diff options
| author | Paul Stewart <pstew@google.com> | 2015-11-18 10:28:32 -0800 |
|---|---|---|
| committer | Paul Stewart <pstew@google.com> | 2015-12-07 18:32:29 +0000 |
| commit | 2ce1c4952d871f2baad0bc69dd8500f830f43db4 (patch) | |
| tree | 1bd8b850077e91597b25dae81ff1545c42edac84 | |
| parent | 3522524bada6acaa0a6cf2f6f94f65541febad61 (diff) | |
| download | hardware_broadcom_wlan-2ce1c4952d871f2baad0bc69dd8500f830f43db4.zip hardware_broadcom_wlan-2ce1c4952d871f2baad0bc69dd8500f830f43db4.tar.gz hardware_broadcom_wlan-2ce1c4952d871f2baad0bc69dd8500f830f43db4.tar.bz2 | |
Fix use-after-free in wifi_cleanup()
Release reference to cmd only after possibly calling getType().
BUG: 25753768
Change-Id: Id2156ce51acec04e8364706cf7eafc7d4adae9eb
(cherry picked from commit d7f3cb9915d9ac514393d0ad7767662958054b8f https://googleplex-android-review.git.corp.google.com/#/c/815223)
| -rw-r--r-- | bcmdhd/wifi_hal/wifi_hal.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/bcmdhd/wifi_hal/wifi_hal.cpp b/bcmdhd/wifi_hal/wifi_hal.cpp index b27bac2..982702a 100644 --- a/bcmdhd/wifi_hal/wifi_hal.cpp +++ b/bcmdhd/wifi_hal/wifi_hal.cpp @@ -310,12 +310,12 @@ void wifi_cleanup(wifi_handle handle, wifi_cleaned_up_handler handler) pthread_mutex_unlock(&info->cb_lock); cmd->cancel(); pthread_mutex_lock(&info->cb_lock); - /* release reference added when command is saved */ - cmd->releaseRef(); if (num_cmd == info->num_cmd) { ALOGE("Cancelling command %p:%s did not work", cmd, cmd->getType()); bad_commands++; } + /* release reference added when command is saved */ + cmd->releaseRef(); } } |