From 518c012fd2c3dfa356abf3fad23d46d3a8e102d3 Mon Sep 17 00:00:00 2001 From: yunhanw-google Date: Tue, 28 Jan 2025 09:48:29 -0800 Subject: [PATCH] CP [IM]Fix leaked readClient in onFabricRemoved call (#37265) --- src/app/InteractionModelEngine.cpp | 10 +++++++++- src/app/InteractionModelEngine.h | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/app/InteractionModelEngine.cpp b/src/app/InteractionModelEngine.cpp index 74c7aeda76a1a0..3a414c0b73fcb1 100644 --- a/src/app/InteractionModelEngine.cpp +++ b/src/app/InteractionModelEngine.cpp @@ -1864,12 +1864,20 @@ void InteractionModelEngine::OnFabricRemoved(const FabricTable & fabricTable, Fa }); #if CHIP_CONFIG_ENABLE_READ_CLIENT - for (auto * readClient = mpActiveReadClientList; readClient != nullptr; readClient = readClient->GetNextClient()) + for (auto * readClient = mpActiveReadClientList; readClient != nullptr;) { + // ReadClient::Close may delete the read client so that readClient->GetNextClient() will be use-after-free. + // We need save readClient as nextReadClient before closing. if (readClient->GetFabricIndex() == fabricIndex) { ChipLogProgress(InteractionModel, "Fabric removed, deleting obsolete read client with FabricIndex: %u", fabricIndex); + auto * nextReadClient = readClient->GetNextClient(); readClient->Close(CHIP_ERROR_IM_FABRIC_DELETED, false); + readClient = nextReadClient; + } + else + { + readClient = readClient->GetNextClient(); } } #endif // CHIP_CONFIG_ENABLE_READ_CLIENT diff --git a/src/app/InteractionModelEngine.h b/src/app/InteractionModelEngine.h index 0e021a0b812074..32404cb6bef565 100644 --- a/src/app/InteractionModelEngine.h +++ b/src/app/InteractionModelEngine.h @@ -664,7 +664,7 @@ class InteractionModelEngine : public Messaging::UnsolicitedMessageHandler, bool mSubscriptionResumptionScheduled = false; #endif - FabricTable * mpFabricTable; + FabricTable * mpFabricTable = nullptr; CASESessionManager * mpCASESessionMgr = nullptr;