Android 9.0.0 release 42
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Clear Element.mRef immediately after deallocating it
DNSServiceRefDeallocate() and pointer dereferencing in request handler
thread are protected by two separate lock/unlock pairs on mHeadMutex.
If rescan() runs between these, it could dereference mRef, causing
a heap-use-after-free bug.
Solution: set mRef to null immediately after freeing it.
1 file changed