| author | Ken Chen <cken@google.com> | 2023-06-15 17:46:16 +0800 |
|---|---|---|
| committer | Ken Chen <cken@google.com> | 2023-08-09 14:26:00 +0000 |
| commit | 452f032db3d9def1ff496ee51f0dc09aa1b1b3ac (patch) | |
| tree | 91d22f592605568838294ec10a912fbb0c606087 /ResolverController.cpp | |
| parent | 5ceece505e79e12ff8721e5854a774e9c90ee481 (diff) | |
Fix use-after-free in DNS64 discovery thread
The DNS64 discovery thread is detached from the binder requesting thread, but
it references resources that do not belong to it and that can be destroyed
during dnsresolver destruction.
Hold a strong pointer to Dns64Configuration in the DNS64 discovery thread
so that the Dns64Configuration instance is kept alive until the DNS64
thread is force terminated.
Ignore-AOSP-First: Fix security vulnerability
Bug: 278303745
Test: atest
Merged-In: Id74ea4e6f54a00805d3cc8a9d7e15e58a473b7d3
Change-Id: Id74ea4e6f54a00805d3cc8a9d7e15e58a473b7d3
(cherry picked from commit 254115584ff558fb87ee6ec5f5bb043f76219910)
Diffstat (limited to 'ResolverController.cpp')
| -rw-r--r-- | ResolverController.cpp | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/ResolverController.cpp b/ResolverController.cpp index 7fe01d48..66361143 100644 --- a/ResolverController.cpp +++ b/ResolverController.cpp @@ -155,11 +155,11 @@ int getDnsInfo(unsigned netId, std::vector<std::string>* servers, std::vector<st } // namespace ResolverController::ResolverController() - : mDns64Configuration( + : mDns64Configuration(android::sp<Dns64Configuration>::make( [](uint32_t netId, uint32_t uid, android_net_context* netcontext) { gResNetdCallbacks.get_network_context(netId, uid, netcontext); }, - std::bind(sendNat64PrefixEvent, std::placeholders::_1)) {} + std::bind(sendNat64PrefixEvent, std::placeholders::_1))) {} void ResolverController::destroyNetworkCache(unsigned netId) { LOG(VERBOSE) << __func__ << ": netId = " << netId; @@ -173,7 +173,7 @@ void ResolverController::destroyNetworkCache(unsigned netId) { event.network_type(), event.private_dns_modes(), bytesField); resolv_delete_cache_for_net(netId); - mDns64Configuration.stopPrefixDiscovery(netId); + mDns64Configuration->stopPrefixDiscovery(netId); privateDnsConfiguration.clear(netId); // Don't get this instance in PrivateDnsConfiguration. It's probe to deadlock. @@ -276,16 +276,16 @@ int ResolverController::getResolverInfo(int32_t netId, std::vector<std::string>* } void ResolverController::startPrefix64Discovery(int32_t netId) { - mDns64Configuration.startPrefixDiscovery(netId); + mDns64Configuration->startPrefixDiscovery(netId); } void ResolverController::stopPrefix64Discovery(int32_t netId) { - return mDns64Configuration.stopPrefixDiscovery(netId); + return mDns64Configuration->stopPrefixDiscovery(netId); } // TODO: use StatusOr<T> to wrap the result. int ResolverController::getPrefix64(unsigned netId, netdutils::IPPrefix* prefix) { - netdutils::IPPrefix p = mDns64Configuration.getPrefix64(netId); + netdutils::IPPrefix p = mDns64Configuration->getPrefix64(netId); if (p.family() != AF_INET6 || p.length() == 0) { return -ENOENT; } 
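Review bot: The two callbacks passed to `android::sp<Dns64Configuration>::make(...)` in the constructor now belong to an object that the detached discovery thread can keep alive after ResolverController is destroyed, and nothing at the call site records that they must not reach back into the controller. As written they look safe (a capture-less lambda that uses the global `gResNetdCallbacks`, and a `std::bind` of `sendNat64PrefixEvent`, which appears to be a free function), so a comment above the initializer such as `// Dns64Configuration may outlive this controller (the discovery thread holds a strong ref): callbacks must not capture this.` would keep a later edit from reintroducing the use-after-free. The `->` call sites in destroyNetworkCache, startPrefix64Discovery, stopPrefix64Discovery, getPrefix64 and dump all assume the pointer is never null or reseated; declaring the member `const android::sp<Dns64Configuration>` in the header, which is not shown on this page, would make that hold by construction. The thread-side change that actually takes the strong reference is also outside this file view, so it cannot be checked from these hunks.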
@@ -352,7 +352,7 @@ void ResolverController::dump(DumpWriter& dw, unsigned netId) { params.max_samples, params.base_timeout_msec, params.retry_count); } - mDns64Configuration.dump(dw, netId); + mDns64Configuration->dump(dw, netId); const auto privateDnsStatus = PrivateDnsConfiguration::getInstance().getStatus(netId); dw.println("Private DNS mode: %s", getPrivateDnsModeString(privateDnsStatus.mode)); if (privateDnsStatus.dotServersMap.size() == 0) { |
