author | Vinay Gannevaram <quic_vganneva@quicinc.com> | 2019-05-31 12:28:30 +0530 |
---|---|---|
committer | chenpaul <chenpaul@google.com> | 2019-06-10 19:28:22 +0800 |
commit | b4861dcd0ffea1dce27c53e6e2dfcd29cf4e9ba2 (patch) | |
tree | 93ac925eae0c333bf7c9162de31a4cecd8d805fd /qcwcn | |
parent | dceeae89168333edbda8676581a1820ac3b95a58 (diff) | |
download | wlan-b4861dcd0ffea1dce27c53e6e2dfcd29cf4e9ba2.tar.gz |
WIFIHAL: Fix use-after-free issue while freeing monitor socket list
During cleanup of the monitor socket list, entries are freed
without being deleted from the list. This results in
accessing memory which was already freed.
Hence the entry is deleted before freeing it, so that
the list only holds valid entries.
Bug: 133773150
Test: Manual Test
CRs-Fixed: 2463143
Change-Id: Ic746c7527958f238c77ddd4fd6d98cb8abab67bb
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
Diffstat (limited to 'qcwcn')
-rw-r--r-- | qcwcn/wifi_hal/list.h | 10 | ||||
-rw-r--r-- | qcwcn/wifi_hal/wifi_hal.cpp | 5 |
2 files changed, 13 insertions, 2 deletions
diff --git a/qcwcn/wifi_hal/list.h b/qcwcn/wifi_hal/list.h
index 0417398..90d344c 100644
--- a/qcwcn/wifi_hal/list.h
+++ b/qcwcn/wifi_hal/list.h
@@ -59,4 +59,14 @@ void replace_in_list(struct list_head *old, struct list_head *latest);
          ref->member.next, &ref->member != (head); \
          ref = list_entry(ref->member.next, typeof(*ref), member))
 
+#define list_for_each_entry_safe(pos, n, head, member) \
+    for (pos = list_entry((head)->next, typeof(*pos), member), \
+         n = list_entry(pos->member.next, typeof(*pos), member); \
+         &pos->member != (head); \
+         pos = n, n = list_entry(n->member.next, typeof(*n), member))
+
+#define list_for_each_safe(pos, n, head) \
+    for (pos = (head)->next, n = pos->next; pos != (head); \
+         pos = n, n = pos->next)
+
 #endif
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index 5fc3007..64c0cb4 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -957,7 +957,7 @@ static void internal_cleaned_up_handler(wifi_handle handle)
 {
     hal_info *info = getHalInfo(handle);
     wifi_cleaned_up_handler cleaned_up_handler = info->cleaned_up_handler;
-    wifihal_mon_sock_t *reg;
+    wifihal_mon_sock_t *reg, *tmp;
 
     if (info->cmd_sock != 0) {
         nl_socket_free(info->cmd_sock);
@@ -972,7 +972,8 @@ static void internal_cleaned_up_handler(wifi_handle handle)
         info->wifihal_ctrl_sock.s = 0;
     }
 
-    list_for_each_entry(reg, &info->monitor_sockets, list) {
+    list_for_each_entry_safe(reg, tmp, &info->monitor_sockets, list) {
+        del_from_list(®->list);
         if(reg) {
             free(reg);
         }
|
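Review bot: The two new `_safe` macros in list.h carry no comment stating the contract that is the whole reason for adding them: the body may unlink and free `pos` because the successor has already been captured in `n`, but the body must not remove `n` itself or the captured pointer becomes stale. A comment above `list_for_each_entry_safe` such as `/* Like list_for_each_entry, but pos may be removed/freed in the body; n caches the next entry and must not be removed by the body. */` (and the equivalent above `list_for_each_safe`) would make the difference from `list_for_each_entry` explicit at the point of use. Like the existing `list_for_each_entry`, the new macros rely on the GNU `typeof` extension and leave `pos`, `n` and `member` unparenthesized, which is consistent with the file but means callers must pass plain lvalues rather than expressions.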
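Review bot: In the second wifi_hal.cpp hunk the `if(reg)` guard kept after the added `del_from_list(&reg->list)` (rendered as `®->list` on this page, which looks like an extraction artifact of `&reg->list`) is dead code: `reg` has already been dereferenced by that call, and `list_for_each_entry_safe` never yields a NULL `reg`, so the check only suggests a NULL case that cannot occur. The loop body should be the two unconditional statements `del_from_list(&reg->list);` and `free(reg);`. The unlink-before-free order together with `tmp` holding the successor is what actually closes the use-after-free described in the commit message, so that part reads correctly. The enclosing function `internal_cleaned_up_handler` continues past the end of the hunk, so whatever follows the loop (e.g. use of `cleaned_up_handler`) is not visible here.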