
Commit 01416eb6 authored by Kyunglyul Hyun

Prevent premature freeing of queued GATT command

In bta_gattc_disc_cmpl, ensure that a queued command is not freed
before it is fully handled.
This prevents a potential crash caused by accessing a freed command.

Before this change, it only checked p_q_cmd to detect if
the command is queued, but in bta_gattc_cfg_mtu
the command is enqueued to p_q_cmd_queue
and p_q_cmd remains NULL, so it failed to check
and freed the command.

Bug: 315905939
Test: atest BluetoothInstrumentationTests
Test: manually connect multiple clients simultaneously
Flag: EXEMPT strict checking
Change-Id: I619e668c5d8831d857a032abeb63a159a1cb41f9
parent f9e41790
+3 −1
@@ -972,7 +972,9 @@ void bta_gattc_disc_cmpl(tBTA_GATTC_CLCB* p_clcb,
     * want to free the underlying buffer that's being
     * referenced by p_clcb->p_q_cmd
     */
    if (p_q_cmd != p_clcb->p_q_cmd) osi_free_and_reset((void**)&p_q_cmd);
    if (!bta_gattc_is_data_queued(p_clcb, p_q_cmd)) {
      osi_free_and_reset((void**)&p_q_cmd);
    }
  } else {
    bta_gattc_continue(p_clcb);
  }
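Review bot: the comment block directly above the changed line still says the buffer is "referenced by p_clcb->p_q_cmd", but the new condition `if (!bta_gattc_is_data_queued(p_clcb, p_q_cmd))` exists precisely because, per the commit message, the command may instead sit on p_q_cmd_queue with p_q_cmd left NULL; update the comment to name both places (p_q_cmd and p_q_cmd_queue) so the next reader does not reintroduce the pointer-equality check. The definition of bta_gattc_is_data_queued is not part of this hunk, so please confirm in review that it compares p_q_cmd against p_clcb->p_q_cmd and against every entry of p_q_cmd_queue, and that it returns false for a NULL p_q_cmd rather than dereferencing it, since osi_free_and_reset is now reached only through that helper.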