author Daniel Micay <danielmicay@gmail.com> 2021-01-02 20:17:35 -0500
committer Daniel Micay <danielmicay@gmail.com> 2021-01-02 21:01:54 -0500
commite3e1cd5351b445a0d8df1617bbd2fc456c16cbd0 (patch)
tree7110bad7b58fdc07478c11838a8829e6e8984ba4
parentf5c89f5911cb24070dd3248d588a0d9d065fbe41 (diff)
fix use-after-free in adbd_auth
The writev call uses references to data from the packet after it has been popped from the queue. This was discovered in GrapheneOS due to using zero-on-free by default. It results in adb being unable to persistently whitelist keys. Change-Id: Ibd9c1c4170bfe632b598b7666d09e4ce939a9e95
-rw-r--r--libs/adbd_auth/adbd_auth.cpp3
1 files changed, 1 insertions, 2 deletions
diff --git a/libs/adbd_auth/adbd_auth.cpp b/libs/adbd_auth/adbd_auth.cpp
index dae6eebaa5..15bd5c3913 100644
--- a/libs/adbd_auth/adbd_auth.cpp
+++ b/libs/adbd_auth/adbd_auth.cpp
@@ -282,9 +282,8 @@ public:
LOG(FATAL) << "adbd_auth: unhandled packet type?";
}
- output_queue_.pop_front();
-
ssize_t rc = writev(framework_fd_.get(), iovs, iovcnt);
+ output_queue_.pop_front();
if (rc == -1 && errno != EAGAIN && errno != EWOULDBLOCK) {
PLOG(ERROR) << "adbd_auth: failed to write to framework fd";
ReplaceFrameworkFd(unique_fd());