From d77658a680d65feec984c4f24dea28028e1a4853 Mon Sep 17 00:00:00 2001
From: Hansong Zhang
Date: Sun, 27 Sep 2020 16:30:03 -0700
Subject: [PATCH] Check for control block nullptr on l2cap error
Bug: 159815595
Tag: #refactor
Test: compile & verify basic functions working
Change-Id: Ie041822b2f51aa20e57fa35f90c432a6c96733d5
---
 stack/avct/avct_l2c_br.cc | 1 +
 stack/bnep/bnep_main.cc | 1 +
 stack/gap/gap_conn.cc | 1 +
 stack/gatt/gatt_main.cc | 1 +
 stack/rfcomm/rfc_mx_fsm.cc | 1 +
 stack/sdp/sdp_main.cc | 1 +
 6 files changed, 6 insertions(+)
diff --git a/stack/avct/avct_l2c_br.cc b/stack/avct/avct_l2c_br.cc
index a11ece8a4..7415c11a8 100644
--- a/stack/avct/avct_l2c_br.cc
+++ b/stack/avct/avct_l2c_br.cc
@@ -103,6 +103,7 @@ void avct_l2c_br_connect_ind_cback(const RawAddress& bd_addr, uint16_t lcid,
 void avct_br_on_l2cap_error(uint16_t lcid, uint16_t result) {
 tAVCT_BCB* p_lcb = avct_bcb_by_lcid(lcid);
+ if (p_lcb == nullptr) return;
 /* store result value */
 p_lcb->ch_result = result;
diff --git a/stack/bnep/bnep_main.cc b/stack/bnep/bnep_main.cc
index ba3ee0f93..1a25aab56 100644
--- a/stack/bnep/bnep_main.cc
+++ b/stack/bnep/bnep_main.cc
@@ -137,6 +137,7 @@ static void bnep_connect_ind(const RawAddress& bd_addr, uint16_t l2cap_cid,
 static void bnep_on_l2cap_error(uint16_t l2cap_cid, uint16_t result) {
 tBNEP_CONN* p_bcb = bnepu_find_bcb_by_cid(l2cap_cid);
+ if (p_bcb == nullptr) return;
 /* Tell the upper layer, if there is a callback */
 if ((p_bcb->con_flags & BNEP_FLAGS_IS_ORIG) && (bnep_cb.p_conn_state_cb)) {
diff --git a/stack/gap/gap_conn.cc b/stack/gap/gap_conn.cc
index 13b12e7e6..d3e49aa46 100644
--- a/stack/gap/gap_conn.cc
+++ b/stack/gap/gap_conn.cc
@@ -687,6 +687,7 @@ static void gap_sec_check_complete(const RawAddress*, tBT_TRANSPORT,
 static void gap_on_l2cap_error(uint16_t l2cap_cid, uint16_t result) {
 tGAP_CCB* p_ccb = gap_find_ccb_by_cid(l2cap_cid);
+ if (p_ccb == nullptr) return;
 /* Tell the user if there is a callback */
 if (p_ccb->p_callback)
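Review bot: The guard added in avct_br_on_l2cap_error returns silently when avct_bcb_by_lcid() finds no control block, so an L2CAP error delivered for a CID that has no owner leaves no trace; the identical guards added in bnep_on_l2cap_error, gap_on_l2cap_error, gatt_on_l2cap_error, rfc_on_l2cap_error and sdp_on_l2cap_error have the same gap. An error callback for an unknown channel may point to a teardown race or to unexpected peer behaviour, so it is worth a warning that records the CID and the result, e.g. `if (p_lcb == nullptr) { LOG(WARNING) << __func__ << ": no control block for lcid " << lcid << ", result " << result; return; }` (use the file's existing trace macro where `LOG` is not in scope). The commit's Test line mentions only basic function checks, so a unit test that calls each handler with an unregistered CID would pin the new behaviour. Apart from sdp_on_l2cap_error, the bodies of these functions continue outside their hunks.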
diff --git a/stack/gatt/gatt_main.cc b/stack/gatt/gatt_main.cc
index 07d6190e9..aac3d2432 100644
--- a/stack/gatt/gatt_main.cc
+++ b/stack/gatt/gatt_main.cc
@@ -587,6 +587,7 @@ static void gatt_l2cif_connect_ind_cback(const RawAddress& bd_addr,
 static void gatt_on_l2cap_error(uint16_t lcid, uint16_t result) {
 tGATT_TCB* p_tcb = gatt_find_tcb_by_cid(lcid);
+ if (p_tcb == nullptr) return;
 if (gatt_get_ch_state(p_tcb) == GATT_CH_CONN) {
 gatt_cleanup_upon_disc(p_tcb->peer_bda, result, BT_TRANSPORT_BR_EDR);
 } else {
diff --git a/stack/rfcomm/rfc_mx_fsm.cc b/stack/rfcomm/rfc_mx_fsm.cc
index 05ac96074..511e590b2 100644
--- a/stack/rfcomm/rfc_mx_fsm.cc
+++ b/stack/rfcomm/rfc_mx_fsm.cc
@@ -556,6 +556,7 @@ static void rfc_mx_send_config_req(tRFC_MCB* p_mcb) {
 void rfc_on_l2cap_error(uint16_t lcid, uint16_t result) {
 tRFC_MCB* p_mcb = rfc_find_lcid_mcb(lcid);
+ if (p_mcb == nullptr) return;
 if (result == L2CAP_CONN_OTHER_ERROR) {
 RFCOMM_TRACE_DEBUG(
diff --git a/stack/sdp/sdp_main.cc b/stack/sdp/sdp_main.cc
index 5bd4807d5..ec49e4f23 100644
--- a/stack/sdp/sdp_main.cc
+++ b/stack/sdp/sdp_main.cc
@@ -131,6 +131,7 @@ static void sdp_connect_ind(const RawAddress& bd_addr, uint16_t l2cap_cid,
 static void sdp_on_l2cap_error(uint16_t l2cap_cid, uint16_t result) {
 tCONN_CB* p_ccb = sdpu_find_ccb_by_cid(l2cap_cid);
+ if (p_ccb == nullptr) return;
 sdp_disconnect(p_ccb, SDP_CFG_FAILED);
 }
--
2.11.0
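Review bot: In sdp_on_l2cap_error the `result` argument is never read: every L2CAP error ends in `sdp_disconnect(p_ccb, SDP_CFG_FAILED)`, so the original L2CAP result code is lost, and a failure that did not happen during configuration would presumably still be reported as a configuration failure. If collapsing all errors into one reason is intended, a comment above the call should say so, e.g. `/* result is ignored: every L2CAP error on this channel is reported as SDP_CFG_FAILED */`. Otherwise the result should at least be logged before the disconnect, so that the cause can be recovered from a bug report.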