Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df)
diff --git a/bta/hl/bta_hl_main.cc b/bta/hl/bta_hl_main.cc
index dcd0815..c224a76 100644
--- a/bta/hl/bta_hl_main.cc
+++ b/bta/hl/bta_hl_main.cc
@@ -1404,14 +1404,13 @@
tBTA_HL_MCL_CB* p_mcb = BTA_HL_GET_MCL_CB_PTR(app_idx, mcl_idx);
tBTA_HL_SDP* p_sdp = NULL;
uint16_t event;
- bool release_sdp_buf = false;
event = p_data->hdr.event;
if (event == BTA_HL_SDP_QUERY_OK_EVT) {
+ // this is freed in btif_hl_proc_sdp_query_cfm
p_sdp = (tBTA_HL_SDP*)osi_malloc(sizeof(tBTA_HL_SDP));
memcpy(p_sdp, &p_mcb->sdp, sizeof(tBTA_HL_SDP));
- release_sdp_buf = true;
} else {
status = BTA_HL_STATUS_SDP_FAIL;
}
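Review bot: The new comment on the osi_malloc line documents ownership only on the producer side; the `p_sdp` pointer is handed to whatever `p_acb->p_cback` points at, so the contract now depends on every registered BTA_HL callback freeing it, not just btif_hl_proc_sdp_query_cfm. I would state the contract where the callback payload is declared rather than at the allocation site, e.g. on the `p_sdp` member of the SDP-query-confirm event struct: `/* heap buffer (osi_malloc); ownership passes to the BTA_HL callback, which must osi_free it (NULL on SDP failure) */`. On the `else` branch `p_sdp` stays NULL and still reaches the callback, which is fine only if osi_free_and_reset tolerates a NULL target; worth confirming. The enclosing function continues outside this hunk.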
@@ -1430,8 +1429,6 @@
p_mcb->bd_addr, p_sdp, status);
p_acb->p_cback(BTA_HL_SDP_QUERY_CFM_EVT, (tBTA_HL*)&evt_data);
- if (release_sdp_buf) osi_free_and_reset((void**)&p_sdp);
-
if (p_data->cch_sdp.release_mcl_cb) {
memset(p_mcb, 0, sizeof(tBTA_HL_MCL_CB));
} else {
diff --git a/btif/src/btif_hl.cc b/btif/src/btif_hl.cc
index a317f79..184dbf4 100644
--- a/btif/src/btif_hl.cc
+++ b/btif/src/btif_hl.cc
@@ -2128,6 +2128,10 @@
}
}
}
+
+ // this was allocated in bta_hl_sdp_query_results
+ osi_free_and_reset((void**)&p_data->sdp_query_cfm.p_sdp);
+
return status;
}
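Review bot: The free on the added osi_free_and_reset line sits at the single exit visible in the hunk, but the body of btif_hl_proc_sdp_query_cfm begins outside it; if any earlier path returns before this point, the buffer allocated in bta_hl_sdp_query_results now leaks, because the caller no longer releases it. Either confirm there is no early return, or free the buffer as soon as its contents have been consumed so the release does not depend on reaching the end of the function. It would also help to say in the added comment that the pointer may be NULL on the SDP-failure path, e.g. `// allocated in bta_hl_sdp_query_results; NULL when the SDP query failed`, so a future reader does not add a dereference before the free.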