Bluetooth: Fix to avoid NULL pointer dereferences
This change avoids NULL pointer dereferences:
- Added a state check in btm_remove_acl so that no disconnect command
is sent if the link is already in the Disconnecting state.
- Added a NULL check for 'pin_code' in btif_dm_pin_reply.
- Added a NULL check before accessing configuration node variables in
the BD interface layer.
- Added a NULL check before accessing the p_bd_addr variable to avoid a
NULL pointer dereference through invalid memory.
Change-Id: Ib7ed45b6a1692785a45224d739a564f767e5b10f
diff --git a/btif/src/btif_config.c b/btif/src/btif_config.c
index 06035cf..33f0239 100644
--- a/btif/src/btif_config.c
+++ b/btif/src/btif_config.c
@@ -434,7 +434,7 @@
} else ADD_CHILD_COUNT(p, 1);
}
else node = &p->child[i];
- if(!node->name)
+ if(node && (!node->name))
node->name = strdup(name);
return node;
}
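Review bot: The `strdup(name)` on the line after the new guard is still unchecked, so on allocation failure `node->name` stays NULL and a node that looks valid is returned to the caller, which is the same class of defect this commit is fixing; consider checking the result and propagating the failure, e.g. `if (node && !node->name && (node->name = strdup(name)) == NULL) return NULL;`, bearing in mind the node appears to have already been linked into `p->child` above. The added `node &&` also means a NULL node (presumably from an allocation path above the hunk) is now returned silently instead of crashing, so every caller must check the return value; a comment on the function such as `/* Returns NULL if the node could not be allocated; callers must check. */` would make that contract explicit. The enclosing function starts outside the hunk.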
diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c
index d3cc5f8..9f1caef 100644
--- a/btif/src/btif_dm.c
+++ b/btif/src/btif_dm.c
@@ -2059,6 +2059,8 @@
uint8_t pin_len, bt_pin_code_t *pin_code)
{
BTIF_TRACE_EVENT("%s: accept=%d", __FUNCTION__, accept);
+ if (pin_code == NULL)
+ return BT_STATUS_FAIL;
#if (defined(BLE_INCLUDED) && (BLE_INCLUDED == TRUE))
if (pairing_cb.is_le_only)
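Review bot: The new guard fails the call regardless of `accept`, so if a caller passes a NULL `pin_code` when rejecting a pairing (accept == 0), the negative PIN reply is never sent and the peer is left waiting for the pairing timeout; unless the caller contract guarantees a non-NULL buffer on reject, the check should be `if (accept && pin_code == NULL) return BT_STATUS_FAIL;`. The hunk also does not bound `pin_len` against the size of the PIN buffer in `bt_pin_code_t`, and a copy using `pin_len` presumably happens further down (outside the hunk), so an over-long length would still overread the caller's buffer; rejecting `pin_len` larger than that buffer here is cheap. The trace line should also be placed after the validation or it logs a call that is then refused. btif_dm_pin_reply's body continues outside the hunk.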
diff --git a/stack/btm/btm_acl.c b/stack/btm/btm_acl.c
index 07f6e43..24d1b4a 100644
--- a/stack/btm/btm_acl.c
+++ b/stack/btm/btm_acl.c
@@ -3266,7 +3266,8 @@
else /* otherwise can disconnect right away */
#endif
{
- if (hci_handle != 0xFFFF)
+ if (hci_handle != 0xFFFF && p_dev_rec &&
+ p_dev_rec->sec_state!= BTM_SEC_STATE_DISCONNECTING)
{
if (!btsnd_hcic_disconnect (hci_handle, HCI_ERR_PEER_USER))
status = BTM_NO_RESOURCES;
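Review bot: When `p_dev_rec` is NULL the disconnect is now skipped entirely while `status` is left untouched, so the caller is told the ACL removal went ahead although no HCI_Disconnect was sent and the link stays up; only the state comparison needs the device record, so the condition should be `if (hci_handle != 0xFFFF && (!p_dev_rec || p_dev_rec->sec_state != BTM_SEC_STATE_DISCONNECTING))`, or the NULL case should set an error status. A one-line comment explaining the skip, `/* Already disconnecting: do not send a second HCI_Disconnect for this handle */`, would help the next reader. Minor style: `sec_state!=` is missing the space before `!=` used elsewhere in the file. btm_remove_acl starts and ends outside the hunk.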
diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c
index 634d40d..01de1b6 100644
--- a/stack/btm/btm_sec.c
+++ b/stack/btm/btm_sec.c
@@ -3137,7 +3137,7 @@
/* Notify all clients waiting for name to be resolved */
for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
{
- if (btm_cb.p_rmt_name_callback[i])
+ if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
(*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
p_dev_rec->sec_bd_name);
}
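Review bot: The callback invocation still dereferences `p_dev_rec->dev_class` and `p_dev_rec->sec_bd_name` without a guard, so if the path this hunk is on can reach here with a NULL `p_dev_rec` the new `p_bd_addr` check does not prevent the crash; if this branch is already under an `if (p_dev_rec)` above the hunk, a short comment saying so would make that clear. Since `p_bd_addr` does not change inside the loop, the check reads better hoisted out of it: `if (p_bd_addr) for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)`. Note that with a NULL address the clients the comment says are "waiting for name to be resolved" are now never notified, which is a silent behavior change worth at least a warning-level trace. The enclosing function starts outside the hunk.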
@@ -3151,7 +3151,7 @@
/* Notify all clients waiting for name to be resolved even if not found so clients can continue */
for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
{
- if (btm_cb.p_rmt_name_callback[i])
+ if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
(*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
}