From: Srinu Jella Date: Tue, 29 Dec 2015 08:00:19 +0000 (+0530) Subject: Avoid double-free on SDP search failure X-Git-Tag: android-x86-8.1-r1~1736^2~16^2~19 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=07f612cbc0;p=android-x86%2Fsystem-bt.git Avoid double-free on SDP search failure Use case: BT transfer fails in Doze mode. Pre-condition: 1. Device is in Doze mode. 2. Device is in Active state. Steps to reproduce: 1. On test device and support device, turn on Bluetooth and keep test device in Bluetooth on screen. 2. Put device in Doze mode: adb shell dumpsys battery unplug adb shell dumpsys deviceidle step 3. From support device send pair request to test device. 4. Pair two devices. 5. Put test device in Doze mode again. 6. Share one picture from support device to test device by Bluetooth. 7. Accept Bluetooth file transferring request. Failure: From DUT, BT transfer is failed. Root cause: Free buffer is called twice for the SDP search failure case. Fix: Added null check for p_sdp_db to avoid freeing same buffer again on SDP search failure. Change-Id: Ic7776e842c52418c2b0fb6d6479233d01c709dc2 --- diff --git a/bta/dm/bta_dm_act.c b/bta/dm/bta_dm_act.c index 8a8cfe86d..94d77d639 100644 --- a/bta/dm/bta_dm_act.c +++ b/bta/dm/bta_dm_act.c @@ -1801,7 +1801,8 @@ void bta_dm_sdp_result (tBTA_DM_MSG *p_data) bta_dm_search_cb.wait_disc = FALSE; /* not able to connect go to next device */ - osi_free_and_reset((void **)&bta_dm_search_cb.p_sdp_db); + if (bta_dm_search_cb.p_sdp_db) + osi_free_and_reset((void **)&bta_dm_search_cb.p_sdp_db); BTM_SecDeleteRmtNameNotifyCallback(&bta_dm_service_search_remname_cback);
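Review bot: the added `if (bta_dm_search_cb.p_sdp_db)` guard in bta_dm_sdp_result only prevents a second free if the first free left `p_sdp_db` set to NULL; `osi_free_and_reset((void **)&bta_dm_search_cb.p_sdp_db)` takes the address of the pointer precisely so it can free and then clear it, so a double free through this call site implies some other path frees `p_sdp_db` without resetting it (or frees a copy of the pointer). That path is where the bug lives, and this check will still pass a stale non-NULL pointer through to the free. Please identify the first free in the commit message and change it to use `osi_free_and_reset` on `&bta_dm_search_cb.p_sdp_db` as well, so the pointer is cleared at the point it becomes invalid rather than relying on a NULL check here; if the first free already goes through `osi_free_and_reset`, the new check is a no-op and the root cause is elsewhere. Minor: the surrounding code braces single-statement `if` bodies in places, so `if (bta_dm_search_cb.p_sdp_db) { ... }` would match local style.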