OSDN Git Service

btm_proc_smp_cback: Don't access p_dev_rec if freed
author    Hansong Zhang <hsz@google.com>
          Thu, 10 Jan 2019 02:18:17 +0000 (18:18 -0800)
committer JP Sugarbroad <jpsugar@google.com>
          Tue, 12 Feb 2019 21:30:04 +0000 (13:30 -0800)
In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free

Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
(cherry picked from commit 953dd279502980b1d8d30656eb78c6445a6e31f7)

stack/btm/btm_ble.cc

index ca93e1a..0c4bdd9 100644 (file)
@@ -39,6 +39,7 @@
 #include "gap_api.h"
 #include "gatt_api.h"
 #include "hcimsgs.h"
+#include "log/log.h"
 #include "l2c_int.h"
 #include "osi/include/log.h"
 #include "osi/include/osi.h"
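Review bot: the new `#include "log/log.h"` is inserted between "hcimsgs.h" and "l2c_int.h", which breaks the alphabetical order the surrounding includes follow; move it one line down so it sits after "l2c_int.h" and before "osi/include/log.h". The include itself is justified, since the second hunk calls android_errorWriteLog(), which the already-included "osi/include/log.h" does not provide, but a one-line comment or a mention in the commit message of why a second log header is needed would save the next reader the lookup.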
@@ -2086,6 +2087,12 @@ uint8_t btm_proc_smp_cback(tSMP_EVT event, const RawAddress& bd_addr,
         }
 
         if (event == SMP_COMPLT_EVT) {
+          p_dev_rec = btm_find_dev(bd_addr);
+          if (p_dev_rec == NULL) {
+            BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__);
+            android_errorWriteLog(0x534e4554, "120612744");
+            return 0;
+          }
           BTM_TRACE_DEBUG(
               "evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x",
               p_data->cmplt.sec_level, p_dev_rec->sec_flags);
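Review bot: the re-lookup of p_dev_rec via btm_find_dev(bd_addr) sits inside the `if (event == SMP_COMPLT_EVT)` branch, so it only protects the SMP_COMPLT_EVT trace and the sec_flags update that follows; if the block above this hunk (not shown here) can free the record on other events that also dereference p_dev_rec further down, those paths stay unguarded. Consider hoisting the lookup and NULL check to directly after the point where the record may be freed, ahead of the event dispatch, so every later use sees a fresh pointer. Two smaller points: the commit message says the function should "return after p_dev_rec is freed", whereas the change re-fetches the record and returns only when the lookup fails, so the message should describe the re-lookup to match the code; and `return 0` on the NULL path should be checked against what callers of btm_proc_smp_cback() do with the uint8_t return value, since nothing in the hunk shows what 0 means to them. The android_errorWriteLog(0x534e4554, "120612744") call uses the standard "SNET" tag with the bug id, which is the right way to make this path visible to security telemetry.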