From 953dd279502980b1d8d30656eb78c6445a6e31f7 Mon Sep 17 00:00:00 2001
From: Hansong Zhang
Date: Wed, 9 Jan 2019 18:18:17 -0800
Subject: [PATCH] btm_proc_smp_cback: Don't access p_dev_rec if freed

In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle to prevent use after free

Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
---
 stack/btm/btm_ble.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc
index d8a187a97..c21af1430 100644
--- a/stack/btm/btm_ble.cc
+++ b/stack/btm/btm_ble.cc
@@ -39,6 +39,7 @@
 #include "gap_api.h"
 #include "gatt_api.h"
 #include "hcimsgs.h"
+#include "log/log.h"
 #include "l2c_int.h"
 #include "osi/include/log.h"
 #include "osi/include/osi.h"
@@ -1909,6 +1910,12 @@ uint8_t btm_proc_smp_cback(tSMP_EVT event, BD_ADDR bd_addr,
   }
 
   if (event == SMP_COMPLT_EVT) {
+    p_dev_rec = btm_find_dev(bd_addr);
+    if (p_dev_rec == NULL) {
+      BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__);
+      android_errorWriteLog(0x534e4554, "120612744");
+      return 0;
+    }
     BTM_TRACE_DEBUG(
         "evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x",
         p_data->cmplt.sec_level, p_dev_rec->sec_flags);
-- 
2.11.0
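Review bot: The re-lookup `p_dev_rec = btm_find_dev(bd_addr);` at the top of the SMP_COMPLT_EVT branch carries no comment saying why it repeats a lookup the function presumably already did earlier, so it reads as redundant and is at risk of being folded away by a later cleanup, which would silently reintroduce the use-after-free this commit closes. A one-line comment above it, `// p_dev_rec may have been freed by the handling above (e.g. on timeout); re-resolve it by address before dereferencing`, would record the intent next to the code rather than only in the commit message. The guard covers only this branch; if other event paths later in the function also dereference p_dev_rec after the point where it can be freed, they would need the same re-fetch-and-NULL-check, which cannot be confirmed from this hunk. btm_proc_smp_cback begins and ends outside the hunk.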