diff options
| author | Yabin Cui <yabinc@google.com> | 2015-08-27 12:03:11 -0700 |
|---|---|---|
| committer | Yabin Cui <yabinc@google.com> | 2015-08-27 14:41:07 -0700 |
| commit | f4b9928563e97620fc1d9bd5c2efdaa0ded96488 (patch) | |
| tree | f7b1ef261eb99710874c572871c9dd7faef67dae /base/errors_unix.cpp | |
| parent | f3068123039e81cee85ce9103d01b5b2aceb2ba3 (diff) | |
adb: disconnect: fix write-after-free memory corruption and crash.
Transport atransport objects are semi-reference counted: the input and
output threads each hold a reference. The adb disconnect command was
calling transport_unref to release a reference that it never had in the
first place. This meant that the refcount dropped to zero and the object
was deleted before either the input or output thread released its
reference. When that last thread released its reference, it wrote to
freed memory and also sometimes crashed.
This fix is to not release any unheld reference, instead it just kicks
the transport to break remote_read in output_thread. So all transport
close flow goes the following way:
output_thread (exit) -> main thread (offline the transport) ->
input thread (exit) -> main thread (destroy the transport)
Change-Id: Iad1fe718acc8716f3a79c8c22b426a1b2450452c
Diffstat (limited to 'base/errors_unix.cpp')
0 files changed, 0 insertions, 0 deletions