tag | 2cda141da770da0098159682016700933748d7af | |
---|---|---|
tagger | The Android Open Source Project <initial-contribution@android.com> | Fri May 31 15:45:54 2019 -0700 |
object | 9762bc1964a37ec56091ee2b6070e19c5206f615 |

Android 9.0.0 release 42

commit | 9762bc1964a37ec56091ee2b6070e19c5206f615 | |
---|---|---|
author | Ken Chen <cken@google.com> | Sat Jan 26 19:17:00 2019 +0800 |
committer | Bernie Innocenti <codewiz@google.com> | Thu Feb 07 07:22:23 2019 +0000 |
tree | 8af63a52f028f62b543b15ccf8ba3fd0baefe8b0 | |
parent | 3eeb0e6b86ac8a7f00968d0a086381e7dcd8cc2b | |

Clear Element.mRef immediately after deallocating it

DNSServiceRefDeallocate() and pointer dereferencing in request handler
thread are protected by two separate lock/unlock pairs on mHeadMutex.
If rescan() runs between these, it could dereference mRef, causing a
heap-use-after-free bug.

Solution: set mRef to null immediately after freeing it.

Bug: 121327565
Test: build
Change-Id: I56ace2ad8a2da528afa375aefb1b9420547658a7
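
The interleaving described in the commit message, replayed deterministically as an added example (not the AOSP change itself). `Ref`, `Element`, `Monitor` and `staleAccesses` are hypothetical stand-ins, and the free is modelled as a flag so the stale access is counted instead of executed.

```cpp
#include <memory>
#include <mutex>
#include <vector>

// Hypothetical stand-ins, not the AOSP source. "Freeing" is modelled by a flag so a
// stale access can be counted without triggering undefined behaviour.
struct Ref { bool freed = false; };
struct Element { int id; Ref* ref; };

class Monitor {
public:
    explicit Monitor(bool clearAfterFree) : mClear(clearAfterFree) {}
    void add(int id) {
        std::lock_guard<std::mutex> g(mHeadMutex);
        mPool.push_back(std::make_unique<Ref>());
        mElements.push_back({id, mPool.back().get()});
    }
    // First lock/unlock pair: deallocate the ref (stands in for DNSServiceRefDeallocate()).
    void deallocate(int id) {
        std::lock_guard<std::mutex> g(mHeadMutex);
        for (auto& e : mElements) {
            if (e.id != id || e.ref == nullptr) continue;
            e.ref->freed = true;
            if (mClear) e.ref = nullptr;  // the fix: nothing dangling survives the unlock
        }
    }
    // Takes the same mutex, so it can be scheduled in the gap between the two pairs.
    // Returns how many already-freed refs it would have dereferenced.
    int rescan() {
        std::lock_guard<std::mutex> g(mHeadMutex);
        int stale = 0;
        for (const auto& e : mElements)
            if (e.ref != nullptr && e.ref->freed) ++stale;  // heap-use-after-free in real code
        return stale;
    }
private:
    bool mClear;
    std::mutex mHeadMutex;
    std::vector<std::unique_ptr<Ref>> mPool;
    std::vector<Element> mElements;
};

// Replays the problematic schedule: deallocate, then rescan before the handler's second pair.
int staleAccesses(bool clearAfterFree) {
    Monitor m(clearAfterFree);
    m.add(1); m.add(2);
    m.deallocate(1);    // first pair released here; element 1 is still in the list
    return m.rescan();  // runs in the window the commit message describes
}
```

Holding the mutex in every function is not enough on its own: the invariant "a non-null ref is live" has to hold at each unlock, which is what nulling the pointer restores.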