DO NOT MERGE: PAN: Always allocate in bta_pan_data_buf_ind_cback

Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free.  Move the free call to pan_data_buf_ind_cb().

Free the buffer before every return in pan_data_buf_ind_cb.

Bug: 74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
(cherry picked from commit 2e0deb1d135805b37697f0e02a55269c6cc500fe)

diff --git a/bta/pan/bta_pan_act.c b/bta/pan/bta_pan_act.c
index 4601799..5f458c3 100644 (file)
--- a/bta/pan/bta_pan_act.c
+++ b/bta/pan/bta_pan_act.c
@@ -212,33 +212,25 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
         return;
     }
 
-    if ( sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset )
-    {
-        if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
-            GKI_get_pool_bufsize(PAN_POOL_ID)) {
-            android_errorWriteLog(0x534e4554, "63146237");
-            APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
-                             p_buf->len);
-            return;
-        }
+    if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
+        GKI_get_pool_bufsize(PAN_POOL_ID)) {
+        android_errorWriteLog(0x534e4554, "63146237");
+        APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
+                         p_buf->len);
+        return;
+    }
 
-        /* offset smaller than data structure in front of actual data */
-        p_new_buf = (BT_HDR *)GKI_getpoolbuf( PAN_POOL_ID );
-        if(!p_new_buf)
-        {
-            APPL_TRACE_WARNING("Cannot get a PAN GKI buffer");
-            return;
-        }
-        else
-        {
-            memcpy( (UINT8 *)(p_new_buf+1)+sizeof(tBTA_PAN_DATA_PARAMS), (UINT8 *)(p_buf+1)+p_buf->offset, p_buf->len );
-            p_new_buf->len    = p_buf->len;
-            p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
-        }
+    p_new_buf = (BT_HDR *)GKI_getpoolbuf( PAN_POOL_ID );
+    if(!p_new_buf)
+    {
+        APPL_TRACE_WARNING("Cannot get a PAN GKI buffer");
+        return;
     }
     else
     {
-        p_new_buf = p_buf;
+        memcpy( (UINT8 *)(p_new_buf+1)+sizeof(tBTA_PAN_DATA_PARAMS), (UINT8 *)(p_buf+1)+p_buf->offset, p_buf->len );
+        p_new_buf->len    = p_buf->len;
+        p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
     }
     /* copy params into the space before the data */
     bdcpy(((tBTA_PAN_DATA_PARAMS *)p_new_buf)->src, src);

diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c
index c3fa051..d0eb362 100644 (file)
--- a/stack/bnep/bnep_main.c
+++ b/stack/bnep/bnep_main.c
@@ -661,7 +661,6 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
     if (bnep_cb.p_data_buf_cb)
     {
         (*bnep_cb.p_data_buf_cb)(p_bcb->handle, p_src_addr, p_dst_addr, protocol, p_buf, fw_ext_present);
-        GKI_freebuf (p_buf);
     }
     else if (bnep_cb.p_data_ind_cb)
     {

diff --git a/stack/pan/pan_main.c b/stack/pan/pan_main.c
index eb39a85..aee65f2 100644 (file)
--- a/stack/pan/pan_main.c
+++ b/stack/pan/pan_main.c
@@ -629,11 +629,8 @@ void pan_data_buf_ind_cb (UINT16 handle,
             if (pan_cb.pan_data_buf_ind_cb)
                 (*pan_cb.pan_data_buf_ind_cb) (pcb->handle, src, dst, protocol, p_buf, ext, forward);
             else if (pan_cb.pan_data_ind_cb)
-            {
                 (*pan_cb.pan_data_ind_cb) (pcb->handle, src, dst, protocol, p_data, len, ext, forward);
-                GKI_freebuf (p_buf);
-            }
-
+            GKI_freebuf (p_buf);
             return;
         }
 
@@ -656,13 +653,8 @@ void pan_data_buf_ind_cb (UINT16 handle,
     if (pan_cb.pan_data_buf_ind_cb)
         (*pan_cb.pan_data_buf_ind_cb) (pcb->handle, src, dst, protocol, p_buf, ext, forward);
     else if (pan_cb.pan_data_ind_cb)
-    {
         (*pan_cb.pan_data_ind_cb) (pcb->handle, src, dst, protocol, p_data, len, ext, forward);
-        GKI_freebuf (p_buf);
-    }
-    else
-        GKI_freebuf (p_buf);
-
+    GKI_freebuf (p_buf);
     return;
 }