Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm

Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
Merged-In: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 78508d2c2cf93b4dd5c7aa630b90f5c6283fe53c)
diff --git a/bta/hl/bta_hl_main.c b/bta/hl/bta_hl_main.c
index b4d96cd..8bf2bc6 100644
--- a/bta/hl/bta_hl_main.c
+++ b/bta/hl/bta_hl_main.c
@@ -1564,15 +1564,14 @@
     tBTA_HL_MCL_CB      *p_mcb =  BTA_HL_GET_MCL_CB_PTR( app_idx,  mcl_idx);
     tBTA_HL_SDP         *p_sdp=NULL;
     UINT16              event;
-    BOOLEAN             release_sdp_buf=FALSE;
     UNUSED(p_cb);
 
     event = p_data->hdr.event;
 
     if (event == BTA_HL_SDP_QUERY_OK_EVT) {
+        // this is freed in btif_hl_proc_sdp_query_cfm
         p_sdp = (tBTA_HL_SDP *)osi_malloc(sizeof(tBTA_HL_SDP));
         memcpy(p_sdp, &p_mcb->sdp, sizeof(tBTA_HL_SDP));
-        release_sdp_buf = TRUE;
     } else {
         status = BTA_HL_STATUS_SDP_FAIL;
     }
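Review bot: The comment added above the `osi_malloc` call names one consumer, but the buffer only reaches it through the `p_acb->p_cback` function pointer called in the next hunk, so nothing in this function guarantees the free. If the registered callback drops the event, or a different handler is registered, the `tBTA_HL_SDP` copy would leak; the handlers are not visible here, so this is inferred. I would state the contract at the allocation instead: `// Ownership of p_sdp passes to the BTA_HL_SDP_QUERY_CFM_EVT handler, which must free it (btif_hl_proc_sdp_query_cfm does).` The enclosing function starts and ends outside this hunk.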
@@ -1589,9 +1588,6 @@
                                p_mcb->bd_addr,p_sdp,status);
     p_acb->p_cback(BTA_HL_SDP_QUERY_CFM_EVT,(tBTA_HL *) &evt_data );
 
-    if (release_sdp_buf)
-        osi_free_and_reset((void **)&p_sdp);
-
     if (p_data->cch_sdp.release_mcl_cb) {
         memset(p_mcb, 0, sizeof(tBTA_HL_MCL_CB));
     } else {
diff --git a/btif/src/btif_hl.c b/btif/src/btif_hl.c
index eec9d34..97ca1c2 100644
--- a/btif/src/btif_hl.c
+++ b/btif/src/btif_hl.c
@@ -2333,6 +2333,10 @@
                 }
             }
         }
+
+    // this was allocated in bta_hl_sdp_query_results
+    osi_free_and_reset((void**)&p_data->sdp_query_cfm.p_sdp);
+
     return status;
 }
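Review bot: The release added before `return status;` covers only the exit at the end of the function, and the body starts outside this hunk, so any earlier `return` would leave `p_data->sdp_query_cfm.p_sdp` allocated. Please also confirm that the code above copies the SDP record rather than storing the pointer, because anything that kept it would dangle after this line; the reset clears only this copy of the event structure. On the SDP-failure path the first hunk leaves `p_sdp` as NULL, so this call relies on `osi_free_and_reset` accepting a NULL buffer, which I believe it does but cannot see here. A fuller comment would help the next reader: `// Takes ownership: p_sdp was osi_malloc'd in bta_hl_sdp_query_results and must be released on every exit path.`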