system/bt
| リビジョン | 828e5e16d8f93b2e2ca2df7ba4b57bcda8388696 (tree) |
|---|---|
| 日時 | 2019-02-21 13:37:26 |
| 作者 | Jakub Pawlowski <jpawlowski@goog...> |
| コミッター | Kevin Haggerty |
Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df)
bta/hl/bta_hl_main.c (diff) btif/src/btif_hl.c (diff)| @@ -1564,15 +1564,14 @@ static void bta_hl_sdp_query_results(tBTA_HL_CB *p_cb, tBTA_HL_DATA *p_data) | ||
| 1564 | 1564 | tBTA_HL_MCL_CB *p_mcb = BTA_HL_GET_MCL_CB_PTR( app_idx, mcl_idx); |
| 1565 | 1565 | tBTA_HL_SDP *p_sdp=NULL; |
| 1566 | 1566 | UINT16 event; |
| 1567 | - BOOLEAN release_sdp_buf=FALSE; | |
| 1568 | 1567 | UNUSED(p_cb); |
| 1569 | 1568 | |
| 1570 | 1569 | event = p_data->hdr.event; |
| 1571 | 1570 | |
| 1572 | 1571 | if (event == BTA_HL_SDP_QUERY_OK_EVT) { |
| 1572 | + // this is freed in btif_hl_proc_sdp_query_cfm | |
| 1573 | 1573 | p_sdp = (tBTA_HL_SDP *)osi_malloc(sizeof(tBTA_HL_SDP)); |
| 1574 | 1574 | memcpy(p_sdp, &p_mcb->sdp, sizeof(tBTA_HL_SDP)); |
| 1575 | - release_sdp_buf = TRUE; | |
| 1576 | 1575 | } else { |
| 1577 | 1576 | status = BTA_HL_STATUS_SDP_FAIL; |
| 1578 | 1577 | } |
| @@ -1589,9 +1588,6 @@ static void bta_hl_sdp_query_results(tBTA_HL_CB *p_cb, tBTA_HL_DATA *p_data) | ||
| 1589 | 1588 | p_mcb->bd_addr,p_sdp,status); |
| 1590 | 1589 | p_acb->p_cback(BTA_HL_SDP_QUERY_CFM_EVT,(tBTA_HL *) &evt_data ); |
| 1591 | 1590 | |
| 1592 | - if (release_sdp_buf) | |
| 1593 | - osi_free_and_reset((void **)&p_sdp); | |
| 1594 | - | |
| 1595 | 1591 | if (p_data->cch_sdp.release_mcl_cb) { |
| 1596 | 1592 | memset(p_mcb, 0, sizeof(tBTA_HL_MCL_CB)); |
| 1597 | 1593 | } else { |
| @@ -2333,6 +2333,10 @@ static BOOLEAN btif_hl_proc_sdp_query_cfm(tBTA_HL *p_data){ | ||
| 2333 | 2333 | } |
| 2334 | 2334 | } |
| 2335 | 2335 | } |
| 2336 | + | |
| 2337 | + // this was allocated in bta_hl_sdp_query_results | |
| 2338 | + osi_free_and_reset((void**)&p_data->sdp_query_cfm.p_sdp); | |
| 2339 | + | |
| 2336 | 2340 | return status; |
| 2337 | 2341 | } |
| 2338 | 2342 |
Fork