From 629cc9773a9f2948a5a69729b29fd87a8e49539e Mon Sep 17 00:00:00 2001
From: Jakub Pawlowski
Date: Wed, 11 Jul 2018 02:57:07 -0700
Subject: [PATCH] Don't use Address after it was deleted

Bug: 110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
Merged-In: Id3364cf53153eafed478546d7347ed1673217e91
---
 bta/dm/bta_dm_act.cc | 10 +++++++---
 stack/btm/btm_dev.cc | 21 +++++++++++----------
 stack/include/btm_api.h | 15 ++++++++-------
 3 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/bta/dm/bta_dm_act.cc b/bta/dm/bta_dm_act.cc
index e827210dd..b6ca628e0 100644
--- a/bta/dm/bta_dm_act.cc
+++ b/bta/dm/bta_dm_act.cc
@@ -3117,11 +3117,15 @@ void bta_dm_acl_change(tBTA_DM_MSG* p_data) {
 }
 }
 if (conn.link_down.is_removed) {
- BTM_SecDeleteDevice(p_bda);
+ // p_bda points to security record, which is removed in
+ // BTM_SecDeleteDevice.
+ BD_ADDR addr_copy;
+ memcpy(addr_copy, p_bda, BD_ADDR_LEN);
+ BTM_SecDeleteDevice(addr_copy);
 /* need to remove all pending background connection */
- BTA_GATTC_CancelOpen(0, p_bda, false);
+ BTA_GATTC_CancelOpen(0, addr_copy, false);
 /* remove all cached GATT information */
- BTA_GATTC_Refresh(p_bda);
+ BTA_GATTC_Refresh(addr_copy);
 }
 bdcpy(conn.link_down.bd_addr, p_bda);
diff --git a/stack/btm/btm_dev.cc b/stack/btm/btm_dev.cc
index 808f1cd99..aa6646f14 100644
--- a/stack/btm/btm_dev.cc
+++ b/stack/btm/btm_dev.cc
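Review bot: The hunk's last line, `bdcpy(conn.link_down.bd_addr, p_bda);`, still reads `p_bda` after `BTM_SecDeleteDevice(addr_copy)` has run, and the new comment on the lines above says `p_bda` points into the security record that call removes — so the stale read this commit sets out to eliminate survives on the unconditional line right after the `if` block. Taking the copy once, before the `if`, and using it for everything afterwards fixes that and lets `addr_copy` go away: move the `bdcpy` above `if (conn.link_down.is_removed)` and pass `conn.link_down.bd_addr` to the three calls (assuming that field is a `BD_ADDR`, as the `bdcpy` into it suggests). `bta_dm_acl_change` starts and ends outside the hunk, so any further use of `p_bda` in the rest of the function needs the same check.

```cpp
  bdcpy(conn.link_down.bd_addr, p_bda);
  if (conn.link_down.is_removed) {
    // p_bda may point into the security record that BTM_SecDeleteDevice
    // frees, so only the copy in conn.link_down.bd_addr is used from here on.
    BTM_SecDeleteDevice(conn.link_down.bd_addr);
    /* need to remove all pending background connection */
    BTA_GATTC_CancelOpen(0, conn.link_down.bd_addr, false);
    /* remove all cached GATT information */
    BTA_GATTC_Refresh(conn.link_down.bd_addr);
  }
```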
@@ -148,17 +148,16 @@ bool BTM_SecAddDevice(BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_name,
 return true;
 }
 
-/*******************************************************************************
- *
- * Function BTM_SecDeleteDevice
- *
- * Description Free resources associated with the device.
+/** Free resources associated with the device associated with |bd_addr| address.
 *
- * Parameters: bd_addr - BD address of the peer
- *
- * Returns true if removed OK, false if not found or ACL link is active
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
 *
- ******************************************************************************/
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
 bool BTM_SecDeleteDevice(BD_ADDR bd_addr) {
 if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE) ||
 BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR)) {
@@ -169,9 +168,11 @@ bool BTM_SecDeleteDevice(BD_ADDR bd_addr) {
 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
 if (p_dev_rec != NULL) {
+ BD_ADDR bda;
+ memcpy(bda, bd_addr, BD_ADDR_LEN);
 btm_sec_free_dev(p_dev_rec);
 /* Tell controller to get rid of the link key, if it has one stored */
- BTM_DeleteStoredLinkKey(p_dev_rec->bd_addr, NULL);
+ BTM_DeleteStoredLinkKey(bda, NULL);
 }
 return true;
diff --git a/stack/include/btm_api.h b/stack/include/btm_api.h
index 2c0743fff..40f591041 100644
--- a/stack/include/btm_api.h
+++ b/stack/include/btm_api.h
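Review bot: The new doc comment's first line, `Free resources associated with the device associated with |bd_addr| address.`, repeats "associated with" and reads awkwardly; `Free resources associated with the device at |bd_addr|.` says the same thing. In the warning paragraph `it's fields` should be `its fields`. The whole block is duplicated verbatim in the btm_api.h hunk of this patch, and two hand-maintained copies will drift, so consider keeping the full warning on the declaration in the header and leaving a one-line pointer to it here.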
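Review bot: The new `bda` copy inside `if (p_dev_rec != NULL)` has no comment saying why it exists, and since `bd_addr` itself is never written here, a later cleanup is likely to fold the call back to `BTM_DeleteStoredLinkKey(bd_addr, NULL)` and reintroduce the hazard if `bd_addr` aliases the record. Add `/* bd_addr may alias p_dev_rec->bd_addr (callers pass the record's own field), so copy it before btm_sec_free_dev() invalidates the record. */` above the `memcpy`. The early-return branch of `BTM_SecDeleteDevice` that precedes this hunk is outside it, and the hunk header counts indicate two context lines were lost in the collapsed text of this page.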
@@ -1427,15 +1427,16 @@ extern bool BTM_SecAddDevice(BD_ADDR bd_addr, DEV_CLASS dev_class,
 uint8_t key_type, tBTM_IO_CAP io_cap,
 uint8_t pin_length);
 
-/*******************************************************************************
- *
- * Function BTM_SecDeleteDevice
+/** Free resources associated with the device associated with |bd_addr| address.
 *
- * Description Free resources associated with the device.
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
 *
- * Returns true if rmoved OK, false if not found
- *
- ******************************************************************************/
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
 extern bool BTM_SecDeleteDevice(BD_ADDR bd_addr);
 
 /*******************************************************************************
-- 
2.11.0