fix(bt/bluedroid): Set the alarm_arg to NULL after releasing to avoid double free in BTC layer

This commit is contained in:
Jin Cheng 2023-11-29 15:04:18 +08:00
parent b807b6ebf3
commit 7a335421e1

View File

@ -254,15 +254,17 @@ static void close_timeout_handler(void *arg)
{ {
btc_msg_t msg; btc_msg_t msg;
bt_status_t status; bt_status_t status;
spp_slot_t *slot = (spp_slot_t *)arg;
msg.sig = BTC_SIG_API_CB; msg.sig = BTC_SIG_API_CB;
msg.pid = BTC_PID_SPP; msg.pid = BTC_PID_SPP;
msg.act = BTA_JV_RFCOMM_CLOSE_EVT; msg.act = BTA_JV_RFCOMM_CLOSE_EVT;
status = btc_transfer_context(&msg, arg, sizeof(tBTA_JV), NULL, NULL); status = btc_transfer_context(&msg, slot->alarm_arg, sizeof(tBTA_JV), NULL, NULL);
if (arg) { if (slot->alarm_arg) {
osi_free(arg); osi_free(slot->alarm_arg);
slot->alarm_arg = NULL;
} }
if (status != BT_STATUS_SUCCESS) { if (status != BT_STATUS_SUCCESS) {
@ -1211,9 +1213,11 @@ void btc_spp_cb_handler(btc_msg_t *msg)
break; break;
} }
memcpy(p_arg, p_data, sizeof(tBTA_JV)); memcpy(p_arg, p_data, sizeof(tBTA_JV));
slot->alarm_arg = (void *)p_arg;
if ((slot->close_alarm = if ((slot->close_alarm =
osi_alarm_new("slot", close_timeout_handler, (void *)p_arg, VFS_CLOSE_TIMEOUT)) == NULL) { osi_alarm_new("slot", close_timeout_handler, (void *)slot, VFS_CLOSE_TIMEOUT)) == NULL) {
free(p_arg); free(p_arg);
slot->alarm_arg = NULL;
param.close.status = ESP_SPP_NO_RESOURCE; param.close.status = ESP_SPP_NO_RESOURCE;
osi_mutex_unlock(&spp_local_param.spp_slot_mutex); osi_mutex_unlock(&spp_local_param.spp_slot_mutex);
BTC_TRACE_ERROR("%s unable to malloc slot close_alarm!", __func__); BTC_TRACE_ERROR("%s unable to malloc slot close_alarm!", __func__);
@ -1221,6 +1225,7 @@ void btc_spp_cb_handler(btc_msg_t *msg)
} }
if (osi_alarm_set(slot->close_alarm, VFS_CLOSE_TIMEOUT) != OSI_ALARM_ERR_PASS) { if (osi_alarm_set(slot->close_alarm, VFS_CLOSE_TIMEOUT) != OSI_ALARM_ERR_PASS) {
free(p_arg); free(p_arg);
slot->alarm_arg = NULL;
osi_alarm_free(slot->close_alarm); osi_alarm_free(slot->close_alarm);
param.close.status = ESP_SPP_BUSY; param.close.status = ESP_SPP_BUSY;
osi_mutex_unlock(&spp_local_param.spp_slot_mutex); osi_mutex_unlock(&spp_local_param.spp_slot_mutex);
@ -1229,7 +1234,6 @@ void btc_spp_cb_handler(btc_msg_t *msg)
} }
BTC_TRACE_WARNING("%s slot rx data will be discard in %d milliseconds!", BTC_TRACE_WARNING("%s slot rx data will be discard in %d milliseconds!",
__func__, VFS_CLOSE_TIMEOUT); __func__, VFS_CLOSE_TIMEOUT);
slot->alarm_arg = (void *)p_arg;
slot->connected = false; slot->connected = false;
need_call = false; need_call = false;
} }