
Commit 3dc0fb60 authored by George Burgess IV's avatar George Burgess IV Committed by Chris Manton

l2c_csm: delete nullptr check

The code after this unconditionally dereferences `p_ccb->p_lcb`, and
`alarm_cancel` does nothing to somehow set this field. Hence, either
this ~entire switch block needs to be conditional on `p_ccb->p_lcb`, or
this NULL check isn't helpful.

Caught by the static analyzer:
> packages/modules/Bluetooth/system/stack/l2cap/l2c_csm.cc:889:27:
warning: Access to field 'pending_ecoc_conn_cnt' results in a
dereference of a null pointer (loaded from field 'p_lcb')
[clang-analyzer-core.NullDereference]

Tags: #stability
Bug: 206470603
Test: TreeHugger
Change-Id: I85394d3e9d0235f8b5ccc2bce5ca5283bc90f7ed
parent 4ff2eae5
+14 −13
@@ -881,11 +881,12 @@ static void l2c_csm_w4_l2ca_connect_rsp(tL2C_CCB* p_ccb, tL2CEVT event,

    case L2CEVT_L2CA_CREDIT_BASED_CONNECT_RSP_NEG:
      p_ci = (tL2C_CONN_INFO*)p_data;
      if (p_ccb->p_lcb && p_ccb->p_lcb->transport == BT_TRANSPORT_LE) {
      alarm_cancel(p_ccb->l2c_ccb_timer);
      if (p_ccb->p_lcb != nullptr) {
        if (p_ccb->p_lcb->transport == BT_TRANSPORT_LE) {
          l2cu_send_peer_credit_based_conn_res(p_ccb, p_ci->lcids,
                                               p_ci->l2cap_result);
        }
      alarm_cancel(p_ccb->l2c_ccb_timer);
        for (int i = 0; i < p_ccb->p_lcb->pending_ecoc_conn_cnt; i++) {
          uint16_t cid = p_ccb->p_lcb->pending_ecoc_connection_cids[i];
          tL2C_CCB* temp_p_ccb = l2cu_find_ccb_by_cid(p_ccb->p_lcb, cid);
@@ -895,7 +896,7 @@ static void l2c_csm_w4_l2ca_connect_rsp(tL2C_CCB* p_ccb, tL2CEVT event,
        p_ccb->p_lcb->pending_ecoc_conn_cnt = 0;
        memset(p_ccb->p_lcb->pending_ecoc_connection_cids, 0,
               L2CAP_CREDIT_BASED_MAX_CIDS);

      }
      break;
    case L2CEVT_L2CA_CONNECT_RSP_NEG:
      p_ci = (tL2C_CONN_INFO*)p_data;
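Review bot: The `memset` that clears `pending_ecoc_connection_cids` passes `L2CAP_CREDIT_BASED_MAX_CIDS` as the byte count, but the loop above reads the entries as `uint16_t`, so if that constant is the element count (the declaration is not visible here) only half of the array is zeroed and the remaining slots keep stale CIDs. Since these lines now sit under the `if (p_ccb->p_lcb != nullptr)` guard, I would change the length to `sizeof(p_ccb->p_lcb->pending_ecoc_connection_cids)`, assuming the member is a fixed-size array. The same loop uses `pending_ecoc_conn_cnt` as its only bound when indexing that array, so it is worth confirming that the count is capped at the array size wherever it is incremented. The commit title says the null check is deleted, while the visible new side keeps the check and widens it to cover the whole case body; a title such as "guard p_lcb dereferences" would match the change. The function `l2c_csm_w4_l2ca_connect_rsp` starts and ends outside these hunks, and part of the loop body is not shown.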