Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a3352b29 authored by Hemant Gupta's avatar Hemant Gupta
Browse files

HID: Free timer after removing device 

Timer conn.process_repage_timer is being freed in HID_HostDeregister
which causes use after free condition in HID_HostRemoveDev->
HID_HostCloseDev.

Fix:
Call alarm_free after HID_HostRemoveDev in HID_HostDeregister

Test:
Code analysis

Bug: 116774368
Change-Id: Iddecd126716a5660f4c37ddc917bacee84342297
parent cff87bfd

system/stack/hid/hidh_api.cc

+1 −1
Original line number Diff line number Diff line
@@ -295,8 +295,8 @@ tHID_STATUS HID_HostDeregister(void) { 
  if (!hh_cb.reg_flag) return (HID_ERR_NOT_REGISTERED);



  for (i = 0; i < HID_HOST_MAX_DEVICES; i++) {

    alarm_free(hh_cb.devices[i].conn.process_repage_timer);

    HID_HostRemoveDev(i);

    alarm_free(hh_cb.devices[i].conn.process_repage_timer);

  }



  hidh_conn_dereg();