Google Git
Sign in
android / platform / system / netd / refs/tags/android-9.0.0_r42
tag2cda141da770da0098159682016700933748d7af
taggerThe Android Open Source Project <initial-contribution@android.com>Fri May 31 15:45:54 2019 -0700
object9762bc1964a37ec56091ee2b6070e19c5206f615 
Android 9.0.0 release 42
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCXPGuogAKCRDorT+BmrEO
ePsqAKCCWRYaAa/Jzw90zTQz/GGsUrVFOwCcC0kbLSEjwWgsVTd+pRDv1+kqz10=
=p4Yu
-----END PGP SIGNATURE-----
commit9762bc1964a37ec56091ee2b6070e19c5206f615[log] [tgz]
authorKen Chen <cken@google.com>Sat Jan 26 19:17:00 2019 +0800
committerBernie Innocenti <codewiz@google.com>Thu Feb 07 07:22:23 2019 +0000
tree8af63a52f028f62b543b15ccf8ba3fd0baefe8b0
parent3eeb0e6b86ac8a7f00968d0a086381e7dcd8cc2b [diff]
Clear Element.mRef immediately after deallocating it

DNSServiceRefDeallocate() and pointer dereferencing in request handler
thread are protected by two separate lock/unlock pairs on mHeadMutex.
If rescan() runs between these, it could dereference mRef, causing
a heap-use-after-free bug.

Solution: set mRef to null immediately after freeing it.

Bug: 121327565
Test: build
Change-Id: I56ace2ad8a2da528afa375aefb1b9420547658a7
1 file changed
tree: 8af63a52f028f62b543b15ccf8ba3fd0baefe8b0
  1. Android.bp
  2. Android.mk
  3. MODULE_LICENSE_APACHE2
  4. NOTICE
  5. OWNERS
  6. bpfloader/
  7. client/
  8. include/
  9. libbpf/
  10. libnetdutils/
  11. netutils_wrappers/
  12. server/
  13. tests/