From 9bf4ff6114159b9cce013310475995ce133a62e3 Mon Sep 17 00:00:00 2001
From: Jakub Pawlowski
Date: Wed, 11 Jul 2018 02:57:07 -0700
Subject: [PATCH] Don't use Address after it was deleted
Bug: 110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
(cherry picked from commit 9930f6f4e14e64966869b119994126283d645fd0)
---
 bta/dm/bta_dm_act.cc | 9 ++++++---
 stack/btm/btm_dev.cc | 20 ++++++++++----------
 stack/include/btm_api.h | 15 ++++++++-------
 3 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/bta/dm/bta_dm_act.cc b/bta/dm/bta_dm_act.cc
index 175e3faf2..eaa61abbc 100644
--- a/bta/dm/bta_dm_act.cc
+++ b/bta/dm/bta_dm_act.cc
@@ -3266,11 +3266,14 @@ static void bta_dm_remove_sec_dev_entry(const RawAddress& remote_bd_addr) {
 }
 }
 } else {
- BTM_SecDeleteDevice(remote_bd_addr);
+ // remote_bd_addr comes from security record, which is removed in
+ // BTM_SecDeleteDevice.
+ RawAddress addr_copy = remote_bd_addr;
+ BTM_SecDeleteDevice(addr_copy);
 /* need to remove all pending background connection */
- BTA_GATTC_CancelOpen(0, remote_bd_addr, false);
+ BTA_GATTC_CancelOpen(0, addr_copy, false);
 /* remove all cached GATT information */
- BTA_GATTC_Refresh(remote_bd_addr);
+ BTA_GATTC_Refresh(addr_copy);
 }
 }
diff --git a/stack/btm/btm_dev.cc b/stack/btm/btm_dev.cc
index 07332e7c1..0fe5c20e9 100644
--- a/stack/btm/btm_dev.cc
+++ b/stack/btm/btm_dev.cc
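Review bot: The copy is taken only inside this `else` branch, so any use of `remote_bd_addr` after a record deletion in the part of `bta_dm_remove_sec_dev_entry` above the hunk would still read through a reference into the removed security record; that part is not visible here and should be checked. Taking the copy once at function entry, as `const RawAddress addr_copy = remote_bd_addr;`, would cover every path and mark the copy read-only. The result of `BTM_SecDeleteDevice(addr_copy)` is also discarded, so the GATT cancel and refresh run even when it returns false; if that is intended, a one-line comment saying so would help the next reader.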
@@ -147,17 +147,16 @@ bool BTM_SecAddDevice(const RawAddress& bd_addr, DEV_CLASS dev_class,
 return true;
 }
-/*******************************************************************************
- *
- * Function BTM_SecDeleteDevice
- *
- * Description Free resources associated with the device.
+/** Free resources associated with the device associated with |bd_addr| address.
 *
- * Parameters: bd_addr - BD address of the peer
- *
- * Returns true if removed OK, false if not found or ACL link is active
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
 *
- ******************************************************************************/
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
 bool BTM_SecDeleteDevice(const RawAddress& bd_addr) {
 if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE) || BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR)) {
@@ -168,9 +167,10 @@ bool BTM_SecDeleteDevice(const RawAddress& bd_addr) {
 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
 if (p_dev_rec != NULL) {
+ RawAddress bda = p_dev_rec->bd_addr;
 btm_sec_free_dev(p_dev_rec);
 /* Tell controller to get rid of the link key, if it has one stored */
- BTM_DeleteStoredLinkKey(&p_dev_rec->bd_addr, NULL);
+ BTM_DeleteStoredLinkKey(&bda, NULL);
 }
 return true;
diff --git a/stack/include/btm_api.h b/stack/include/btm_api.h
index 10f4f6583..3dd556780 100644
--- a/stack/include/btm_api.h
+++ b/stack/include/btm_api.h
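Review bot: The new warning on BTM_SecDeleteDevice says the record becomes invalid but leaves out what a caller has to do about it: the `bd_addr` argument is taken by reference, so a caller that passes `p_dev_rec->bd_addr` and reads it again after the call is reading stale storage, which is the case the bta_dm_act.cc hunk fixes. I would add a line such as `* Callers that pass p_dev_rec->bd_addr must copy it first if they read it after the call.` and change `it's fields` to `its fields`. The same comment text is duplicated in the stack/include/btm_api.h hunk and needs the same wording there.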
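Review bot: Nothing at the `btm_sec_free_dev(p_dev_rec)` call says that the parameter `bd_addr` can be just as stale afterwards as `p_dev_rec->bd_addr`, since callers may pass a reference into the record (the bta_dm_act.cc hunk states that its argument comes from the security record). The visible lines are safe because only `bda` is used after the free, but a later edit that logs or reuses `bd_addr` below that call would bring the dangling read back. A comment above the copy, e.g. `// bd_addr may alias p_dev_rec->bd_addr; use only bda after btm_sec_free_dev().`, together with declaring it `const RawAddress bda`, would make the constraint explicit. Part of BTM_SecDeleteDevice's body lies between this hunk and the previous one and is not visible.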
@@ -1411,15 +1411,16 @@ extern bool BTM_SecAddDevice(const RawAddress& bd_addr, DEV_CLASS dev_class, uint8_t key_type, tBTM_IO_CAP io_cap, uint8_t pin_length);
-/*******************************************************************************
- *
- * Function BTM_SecDeleteDevice
+/** Free resources associated with the device associated with |bd_addr| address.
 *
- * Description Free resources associated with the device.
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
 *
- * Returns true if rmoved OK, false if not found
- *
- ******************************************************************************/
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
 extern bool BTM_SecDeleteDevice(const RawAddress& bd_addr);
 /*******************************************************************************
-- 2.11.0