From 238e801392502884d1546e6e218df9ac6e7550cd Mon Sep 17 00:00:00 2001 From: Pradip De Date: Wed, 18 Dec 2024 13:08:02 -0800 Subject: [PATCH] Fix for Bug #36732 (#36879) Set the app_state callback object in the Connection state to null when the CASE session object is being cleared, on top of setting the inner callback methods to null. This prevents the callback object from being accessed later, when the connection is getting closed(after the CASE session has been set up and the session object no longer exists). --- src/protocols/secure_channel/CASESession.cpp | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp index 007a58659f45cd..a012d12fcc56b4 100644 --- a/src/protocols/secure_channel/CASESession.cpp +++ b/src/protocols/secure_channel/CASESession.cpp @@ -428,12 +428,20 @@ void CASESession::Clear() mTCPConnCbCtxt.connClosedCb = nullptr; mTCPConnCbCtxt.connReceivedCb = nullptr; - if (mPeerConnState && mPeerConnState->mConnectionState != Transport::TCPState::kConnected) + if (mPeerConnState) { - // Abort the connection if the CASESession is being destroyed and the - // connection is in the middle of being set up. - mSessionManager->TCPDisconnect(mPeerConnState, /* shouldAbort = */ true); - mPeerConnState = nullptr; + // Set the app state callback object in the Connection state to null + // to prevent any dangling pointer to memory(mTCPConnCbCtxt) owned + // by the CASESession object, that is now getting cleared. + mPeerConnState->mAppState = nullptr; + + if (mPeerConnState->mConnectionState != Transport::TCPState::kConnected) + { + // Abort the connection if the CASESession is being destroyed and the + // connection is in the middle of being set up. + mSessionManager->TCPDisconnect(mPeerConnState, /* shouldAbort = */ true); + mPeerConnState = nullptr; + } } #endif // INET_CONFIG_ENABLE_TCP_ENDPOINT }