
Commit 15c2e335 authored by Myles Watson

PAN: Always allocate in bta_pan_data_buf_ind_cback

Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free.  Move the free call to pan_data_buf_ind_cb().

Free the buffer before every return in pan_data_buf_ind_cb.

Bug: 74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
parent 863dea44
+14 −20
@@ -171,16 +171,11 @@ static void bta_pan_data_flow_cb(uint16_t handle, tPAN_RESULT result) {
static void bta_pan_data_buf_ind_cback(uint16_t handle, const RawAddress& src,
static void bta_pan_data_buf_ind_cback(uint16_t handle, const RawAddress& src,
                                       const RawAddress& dst, uint16_t protocol,
                                       const RawAddress& dst, uint16_t protocol,
                                       BT_HDR* p_buf, bool ext, bool forward) {
                                       BT_HDR* p_buf, bool ext, bool forward) {
  tBTA_PAN_SCB* p_scb;
  tBTA_PAN_SCB* p_scb = bta_pan_scb_by_handle(handle);
  BT_HDR* p_new_buf;

  p_scb = bta_pan_scb_by_handle(handle);
  if (p_scb == NULL) {
  if (p_scb == NULL) {
    return;
    return;
  }
  }


  if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
    /* offset smaller than data structure in front of actual data */
  if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
  if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
      PAN_BUF_SIZE) {
      PAN_BUF_SIZE) {
    android_errorWriteLog(0x534e4554, "63146237");
    android_errorWriteLog(0x534e4554, "63146237");
@@ -188,14 +183,13 @@ static void bta_pan_data_buf_ind_cback(uint16_t handle, const RawAddress& src,
                     p_buf->len);
                     p_buf->len);
    return;
    return;
  }
  }
    p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);

  BT_HDR* p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);
  memcpy((uint8_t*)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
  memcpy((uint8_t*)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
         (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
         (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
  p_new_buf->len = p_buf->len;
  p_new_buf->len = p_buf->len;
  p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
  p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
  } else {

    p_new_buf = p_buf;
  }
  /* copy params into the space before the data */
  /* copy params into the space before the data */
  ((tBTA_PAN_DATA_PARAMS*)p_new_buf)->src = src;
  ((tBTA_PAN_DATA_PARAMS*)p_new_buf)->src = src;
  ((tBTA_PAN_DATA_PARAMS*)p_new_buf)->dst = dst;
  ((tBTA_PAN_DATA_PARAMS*)p_new_buf)->dst = dst;
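Review bot: The ownership split this fix depends on is not written down anywhere in bta_pan_data_buf_ind_cback: after the hunk p_buf is only read, and the BT_HDR obtained from osi_malloc is the buffer that is handed on, so a later editor has no cue that freeing or retaining p_buf here would bring back the double free the commit message describes. A comment above the allocation would pin the contract, e.g. `/* p_buf is borrowed from pan_data_buf_ind_cb, which frees it on return; always copy into a fresh PAN_BUF_SIZE buffer that this layer owns. */`. The length check kept above keeps the memcpy destination inside PAN_BUF_SIZE, but the source read of p_buf->len bytes at p_buf->offset is only as safe as the BNEP layer's validation of those two fields, which these hunks do not show, so that should be confirmed rather than assumed; likewise, if osi_malloc in this tree can return NULL instead of aborting, the memcpy needs a guard, and nothing visible here says which it is. The function continues past the end of the hunk, where p_new_buf is presumably queued, so the consumer's eventual free of p_new_buf could not be checked from this view.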
+0 −1
@@ -606,7 +606,6 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
  if (bnep_cb.p_data_buf_cb) {
  if (bnep_cb.p_data_buf_cb) {
    (*bnep_cb.p_data_buf_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr, protocol,
    (*bnep_cb.p_data_buf_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr, protocol,
                             p_buf, fw_ext_present);
                             p_buf, fw_ext_present);
    osi_free(p_buf);
  } else if (bnep_cb.p_data_ind_cb) {
  } else if (bnep_cb.p_data_ind_cb) {
    (*bnep_cb.p_data_ind_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr, protocol,
    (*bnep_cb.p_data_ind_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr, protocol,
                             p, rem_len, fw_ext_present);
                             p, rem_len, fw_ext_present);
+4 −8
@@ -527,12 +527,11 @@ void pan_data_buf_ind_cb(uint16_t handle, const RawAddress& src,
      if (pan_cb.pan_data_buf_ind_cb)
      if (pan_cb.pan_data_buf_ind_cb)
        (*pan_cb.pan_data_buf_ind_cb)(pcb->handle, src, dst, protocol, p_buf,
        (*pan_cb.pan_data_buf_ind_cb)(pcb->handle, src, dst, protocol, p_buf,
                                      ext, forward);
                                      ext, forward);
      else if (pan_cb.pan_data_ind_cb) {
      else if (pan_cb.pan_data_ind_cb)
        (*pan_cb.pan_data_ind_cb)(pcb->handle, src, dst, protocol, p_data, len,
        (*pan_cb.pan_data_ind_cb)(pcb->handle, src, dst, protocol, p_data, len,
                                  ext, forward);
                                  ext, forward);
        osi_free(p_buf);
      }


      osi_free(p_buf);
      return;
      return;
    }
    }


@@ -557,13 +556,10 @@ void pan_data_buf_ind_cb(uint16_t handle, const RawAddress& src,
  if (pan_cb.pan_data_buf_ind_cb)
  if (pan_cb.pan_data_buf_ind_cb)
    (*pan_cb.pan_data_buf_ind_cb)(pcb->handle, src, dst, protocol, p_buf, ext,
    (*pan_cb.pan_data_buf_ind_cb)(pcb->handle, src, dst, protocol, p_buf, ext,
                                  forward);
                                  forward);
  else if (pan_cb.pan_data_ind_cb) {
  else if (pan_cb.pan_data_ind_cb)
    (*pan_cb.pan_data_ind_cb)(pcb->handle, src, dst, protocol, p_data, len, ext,
    (*pan_cb.pan_data_ind_cb)(pcb->handle, src, dst, protocol, p_data, len, ext,
                              forward);
                              forward);
  osi_free(p_buf);
  osi_free(p_buf);
  } else
    osi_free(p_buf);

  return;
  return;
}
}
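Review bot: With the braces gone, the `osi_free(p_buf);` that now follows the unbraced `else if` runs for every callback outcome, so every registered pan_data_buf_ind_cb (bta_pan_data_buf_ind_cback in this same commit copies the payload) must treat p_buf as borrowed; that contract should be stated at the free, e.g. `/* p_buf is owned here and freed on every path: callbacks must copy it, never retain or free it */`, and mirrored at the BNEP call site in bnep_data_ind that hands the buffer over. The unbraced `if`/`else if` arms each hold a multi-line statement and the unconditional free sits directly below them, which is exactly the shape where a later added line silently lands outside the branch; bracing both arms, and the identical pair in the first hunk of this file, is cheap insurance. The trailing `return;` at the end of this void function is redundant and can be dropped. pan_data_buf_ind_cb begins before the first hunk, so whether the commit message's "free before every return" also covers any returns earlier in the function cannot be verified from these hunks.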