
Commit 90291571 authored by Hansong Zhang, committed by android-build-team Robot

btm_proc_smp_cback: Don't access p_dev_rec if freed

In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free

Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
(cherry picked from commit 9efb2678)
parent 443cc01b
+7 −0
@@ -39,6 +39,7 @@
#include "gap_api.h"
#include "gatt_api.h"
#include "hcimsgs.h"
#include "log/log.h"
#include "l2c_int.h"
#include "osi/include/log.h"
#include "osi/include/osi.h"
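Review bot: the new `#include "log/log.h"` is what supplies `android_errorWriteLog()` for the second hunk, but it is inserted out of order: the surrounding includes are sorted alphabetically, and in ASCII order `l2c_int.h` sorts before `log/log.h` ('2' precedes 'o'), so the line belongs after `#include "l2c_int.h"` rather than before it.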
@@ -2086,6 +2087,12 @@ uint8_t btm_proc_smp_cback(tSMP_EVT event, const RawAddress& bd_addr,
        }

        if (event == SMP_COMPLT_EVT) {
          p_dev_rec = btm_find_dev(bd_addr);
          if (p_dev_rec == NULL) {
            BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__);
            android_errorWriteLog(0x534e4554, "120612744");
            return 0;
          }
          BTM_TRACE_DEBUG(
              "evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x",
              p_data->cmplt.sec_level, p_dev_rec->sec_flags);
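Review bot: the re-lookup `p_dev_rec = btm_find_dev(bd_addr);` at the start of the `SMP_COMPLT_EVT` branch is the actual fix, yet nothing in the hunk records why the earlier `p_dev_rec` value cannot be reused; add a one-line comment stating that the record may have been freed earlier in this function (as the commit message says), so the lookup and NULL check are not later removed as redundant. Also confirm that `return 0;` is the value the other early exits in `btm_proc_smp_cback()` use and that callers treat it as "handled", since those exits lie outside the visible context.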