WIFIHAL: Fix use-after-free issue while freeing monitor socket list
During cleanup of monitor socket list, entries are freed
with out being deleted from the list. This results in
accessing memory which was already freed.
Hence deleting the entry before freeing it, so that
list would have only valid entries.
Bug: 133773150
Test: Manual Test
CRs-Fixed: 2463143
Change-Id: Ic746c7527958f238c77ddd4fd6d98cb8abab67bb
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
diff --git a/qcwcn/wifi_hal/list.h b/qcwcn/wifi_hal/list.h
index 0417398..90d344c 100644
--- a/qcwcn/wifi_hal/list.h
+++ b/qcwcn/wifi_hal/list.h
@@ -59,4 +59,14 @@
ref->member.next, &ref->member != (head); \
ref = list_entry(ref->member.next, typeof(*ref), member))
+#define list_for_each_entry_safe(pos, n, head, member) \
+ for (pos = list_entry((head)->next, typeof(*pos), member), \
+ n = list_entry(pos->member.next, typeof(*pos), member); \
+ &pos->member != (head); \
+ pos = n, n = list_entry(n->member.next, typeof(*n), member))
+
+#define list_for_each_safe(pos, n, head) \
+ for (pos = (head)->next, n = pos->next; pos != (head); \
+ pos = n, n = pos->next)
+
#endif
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index 5fc3007..64c0cb4 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -957,7 +957,7 @@
{
hal_info *info = getHalInfo(handle);
wifi_cleaned_up_handler cleaned_up_handler = info->cleaned_up_handler;
- wifihal_mon_sock_t *reg;
+ wifihal_mon_sock_t *reg, *tmp;
if (info->cmd_sock != 0) {
nl_socket_free(info->cmd_sock);
@@ -972,7 +972,8 @@
info->wifihal_ctrl_sock.s = 0;
}
- list_for_each_entry(reg, &info->monitor_sockets, list) {
+ list_for_each_entry_safe(reg, tmp, &info->monitor_sockets, list) {
+ del_from_list(®->list);
if(reg) {
free(reg);
}
