Don't use Address after it was deleted

Bug: 110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
Merged-In: Id3364cf53153eafed478546d7347ed1673217e91
diff --git a/system/bta/dm/bta_dm_act.cc b/system/bta/dm/bta_dm_act.cc
index e827210..b6ca628 100644
--- a/system/bta/dm/bta_dm_act.cc
+++ b/system/bta/dm/bta_dm_act.cc
@@ -3117,11 +3117,15 @@
       }
     }
     if (conn.link_down.is_removed) {
-      BTM_SecDeleteDevice(p_bda);
+      // p_bda points to security record, which is removed in
+      // BTM_SecDeleteDevice.
+      BD_ADDR addr_copy;
+      memcpy(addr_copy, p_bda, BD_ADDR_LEN);
+      BTM_SecDeleteDevice(addr_copy);
       /* need to remove all pending background connection */
-      BTA_GATTC_CancelOpen(0, p_bda, false);
+      BTA_GATTC_CancelOpen(0, addr_copy, false);
       /* remove all cached GATT information */
-      BTA_GATTC_Refresh(p_bda);
+      BTA_GATTC_Refresh(addr_copy);
     }
 
     bdcpy(conn.link_down.bd_addr, p_bda);
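Review bot: The context line `bdcpy(conn.link_down.bd_addr, p_bda);` directly after the `if` block still reads `p_bda` after `BTM_SecDeleteDevice` has run whenever `is_removed` is set. If `p_bda` does alias the security record, as the new comment states, one read of freed memory remains on this path. Declaring `addr_copy` and doing the `memcpy` before the `if`, then using `bdcpy(conn.link_down.bd_addr, addr_copy);`, would close it. The enclosing function starts and continues outside the hunk, so any later use of `p_bda` there deserves the same check.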
diff --git a/system/stack/btm/btm_dev.cc b/system/stack/btm/btm_dev.cc
index 808f1cd..aa6646f 100644
--- a/system/stack/btm/btm_dev.cc
+++ b/system/stack/btm/btm_dev.cc
@@ -148,17 +148,16 @@
   return true;
 }
 
-/*******************************************************************************
+/** Free resources associated with the device associated with |bd_addr| address.
  *
- * Function         BTM_SecDeleteDevice
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
  *
- * Description      Free resources associated with the device.
- *
- * Parameters:      bd_addr          - BD address of the peer
- *
- * Returns          true if removed OK, false if not found or ACL link is active
- *
- ******************************************************************************/
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
 bool BTM_SecDeleteDevice(BD_ADDR bd_addr) {
   if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE) ||
       BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR)) {
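Review bot: The new warning on `BTM_SecDeleteDevice` says the record becomes invalid but does not name the case this commit actually fixes: a caller whose `bd_addr` argument points into that record. I would add a sentence such as `Callers that pass an address taken from the record must copy it first if they use it after this call.` and change `it's fields` to `its fields`. The identical comment in the btm_api.h hunk needs the same wording. Keeping the full contract only in the header would stop the two copies drifting apart, as the removed versions had (`rmoved`, differing Returns text).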
@@ -169,9 +168,11 @@
 
   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
   if (p_dev_rec != NULL) {
+    BD_ADDR bda;
+    memcpy(bda, bd_addr, BD_ADDR_LEN);
     btm_sec_free_dev(p_dev_rec);
     /* Tell controller to get rid of the link key, if it has one stored */
-    BTM_DeleteStoredLinkKey(p_dev_rec->bd_addr, NULL);
+    BTM_DeleteStoredLinkKey(bda, NULL);
   }
 
   return true;
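Review bot: When `btm_find_dev(bd_addr)` returns NULL the function skips the `if` body and reaches `return true;`, which contradicts the rewritten comment's `false if not found` in both btm_dev.cc and btm_api.h. Either the comment should read `Returns false if an ACL link is active, true otherwise (including when no record exists).` or the not-found path should return false. The second option changes behaviour for callers that are not visible here, so correcting the comment looks like the safer choice. The function body begins outside this hunk.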
diff --git a/system/stack/include/btm_api.h b/system/stack/include/btm_api.h
index 2c0743f..40f5910 100644
--- a/system/stack/include/btm_api.h
+++ b/system/stack/include/btm_api.h
@@ -1427,15 +1427,16 @@
                              uint8_t key_type, tBTM_IO_CAP io_cap,
                              uint8_t pin_length);
 
-/*******************************************************************************
+/** Free resources associated with the device associated with |bd_addr| address.
  *
- * Function         BTM_SecDeleteDevice
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
  *
- * Description      Free resources associated with the device.
- *
- * Returns          true if rmoved OK, false if not found
- *
- ******************************************************************************/
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
 extern bool BTM_SecDeleteDevice(BD_ADDR bd_addr);
 
 /*******************************************************************************