Yeshwanth Sriram Guntuka 90e1136afb qcacmn: Decrement peer ref cnt after dp_rx_deliver_to_stack ...

Ths issue scenario is that valid peer is fetched from
peer_id in dp_rx_process and peer ref count is released
prior to invoking dp_rx_deliver_to_stack. In parallel,
the peer is freed in a different context. This results in
use after free within dp_rx_check_delivery_to_stack since
stale peer is dereferenced to update stats.

Fix is to decrement peer ref cnt after dp_rx_deliver_to_stack

Change-Id: I145247f7795f926faba66c05927fdae0599f0cad
CRs-Fixed: 2720396

2020-07-02 08:48:21 -07:00

82 KiB

Raw Blame History

View Raw