Merge "Fix UAF in sdp_discovery.cc" into tm-dev am: 1cfb2f42 am: ee9730fd

    uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_AG_HANDSFREE);

  }

  /* If we already have a non-null discovery database at this point, we can get

   * into a race condition leading to UAF once this connection is closed.

   * This should only happen with malicious modifications to a client. */

  if (client_cb->p_disc_db != NULL) {

    APPL_TRACE_ERROR(

        "Tried to set up a HF client with a preexisting discovery database.");

    client_cb->p_disc_db = NULL;

    // We manually set the state here because it's possible to call this from an

    // OPEN state, in which case the discovery fail event will be ignored.

    client_cb->state = 0;  // BTA_HF_CLIENT_INIT_ST

    return;

  }

  /* allocate buffer for sdp database */

  client_cb->p_disc_db = (tSDP_DISCOVERY_DB*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);

    uint8_t* p;

    uint16_t bytes_left = SDP_DATA_BUF_SIZE;

    /* If we don't have a valid discovery database, we can't do anything. */

    if (p_ccb->p_db == NULL) {

      SDP_TRACE_WARNING(

          "Attempted continuation or first time request with invalid discovery "

          "database");

      sdp_disconnect(p_ccb, tSDP_STATUS::SDP_INVALID_CONT_STATE);

      return;

    }

    p_msg->offset = L2CAP_MIN_OFFSET;

    p = p_start = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET;