Avoid double-free on SDP search failure

Use case: BT transfer fails in Doze mode.

Pre-condition:
1. Device is in Doze mode.
2. Device is in Active state.

Steps to reproduce:
1. On test device and support device, turn on Bluetooth and keep test device in Bluetooth on screen.
2. Put device in Doze mode:
adb shell dumpsys battery unplug
adb shell dumpsys deviceidle step
3. From support device send pair request to test device.
4. Pair two devices.
5. Put test device in Doze mode again.
6. Share one picture from support device to test device by Bluetooth.
7. Accept Bluetooth file transferring request.

Failure: From DUT, BT transfer is failed.

Root cause: Free buffer is called twice for the SDP search failure case.

Fix: Added null check for p_sdp_db to avoid freeing same buffer
     again on SDP search failure.

Change-Id: Ic7776e842c52418c2b0fb6d6479233d01c709dc2

diff --git a/bta/dm/bta_dm_act.c b/bta/dm/bta_dm_act.c
index 8a8cfe8..94d77d6 100644 (file)
--- a/bta/dm/bta_dm_act.c
+++ b/bta/dm/bta_dm_act.c
@@ -1801,7 +1801,8 @@ void bta_dm_sdp_result (tBTA_DM_MSG *p_data)
             bta_dm_search_cb.wait_disc = FALSE;
 
         /* not able to connect go to next device */
-        osi_free_and_reset((void **)&bta_dm_search_cb.p_sdp_db);
+        if (bta_dm_search_cb.p_sdp_db)
+            osi_free_and_reset((void **)&bta_dm_search_cb.p_sdp_db);
 
         BTM_SecDeleteRmtNameNotifyCallback(&bta_dm_service_search_remname_cback);