authorPurushottam Kushwaha <pkushwah@codeaurora.org>2021-01-29 16:08:36 +0530
committerPurushottam Kushwaha <pkushwah@codeaurora.org>2021-02-11 07:00:18 +0000
commitddffe981e88146adf777ce64c1c2dac2e1dad05e (patch)
tree0ec729893ab001e1105eb3469da3a4ca92148c78
parentf9e66c7cbc3ebef30cc29b8c29eca36ed4bb75a1 (diff)
eap_proxy: Cancel eloop registration during eap_proxy_deinit
QMI callbacks are scheduled from QMI threads onto the supplicant eloop via eloop_register_timeout. During deinit, the callback data is freed. If a scheduled callback is invoked after deinit, this results in a heap use-after-free. This commit cancels the registered callback during deinit to avoid the use-after-free. Change-Id: Ie734fbf7708e1c830fa88fe0694ba4fade48f386 CRs-Fixed: 2859124 (cherry picked from commit bde2d8f35a5ac5d268d11fd7cd2dbe6058c2c8c5)
-rw-r--r--src/eap_peer/eap_proxy_qmi.c21
-rw-r--r--src/eap_peer/eap_proxy_qmi.h1
2 files changed, 14 insertions, 8 deletions
diff --git a/src/eap_peer/eap_proxy_qmi.c b/src/eap_peer/eap_proxy_qmi.c
index bbcca92..a7aac15 100644
--- a/src/eap_peer/eap_proxy_qmi.c
+++ b/src/eap_peer/eap_proxy_qmi.c
@@ -207,8 +207,8 @@ static int validate_qmi_cb_data(struct qmi_cb_data *cb_data) {
static struct qmi_cb_data* eap_proxy_prepare_qmi_cb_data(
qmi_client_type user_handle, unsigned int msg_id,
- void *ind_buf_ptr, unsigned int ind_buf_len,
- void *ind_cb_data) {
+ void *ind_buf_ptr, unsigned int ind_buf_len, void *ind_cb_data,
+ eloop_timeout_handler handler) {
struct qmi_cb_data *cb_data;
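Review bot: The new `handler` parameter is undocumented, and its contract matters: eap_proxy_clear_callbacks now cancels the pending timeout through `cb_data->handler`, so the value passed here must be exactly the function later handed to `eloop_register_timeout` for this cb_data. A short comment above the prototype, such as `/* handler: eloop timeout callback that will be registered for this cb_data; stored so eap_proxy_clear_callbacks() can cancel it at deinit */`, records that. The function body continues past the hunk.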
@@ -232,6 +232,7 @@ static struct qmi_cb_data* eap_proxy_prepare_qmi_cb_data(
cb_data->msg_id = msg_id;
cb_data->buflen = ind_buf_len;
cb_data->userdata = ind_cb_data;
+ cb_data->handler = handler;
return cb_data;
}
@@ -335,14 +336,15 @@ static void wpa_qmi_client_indication_cb
pthread_mutex_lock(&eloop_lock); // Lock
wpa_printf(MSG_ERROR, "eap_proxy: %s eap_proxy=%p", __func__, eap_proxy);
cb_data = eap_proxy_prepare_qmi_cb_data(user_handle, msg_id, ind_buf_ptr,
- ind_buf_len, ind_cb_data);
+ ind_buf_len, ind_cb_data,
+ __wpa_qmi_client_indication_cb);
if (cb_data == NULL) {
pthread_mutex_unlock(&eloop_lock); // Unlock
return;
}
dl_list_add(&eap_proxy->callback, &cb_data->list);
- eloop_register_timeout(0, 0, __wpa_qmi_client_indication_cb, cb_data, NULL);
+ eloop_register_timeout(0, 0, cb_data->handler, cb_data, NULL);
pthread_mutex_unlock(&eloop_lock); // Unlock
}
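Review bot: The return value of `eloop_register_timeout(0, 0, cb_data->handler, cb_data, NULL)` is still ignored, so if registration fails (it returns a negative value on failure) the cb_data stays on `eap_proxy->callback` with no timeout pending and the indication is silently dropped. The same applies to the register calls in the eap_proxy_notifier_cb hunk and in the last handle_qmi_eap_ind hunk. A failure path such as `if (eloop_register_timeout(0, 0, cb_data->handler, cb_data, NULL) < 0) { dl_list_del(&cb_data->list); eap_proxy_clear_qmi_cb_data(cb_data); }` together with a wpa_printf at MSG_ERROR would make the drop visible; whether eap_proxy_clear_qmi_cb_data already unlinks the entry is not visible here, so confirm before adding the dl_list_del. wpa_qmi_client_indication_cb starts outside the hunk.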
@@ -843,7 +845,8 @@ void eap_proxy_notifier_cb
wpa_printf(MSG_DEBUG, "eap_proxy: %s Handle QMI_CLIENT_SERVICE_COUNT_INC event",
__func__);
pthread_mutex_lock(&eloop_lock); // Lock
- cb_data = eap_proxy_prepare_qmi_cb_data(user_handle, 0, notify_cb_data, 0, NULL);
+ cb_data = eap_proxy_prepare_qmi_cb_data(user_handle, 0, notify_cb_data, 0, NULL,
+ __eap_proxy_notifier_cb);
if (cb_data == NULL) {
wpa_printf(MSG_ERROR, "eap_proxy: failed to allocate memory");
@@ -852,7 +855,7 @@ void eap_proxy_notifier_cb
}
dl_list_add(&eap_proxy->callback, &cb_data->list);
- eloop_register_timeout(0, 0, __eap_proxy_notifier_cb, cb_data, NULL);
+ eloop_register_timeout(0, 0, cb_data->handler, cb_data, NULL);
pthread_mutex_unlock(&eloop_lock); // Unlock
break;
@@ -1274,6 +1277,7 @@ static void eap_proxy_clear_callbacks(struct eap_proxy_sm *eap_proxy)
struct qmi_cb_data *tmp, *prev;
dl_list_for_each_safe(tmp, prev, &eap_proxy->callback,
struct qmi_cb_data, list) {
+ eloop_cancel_timeout(tmp->handler, tmp, NULL);
eap_proxy_clear_qmi_cb_data(tmp);
}
}
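Review bot: `eloop_cancel_timeout(tmp->handler, tmp, NULL)` walks eloop's timeout list, which is not thread-safe, while every producer in this commit registers its timeout under `eloop_lock`; the start of eap_proxy_clear_callbacks is outside the hunk, so it is not visible whether this loop runs with `eloop_lock` held or on the eloop thread. If it does not, a QMI thread can register a timeout for an entry after it has been cancelled but before it is freed, which reintroduces the use-after-free this commit is meant to close. A comment stating the requirement, e.g. `/* Caller must hold eloop_lock: cancels the pending eloop timeout before the cb_data is freed */`, plus a lock acquisition or assertion at the function entry would pin it down. Cancellation also only covers timeouts still pending; a handler that has already run and freed its cb_data must have removed it from eap_proxy->callback, otherwise this loop frees it a second time — that contract is not visible here.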
@@ -1387,7 +1391,8 @@ static void handle_qmi_eap_ind(qmi_client_type user_handle,
wpa_printf(MSG_ERROR, "eap_proxy: %s eap_proxy=%p", __func__, eap_proxy);
cb_data = eap_proxy_prepare_qmi_cb_data(user_handle, msg_id, ind_buf,
- ind_buf_len, ind_cb_data);
+ ind_buf_len, ind_cb_data,
+ __handle_qmi_eap_ind);
if (cb_data == NULL) {
pthread_mutex_unlock(&eloop_lock); // Unlock
return;
@@ -1399,7 +1404,7 @@ static void handle_qmi_eap_ind(qmi_client_type user_handle,
if (eap_proxy != NULL && eap_proxy->qmi_state == QMI_STATE_RESP_PENDING)
__handle_qmi_eap_ind(cb_data, NULL);
else
- eloop_register_timeout(0, 0, __handle_qmi_eap_ind, cb_data, NULL);
+ eloop_register_timeout(0, 0, cb_data->handler, cb_data, NULL);
pthread_mutex_unlock(&eloop_lock); // Unlock
}
diff --git a/src/eap_peer/eap_proxy_qmi.h b/src/eap_peer/eap_proxy_qmi.h
index 2a4a50a..b4a7eff 100644
--- a/src/eap_peer/eap_proxy_qmi.h
+++ b/src/eap_peer/eap_proxy_qmi.h
@@ -112,6 +112,7 @@ struct qmi_cb_data {
void *buf;
unsigned int buflen;
void *userdata;
+ eloop_timeout_handler handler;
/* additional data for eap_reply */
qmi_client_error_type err_code;