Fix segfault caused by accessing released device object (#16168)

arkq · pull[bot] · commit 25217842574e · 2024-01-05T20:40:43.000Z
* Fix segfault caused by accessing released device object

Local reference to the device being commissioned has to be cleared when
the device object is released. Otherwise, we will have a local pointer
to freed memory.

* Send operational certificate to given device

Given device proxy object might not necessarily be a device currently
being commissioned.
diff --git a/src/controller/CHIPDeviceController.cpp b/src/controller/CHIPDeviceController.cpp
@@ -745,6 +745,11 @@ CommissioneeDeviceProxy * DeviceCommissioner::FindCommissioneeDevice(NodeId id)
 void DeviceCommissioner::ReleaseCommissioneeDevice(CommissioneeDeviceProxy * device)
 {
     mCommissioneeDevicePool.ReleaseObject(device);
+    // Make sure that there will be no dangling pointer
+    if (mDeviceBeingCommissioned == device)
+    {
+        mDeviceBeingCommissioned = nullptr;
+    }
 }
 
 CHIP_ERROR DeviceCommissioner::GetDeviceBeingCommissioned(NodeId deviceId, CommissioneeDeviceProxy ** out_device)
@@ -887,7 +892,6 @@ CHIP_ERROR DeviceCommissioner::EstablishPASEConnection(NodeId remoteDeviceId, Re
         if (device != nullptr)
         {
             ReleaseCommissioneeDevice(device);
-            mDeviceBeingCommissioned = nullptr;
         }
     }
 
@@ -972,7 +976,6 @@ void DeviceCommissioner::RendezvousCleanup(CHIP_ERROR status)
         // for IP commissioning, we have taken a reference to the
         // operational node to send the completion command.
         ReleaseCommissioneeDevice(mDeviceBeingCommissioned);
-        mDeviceBeingCommissioned = nullptr;
     }
 
     if (mPairingDelegate != nullptr)
@@ -1243,8 +1246,8 @@ CHIP_ERROR DeviceCommissioner::SendOperationalCertificate(DeviceProxy * device,
     request.caseAdminNode = adminSubject;
     request.adminVendorId = mVendorId;
 
-    ReturnErrorOnFailure(SendCommand<OperationalCredentialsCluster>(mDeviceBeingCommissioned, request,
-                                                                    OnOperationalCertificateAddResponse, OnAddNOCFailureResponse));
+    ReturnErrorOnFailure(
+        SendCommand<OperationalCredentialsCluster>(device, request, OnOperationalCertificateAddResponse, OnAddNOCFailureResponse));
 
     ChipLogProgress(Controller, "Sent operational certificate to the device");
 
