Commit: c01c40498cfb770d4282f31edd9d75bb53646efa
Parent: f65cd924f2e60e7bd41dc27443c020e131880e8c
Author: Archie Pusaka <apusaka@chromium.org>
Committer: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2024-02-27 00:29:03
Tree: 409e75632876e6b2196ead202dcebeb11435caa2

advertising: Fix assigning mgmt callback id when adding advertisement

A struct member add_adv_id is used to track whether the adv client is still needed for some mgmt callback. This is checked when freeing the client to avoid UAF.

We currently only set this member if we have a callback after calling mgmt_send. In case of extended advertisement, this is always a two-step process: first to set the params, then the data. It is possible for the client to be freed when we are pending on setting the params, and if we don't set the add_adv_id (because we have no callback for setting the data), the client on the 2nd step of the process will be invalid, leading to a UAF scenario.

This patch always sets the add_adv_id member on the 1st step of adding an extended advertisement, and adjusts the value accordingly on the 2nd step.

Additionally, this patch drops the 3rd parameter of the function refresh_advertisement since it can always be derived from the 1st and 2nd parameter.

Reviewed-by: Hsin-chen Chuang <chharry@google.com>
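The commit message describes a general lifetime guard: an object that has handed its pointer to an asynchronous callback must record that fact, and any free request arriving while the reply is outstanding has to be deferred to the callback. The following is an added illustration of that pattern, not BlueZ code: `adv_client`, `fake_mgmt_send`, `fake_mgmt_dispatch` and the scenario functions are assumptions standing in for the mgmt API, and the queue models the in-flight requests. The important detail is that `add_adv_id` is set on the first step unconditionally and refreshed from the second send, so a free requested during either step is deferred rather than leaving a dangling pointer for the next callback.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Added model of the pending-callback guard; names are assumptions, not BlueZ's. */

typedef void (*mgmt_cb_t)(void *user_data);

struct adv_client {
    unsigned int add_adv_id;   /* non-zero while an mgmt request holds our pointer */
    bool removed;              /* the owner asked to free us while a reply was pending */
    bool params_done;
    bool data_done;
};

/* Constructed stand-in for the mgmt transport: a small FIFO of pending replies. */
struct pending { unsigned int id; mgmt_cb_t cb; void *data; };
static struct pending queue[4];
static int queue_len;
static unsigned int next_id = 1;
static int frees;              /* how many times a client was actually released */

/* Like mgmt_send(): queue the request and return its id, or 0 on failure. */
static unsigned int fake_mgmt_send(mgmt_cb_t cb, void *data)
{
    if (queue_len == 4)
        return 0;
    queue[queue_len].id = next_id;
    queue[queue_len].cb = cb;
    queue[queue_len].data = data;
    queue_len++;
    return next_id++;
}

/* Deliver the oldest queued reply; the callback may enqueue a follow-up request. */
static void fake_mgmt_dispatch(void)
{
    struct pending p = queue[0];
    memmove(queue, queue + 1, (size_t)(queue_len - 1) * sizeof(queue[0]));
    queue_len--;
    p.cb(p.data);
}

/* Free request: if a callback still references the client, defer to that callback. */
static void client_free(struct adv_client *c)
{
    if (c->add_adv_id) {
        c->removed = true;
        return;
    }
    frees++;
    free(c);
}

/* Step 2 reply: nothing else is in flight, so a deferred free can complete here. */
static void add_adv_data_cb(void *user_data)
{
    struct adv_client *c = user_data;
    c->add_adv_id = 0;
    c->data_done = true;
    if (c->removed)
        client_free(c);
}

/* Step 1 reply: either honour a deferred free, or start step 2 and refresh the id. */
static void add_adv_params_cb(void *user_data)
{
    struct adv_client *c = user_data;
    c->params_done = true;
    if (c->removed) {
        c->add_adv_id = 0;
        client_free(c);
        return;
    }
    c->add_adv_id = fake_mgmt_send(add_adv_data_cb, c);  /* adjusted on the 2nd step */
}

/* Start of an extended advertisement: add_adv_id is set on the 1st step, always. */
static unsigned int add_ext_adv(struct adv_client *c)
{
    c->add_adv_id = fake_mgmt_send(add_adv_params_cb, c);
    return c->add_adv_id;
}

/* Scenario: free requested while step 1 is pending. Returns the number of
 * frees after all replies are delivered, or -1 if the free happened early. */
static int scenario_free_during_step1(void)
{
    struct adv_client *c = calloc(1, sizeof(*c));
    frees = 0;
    queue_len = 0;
    add_ext_adv(c);
    client_free(c);            /* must be deferred: a reply is still pending */
    if (frees != 0)
        return -1;
    while (queue_len)
        fake_mgmt_dispatch();
    return frees;              /* 1: released exactly once, from the callback */
}

/* Scenario: both steps complete, then the owner frees. Returns 1 on success. */
static int scenario_normal(void)
{
    struct adv_client *c = calloc(1, sizeof(*c));
    frees = 0;
    queue_len = 0;
    add_ext_adv(c);
    while (queue_len)
        fake_mgmt_dispatch();
    bool done = c->params_done && c->data_done && c->add_adv_id == 0;
    client_free(c);
    return done && frees == 1;
}
```

Without the unconditional assignment on the first step, `client_free` in `scenario_free_during_step1` would release the object immediately and `add_adv_params_cb` would then run against freed memory; the deferred path is what the commit restores for the two-step extended-advertising case.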

Diffstat

M src/advertising.c | 37 +++++++++++++++++--------------------

1 file changed, 17 insertions(+), 20 deletions(-)
