From 7705a32fa0188b4f714dd4a594c3304090f6a2f6 Mon Sep 17 00:00:00 2001
From: Myles Watson <mylesgw@google.com>
Date: Wed, 10 Jan 2018 09:51:28 -0800
Subject: [PATCH] PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback

Patch from b/67078939

Test: build
Bug: 67110692
Change-Id: I63b857d031c55d3a0754e4101e330843eb422b2a
(cherry picked from commit 2a18e724b2bf101ea38a5b089de56842107c8369)
(cherry picked from commit 08e68337a9eb45818d5a770570c8b1d15a14d904)
---
 bta/pan/bta_pan_act.c  | 12 +++++-------
 stack/bnep/bnep_main.c |  1 +
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/bta/pan/bta_pan_act.c b/bta/pan/bta_pan_act.c
index f80dca1f8..82095fb8f 100644
--- a/bta/pan/bta_pan_act.c
+++ b/bta/pan/bta_pan_act.c
@@ -176,6 +176,11 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
     tBTA_PAN_SCB *p_scb;
     BT_HDR *p_new_buf;
 
+    p_scb = bta_pan_scb_by_handle(handle);
+    if (p_scb == NULL) {
+        return;
+    }
+
     if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
         /* offset smaller than data structure in front of actual data */
         if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
@@ -183,7 +188,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
             android_errorWriteLog(0x534e4554, "63146237");
             APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
                              p_buf->len);
-            osi_free(p_buf);
             return;
         }
         p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE);
@@ -191,7 +195,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
                (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len);
         p_new_buf->len    = p_buf->len;
         p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
-        osi_free(p_buf);
     } else {
         p_new_buf = p_buf;
     }
@@ -202,11 +205,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
     ((tBTA_PAN_DATA_PARAMS *)p_new_buf)->ext = ext;
     ((tBTA_PAN_DATA_PARAMS *)p_new_buf)->forward = forward;
 
-    if ((p_scb = bta_pan_scb_by_handle(handle)) == NULL) {
-        osi_free(p_new_buf);
-        return;
-    }
-
     fixed_queue_enqueue(p_scb->data_queue, p_new_buf);
     BT_HDR *p_event = (BT_HDR *)osi_malloc(sizeof(BT_HDR));
     p_event->layer_specific = handle;
diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c
index 36b76a1e0..e826a9996 100644
--- a/stack/bnep/bnep_main.c
+++ b/stack/bnep/bnep_main.c
@@ -657,6 +657,7 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
     if (bnep_cb.p_data_buf_cb)
     {
         (*bnep_cb.p_data_buf_cb)(p_bcb->handle, p_src_addr, p_dst_addr, protocol, p_buf, fw_ext_present);
+        osi_free(p_buf);
     }
     else if (bnep_cb.p_data_ind_cb)
     {
-- 
2.11.0