btm_proc_smp_cback: Don't access p_dev_rec if freed
In btm_proc_smp_cback(), the SMP_COMPLT_EVT path used a p_dev_rec pointer
that can be freed earlier in the callback; look the record up again before
that path and return early if it no longer exists, to prevent a use-after-free
Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc
index d8a187a9..c21af14 100644
--- a/stack/btm/btm_ble.cc
+++ b/stack/btm/btm_ble.cc
@@ -39,6 +39,7 @@
#include "gap_api.h"
#include "gatt_api.h"
#include "hcimsgs.h"
+#include "log/log.h"
#include "l2c_int.h"
#include "osi/include/log.h"
#include "osi/include/osi.h"
@@ -1909,6 +1910,12 @@
}
if (event == SMP_COMPLT_EVT) {
+ p_dev_rec = btm_find_dev(bd_addr);
+ if (p_dev_rec == NULL) {
+ BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__);
+ android_errorWriteLog(0x534e4554, "120612744");
+ return 0;
+ }
BTM_TRACE_DEBUG(
"evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x",
p_data->cmplt.sec_level, p_dev_rec->sec_flags);