PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
Patch from b/67078939
Test: build
Bug: 67110692
Change-Id: I63b857d031c55d3a0754e4101e330843eb422b2a
(cherry picked from commit 2a18e724b2bf101ea38a5b089de56842107c8369)
diff --git a/bta/pan/bta_pan_act.cc b/bta/pan/bta_pan_act.cc
index 0cbb9f7..41e0bf6 100644
--- a/bta/pan/bta_pan_act.cc
+++ b/bta/pan/bta_pan_act.cc
@@ -174,6 +174,11 @@
tBTA_PAN_SCB* p_scb;
BT_HDR* p_new_buf;
+ p_scb = bta_pan_scb_by_handle(handle);
+ if (p_scb == NULL) {
+ return;
+ }
+
if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
/* offset smaller than data structure in front of actual data */
if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
@@ -181,7 +186,6 @@
android_errorWriteLog(0x534e4554, "63146237");
APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
p_buf->len);
- osi_free(p_buf);
return;
}
p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);
@@ -189,7 +193,6 @@
(uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
p_new_buf->len = p_buf->len;
p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
- osi_free(p_buf);
} else {
p_new_buf = p_buf;
}
@@ -200,12 +203,6 @@
((tBTA_PAN_DATA_PARAMS*)p_new_buf)->ext = ext;
((tBTA_PAN_DATA_PARAMS*)p_new_buf)->forward = forward;
- p_scb = bta_pan_scb_by_handle(handle);
- if (p_scb == NULL) {
- osi_free(p_new_buf);
- return;
- }
-
fixed_queue_enqueue(p_scb->data_queue, p_new_buf);
BT_HDR* p_event = (BT_HDR*)osi_malloc(sizeof(BT_HDR));
p_event->layer_specific = handle;
diff --git a/stack/bnep/bnep_main.cc b/stack/bnep/bnep_main.cc
index 475cc28..cf7a911 100644
--- a/stack/bnep/bnep_main.cc
+++ b/stack/bnep/bnep_main.cc
@@ -601,6 +601,7 @@
if (bnep_cb.p_data_buf_cb) {
(*bnep_cb.p_data_buf_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr, protocol,
p_buf, fw_ext_present);
+ osi_free(p_buf);
} else if (bnep_cb.p_data_ind_cb) {
(*bnep_cb.p_data_ind_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr, protocol,
p, rem_len, fw_ext_present);