diff options
| author | Jakub Pawlowski <jpawlowski@google.com> | 2018-11-20 22:31:31 +0100 |
|---|---|---|
| committer | Tim Schumacher <timschumi@gmx.de> | 2019-03-23 15:57:06 +0100 |
| commit | 1ce2f0f57ce8d450ff16c177f51304b3d3736319 (patch) | |
| tree | 455bafe57d09f41a39912326a780f3eb1d2af016 | |
| parent | 4363f8407fb8dfe628b4e34eda4d1ed443461b0d (diff) | |
| download | android_system_bt-1ce2f0f57ce8d450ff16c177f51304b3d3736319.tar.gz android_system_bt-1ce2f0f57ce8d450ff16c177f51304b3d3736319.tar.bz2 android_system_bt-1ce2f0f57ce8d450ff16c177f51304b3d3736319.zip | |
Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df)
| -rw-r--r-- | bta/hl/bta_hl_main.c | 8 | ||||
| -rw-r--r-- | btif/src/btif_hl.c | 5 |
2 files changed, 6 insertions, 7 deletions
diff --git a/bta/hl/bta_hl_main.c b/bta/hl/bta_hl_main.c index abb43a9f6..ad9081d80 100644 --- a/bta/hl/bta_hl_main.c +++ b/bta/hl/bta_hl_main.c @@ -1563,17 +1563,16 @@ static void bta_hl_sdp_query_results(tBTA_HL_CB *p_cb, tBTA_HL_DATA *p_data) tBTA_HL_MCL_CB *p_mcb = BTA_HL_GET_MCL_CB_PTR( app_idx, mcl_idx); tBTA_HL_SDP *p_sdp=NULL; UINT16 event; - BOOLEAN release_sdp_buf=FALSE; UNUSED(p_cb); event = p_data->hdr.event; if ( event == BTA_HL_SDP_QUERY_OK_EVT) { + // this is freed in btif_hl_proc_sdp_query_cfm if ((p_sdp = (tBTA_HL_SDP *)GKI_getbuf((UINT16)(sizeof(tBTA_HL_SDP)))) != NULL) { memcpy(p_sdp, &p_mcb->sdp, sizeof(tBTA_HL_SDP)); - release_sdp_buf = TRUE; } else { @@ -1597,11 +1596,6 @@ static void bta_hl_sdp_query_results(tBTA_HL_CB *p_cb, tBTA_HL_DATA *p_data) p_mcb->bd_addr,p_sdp,status); p_acb->p_cback(BTA_HL_SDP_QUERY_CFM_EVT,(tBTA_HL *) &evt_data ); - if (release_sdp_buf) - { - utl_freebuf((void **) &p_sdp); - } - if (p_data->cch_sdp.release_mcl_cb) { memset(p_mcb, 0 ,sizeof(tBTA_HL_MCL_CB)); diff --git a/btif/src/btif_hl.c b/btif/src/btif_hl.c index cbce15f7b..ddec69247 100644 --- a/btif/src/btif_hl.c +++ b/btif/src/btif_hl.c @@ -67,6 +67,7 @@ #include "btif_storage.h" #include "btif_util.h" #include "btu.h" +#include "utl.h" #include "gki.h" #include "osi/include/list.h" #include "mca_api.h" @@ -2444,6 +2445,10 @@ static BOOLEAN btif_hl_proc_sdp_query_cfm(tBTA_HL *p_data){ } } } + + // this was allocated in bta_hl_sdp_query_results + utl_freebuf((void **) &p_data->sdp_query_cfm.p_sdp); + return status; } |