security: Use-After-Free in btm_sec_[dis]connected

author Chris Manton <cmanton@google.com>

Tue, 9 Nov 2021 00:45:42 +0000 (16:45 -0800)

committer Chris Manton <cmanton@google.com>

Tue, 9 Nov 2021 00:55:43 +0000 (00:55 +0000)
author Chris Manton <cmanton@google.com>
Tue, 9 Nov 2021 00:45:42 +0000 (16:45 -0800)
committer Chris Manton <cmanton@google.com>
Tue, 9 Nov 2021 00:55:43 +0000 (00:55 +0000)
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc

index 50bd604..4b5d70d 100644 (file)
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -3385,7 +3385,6 @@ static void btm_sec_connect_after_reject_timeout(UNUSED_ATTR void* data) {
  void btm_sec_connected(const RawAddress& bda, uint16_t handle,
                         tHCI_STATUS status, uint8_t enc_mode,
                         tHCI_ROLE assigned_role) {
-  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
    tBTM_STATUS res;
    bool is_pairing_device = false;
    bool addr_matched;
@@ -3393,6 +3392,7 @@ void btm_sec_connected(const RawAddress& bda, uint16_t handle,
  
    btm_acl_resubmit_page();
  
+  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
    if (!p_dev_rec) {
      LOG_DEBUG(
          "Connected to new device state:%s handle:0x%04x status:%s "
author	Chris Manton <cmanton@google.com>
	Tue, 9 Nov 2021 00:45:42 +0000 (16:45 -0800)
committer	Chris Manton <cmanton@google.com>
	Tue, 9 Nov 2021 00:55:43 +0000 (00:55 +0000)