Don't use Address after it was deleted

Bug: 110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91

diff --git a/bta/dm/bta_dm_act.cc b/bta/dm/bta_dm_act.cc
index 175e3fa..eaa61ab 100644 (file)
--- a/bta/dm/bta_dm_act.cc
+++ b/bta/dm/bta_dm_act.cc
@@ -3266,11 +3266,14 @@ static void bta_dm_remove_sec_dev_entry(const RawAddress& remote_bd_addr) {
       }
     }
   } else {
-    BTM_SecDeleteDevice(remote_bd_addr);
+    // remote_bd_addr comes from security record, which is removed in
+    // BTM_SecDeleteDevice.
+    RawAddress addr_copy = remote_bd_addr;
+    BTM_SecDeleteDevice(addr_copy);
     /* need to remove all pending background connection */
-    BTA_GATTC_CancelOpen(0, remote_bd_addr, false);
+    BTA_GATTC_CancelOpen(0, addr_copy, false);
     /* remove all cached GATT information */
-    BTA_GATTC_Refresh(remote_bd_addr);
+    BTA_GATTC_Refresh(addr_copy);
   }
 }
 

diff --git a/stack/btm/btm_dev.cc b/stack/btm/btm_dev.cc
index 07332e7..0fe5c20 100644 (file)
--- a/stack/btm/btm_dev.cc
+++ b/stack/btm/btm_dev.cc
@@ -147,17 +147,16 @@ bool BTM_SecAddDevice(const RawAddress& bd_addr, DEV_CLASS dev_class,
   return true;
 }
 
-/*******************************************************************************
- *
- * Function         BTM_SecDeleteDevice
- *
- * Description      Free resources associated with the device.
+/** Free resources associated with the device associated with |bd_addr| address.
  *
- * Parameters:      bd_addr          - BD address of the peer
- *
- * Returns          true if removed OK, false if not found or ACL link is active
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
  *
- ******************************************************************************/
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
 bool BTM_SecDeleteDevice(const RawAddress& bd_addr) {
   if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE) ||
       BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR)) {
@@ -168,9 +167,10 @@ bool BTM_SecDeleteDevice(const RawAddress& bd_addr) {
 
   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
   if (p_dev_rec != NULL) {
+    RawAddress bda = p_dev_rec->bd_addr;
     btm_sec_free_dev(p_dev_rec);
     /* Tell controller to get rid of the link key, if it has one stored */
-    BTM_DeleteStoredLinkKey(&p_dev_rec->bd_addr, NULL);
+    BTM_DeleteStoredLinkKey(&bda, NULL);
   }
 
   return true;

diff --git a/stack/include/btm_api.h b/stack/include/btm_api.h
index 10f4f65..3dd5567 100644 (file)
--- a/stack/include/btm_api.h
+++ b/stack/include/btm_api.h
@@ -1411,15 +1411,16 @@ extern bool BTM_SecAddDevice(const RawAddress& bd_addr, DEV_CLASS dev_class,
                              uint8_t key_type, tBTM_IO_CAP io_cap,
                              uint8_t pin_length);
 
-/*******************************************************************************
- *
- * Function         BTM_SecDeleteDevice
+/** Free resources associated with the device associated with |bd_addr| address.
  *
- * Description      Free resources associated with the device.
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
  *
- * Returns          true if rmoved OK, false if not found
- *
- ******************************************************************************/
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
 extern bool BTM_SecDeleteDevice(const RawAddress& bd_addr);
 
 /*******************************************************************************