Clear Element.mRef immediately after deallocating it DNSServiceRefDeallocate() and pointer dereferencing in request handler thread are protected by two separate lock/unlock pairs on mHeadMutex. If rescan() runs between these, it could dereference mRef, causing a heap-use-after-free bug. Solution: set mRef to null immediately after freeing it. Bug: 121327565 Test: build Change-Id: I56ace2ad8a2da528afa375aefb1b9420547658a7

commit: 9762bc1964a37ec56091ee2b6070e19c5206f615 [log] [tgz]
author: Ken Chen <cken@google.com> Sat Jan 26 19:17:00 2019 +0800
committer: Bernie Innocenti <codewiz@google.com> Thu Feb 07 07:22:23 2019 +0000
tree: 8af63a52f028f62b543b15ccf8ba3fd0baefe8b0
parent: 3eeb0e6b86ac8a7f00968d0a086381e7dcd8cc2b [diff]
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
index f3a9f8b..b54014c 100644
--- a/server/MDnsSdListener.cpp
+++ b/server/MDnsSdListener.cpp

@@ -769,5 +769,6 @@
 void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) {
     pthread_mutex_lock(&mHeadMutex);
     DNSServiceRefDeallocate(*ref);
+    *ref = nullptr;
     pthread_mutex_unlock(&mHeadMutex);
-}
\ No newline at end of file
+}
commit	9762bc1964a37ec56091ee2b6070e19c5206f615	[log] [tgz]
author	Ken Chen <cken@google.com>	Sat Jan 26 19:17:00 2019 +0800
committer	Bernie Innocenti <codewiz@google.com>	Thu Feb 07 07:22:23 2019 +0000
tree	8af63a52f028f62b543b15ccf8ba3fd0baefe8b0
parent	3eeb0e6b86ac8a7f00968d0a086381e7dcd8cc2b [diff]