From 07f612cbc08364a622e6e02cdbb039b82586d82c Mon Sep 17 00:00:00 2001 From: Srinu Jella Date: Tue, 29 Dec 2015 13:30:19 +0530 Subject: [PATCH] Avoid double-free on SDP search failure Use case: BT transfer fails in Doze mode. Pre-condition: 1. Device is in Doze mode. 2. Device is in Active state. Steps to reproduce: 1. On test device and support device, turn on Bluetooth and keep test device in Bluetooth on screen. 2. Put device in Doze mode: adb shell dumpsys battery unplug adb shell dumpsys deviceidle step 3. From support device send pair request to test device. 4. Pair two devices. 5. Put test device in Doze mode again. 6. Share one picture from support device to test device by Bluetooth. 7. Accept Bluetooth file transferring request. Failure: From DUT, BT transfer is failed. Root cause: Free buffer is called twice for the SDP search failure case. Fix: Added null check for p_sdp_db to avoid freeing same buffer again on SDP search failure. Change-Id: Ic7776e842c52418c2b0fb6d6479233d01c709dc2 --- bta/dm/bta_dm_act.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bta/dm/bta_dm_act.c b/bta/dm/bta_dm_act.c index 8a8cfe86d..94d77d639 100644 --- a/bta/dm/bta_dm_act.c +++ b/bta/dm/bta_dm_act.c @@ -1801,7 +1801,8 @@ void bta_dm_sdp_result (tBTA_DM_MSG *p_data) bta_dm_search_cb.wait_disc = FALSE; /* not able to connect go to next device */ - osi_free_and_reset((void **)&bta_dm_search_cb.p_sdp_db); + if (bta_dm_search_cb.p_sdp_db) + osi_free_and_reset((void **)&bta_dm_search_cb.p_sdp_db); BTM_SecDeleteRmtNameNotifyCallback(&bta_dm_service_search_remname_cback); -- 2.11.0
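Review bot: the `if (bta_dm_search_cb.p_sdp_db)` guard added in the `bta_dm_sdp_result` hunk only prevents a second free if the first free already reset `p_sdp_db` to NULL, and the commit message does not say where that first free happens or whether it does reset the pointer. If the earlier free site uses `osi_free_and_reset` (which, as its name says, nulls the pointer), the guard merely skips a NULL pointer, so the root cause would be that `osi_free_and_reset` does not tolerate a NULL `*p_ptr`; if the earlier site frees without resetting, `p_sdp_db` is still non-NULL here and the guarded call still frees a dangling pointer. Please name the first free site in the message and fix it there (use `osi_free_and_reset` so ownership is cleared at the point of release), or make `osi_free_and_reset` a no-op on NULL, so that this caller does not have to guess whether the buffer is still owned.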