Fix use-after-free in CommissioningWindowOpener. (#22767) (#22849)

andy31415 · bzbarsky-apple · web-flow · commit 5f2915947b93 · 2022-09-23T13:41:14.000-04:00
Once we call back into our client, it can delete us, so we need to do any logging that uses `mSetupPayload` before we do that. Fixes project-chip/connectedhomeip#22765 Co-authored-by: Boris Zbarsky <bzbarsky@apple.com>
diff --git a/src/controller/CommissioningWindowOpener.cpp b/src/controller/CommissioningWindowOpener.cpp
@@ -204,9 +204,6 @@ void CommissioningWindowOpener::OnOpenCommissioningWindowSuccess(void * context,
     self->mNextStep = Step::kAcceptCommissioningStart;
     if (self->mCommissioningWindowCallback != nullptr)
     {
-        self->mCommissioningWindowCallback->mCall(self->mCommissioningWindowCallback->mContext, self->mNodeId, CHIP_NO_ERROR,
-                                                  self->mSetupPayload);
-
         char payloadBuffer[QRCodeBasicSetupPayloadGenerator::kMaxQRCodeBase38RepresentationLength + 1];
 
         MutableCharSpan manualCode(payloadBuffer);
@@ -230,11 +227,18 @@ void CommissioningWindowOpener::OnOpenCommissioningWindowSuccess(void * context,
         {
             ChipLogError(Controller, "Unable to generate QR code for setup payload: %" CHIP_ERROR_FORMAT, err.Format());
         }
+
+        self->mCommissioningWindowCallback->mCall(self->mCommissioningWindowCallback->mContext, self->mNodeId, CHIP_NO_ERROR,
+                                                  self->mSetupPayload);
+        // Don't touch `self` anymore; it might have been destroyed by the
+        // callee.
     }
     else if (self->mBasicCommissioningWindowCallback != nullptr)
     {
         self->mBasicCommissioningWindowCallback->mCall(self->mBasicCommissioningWindowCallback->mContext, self->mNodeId,
                                                        CHIP_NO_ERROR);
+        // Don't touch `self` anymore; it might have been destroyed by the
+        // callee.
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -204,9 +204,6 @@ void CommissioningWindowOpener::OnOpenCommissioningWindowSuccess(void * context,`
`204`	`204`	`self->mNextStep = Step::kAcceptCommissioningStart;`
`205`	`205`	`if (self->mCommissioningWindowCallback != nullptr)`
`206`	`206`	`{`
`207`		`- self->mCommissioningWindowCallback->mCall(self->mCommissioningWindowCallback->mContext, self->mNodeId, CHIP_NO_ERROR,`
`208`		`- self->mSetupPayload);`
`209`		`-`
`210`	`207`	`char payloadBuffer[QRCodeBasicSetupPayloadGenerator::kMaxQRCodeBase38RepresentationLength + 1];`
`211`	`208`
`212`	`209`	`MutableCharSpan manualCode(payloadBuffer);`
`@@ -230,11 +227,18 @@ void CommissioningWindowOpener::OnOpenCommissioningWindowSuccess(void * context,`
`230`	`227`	`{`
`231`	`228`	`ChipLogError(Controller, "Unable to generate QR code for setup payload: %" CHIP_ERROR_FORMAT, err.Format());`
`232`	`229`	`}`
	`230`	`+`
	`231`	`+ self->mCommissioningWindowCallback->mCall(self->mCommissioningWindowCallback->mContext, self->mNodeId, CHIP_NO_ERROR,`
	`232`	`+ self->mSetupPayload);`
	`233`	+ // Don't touch `self` anymore; it might have been destroyed by the
	`234`	`+ // callee.`
`233`	`235`	`}`
`234`	`236`	`else if (self->mBasicCommissioningWindowCallback != nullptr)`
`235`	`237`	`{`
`236`	`238`	`self->mBasicCommissioningWindowCallback->mCall(self->mBasicCommissioningWindowCallback->mContext, self->mNodeId,`
`237`	`239`	`CHIP_NO_ERROR);`
	`240`	+ // Don't touch `self` anymore; it might have been destroyed by the
	`241`	`+ // callee.`
`238`	`242`	`}`
`239`	`243`	`}`
`240`	`244`