Don't use Address after it was deleted
Bug: 110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
(cherry picked from commit 9930f6f4e14e64966869b119994126283d645fd0)
diff --git a/bta/dm/bta_dm_act.cc b/bta/dm/bta_dm_act.cc
index 03c5b90..5abda87 100644
--- a/bta/dm/bta_dm_act.cc
+++ b/bta/dm/bta_dm_act.cc
@@ -3075,11 +3075,14 @@
}
}
} else {
- BTM_SecDeleteDevice(remote_bd_addr);
+ // remote_bd_addr comes from security record, which is removed in
+ // BTM_SecDeleteDevice.
+ RawAddress addr_copy = remote_bd_addr;
+ BTM_SecDeleteDevice(addr_copy);
/* need to remove all pending background connection */
- BTA_GATTC_CancelOpen(0, remote_bd_addr, false);
+ BTA_GATTC_CancelOpen(0, addr_copy, false);
/* remove all cached GATT information */
- BTA_GATTC_Refresh(remote_bd_addr);
+ BTA_GATTC_Refresh(addr_copy);
}
}
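Review bot: The return value of `BTM_SecDeleteDevice(addr_copy)` is still discarded, so when it returns false (the record is kept because an ACL link is up, per the contract in btm_api.h) the code goes on to `BTA_GATTC_CancelOpen` and `BTA_GATTC_Refresh` as if the device had been removed. If that fall-through is intentional, a one-line comment would save the next reader from re-deriving it: `// Cancel/refresh GATT state even if the security record could not be removed (ACL still up).`; if it is not, gate the two calls on the result. The copy itself is the right fix, but note that it only protects this caller — any other caller that passes a reference into the security record and touches it afterwards has the same use-after-free. The enclosing function starts before this hunk, so how `remote_bd_addr` is bound (reference vs. value) is not visible here.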
diff --git a/stack/btm/btm_dev.cc b/stack/btm/btm_dev.cc
index 66382e8..5368fad 100644
--- a/stack/btm/btm_dev.cc
+++ b/stack/btm/btm_dev.cc
@@ -149,17 +149,16 @@
return true;
}
-/*******************************************************************************
+/** Free resources associated with the device associated with |bd_addr| address.
*
- * Function BTM_SecDeleteDevice
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
*
- * Description Free resources associated with the device.
- *
- * Parameters: bd_addr - BD address of the peer
- *
- * Returns true if removed OK, false if not found or ACL link is active
- *
- ******************************************************************************/
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
bool BTM_SecDeleteDevice(const RawAddress& bd_addr) {
if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE) ||
BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR)) {
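Review bot: The WARNING block documents a hazard that the signature at `bool BTM_SecDeleteDevice(const RawAddress& bd_addr)` could remove outright: taking `RawAddress bd_addr` by value copies the address before the record is freed, so a caller passing `p_dev_rec->bd_addr` cannot dangle inside this function, and the change is source-compatible for every existing call site. The comment would then only need to warn that the caller's own reference becomes invalid. While editing the comment, `any of it's fields` should read `any of its fields`. The body of the function continues past this hunk.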
@@ -170,9 +169,10 @@
tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
if (p_dev_rec != NULL) {
+ RawAddress bda = p_dev_rec->bd_addr;
btm_sec_free_dev(p_dev_rec);
/* Tell controller to get rid of the link key, if it has one stored */
- BTM_DeleteStoredLinkKey(&p_dev_rec->bd_addr, NULL);
+ BTM_DeleteStoredLinkKey(&bda, NULL);
}
return true;
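Review bot: `return true;` is reached whether or not `btm_find_dev(bd_addr)` found a record, so the "false if not found" part of the contract the commit writes into both comment blocks is not what this code does; only the ACL-up path (above this hunk) returns false. Either the implementation should become `return p_dev_rec != NULL;` or the comments should say "returns false only if an ACL link is active" — which to pick depends on whether any caller relies on true for an unknown device, which is not visible here. The `bda` copy before `btm_sec_free_dev` is correct and is the core of the fix; a short comment on it, `// Copy before the record is freed below.`, would make the ordering constraint obvious to anyone reordering these lines later.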
diff --git a/stack/include/btm_api.h b/stack/include/btm_api.h
index 146a1b8..6ffc0f9 100644
--- a/stack/include/btm_api.h
+++ b/stack/include/btm_api.h
@@ -1411,15 +1411,16 @@
uint8_t key_type, tBTM_IO_CAP io_cap,
uint8_t pin_length);
-/*******************************************************************************
+/** Free resources associated with the device associated with |bd_addr| address.
*
- * Function BTM_SecDeleteDevice
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
*
- * Description Free resources associated with the device.
- *
- * Returns true if rmoved OK, false if not found
- *
- ******************************************************************************/
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
extern bool BTM_SecDeleteDevice(const RawAddress& bd_addr);
/*******************************************************************************
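Review bot: The public contract added here, `false if not found or ACL link is active`, does not match the implementation in stack/btm/btm_dev.cc, where a device that is not found still yields true; since this header is what callers read, it should state the actual behavior or the .cc should be changed to match. The same `it's` → `its` typo appears in this copy of the WARNING block. Documenting the parameter as a copy-before-use hazard would be unnecessary if the declaration took `RawAddress` by value, which is source-compatible with existing callers.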