From 50f22a221fe3b4a34048d328abad482e6ce9cd2d Mon Sep 17 00:00:00 2001
From: Michael Sandstedt
Date: Wed, 29 Dec 2021 18:46:12 -0600
Subject: [PATCH] Fix ResolverProxy use-after-free in HandleNodeBrowse

HandleNodeBrowse decrements the ResolverProxy reference count, which will cause the object to be destructed if the counter reaches 0, and then increments the counter and uses the object, which can be a use-after-free. his commit fixes the problem by ordering Release to occur after Retain.

Fixes #13227
---
 src/lib/dnssd/Discovery_ImplPlatform.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/dnssd/Discovery_ImplPlatform.cpp b/src/lib/dnssd/Discovery_ImplPlatform.cpp
index 8822774648407c..ca32481b5ca8b9 100644
--- a/src/lib/dnssd/Discovery_ImplPlatform.cpp
+++ b/src/lib/dnssd/Discovery_ImplPlatform.cpp
@@ -129,7 +129,6 @@ static void HandleNodeIdResolve(void * context, DnssdService * result, CHIP_ERRO
 static void HandleNodeBrowse(void * context, DnssdService * services, size_t servicesSize, CHIP_ERROR error)
 {
 ResolverDelegateProxy * proxy = static_cast(context);
- proxy->Release();
 
 for (size_t i = 0; i < servicesSize; ++i)
 {
@@ -144,6 +143,7 @@ static void HandleNodeBrowse(void * context, DnssdService * services, size_t ser
 HandleNodeResolve(context, &services[i], error);
 }
 }
+ proxy->Release();
 }
 
 CHIP_ERROR AddPtrRecord(DiscoveryFilter filter, const char ** entries, size_t & entriesCount, char * buffer, size_t bufferLen)
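Review bot: The moved `proxy->Release();` in the second hunk is only reached if no path inside the loop leaves HandleNodeBrowse early; the loop body between the two hunks (lines 135-143 of the file) is not visible here, so if it contains an early `return` on error the reference taken for this callback is never dropped and the proxy leaks, which would be the mirror image of the bug being fixed. It is worth checking that body, or binding the release to scope so it cannot be skipped. The ordering is also a correctness invariant that a later cleanup could easily undo, so the new line deserves a why-comment, e.g. `// Release last: HandleNodeResolve() uses (and, per the commit message, Retains) the proxy, so an earlier Release could drop the final reference before it is used.` HandleNodeBrowse starts in the first hunk and ends in the second, with its loop body falling between them.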