system/bt
| Revision | 98ed90c94a3f6c18049f19e3a28d2959e8e5423b (tree) |
|---|---|
| Time | 2019-02-13 06:10:31 |
| Author | Hansong Zhang <hsz@goog...> |
| Commiter | JP Sugarbroad |
DO NOT MERGE btm_proc_smp_cback: Don't access p_dev_rec if freed
In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free
Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: I09aa1cf1d1c835146b62d0f4989aeedfb885d95b
(cherry picked from commit 74c6d501ce55e7bbce4129fae26bd0b5f802a7fc)
stack/btm/btm_ble.c (diff)| @@ -39,6 +39,7 @@ | ||
| 39 | 39 | #include "device/include/controller.h" |
| 40 | 40 | #include "gap_api.h" |
| 41 | 41 | #include "hcimsgs.h" |
| 42 | +#include "log/log.h" | |
| 42 | 43 | #include "l2c_int.h" |
| 43 | 44 | #include "osi/include/log.h" |
| 44 | 45 | #include "smp_api.h" |
| @@ -2090,6 +2091,13 @@ UINT8 btm_proc_smp_cback(tSMP_EVT event, BD_ADDR bd_addr, tSMP_EVT_DATA *p_data) | ||
| 2090 | 2091 | |
| 2091 | 2092 | if (event == SMP_COMPLT_EVT) |
| 2092 | 2093 | { |
| 2094 | + p_dev_rec = btm_find_dev(bd_addr); | |
| 2095 | + if (p_dev_rec == NULL) | |
| 2096 | + { | |
| 2097 | + BTM_TRACE_ERROR ("%s: p_dev_rec is NULL", __func__); | |
| 2098 | + android_errorWriteLog(0x534e4554, "120612744"); | |
| 2099 | + return 0; | |
| 2100 | + } | |
| 2093 | 2101 | BTM_TRACE_DEBUG ("evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level , p_dev_rec->sec_flags ); |
| 2094 | 2102 | |
| 2095 | 2103 | res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS : BTM_ERR_PROCESSING; |
Fork