The function lwm2m_close() destroys all the information about the lwm2m link. It calls the function prv_deleteServerList() to free the linked list contextP->serverList and the function prv_deleteTransactionList() to clear the linked list contextP->transactionList, as shown in https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/lwm2m/core/liblwm2m.c?_from=gitee_search#L226. When the callback function prv_handleRegistrationReply() is called by the function prv_deleteTransactionList(), it tries to access the memory pointed to by the pointer transacP->userData, as shown in https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/lwm2m/core/registration.c?_from=gitee_search#L225. However, the pointer transacP->userData points to the server memory assigned by the function prv_register(), as shown in https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/lwm2m/core/registration.c?_from=gitee_search#L318, which has already been freed by the function prv_deleteServerList() before the function prv_deleteTransactionList() runs. This leads to a use-after-free fault.
Run the lwm2m demo project under client mode and use the bytes below as the input packet.
0x60, 0x45, 0x00, 0x07, 0xc0, 0xff, 0x77, 0x80, 0x72, 0x6c, 0x64
Because an efficient error-checking mechanism is lacking, the developer or tester needs to check this fault by debugging.
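To make the ordering argument in the report concrete, here is an added example that is not LiteOS code: a minimal model of a context owning two linked lists, a server list and a transaction list, in which each pending transaction's user_data points at one of the servers, the same cross-reference the report describes between prv_register() and contextP->serverList. All type, field and function names below (context_t, server_t, registration_reply_cb, context_close_transactions_first, and so on) are hypothetical stand-ins, not the real liblwm2m API. The block shows the teardown order the report objects to beside the order that keeps every server alive until the transaction callbacks have run.

```c
/* Added example, not LiteOS code: a hypothetical model of a context that owns
 * a server list and a transaction list, where each pending transaction's
 * user_data points at a server (as the report describes for transacP->userData
 * and contextP->serverList). Names and structures are invented for this model. */
#include <stdlib.h>

enum { STATE_REG_PENDING = 0, STATE_REG_FAILED = 2 };

typedef struct server {
    struct server *next;
    unsigned short short_id;
    int status;
} server_t;

typedef struct transaction {
    struct transaction *next;
    void *user_data;                                   /* a server_t * */
    void (*callback)(struct transaction *, void *message);
} transaction_t;

typedef struct {
    server_t *server_list;
    transaction_t *transaction_list;
} context_t;

/* Stand-in for a registration-reply handler: when torn down with no reply
 * (message == NULL) it dereferences user_data to record the failure. This is
 * the access that becomes a use-after-free if the server was freed first. */
static void registration_reply_cb(transaction_t *t, void *message)
{
    server_t *s = (server_t *)t->user_data;
    if (message == NULL)
        s->status = STATE_REG_FAILED;
}

static server_t *server_add(context_t *ctx, unsigned short id)
{
    server_t *s = calloc(1, sizeof *s);     /* status starts as REG_PENDING */
    if (!s) return NULL;
    s->short_id = id;
    s->next = ctx->server_list;
    ctx->server_list = s;
    return s;
}

static int transaction_add(context_t *ctx, server_t *s)
{
    transaction_t *t = calloc(1, sizeof *t);
    if (!t) return -1;
    t->user_data = s;                       /* cross-reference into server_list */
    t->callback = registration_reply_cb;
    t->next = ctx->transaction_list;
    ctx->transaction_list = t;
    return 0;
}

/* Stand-in for deleting the server list: frees every server. */
static void delete_server_list(context_t *ctx)
{
    while (ctx->server_list) {
        server_t *s = ctx->server_list;
        ctx->server_list = s->next;
        free(s);
    }
}

/* Stand-in for deleting the transaction list: fires each pending callback with
 * a NULL message, then frees the transaction node. */
static void delete_transaction_list(context_t *ctx)
{
    while (ctx->transaction_list) {
        transaction_t *t = ctx->transaction_list;
        ctx->transaction_list = t->next;
        if (t->callback)
            t->callback(t, NULL);
        free(t);
    }
}

/* The order the report objects to: servers are freed first, so every callback
 * fired afterwards writes through a dangling user_data pointer. Kept only for
 * contrast; nothing here calls it, because that write is undefined behaviour. */
void context_close_servers_first(context_t *ctx)
{
    delete_server_list(ctx);
    delete_transaction_list(ctx);
}

/* Safe order: drain the transactions (running their callbacks) while every
 * server they reference is still alive, then free the servers. Returns how
 * many servers the callbacks marked as failed, counted before the free. */
int context_close_transactions_first(context_t *ctx)
{
    int failed = 0;
    delete_transaction_list(ctx);
    for (server_t *s = ctx->server_list; s; s = s->next)
        if (s->status == STATE_REG_FAILED)
            failed++;
    delete_server_list(ctx);
    return failed;
}

/* Constructed scenario: two servers, one pending registration each, closed in
 * the safe order. Returns 2 (both servers were still valid when marked). */
int run_demo(void)
{
    context_t ctx = { 0 };
    server_t *a = server_add(&ctx, 1);
    server_t *b = server_add(&ctx, 2);
    if (!a || !b || transaction_add(&ctx, a) || transaction_add(&ctx, b)) {
        context_close_transactions_first(&ctx);   /* clean up partial state */
        return -1;
    }
    return context_close_transactions_first(&ctx);
}
```

The point the model makes is independent of whether the path is reachable in the shipped firmware: whenever one list holds raw pointers into another, teardown must drain the referencing list (and any callbacks it fires) before the referenced objects are released, or else clear the back-pointers first. Building with AddressSanitizer and calling the servers-first variant is the quickest way to see the dangling write reported.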
Hi, dear SlientDawn, long time no see.
For more details about the lwm2m spec, please refer to:
https://support.huaweicloud.com/intl/zh-cn/devg-IoT/iot_02_5024.html;
Actually, when the device calls atiny_bind successfully, it never returns. Please refer to:
https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/agent_tiny/atiny_lwm2m/agenttiny.c?_from=gitee_search#L428.
And the function lwm2m_close() is called by atiny_destroy():
https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/agent_tiny/atiny_lwm2m/agenttiny.c?_from=gitee_search#L349.
However, atiny_destroy() should not be executed because it is executed after atiny_bind():
https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/agent_tiny/atiny_lwm2m/agenttiny.c?_from=gitee_search#L455.
The callback function prv_handleRegistrationReply() is registered in prv_register():
https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/lwm2m/core/registration.c?_from=gitee_search#L317.
The callback function prv_handleRegistrationReply() is called in transaction_handleResponse():
https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/lwm2m/core/transaction.c?_from=gitee_search#L364.
And the function transaction_remove(contextP, transacP) calls lwm2m_free(transacP):
https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/lwm2m/core/transaction.c?_from=gitee_search#L366.
In conclusion, the situation you mentioned will not happen.