From 25b3d5fd7b1d42ba52c8faf819080ebec9af860b Mon Sep 17 00:00:00 2001 From: David Cermak Date: Tue, 27 Aug 2024 15:26:25 +0200 Subject: [PATCH] fix(mdns): Fix use after free reported by coverity Fixes CID 467739: Use after free in mdns.c, mdns_service_remove_for_host We should look only for one match in the service list, since if we assume there could be aliases, we might free one and reference the other. --- components/mdns/mdns.c | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/components/mdns/mdns.c b/components/mdns/mdns.c index 70d424e84..a5e8a00a7 100644 --- a/components/mdns/mdns.c +++ b/components/mdns/mdns.c @@ -6398,22 +6398,14 @@ esp_err_t mdns_service_remove_for_host(const char *instance, const char *service if (_mdns_service_match(a->service, service, proto, hostname)) { if (_mdns_server->services != a) { b->next = a->next; - _mdns_send_bye(&a, 1, false); - _mdns_remove_scheduled_service_packets(a->service); - _mdns_free_service(a->service); - free(a); - a = b->next; - continue; } else { _mdns_server->services = a->next; - _mdns_send_bye(&a, 1, false); - _mdns_remove_scheduled_service_packets(a->service); - _mdns_free_service(a->service); - free(a); - a = _mdns_server->services; - b = a; - continue; } + _mdns_send_bye(&a, 1, false); + _mdns_remove_scheduled_service_packets(a->service); + _mdns_free_service(a->service); + free(a); + break; } b = a; a = a->next;