:28:22 +0800
commitb4861dcd0ffea1dce27c53e6e2dfcd29cf4e9ba2 (patch)
tree93ac925eae0c333bf7c9162de31a4cecd8d805fd /qcwcn/wifi_hal/wifi_hal.cpp
parentdceeae89168333edbda8676581a1820ac3b95a58 (diff)
WIFIHAL: Fix use-after-free issue while freeing monitor socket list
During cleanup of the monitor socket list, entries are freed without being deleted from the list. This results in accessing memory which was already freed. Hence delete each entry before freeing it, so that the list only ever holds valid entries. Bug: 133773150 Test: Manual Test CRs-Fixed: 2463143 Change-Id: Ic746c7527958f238c77ddd4fd6d98cb8abab67bb Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
Diffstat (limited to 'qcwcn/wifi_hal/wifi_hal.cpp')
-rw-r--r--qcwcn/wifi_hal/wifi_hal.cpp5
1 files changed, 3 insertions, 2 deletions
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index 5fc3007..64c0cb4 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -957,7 +957,7 @@ static void internal_cleaned_up_handler(wifi_handle handle)
{
hal_info *info = getHalInfo(handle);
wifi_cleaned_up_handler cleaned_up_handler = info->cleaned_up_handler;
- wifihal_mon_sock_t *reg;
+ wifihal_mon_sock_t *reg, *tmp;
if (info->cmd_sock != 0) {
nl_socket_free(info->cmd_sock);
@@ -972,7 +972,8 @@ static void internal_cleaned_up_handler(wifi_handle handle)
info->wifihal_ctrl_sock.s = 0;
}
- list_for_each_entry(reg, &info->monitor_sockets, list) {
+ list_for_each_entry_safe(reg, tmp, &info->monitor_sockets, list) {
+ del_from_list(&reg->list);
if(reg) {
free(reg);
}
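Review bot: The `if(reg)` guard that follows the new `del_from_list(&reg->list);` can no longer protect anything, because `reg` has already been dereferenced by the unlink on the line above. With the usual `container_of`-based list macros the cursor is derived from a list node and is never NULL inside the loop body, so the check reads as a safety net that does not exist. I would reduce the body to `del_from_list(&reg->list);` followed by `free(reg);`, and add a short comment such as `/* _safe iteration: reg is unlinked and freed inside the loop */` so the reason for the `tmp` cursor stays visible. The loop's closing brace and the rest of `internal_cleaned_up_handler` are outside the hunk, so it is not visible from here whether anything else still walks `info->monitor_sockets` afterwards.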