[Bluetooth][Mac] Fix Use After Free in macOS BLE Stack

This change fixes bugs in the macOS BLE stack where delegates outlived the object they were observing and caused use-after-frees. Bug: 884897 Change-Id: Ib38164851fb6ab57cc56f9684f8b43161d59e13a Reviewed-on: https://chromium-review.googlesource.com/1233737Reviewed-by: Jérôme Lebel <jlebel@chromium.org> Reviewed-by: Giovanni Ortuño Urquidi <ortuno@chromium.org> Commit-Queue: Jan Wilken Dörrie <jdoerrie@chromium.org> Cr-Commit-Position: refs/heads/master@{#592742}

[Bluetooth][Mac] Fix Use After Free in macOS BLE Stack
This change fixes bugs in the macOS BLE stack where delegates outlived the object they were observing and caused use-after-frees. Bug: 884897 Change-Id: Ib38164851fb6ab57cc56f9684f8b43161d59e13a Reviewed-on: https://chromium-review.googlesource.com/1233737Reviewed-by: Jérôme Lebel <jlebel@chromium.org> Reviewed-by: Giovanni Ortuño Urquidi <ortuno@chromium.org> Commit-Queue: Jan Wilken Dörrie <jdoerrie@chromium.org> Cr-Commit-Position: refs/heads/master@{#592742}
49324561 · Jan Wilken Dörrie · Commit Bot · 12124818 · 49324561 · 49324561
Commit 49324561 authored Sep 20, 2018 by Jan Wilken Dörrie Committed by Commit Bot Sep 20, 2018
5 changed files
--- a/device/bluetooth/bluetooth_adapter_mac.mm
+++ b/device/bluetooth/bluetooth_adapter_mac.mm
@@ -157,6 +157,9 @@ BluetoothAdapterMac::~BluetoothAdapterMac() {
  // disconnect the gatt connection. To make sure they don't use the mac
  // adapter, they should be explicitly destroyed here.
  devices_.clear();
+  // Explicitly clear out delegates, which might outlive the Adapter.
+  [low_energy_peripheral_manager_ setDelegate:nil];
+  [low_energy_central_manager_ setDelegate:nil];
  // Set low_energy_central_manager_ to nil so no devices will try to use it
  // while being destroyed after this method. |devices_| is owned by
  // BluetoothAdapter.

--- a/device/bluetooth/bluetooth_low_energy_central_manager_delegate.mm
+++ b/device/bluetooth/bluetooth_low_energy_central_manager_delegate.mm
@@ -68,11 +68,6 @@ class BluetoothLowEnergyCentralManagerBridge {
  return self;
 }

- (void)dealloc {
-  [bridge_->GetCentralManager() setDelegate:nil];
-  [super dealloc];
-}
-
 - (void)centralManager:(CBCentralManager*)central
 didDiscoverPeripheral:(CBPeripheral*)peripheral
     advertisementData:(NSDictionary*)advertisementData

--- a/device/bluetooth/bluetooth_low_energy_device_mac.mm
+++ b/device/bluetooth/bluetooth_low_energy_device_mac.mm
@@ -56,6 +56,8 @@ BluetoothLowEnergyDeviceMac::~BluetoothLowEnergyDeviceMac() {
  if (IsGattConnected()) {
    GetMacAdapter()->DisconnectGatt(this);
  }
+
+  [peripheral_ setDelegate:nil];
 }

 std::string BluetoothLowEnergyDeviceMac::GetIdentifier() const {

--- a/device/bluetooth/bluetooth_low_energy_peripheral_delegate.mm
+++ b/device/bluetooth/bluetooth_low_energy_peripheral_delegate.mm
@@ -75,11 +75,6 @@ class BluetoothLowEnergyPeripheralBridge {
  return self;
 }

- (void)dealloc {
-  [bridge_->GetPeripheral() setDelegate:nil];
-  [super dealloc];
-}
-
 - (void)peripheral:(CBPeripheral*)peripheral
    didModifyServices:(NSArray*)invalidatedServices {
  bridge_->DidModifyServices(invalidatedServices);

--- a/device/bluetooth/bluetooth_low_energy_peripheral_manager_delegate.mm
+++ b/device/bluetooth/bluetooth_low_energy_peripheral_manager_delegate.mm
@@ -55,11 +55,6 @@ class BluetoothLowEnergyPeripheralManagerBridge {
  return self;
 }

- (void)dealloc {
-  [bridge_->GetPeripheralManager() setDelegate:nil];
-  [super dealloc];
-}
-
 - (void)peripheralManagerDidUpdateState:(CBPeripheralManager*)peripheral {
  bridge_->UpdatedState();
 }