From c08175b5f15b161a6ba1444e1071e92b03552915 Mon Sep 17 00:00:00 2001 From: Chris Manton Date: Mon, 8 Nov 2021 16:45:42 -0800 Subject: [PATCH] security: Use-After-Free in btm_sec_[dis]connected Bug: 201083442 Tag: #security Test: gd/cert/run Ignore-AOSP-First: Security Change-Id: I69c362d1eb644a3b7fd967cd526a8a58c3b4d975 --- stack/btm/btm_sec.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc index bdda174ac..eecbed5ea 100644 --- a/stack/btm/btm_sec.cc +++ b/stack/btm/btm_sec.cc @@ -3913,7 +3913,6 @@ static void btm_sec_connect_after_reject_timeout(UNUSED_ATTR void* data) { ******************************************************************************/ void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status, uint8_t enc_mode) { - tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda); uint8_t res; bool is_pairing_device = false; bool addr_matched; @@ -3922,6 +3921,7 @@ void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status, btm_acl_resubmit_page(); + tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda); if (p_dev_rec) { VLOG(2) << __func__ << ": Security Manager: in state: " << btm_pair_state_descr(btm_cb.pairing_state) @@ -4258,7 +4258,6 @@ tBTM_STATUS btm_sec_disconnect(uint16_t handle, uint8_t reason) { * ******************************************************************************/ void btm_sec_disconnected(uint16_t handle, uint8_t reason) { - tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle); uint8_t old_pairing_flags = btm_cb.pairing_flags; int result = HCI_ERR_AUTH_FAILURE; tBTM_SEC_CALLBACK* p_callback = NULL; @@ -4269,6 +4268,7 @@ void btm_sec_disconnected(uint16_t handle, uint8_t reason) { btm_acl_resubmit_page(); + tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle); if (!p_dev_rec) return; transport = -- 2.11.0