Fix use-after-free of interface name during network destruction. bug:15560990 Change-Id: I899827c4f50847a3a60b6359f829bee5d6eb4f00

commit: 6ff16785ae1f67f44a73ad00d6c86690af6772d2 [log] [tgz]
author: Paul Jensen <pauljensen@google.com> Wed Jun 11 10:58:16 2014 -0400
committer: Paul Jensen <pauljensen@google.com> Wed Jun 11 11:21:34 2014 -0400
tree: 10a8aa7b6d6bfe3c7b8bfc44c64f2c012c3e251d
parent: 3fea54b4de8b09f299fe8f2b184997f560986738 [diff] [blame]
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 4e21114..a32dd67 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp

@@ -36,6 +36,10 @@
 #include "RouteController.h"
 
 #define LOG_TAG "NetworkController"
+
+#include <sys/socket.h>
+#include <linux/if.h>
+
 #include "cutils/log.h"
 #include "resolv_netid.h"
 
@@ -273,9 +277,11 @@
 
     InterfaceRange range = mNetIdToInterfaces.equal_range(netId);
     for (InterfaceIteratorConst iter = range.first; iter != range.second; ) {
-        InterfaceIteratorConst toErase = iter;
+        char interface[IFNAMSIZ];
+        strncpy(interface, iter->second.c_str(), sizeof(interface));
+        interface[sizeof(interface) - 1] = 0;
         ++iter;
-        if (!removeInterfaceFromNetwork(netId, toErase->second.c_str())) {
+        if (!removeInterfaceFromNetwork(netId, interface)) {
             status = false;
         }
     }
commit	6ff16785ae1f67f44a73ad00d6c86690af6772d2	[log] [tgz]
author	Paul Jensen <pauljensen@google.com>	Wed Jun 11 10:58:16 2014 -0400
committer	Paul Jensen <pauljensen@google.com>	Wed Jun 11 11:21:34 2014 -0400
tree	10a8aa7b6d6bfe3c7b8bfc44c64f2c012c3e251d
parent	3fea54b4de8b09f299fe8f2b184997f560986738 [diff] [blame]