Google Git
Sign in
android / platform / packages / modules / Bluetooth / 88861530bc^! / .
commit88861530bcb3ad52537752a23d6049082ab12546[log] [tgz]
authorJakub Pawlowski <jpawlowski@google.com>Tue May 11 19:05:58 2021 +0200
committerJakub Pawlowski <jpawlowski@google.com>Wed May 12 20:41:32 2021 +0000
treeeda089b0b90952950db28b07ce86ff7ba2d45c7d
parentae9302813783bb4daa51df03c8e10d247334c929 [diff]
Fix potential null dereference in avdt_scb_verify

Bug: 180421437
Change-Id: If576aaf302ede63d6bbb13c32c96ac3eea44abf6

diff --git a/system/stack/avdt/avdt_scb.cc b/system/stack/avdt/avdt_scb.cc
index c1c0de4..87b5fae 100644
--- a/system/stack/avdt/avdt_scb.cc
+++ b/system/stack/avdt/avdt_scb.cc

@@ -921,51 +921,53 @@
  ******************************************************************************/
 uint8_t avdt_scb_verify(AvdtpCcb* p_ccb, uint8_t state, uint8_t* p_seid,
                         uint16_t num_seid, uint8_t* p_err_code) {
-  int i;
-  AvdtpScb* p_scb;
-  uint8_t nsc_mask;
-  uint8_t ret = 0;
-
   AVDT_TRACE_DEBUG("avdt_scb_verify state %d", state);
   /* set nonsupported command mask */
   /* translate public state into private state */
-  nsc_mask = 0;
+  uint8_t nsc_mask = 0;
   if (state == AVDT_VERIFY_SUSPEND) {
     nsc_mask = AvdtpStreamConfig::AVDT_NSC_SUSPEND;
   }
 
   /* verify every scb */
-  for (i = 0, *p_err_code = 0;
-       (i < num_seid) && (*p_err_code == 0) && (i < AVDT_NUM_SEPS); i++) {
-    p_scb = avdt_scb_by_hdl(p_seid[i]);
-    if (p_scb == NULL)
+  for (int i = 0, *p_err_code = 0; (i < num_seid) && (i < AVDT_NUM_SEPS); i++) {
+    AvdtpScb* p_scb = avdt_scb_by_hdl(p_seid[i]);
+    if (p_scb == NULL) {
       *p_err_code = AVDT_ERR_BAD_STATE;
-    else if (p_scb->p_ccb != p_ccb)
+      return p_seid[i];
+    }
+
+    if (p_scb->p_ccb != p_ccb) {
       *p_err_code = AVDT_ERR_BAD_STATE;
-    else if (p_scb->stream_config.nsc_mask & nsc_mask)
+      return p_seid[i];
+    }
+
+    if (p_scb->stream_config.nsc_mask & nsc_mask) {
       *p_err_code = AVDT_ERR_NSC;
+      return p_seid[i];
+    }
 
     switch (state) {
       case AVDT_VERIFY_OPEN:
       case AVDT_VERIFY_START:
         if (p_scb->state != AVDT_SCB_OPEN_ST &&
-            p_scb->state != AVDT_SCB_STREAM_ST)
+            p_scb->state != AVDT_SCB_STREAM_ST) {
           *p_err_code = AVDT_ERR_BAD_STATE;
+          return p_seid[i];
+        }
         break;
 
       case AVDT_VERIFY_SUSPEND:
       case AVDT_VERIFY_STREAMING:
-        if (p_scb->state != AVDT_SCB_STREAM_ST)
+        if (p_scb->state != AVDT_SCB_STREAM_ST) {
           *p_err_code = AVDT_ERR_BAD_STATE;
+          return p_seid[i];
+        }
         break;
     }
   }
 
-  if ((i != num_seid) && (i < AVDT_NUM_SEPS)) {
-    ret = p_seid[i];
-  }
-
-  return ret;
+  return 0;
 }
 
 /*******************************************************************************