From bb22c4323d4f56160978366ce8100f29125f98c9 Mon Sep 17 00:00:00 2001
From: Jin Cheng
Date: Wed, 29 Nov 2023 15:04:18 +0800
Subject: [PATCH] fix(bt/bluedroid): Set the alarm_arg to NULL after releasing to avoid double free in BTC layer

---
 .../host/bluedroid/btc/profile/std/spp/btc_spp.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/components/bt/host/bluedroid/btc/profile/std/spp/btc_spp.c b/components/bt/host/bluedroid/btc/profile/std/spp/btc_spp.c
index 8d6ef076e1..e4e8b2a575 100644
--- a/components/bt/host/bluedroid/btc/profile/std/spp/btc_spp.c
+++ b/components/bt/host/bluedroid/btc/profile/std/spp/btc_spp.c
@@ -235,15 +235,17 @@ static void close_timeout_handler(void *arg)
 {
     btc_msg_t msg;
     bt_status_t status;
+    spp_slot_t *slot = (spp_slot_t *)arg;
 
     msg.sig = BTC_SIG_API_CB;
     msg.pid = BTC_PID_SPP;
     msg.act = BTA_JV_RFCOMM_CLOSE_EVT;
 
-    status = btc_transfer_context(&msg, arg, sizeof(tBTA_JV), NULL, NULL);
+    status = btc_transfer_context(&msg, slot->alarm_arg, sizeof(tBTA_JV), NULL, NULL);
 
-    if (arg) {
-        free(arg);
+    if (slot->alarm_arg) {
+        osi_free(slot->alarm_arg);
+        slot->alarm_arg = NULL;
     }
 
     if (status != BT_STATUS_SUCCESS) {
@@ -1172,9 +1174,11 @@ void btc_spp_cb_handler(btc_msg_t *msg)
                 break;
             }
             memcpy(p_arg, p_data, sizeof(tBTA_JV));
+            slot->alarm_arg = (void *)p_arg;
             if ((slot->close_alarm =
-                    osi_alarm_new("slot", close_timeout_handler, (void *)p_arg, VFS_CLOSE_TIMEOUT)) == NULL) {
+                    osi_alarm_new("slot", close_timeout_handler, (void *)slot, VFS_CLOSE_TIMEOUT)) == NULL) {
                 free(p_arg);
+                slot->alarm_arg = NULL;
                 param.close.status = ESP_SPP_NO_RESOURCE;
                 osi_mutex_unlock(&spp_local_param.spp_slot_mutex);
                 BTC_TRACE_ERROR("%s unable to malloc slot close_alarm!", __func__);
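Review bot: The buffer held in `slot->alarm_arg` is now released with `osi_free()` in this handler, while the two error paths in the second and third hunks of this patch still release the very same pointer with `free(p_arg)` (the allocation itself is above the second hunk, out of view, but the `free()` calls suggest it is a plain `malloc`). If `osi_free` is anything other than a thin alias of `free` in this build (for instance when heap tracing wraps the osi_ allocator), the two release paths disagree; either keep `free(slot->alarm_arg);` here or move the allocation and both error paths to the osi_ allocator pair so one allocator is used throughout. Separately, this handler reads and clears `slot->alarm_arg` from the alarm context with no lock in sight, whereas the callback-side writers appear to run under `spp_local_param.spp_slot_mutex` (its unlock is visible in the error paths), so a one-line comment stating what protects `alarm_arg` between the two contexts would help the next reader. The end of `close_timeout_handler` is outside the hunk.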
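Review bot: With `(void *)slot` now handed to `osi_alarm_new`, `close_timeout_handler` dereferences the slot when the timer fires, so the slot must stay alive while `close_alarm` is pending; the previous design passed a standalone heap copy and had no such lifetime dependency. Nothing at the new `slot->alarm_arg = (void *)p_arg;` line records that ownership of `p_arg` moves to the slot at that point, and I cannot see from the hunk whether the slot teardown path cancels or frees `close_alarm` before the slot itself is released, which is what makes the new callback argument safe. I would add above that line: `/* p_arg is owned by the slot from here: close_timeout_handler frees it via slot->alarm_arg, so close_alarm must be cancelled before the slot is released */`. The enclosing case block continues past the hunk.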
@@ -1182,6 +1186,7 @@ void btc_spp_cb_handler(btc_msg_t *msg)
             }
             if (osi_alarm_set(slot->close_alarm, VFS_CLOSE_TIMEOUT) != OSI_ALARM_ERR_PASS) {
                 free(p_arg);
+                slot->alarm_arg = NULL;
                 osi_alarm_free(slot->close_alarm);
                 param.close.status = ESP_SPP_BUSY;
                 osi_mutex_unlock(&spp_local_param.spp_slot_mutex);
@@ -1190,7 +1195,6 @@ void btc_spp_cb_handler(btc_msg_t *msg)
             }
             BTC_TRACE_WARNING("%s slot rx data will be discard in %d milliseconds!", __func__, VFS_CLOSE_TIMEOUT);
-            slot->alarm_arg = (void *)p_arg;
             slot->connected = false;
             need_call = false;
         }
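Review bot: In the `osi_alarm_set` failure path the new `slot->alarm_arg = NULL;` resets the argument pointer, but the `osi_alarm_free(slot->close_alarm)` on the next line leaves `slot->close_alarm` pointing at a freed alarm, which is the same dangling-pointer shape this patch is fixing for `alarm_arg`. Any later teardown that cancels or frees `close_alarm` when it is non-NULL would act on freed memory; I would add `slot->close_alarm = NULL;` directly after the `osi_alarm_free` call. Whether such a teardown exists is outside the hunk, so this is a consistency point rather than a confirmed double free. The same `free(p_arg); slot->alarm_arg = NULL;` cleanup now appears in both error paths of this event, so a small static helper would keep the two from drifting apart.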