
Commit b1a8ad0a authored by Hemant Gupta

Bluetooth: Fix to avoid NULL pointer dereferences

This fix avoids NULL pointer dereferences:
 - Added check for state checking in btm_remove_acl function
   to avoid sending disconnect command if already in Disconnecting
   state.
 - Added NULL check for 'pin_code' in btif_dm_pin_reply function
 - Null check before accessing in BD interface layer configuration
   node variables.
 - Add NULL check before accessing p_bd_addr variable to avoid null
    pointer exception while referring to invalid memory.

Change-Id: Ib7ed45b6a1692785a45224d739a564f767e5b10f
parent 83f968e2
+1 −1
@@ -434,7 +434,7 @@ static cfg_node* find_add_node(cfg_node* p, const char* name)
        } else ADD_CHILD_COUNT(p, 1);
    }
    else node = &p->child[i];
    if(!node->name)
    if(node && (!node->name))
        node->name = strdup(name);
    return node;
}
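Review bot: The `strdup(name)` right after the new `node &&` guard is still unchecked, so on allocation failure find_add_node returns a node whose name stays NULL, which the guard itself has just shown is a state this code wants to avoid; any later walk that compares child names would then dereference it (that comparison is outside this hunk, so I am inferring it). Since the guard now makes a NULL return possible, it is also worth confirming that every caller of find_add_node tests the result. I would fail the lookup when the name could not be stored as well: `if (node && !node->name) node->name = strdup(name);` followed by `if (!node || !node->name) return NULL;`. The start of find_add_node is outside the hunk.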
+2 −0
@@ -2059,6 +2059,8 @@ bt_status_t btif_dm_pin_reply( const bt_bdaddr_t *bd_addr, uint8_t accept,
                               uint8_t pin_len, bt_pin_code_t *pin_code)
{
    BTIF_TRACE_EVENT("%s: accept=%d", __FUNCTION__, accept);
    if (pin_code == NULL)
        return BT_STATUS_FAIL;
#if (defined(BLE_INCLUDED) && (BLE_INCLUDED == TRUE))

    if (pairing_cb.is_le_only)
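Review bot: The new guard rejects a NULL `pin_code` but leaves `bd_addr`, the other pointer parameter in the signature, unchecked, and the rest of the function (outside this hunk) presumably dereferences it in the same way. If the intent is to harden the entry point, both should be validated together, and `pin_len` should be bounded against the size of the pin array inside `bt_pin_code_t` so a caller-supplied length cannot drive an over-read later: `if (bd_addr == NULL || pin_code == NULL || pin_len > sizeof(pin_code->pin)) return BT_STATUS_FAIL;` (confirm the field name from the header). One caveat worth checking with the callers: if any of them pass `accept == 0` with a NULL `pin_code` to reject a pairing, this check now turns that rejection into a failure return. The function body continues past the hunk.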
+2 −1
@@ -3266,7 +3266,8 @@ tBTM_STATUS btm_remove_acl (BD_ADDR bd_addr, tBT_TRANSPORT transport)
    else    /* otherwise can disconnect right away */
#endif
    {
        if (hci_handle != 0xFFFF)
        if (hci_handle != 0xFFFF && p_dev_rec &&
             p_dev_rec->sec_state!= BTM_SEC_STATE_DISCONNECTING)
        {
            if (!btsnd_hcic_disconnect (hci_handle, HCI_ERR_PEER_USER))
                status = BTM_NO_RESOURCES;
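Review bot: Adding `p_dev_rec &&` to the condition means that when no device record is found the HCI disconnect is now skipped entirely, and `status` keeps whatever value it held before (likely a success value, though its initialisation is outside the hunk), so the caller believes the ACL was torn down while the link stays up. A NULL record is not a reason to keep a connection the caller asked to drop; the guard should only short-circuit the state test: `if (hci_handle != 0xFFFF && (!p_dev_rec || p_dev_rec->sec_state != BTM_SEC_STATE_DISCONNECTING))`. For the genuinely already-disconnecting case, consider reporting it (e.g. setting `status` to a busy/pending code the function already returns elsewhere) rather than silently succeeding, and add a space in `sec_state!= ` to match the surrounding style. btm_remove_acl starts before and continues after this hunk.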
+2 −2
@@ -3137,7 +3137,7 @@ void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT
        /* Notify all clients waiting for name to be resolved */
        for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
        {
            if (btm_cb.p_rmt_name_callback[i])
            if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
                (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
                                                 p_dev_rec->sec_bd_name);
        }
@@ -3151,7 +3151,7 @@ void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT
        /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
        for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
        {
            if (btm_cb.p_rmt_name_callback[i])
            if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
                (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
        }
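Review bot: Folding `&& p_bd_addr` into the per-callback condition contradicts the comment directly above it, "Notify all clients waiting for name to be resolved even if not found so clients can continue": with a NULL address no callback fires at all, so every registered waiter is left pending, which trades a crash for a hang in the name-resolution path. The same applies to the first hunk, where `p_dev_rec->dev_class` is also dereferenced without being covered by the new check (I assume p_dev_rec was obtained from p_bd_addr earlier in the function, outside the hunk, so confirm it cannot be NULL there). I would decide this once before the loops rather than on every iteration: either bail out early with a trace when `p_bd_addr` is NULL, or invoke the callbacks with a zeroed `BD_ADDR` so waiters are still released, which is what the comment says the code intends. btm_sec_rmt_name_request_complete begins before this hunk and appears to continue past it.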