Darwin: Keep MTRCommissionableBrowser around until OnBleScanStopped

ksperling-apple · ksperling-apple · commit 3d08de3d70dc · 2024-05-30T11:40:08.000+12:00
Because the BLE platform implementation uses a separate dispatch queue,
StopBleScan() does not synchrnously stop any further use of the current
BleScannerDelegate. Keep the MTRCommissionableBrowser that contains the
delegate alive until OnBleScanStopped to avoid a UAF.
diff --git a/src/darwin/Framework/CHIP/MTRCommissionableBrowser.mm b/src/darwin/Framework/CHIP/MTRCommissionableBrowser.mm
@@ -61,7 +61,11 @@ @implementation MTRCommissionableBrowserResult
 #endif // CONFIG_NETWORK_LAYER_BLE
 {
 public:
-    CHIP_ERROR Start(id<MTRCommissionableBrowserDelegate> delegate, MTRDeviceController * controller, dispatch_queue_t queue)
+#if CONFIG_NETWORK_LAYER_BLE
+    id mBleScannerDelegateOwner;
+#endif // CONFIG_NETWORK_LAYER_BLE
+
+    CHIP_ERROR Start(id owner, id<MTRCommissionableBrowserDelegate> delegate, MTRDeviceController * controller, dispatch_queue_t queue)
     {
         assertChipStackLockedByCurrentThread();
 
@@ -77,7 +81,10 @@ CHIP_ERROR Start(id<MTRCommissionableBrowserDelegate> delegate, MTRDeviceControl
         ResetCounters();
 
 #if CONFIG_NETWORK_LAYER_BLE
+        mBleScannerDelegateOwner = owner; // retain the owner until OnBleScanStopped is called (see rdar://128723029)
         ReturnErrorOnFailure(PlatformMgrImpl().StartBleScan(this));
+#else
+        (void)owner;
 #endif // CONFIG_NETWORK_LAYER_BLE
 
         ReturnErrorOnFailure(Resolver::Instance().Init(chip::DeviceLayer::UDPEndPointManager()));
@@ -281,6 +288,7 @@ void OnBrowseStop(CHIP_ERROR error) override
     void OnBleScanAdd(BLE_CONNECTION_OBJECT connObj, const ChipBLEDeviceIdentificationInfo & info) override
     {
         assertChipStackLockedByCurrentThread();
+        VerifyOrReturn(mDelegate != nil);
 
         auto result = [[MTRCommissionableBrowserResult alloc] init];
         result.instanceName = [NSString stringWithUTF8String:kBleKey];
@@ -303,6 +311,7 @@ void OnBleScanAdd(BLE_CONNECTION_OBJECT connObj, const ChipBLEDeviceIdentificati
     void OnBleScanRemove(BLE_CONNECTION_OBJECT connObj) override
     {
         assertChipStackLockedByCurrentThread();
+        VerifyOrReturn(mDelegate != nil);
 
         auto key = [NSString stringWithFormat:@"%@", connObj];
         if ([mDiscoveredResults objectForKey:key] == nil) {
@@ -319,6 +328,12 @@ void OnBleScanRemove(BLE_CONNECTION_OBJECT connObj) override
             [mDelegate controller:mController didFindCommissionableDevice:result];
         });
     }
+
+    void OnBleScanStopped() override
+    {
+        mBleScannerDelegateOwner = nil;
+    }
+
 #endif // CONFIG_NETWORK_LAYER_BLE
 
 private:
@@ -354,7 +369,7 @@ - (instancetype)initWithDelegate:(id<MTRCommissionableBrowserDelegate>)delegate
 
 - (BOOL)start
 {
-    VerifyOrReturnValue(CHIP_NO_ERROR == _browser.Start(_delegate, _controller, _queue), NO);
+    VerifyOrReturnValue(CHIP_NO_ERROR == _browser.Start(self, _delegate, _controller, _queue), NO);
     return YES;
 }
 
