From 3549b0dc2829184f9911d27a6ab0cf39b19764f1 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@android.com>
Date: Thu, 17 Mar 2011 17:14:46 -0700
Subject: Fix potential race introduced in Icd7f5f03

Digit wrote:

"You probably don't want to close the socket here without updating
c->socket as well. Otherwise, another thread holding a handle to the
client after the c->decRef() could end up sending a message to a
different socket, if the file descriptor index is reused by another
client in the meantime."

Change-Id: Icdefb5ffc0c7607325d7db761e1f04e5d868bfb7
---
 libsysutils/src/SocketClient.cpp   | 31 +++++++++++++++++--------------
 libsysutils/src/SocketListener.cpp |  7 +++++--
 2 files changed, 22 insertions(+), 16 deletions(-)

(limited to 'libsysutils')

diff --git a/libsysutils/src/SocketClient.cpp b/libsysutils/src/SocketClient.cpp
index 6d4dff4..90ca52e 100644
--- a/libsysutils/src/SocketClient.cpp
+++ b/libsysutils/src/SocketClient.cpp
@@ -104,20 +104,23 @@ int SocketClient::sendData(const void* data, int len) {
 }
 
 void SocketClient::incRef() {
-  pthread_mutex_lock(&mRefCountMutex);
-  mRefCount++;
-  pthread_mutex_unlock(&mRefCountMutex);
+    pthread_mutex_lock(&mRefCountMutex);
+    mRefCount++;
+    pthread_mutex_unlock(&mRefCountMutex);
 }
 
-void SocketClient::decRef() {
-  bool deleteSelf = false;
-  pthread_mutex_lock(&mRefCountMutex);
-  mRefCount--;
-  if (mRefCount == 0) {
-      deleteSelf = true;
-  }
-  pthread_mutex_unlock(&mRefCountMutex);
-  if (deleteSelf) {
-      delete this;
-  }
+bool SocketClient::decRef() {
+    bool deleteSelf = false;
+    pthread_mutex_lock(&mRefCountMutex);
+    mRefCount--;
+    if (mRefCount == 0) {
+        deleteSelf = true;
+    } else if (mRefCount < 0) {
+        SLOGE("SocketClient refcount went negative!");
+    }
+    pthread_mutex_unlock(&mRefCountMutex);
+    if (deleteSelf) {
+        delete this;
+    }
+    return deleteSelf;
 }
diff --git a/libsysutils/src/SocketListener.cpp b/libsysutils/src/SocketListener.cpp
index dde9b55..69ed79e 100644
--- a/libsysutils/src/SocketListener.cpp
+++ b/libsysutils/src/SocketListener.cpp
@@ -225,8 +225,11 @@ void SocketListener::runListener() {
                 }
                 pthread_mutex_unlock(&mClientsLock);
                 /* Destroy the client */
-                close(c->getSocket());
-                c->decRef();
+                int socket = c->getSocket();
+                if (c->decRef()) {
+                    // Note: 'c' is deleted memory at this point.
+                    close(socket);
+                }
             }
         }
     }
-- 
cgit v1.1