From 4f83ede6ba3f4fb4fa349770c52cc9ce57d0a42e Mon Sep 17 00:00:00 2001 From: Seonah Moon Date: Wed, 16 Sep 2020 10:29:33 +0900 Subject: [PATCH] Fix heap-use-after-free In case of below scenario, da_info is freed immediately after cancel request. [client request thread] [http thread] 1. download start 2. network doesn't work temporary 3. wait for auto retry (pthread_cond_timedwait(cond_http)) 4. request cancel 5. pthread_cond_signal(cond_http) 6. free da_info 7. access to da_info for debugging message (fault) Change-Id: I3bf0002e643af77dac17f69c543d29570c1f3cde --- agent/download-agent-dl-mgr.c | 2 +- packaging/download-provider.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/agent/download-agent-dl-mgr.c b/agent/download-agent-dl-mgr.c index 0bce375..14d1d03 100755 --- a/agent/download-agent-dl-mgr.c +++ b/agent/download-agent-dl-mgr.c @@ -111,7 +111,7 @@ da_ret_t cancel_download(int dl_id, da_bool_t is_enable_cb) ret = request_to_cancel_http_download(da_info); if (ret != DA_RESULT_OK) goto ERR; - DA_LOGI("Download cancel Successful for download id[%d]", da_info->da_id); + DA_LOGI("Download cancel Successful for download id[%d]", dl_id); ERR: return ret; diff --git a/packaging/download-provider.spec b/packaging/download-provider.spec index 6bae5f4..d4daee4 100755 --- a/packaging/download-provider.spec +++ b/packaging/download-provider.spec @@ -1,6 +1,6 @@ Name: download-provider Summary: Download the contents in background -Version: 2.2.1 +Version: 2.2.2 Release: 0 Group: Development/Libraries License: Apache-2.0 -- 2.7.4