
Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
authorJakub Pawlowski <jpawlowski@google.com>
Tue, 20 Nov 2018 21:31:31 +0000 (22:31 +0100)
committerJP Sugarbroad <jpsugar@google.com>
Thu, 10 Jan 2019 22:51:45 +0000 (14:51 -0800)
Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df)

bta/hl/bta_hl_main.cc
btif/src/btif_hl.cc

index 69c0909..4e0d7de 100644 (file)
@@ -1404,14 +1404,13 @@ static void bta_hl_sdp_query_results(UNUSED_ATTR tBTA_HL_CB* p_cb,
   tBTA_HL_MCL_CB* p_mcb = BTA_HL_GET_MCL_CB_PTR(app_idx, mcl_idx);
   tBTA_HL_SDP* p_sdp = NULL;
   uint16_t event;
-  bool release_sdp_buf = false;
 
   event = p_data->hdr.event;
 
   if (event == BTA_HL_SDP_QUERY_OK_EVT) {
+    // this is freed in btif_hl_proc_sdp_query_cfm
     p_sdp = (tBTA_HL_SDP*)osi_malloc(sizeof(tBTA_HL_SDP));
     memcpy(p_sdp, &p_mcb->sdp, sizeof(tBTA_HL_SDP));
-    release_sdp_buf = true;
   } else {
     status = BTA_HL_STATUS_SDP_FAIL;
   }
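Review bot: The comment added above the osi_malloc call points at a specific BTIF function, but the ownership contract this change creates is established at the p_cback call in the next hunk: p_sdp now belongs to whichever callback receives BTA_HL_SDP_QUERY_CFM_EVT, and a receiver that does not osi_free() it, or an event that is never delivered to it, leaks one tBTA_HL_SDP per SDP query. Suggest stating the contract instead of the callee, e.g. `// Ownership of p_sdp passes to the BTA_HL_SDP_QUERY_CFM_EVT receiver, which must osi_free() it; it must not be freed here after p_cback returns.`, and documenting the same rule on the sdp_query_cfm.p_sdp field where the callback data type is declared. The removed osi_free_and_reset ran immediately after p_cback, so the freed-memory use in the title presumably came from the receiver deferring its work to another context; that presumption should be confirmed against the dispatch path, and the enclosing bta_hl_sdp_query_results starts and ends outside this hunk.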
@@ -1430,8 +1429,6 @@ static void bta_hl_sdp_query_results(UNUSED_ATTR tBTA_HL_CB* p_cb,
                              p_mcb->bd_addr, p_sdp, status);
   p_acb->p_cback(BTA_HL_SDP_QUERY_CFM_EVT, (tBTA_HL*)&evt_data);
 
-  if (release_sdp_buf) osi_free_and_reset((void**)&p_sdp);
-
   if (p_data->cch_sdp.release_mcl_cb) {
     memset(p_mcb, 0, sizeof(tBTA_HL_MCL_CB));
   } else {
index 4f701fb..c66b276 100644 (file)
@@ -2128,6 +2128,10 @@ static bool btif_hl_proc_sdp_query_cfm(tBTA_HL* p_data) {
       }
     }
   }
+
+  // this was allocated in bta_hl_sdp_query_results
+  osi_free_and_reset((void**)&p_data->sdp_query_cfm.p_sdp);
+
   return status;
 }