From: Chris Manton
Date: Tue, 9 Nov 2021 00:45:42 +0000 (-0800)
Subject: security: Use-After-Free in btm_sec_[dis]connected
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=4f3fdf141b248cacd7c7dd09c06d058931726c98;p=android-x86%2Fsystem-bt.git
security: Use-After-Free in btm_sec_[dis]connected
Bug: 201083442
Tag: #security
Test: gd/cert/run
Ignore-AOSP-First: Security
Change-Id: I69c362d1eb644a3b7fd967cd526a8a58c3b4d975
---
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 62b1b1858..1c1ceadf6 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -4122,7 +4122,6 @@ static void btm_sec_connect_after_reject_timeout(UNUSED_ATTR void* data) {
 ******************************************************************************/
 void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status,
 uint8_t enc_mode) {
- tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
 uint8_t res;
 bool is_pairing_device = false;
 bool addr_matched;
@@ -4131,6 +4130,7 @@ void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status,
 btm_acl_resubmit_page();
+ tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
 if (p_dev_rec) {
 VLOG(2) << __func__ << ": Security Manager: in state: " << btm_pair_state_descr(btm_cb.pairing_state)
@@ -4464,7 +4464,6 @@ tBTM_STATUS btm_sec_disconnect(uint16_t handle, uint8_t reason) {
 *
 ******************************************************************************/
 void btm_sec_disconnected(uint16_t handle, uint8_t reason) {
- tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
 uint8_t old_pairing_flags = btm_cb.pairing_flags;
 int result = HCI_ERR_AUTH_FAILURE;
 tBTM_SEC_CALLBACK* p_callback = NULL;
@@ -4475,6 +4474,7 @@ void btm_sec_disconnected(uint16_t handle, uint8_t reason) {
 btm_acl_resubmit_page();
+ tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
 if (!p_dev_rec) return;
 transport =
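Review bot: The relocated lookup `tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);` in btm_sec_connected has no comment saying why it must come after `btm_acl_resubmit_page();`, so a later tidy-up could hoist the declaration back to the top of the function and bring the stale pointer back. Going by the commit subject, the resubmit call can presumably invalidate a device record fetched before it; I would record that above the line, e.g. `// Must follow btm_acl_resubmit_page(): a record pointer fetched earlier may be stale (Bug: 201083442).` The same comment belongs on the `btm_find_dev_by_handle(handle)` lookup moved in btm_sec_disconnected. Both function bodies continue outside the hunks, so whether any later call between the lookup and the uses of `p_dev_rec` can also release records cannot be checked from here.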