espressif/esp-matter
1
0
Fork 0
mirror of https://github.com/espressif/esp-matter.git synced 2026-04-27 19:13:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(data_model): unlink cluster from endpoint on cluster::destroy

Browse Source 
cluster::destroy() freed the cluster memory and its children (attributes,
commands, events) but never removed the cluster from the parent endpoint's
linked list, leaving a dangling pointer. This caused use-after-free crashes
when creating a new cluster on the same endpoint after destroying one.

Fix: look up the parent endpoint via the endpoint_id stored in the cluster
struct and unlink before freeing, consistent with how attribute::destroy,
command::destroy and event::destroy handle their parent lists.
This commit is contained in:
Shubham Patil
2026-03-24 23:18:11 +05:30
parent 3bcc8495ed
commit a4f0b098bc
1 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
components/esp_matter/esp_matter_core.cpp
+7 -2
View File
@@ -1592,8 +1592,13 @@ static esp_err_t destroy(cluster_t *cluster)
current_cluster->matter_attributes = NULL;
}
/* Free */
esp_matter_mem_free(current_cluster);
/* Remove from parent endpoint's cluster list and free */
_endpoint_t *parent_endpoint = (_endpoint_t *)endpoint::get(current_cluster->endpoint_id);
if (parent_endpoint) {
SinglyLinkedList<_cluster_t>::remove(&parent_endpoint->cluster_list, current_cluster);
} else {
esp_matter_mem_free(current_cluster);
}
return ESP_OK;
}