Fix use after free in acl_arbiter
In SendPacketToPeer of acl_arbiter.cc, a buffer length is logged in one case after an intermediate call may free the buffer, leading to use after free. Log instead from the buffer's source, which has not been freed at this point in the code. Bug: 406785684 Flag: EXEMPT obvious logic fix Test: m libbluetooth Test: researcher POC Tag: #security (cherry picked from commit 243d7484e59730c522640b616445b2747b3062e5) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59d787dcbf5a95d0f00f28970dc98906f3c53832) Merged-In: Idd13399c24399d01bcd668a4b779ef1980273691 Change-Id: Idd13399c24399d01bcd668a4b779ef1980273691
Loading
Please register or sign in to comment