Clear Element.mRef immediately after deallocating it
DNSServiceRefDeallocate() and pointer dereferencing in request handler
thread are protected by two separate lock/unlock pairs on mHeadMutex.
If rescan() runs between these, it could dereference mRef, causing
a heap-use-after-free bug.
Solution: set mRef to null immediately after freeing it.
Bug: 121327565
Test: build
Change-Id: I56ace2ad8a2da528afa375aefb1b9420547658a7
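The pattern the commit describes, written out as an added example (this is illustrative code, not netd's MDnsSdListener): a service ref is freed and its owning pointer cleared inside one critical section, and the reader that would otherwise race checks the pointer for nullptr under the same mutex before dereferencing it. Names such as Monitor, Element, mRef, mHeadMutex and rescan() mirror the commit text; FakeServiceRef stands in for DNSServiceRef, and the counters exist only so the scenario can be checked.

```cpp
// Added example, not the project's code. Shows why freeing a pointer and
// clearing it under the SAME lock closes the window the commit describes.
#include <cstddef>
#include <iostream>
#include <mutex>

struct FakeServiceRef { int id; };   // stand-in for DNSServiceRef (assumption)
using ServiceRef = FakeServiceRef*;

struct Monitor {
    struct Element { ServiceRef mRef = nullptr; };

    std::mutex mHeadMutex;
    Element head;
    int rescanned = 0;   // times rescan() dereferenced a live ref
    int skipped = 0;     // times rescan() found the ref already cleared

    void allocate() {
        std::lock_guard<std::mutex> guard(mHeadMutex);
        head.mRef = new FakeServiceRef{42};
    }

    // Mirrors the patched deallocateServiceRef(): free and clear in one
    // locked region. The pre-patch sequence was lock/free/unlock followed
    // by a separate lock/clear/unlock, leaving a window in which a reader
    // could take the mutex and dereference the freed pointer.
    void deallocateServiceRef(ServiceRef* ref) {
        std::lock_guard<std::mutex> guard(mHeadMutex);
        delete *ref;
        *ref = nullptr;   // readers now observe "no ref", never a dangling one
    }

    // Reader side: the nullptr check must happen under the same mutex.
    bool rescan() {
        std::lock_guard<std::mutex> guard(mHeadMutex);
        if (head.mRef == nullptr) {
            ++skipped;
            return false;
        }
        ++rescanned;
        return head.mRef->id == 42;
    }
};

// Drives the scenario once; returns true when the reader dereferenced the
// ref only while it was live and saw it cleared afterwards.
bool runScenario() {
    Monitor m;
    m.allocate();
    bool before = m.rescan();                  // live ref: safe dereference
    m.deallocateServiceRef(&m.head.mRef);      // pass the Element's own slot
    bool after = m.rescan();                   // cleared: reader skips
    return before && !after && m.head.mRef == nullptr
        && m.rescanned == 1 && m.skipped == 1;
}

int main() {
    std::cout << (runScenario() ? "reader never touched a freed ref\n"
                                : "unexpected state\n");
    return 0;
}
```

Note that deallocateServiceRef() writes through its parameter, so the caller has to hand it the address of the Element's own mRef; passing a copy of the ref would free the object but leave the Element holding the stale value.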
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
index f3a9f8b..b54014c 100644
--- a/server/MDnsSdListener.cpp
+++ b/server/MDnsSdListener.cpp
@@ -769,5 +769,6 @@
void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) {
pthread_mutex_lock(&mHeadMutex);
DNSServiceRefDeallocate(*ref);
+ *ref = nullptr;
pthread_mutex_unlock(&mHeadMutex);
-}
\ No newline at end of file
+}
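Review bot: clearing `*ref` inside the same mHeadMutex region as DNSServiceRefDeallocate() only closes the race the commit message describes if rescan() checks mRef for nullptr after taking mHeadMutex and before dereferencing it; that reader-side check is not in this hunk, so confirm it already exists or add it in this change. Because `*ref = nullptr;` writes through the parameter, every caller must pass the address of Element.mRef itself rather than a copy of the ref, otherwise the Element still holds the freed value. The `-}` / `+}` pair only supplies the missing newline at end of file; a mention in the commit message would stop it reading as a logic change.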