From: Hansong Zhang
Date: Thu, 10 Jan 2019 02:18:17 +0000 (-0800)
Subject: btm_proc_smp_cback: Don't access p_dev_rec if freed
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=7526f67d66d7ded7857eca094d7c856facb62275;p=android-x86%2Fsystem-bt.git

btm_proc_smp_cback: Don't access p_dev_rec if freed

In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle to prevent use after free

Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
(cherry picked from commit 953dd279502980b1d8d30656eb78c6445a6e31f7)
---

diff --git a/stack/btm/btm_ble.c b/stack/btm/btm_ble.c
index 542c87a9b..23b4647b1 100644
--- a/stack/btm/btm_ble.c
+++ b/stack/btm/btm_ble.c
@@ -39,6 +39,7 @@
 #include "device/include/controller.h"
 #include "gap_api.h"
 #include "hcimsgs.h"
+#include "log/log.h"
 #include "l2c_int.h"
 #include "osi/include/log.h"
 #include "smp_api.h"
@@ -2090,6 +2091,12 @@ UINT8 btm_proc_smp_cback(tSMP_EVT event, BD_ADDR bd_addr, tSMP_EVT_DATA *p_data)
     if (event == SMP_COMPLT_EVT)
     {
+        p_dev_rec = btm_find_dev(bd_addr);
+        if (p_dev_rec == NULL) {
+            BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__);
+            android_errorWriteLog(0x534e4554, "120612744");
+            return 0;
+        }
         BTM_TRACE_DEBUG ("evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level , p_dev_rec->sec_flags );
         res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS : BTM_ERR_PROCESSING;