CP [IM]Fix leaked readClient in onFabricRemoved call (project-chip#37264)

yunhanw-google · web-flow · commit 6f1b823f30c4 · 2025-01-28T12:03:17.000-05:00
diff --git a/src/app/InteractionModelEngine.cpp b/src/app/InteractionModelEngine.cpp
@@ -1866,12 +1866,20 @@ void InteractionModelEngine::OnFabricRemoved(const FabricTable & fabricTable, Fa
     });
 
 #if CHIP_CONFIG_ENABLE_READ_CLIENT
-    for (auto * readClient = mpActiveReadClientList; readClient != nullptr; readClient = readClient->GetNextClient())
+    for (auto * readClient = mpActiveReadClientList; readClient != nullptr;)
     {
+        // ReadClient::Close may delete the read client so that readClient->GetNextClient() will be use-after-free.
+        // We need save readClient as nextReadClient before closing.
         if (readClient->GetFabricIndex() == fabricIndex)
         {
             ChipLogProgress(InteractionModel, "Fabric removed, deleting obsolete read client with FabricIndex: %u", fabricIndex);
+            auto * nextReadClient = readClient->GetNextClient();
             readClient->Close(CHIP_ERROR_IM_FABRIC_DELETED, false);
+            readClient = nextReadClient;
+        }
+        else
+        {
+            readClient = readClient->GetNextClient();
         }
     }
 #endif // CHIP_CONFIG_ENABLE_READ_CLIENT
diff --git a/src/app/InteractionModelEngine.h b/src/app/InteractionModelEngine.h
@@ -318,7 +318,7 @@ class InteractionModelEngine : public Messaging::UnsolicitedMessageHandler,
     /**
      * @brief Function decrements the number of subscriptions to resume counter - mNumOfSubscriptionsToResume.
      *        This should be called after we have completed a re-subscribe attempt on a persisted subscription wether the attempt
-     *        was succesful or not.
+     *        was successful or not.
      */
     void DecrementNumSubscriptionsToResume();
 #endif // CHIP_CONFIG_PERSIST_SUBSCRIPTIONS
@@ -704,7 +704,7 @@ class InteractionModelEngine : public Messaging::UnsolicitedMessageHandler,
 #endif // CHIP_CONFIG_SUBSCRIPTION_TIMEOUT_RESUMPTION
 #endif // CHIP_CONFIG_PERSIST_SUBSCRIPTIONS
 
-    FabricTable * mpFabricTable;
+    FabricTable * mpFabricTable = nullptr;
 
     CASESessionManager * mpCASESessionMgr = nullptr;
 

Original file line number	Diff line number	Diff line change
`@@ -1866,12 +1866,20 @@ void InteractionModelEngine::OnFabricRemoved(const FabricTable & fabricTable, Fa`
`1866`	`1866`	`});`
`1867`	`1867`
`1868`	`1868`	`#if CHIP_CONFIG_ENABLE_READ_CLIENT`
`1869`		`- for (auto * readClient = mpActiveReadClientList; readClient != nullptr; readClient = readClient->GetNextClient())`
	`1869`	`+ for (auto * readClient = mpActiveReadClientList; readClient != nullptr;)`
`1870`	`1870`	`{`
	`1871`	`+ // ReadClient::Close may delete the read client so that readClient->GetNextClient() will be use-after-free.`
	`1872`	`+ // We need save readClient as nextReadClient before closing.`
`1871`	`1873`	`if (readClient->GetFabricIndex() == fabricIndex)`
`1872`	`1874`	`{`
`1873`	`1875`	`ChipLogProgress(InteractionModel, "Fabric removed, deleting obsolete read client with FabricIndex: %u", fabricIndex);`
	`1876`	`+ auto * nextReadClient = readClient->GetNextClient();`
`1874`	`1877`	`readClient->Close(CHIP_ERROR_IM_FABRIC_DELETED, false);`
	`1878`	`+ readClient = nextReadClient;`
	`1879`	`+ }`
	`1880`	`+ else`
	`1881`	`+ {`
	`1882`	`+ readClient = readClient->GetNextClient();`
`1875`	`1883`	`}`
`1876`	`1884`	`}`
`1877`	`1885`	`#endif // CHIP_CONFIG_ENABLE_READ_CLIENT`