Fix for Bug project-chip#36732
Set the app_state callback object in the Connection state to null
when the CASE session object is being cleared, on top of setting the
inner callback methods to null.
This prevents the callback object from being accessed later, when the
connection is getting closed (after the CASE session has been set up and
the session object no longer exists).
pidarped committed Dec 18, 2024
1 parent 2c6c421 commit 2625aed
Showing 1 changed file with 13 additions and 5 deletions.
18 changes: 13 additions & 5 deletions src/protocols/secure_channel/CASESession.cpp
Expand Up @@ -428,12 +428,20 @@ void CASESession::Clear()
mTCPConnCbCtxt.connClosedCb = nullptr;
mTCPConnCbCtxt.connReceivedCb = nullptr;

if (mPeerConnState && mPeerConnState->mConnectionState != Transport::TCPState::kConnected)
if (mPeerConnState)
{
// Abort the connection if the CASESession is being destroyed and the
// connection is in the middle of being set up.
mSessionManager->TCPDisconnect(mPeerConnState, /* shouldAbort = */ true);
mPeerConnState = nullptr;
// Set the app state callback object in the Connection state to null
// to prevent any dangling pointer to memory(mTCPConnCbCtxt) owned
// by the CASESession object, that is now getting cleared.
mPeerConnState->mAppState = nullptr;

if (mPeerConnState->mConnectionState != Transport::TCPState::kConnected)
{
// Abort the connection if the CASESession is being destroyed and the
// connection is in the middle of being set up.
mSessionManager->TCPDisconnect(mPeerConnState, /* shouldAbort = */ true);
mPeerConnState = nullptr;
}
}
#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
}
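Review bot: in the kConnected path of Clear(), mPeerConnState is still left non-null, because `mPeerConnState = nullptr;` sits only inside the inner `!= Transport::TCPState::kConnected` branch. The cleared CASESession therefore keeps a raw reference to the connection state. A later Clear() on the same object would write `mPeerConnState->mAppState = nullptr` again, by which time the connection may have been closed or its mAppState handed to another owner. Consider moving the reset out of the inner if so the pointer is dropped on both paths. Also consider clearing mAppState only when it still refers to this session's mTCPConnCbCtxt, since the new comment names that as the memory being protected. A unit test that clears the session after the connection reaches kConnected and then closes the connection would pin down the case described in the commit message.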