@@ -1466,7 +1469,7 @@ void DeviceCommissioner::CommissioningStageComplete(CHIP_ERROR err, Commissionin
     {
         // Commissioning delegate will only return error if it failed to perform the appropriate commissioning step.
         // In this case, we should call back the commissioning complete and call session error
-        if (mPairingDelegate != nullptr)
+        if (mPairingDelegate != nullptr && mDeviceBeingCommissioned != nullptr)
         {
             mPairingDelegate->OnCommissioningComplete(mDeviceBeingCommissioned->GetDeviceId(), status);
         }
@@ -1487,7 +1490,6 @@ void DeviceCommissioner::OnDeviceConnectedFn(void * context, OperationalDevicePr
             // Let's release the device that's being paired, if pairing was successful,
             // and the device is available on the operational network.
             commissioner->ReleaseCommissioneeDevice(commissioner->mDeviceBeingCommissioned);
-            commissioner->mDeviceBeingCommissioned = nullptr;
             if (commissioner->mCommissioningDelegate != nullptr)
             {
                 CommissioningDelegate::CommissioningReport report;
@@ -1544,7 +1546,6 @@ void DeviceCommissioner::OnDeviceConnectionFailureFn(void * context, PeerId peer
         //
         // Run the above cases under valgrind/asan to validate no additional leaks.
         commissioner->ReleaseCommissioneeDevice(commissioner->mDeviceBeingCommissioned);
-        commissioner->mDeviceBeingCommissioned = nullptr;
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -745,6 +745,11 @@ CommissioneeDeviceProxy * DeviceCommissioner::FindCommissioneeDevice(NodeId id)`
`745`	`745`	`void DeviceCommissioner::ReleaseCommissioneeDevice(CommissioneeDeviceProxy * device)`
`746`	`746`	`{`
`747`	`747`	`mCommissioneeDevicePool.ReleaseObject(device);`
	`748`	`+ // Make sure that there will be no dangling pointer`
	`749`	`+ if (mDeviceBeingCommissioned == device)`
	`750`	`+ {`
	`751`	`+ mDeviceBeingCommissioned = nullptr;`
	`752`	`+ }`
`748`	`753`	`}`
`749`	`754`
`750`	`755`	`CHIP_ERROR DeviceCommissioner::GetDeviceBeingCommissioned(NodeId deviceId, CommissioneeDeviceProxy ** out_device)`
`@@ -887,7 +892,6 @@ CHIP_ERROR DeviceCommissioner::EstablishPASEConnection(NodeId remoteDeviceId, Re`
`887`	`892`	`if (device != nullptr)`
`888`	`893`	`{`
`889`	`894`	`ReleaseCommissioneeDevice(device);`
`890`		`- mDeviceBeingCommissioned = nullptr;`
`891`	`895`	`}`
`892`	`896`	`}`
`893`	`897`
`@@ -972,7 +976,6 @@ void DeviceCommissioner::RendezvousCleanup(CHIP_ERROR status)`
`972`	`976`	`// for IP commissioning, we have taken a reference to the`
`973`	`977`	`// operational node to send the completion command.`
`974`	`978`	`ReleaseCommissioneeDevice(mDeviceBeingCommissioned);`
`975`		`- mDeviceBeingCommissioned = nullptr;`
`976`	`979`	`}`
`977`	`980`
`978`	`981`	`if (mPairingDelegate != nullptr)`
`@@ -1243,8 +1246,8 @@ CHIP_ERROR DeviceCommissioner::SendOperationalCertificate(DeviceProxy * device,`
`1243`	`1246`	`request.caseAdminNode = adminSubject;`
`1244`	`1247`	`request.adminVendorId = mVendorId;`
`1245`	`1248`
`1246`		`- ReturnErrorOnFailure(SendCommand<OperationalCredentialsCluster>(mDeviceBeingCommissioned, request,`
`1247`		`- OnOperationalCertificateAddResponse, OnAddNOCFailureResponse));`
	`1249`	`+ ReturnErrorOnFailure(`
	`1250`	`+ SendCommand<OperationalCredentialsCluster>(device, request, OnOperationalCertificateAddResponse, OnAddNOCFailureResponse));`
`1248`	`1251`
`1249`	`1252`	`ChipLogProgress(Controller, "Sent operational certificate to the device");`
`1250`	`1253`
`@@ -1466,7 +1469,7 @@ void DeviceCommissioner::CommissioningStageComplete(CHIP_ERROR err, Commissionin`
`1466`	`1469`	`{`
`1467`	`1470`	`// Commissioning delegate will only return error if it failed to perform the appropriate commissioning step.`
`1468`	`1471`	`// In this case, we should call back the commissioning complete and call session error`
`1469`		`- if (mPairingDelegate != nullptr)`
	`1472`	`+ if (mPairingDelegate != nullptr && mDeviceBeingCommissioned != nullptr)`
`1470`	`1473`	`{`
`1471`	`1474`	`mPairingDelegate->OnCommissioningComplete(mDeviceBeingCommissioned->GetDeviceId(), status);`
`1472`	`1475`	`}`
`@@ -1487,7 +1490,6 @@ void DeviceCommissioner::OnDeviceConnectedFn(void * context, OperationalDevicePr`
`1487`	`1490`	`// Let's release the device that's being paired, if pairing was successful,`
`1488`	`1491`	`// and the device is available on the operational network.`
`1489`	`1492`	`commissioner->ReleaseCommissioneeDevice(commissioner->mDeviceBeingCommissioned);`
`1490`		`- commissioner->mDeviceBeingCommissioned = nullptr;`
`1491`	`1493`	`if (commissioner->mCommissioningDelegate != nullptr)`
`1492`	`1494`	`{`
`1493`	`1495`	`CommissioningDelegate::CommissioningReport report;`
`@@ -1544,7 +1546,6 @@ void DeviceCommissioner::OnDeviceConnectionFailureFn(void * context, PeerId peer`
`1544`	`1546`	`//`
`1545`	`1547`	`// Run the above cases under valgrind/asan to validate no additional leaks.`
`1546`	`1548`	`commissioner->ReleaseCommissioneeDevice(commissioner->mDeviceBeingCommissioned);`
`1547`		`- commissioner->mDeviceBeingCommissioned = nullptr;`
`1548`	`1549`	`}`
`1549`	`1550`	`}`
`1550`	`1551`