Fix use-after-free in wifi_cleanup()
Paul Stewart [Wed, 18 Nov 2015 18:28:32 +0000 (10:28 -0800)]
Release reference to cmd only after possibly calling getType().

BUG: 25753768
Change-Id: Id2156ce51acec04e8364706cf7eafc7d4adae9eb

bcmdhd/wifi_hal/wifi_hal.cpp

index 28f5565..fdb7d7b 100644 (file)
@@ -335,12 +335,12 @@ void wifi_cleanup(wifi_handle handle, wifi_cleaned_up_handler handler)
             pthread_mutex_unlock(&info->cb_lock);
             cmd->cancel();
             pthread_mutex_lock(&info->cb_lock);
-            /* release reference added when command is saved */
-            cmd->releaseRef();
             if (num_cmd == info->num_cmd) {
                 ALOGI("Cancelling command %p:%s did not work", cmd, (cmd ? cmd->getType(): ""));
                 bad_commands++;
             }
+            /* release reference added when command is saved */
+            cmd->releaseRef();
         }
     }
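Review bot: The comment on the relocated `cmd->releaseRef()` explains why the reference exists but not why the call has to come last, so the ordering this commit fixes could be undone by a later reshuffle. Judging by the commit title, releaseRef() can destroy the object, so a comment such as `/* release reference added when command is saved; this may free cmd, so it must be the last use of cmd */` would make that constraint explicit. In the ALOGI line the `cmd ? cmd->getType() : ""` guard cannot take its else branch, because `cmd->cancel()` has already dereferenced cmd a few lines above; plain `cmd->getType()` avoids suggesting that cmd may be null there. wifi_cleanup's body starts and ends outside the hunk, so it is not visible from here whether anything after the loop still touches the released commands.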