
Commit ec44ba1d authored by Kyunglyul Hyun's avatar Kyunglyul Hyun

Check in_use to prevent accessing deallocated cb

Flag: EXEMPT, strict checking
Bug: 273561907
Bug: 371114560
Test: atest GattClientTest
Change-Id: I4423fbd6bb3808c575992efca89466bcf3734e82
parent 71740aae
+4 −3
@@ -297,7 +297,7 @@ void bta_gattc_deregister(tBTA_GATTC_RCB* p_clreg) {
  /* close all CLCB related to this app */
  if (com::android::bluetooth::flags::gatt_client_dynamic_allocation()) {
    for (auto& p_clcb : bta_gattc_cb.clcb_set) {
      if (p_clcb->p_rcb != p_clreg) {
      if (!p_clcb->in_use || p_clcb->p_rcb != p_clreg) {
        continue;
      }
      p_clreg->dereg_pending = true;
@@ -1504,7 +1504,8 @@ void bta_gattc_process_api_refresh(const RawAddress& remote_bda) {
      tBTA_GATTC_CLCB* p_clcb = &bta_gattc_cb.clcb[0];
      if (com::android::bluetooth::flags::gatt_client_dynamic_allocation()) {
        for (auto& p_clcb_i : bta_gattc_cb.clcb_set) {
          if (p_clcb_i->p_srcb == p_srvc_cb) {
          if (p_clcb_i->in_use && p_clcb_i->p_srcb == p_srvc_cb) {
            p_clcb = p_clcb_i.get();
            found = true;
            break;
          }
@@ -1576,7 +1577,7 @@ static bool bta_gattc_process_srvc_chg_ind(tCONN_ID conn_id, tBTA_GATTC_RCB* p_c
    if (p_clcb == NULL || (p_clcb && p_clcb->p_q_cmd != NULL)) {
      if (com::android::bluetooth::flags::gatt_client_dynamic_allocation()) {
        for (auto& p_clcb_i : bta_gattc_cb.clcb_set) {
          if (p_clcb_i->p_srcb == p_srcb && p_clcb_i->p_q_cmd == NULL) {
          if (p_clcb_i->in_use && p_clcb_i->p_srcb == p_srcb && p_clcb_i->p_q_cmd == NULL) {
            p_clcb = p_clcb_i.get();
            break;
          }
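Review bot: Each new guard reads `in_use` through the entry pointer before deciding whether the clcb is live, so the fix only holds if a released clcb stays in `clcb_set` with `in_use` cleared rather than being erased from the set while a walk is in progress; that lifecycle is not visible in these hunks (nor in bta_gattc_find_clcb_by_conn_id in the second file, which gets the same guard) and deserves a comment at the release site, e.g. `// released clcbs stay in clcb_set with in_use == false; every clcb_set walk must test in_use first`. Since every walk over `clcb_set` now needs the identical predicate, a small shared helper for the "live and matches" test would keep the next walk from omitting it. In the second hunk, a previously matching entry that is no longer in_use now leaves `found` false and `p_clcb` still pointing at `bta_gattc_cb.clcb[0]`; whether the caller checks `found` before dereferencing is outside the hunk. bta_gattc_process_api_refresh and bta_gattc_process_srvc_chg_ind both start and end outside their hunks.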
+4 −1
@@ -145,7 +145,7 @@ tBTA_GATTC_CLCB* bta_gattc_find_clcb_by_cif(uint8_t client_if, const RawAddress&
tBTA_GATTC_CLCB* bta_gattc_find_clcb_by_conn_id(tCONN_ID conn_id) {
  if (com::android::bluetooth::flags::gatt_client_dynamic_allocation()) {
    for (auto& p_clcb : bta_gattc_cb.clcb_set) {
      if (p_clcb->bta_conn_id == conn_id) {
      if (p_clcb->in_use && p_clcb->bta_conn_id == conn_id) {
        return p_clcb.get();
      }
    }
@@ -960,6 +960,9 @@ void bta_gatt_client_dump(int fd) {
  if (com::android::bluetooth::flags::gatt_client_dynamic_allocation()) {
    stream << " ->clcb (dynamic)\n";
    for (auto& p_clcb : bta_gattc_cb.clcb_set) {
      if (!p_clcb->in_use) {
        continue;
      }
      entry_count++;
      stream << "  conn_id: " << loghex(p_clcb->bta_conn_id)
             << "  address: " << ADDRESS_TO_LOGGABLE_STR(p_clcb->bda)