From cde75cf54192dc2f0d1ae828fee79a8425156922 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Wed, 24 Aug 2022 21:36:47 +0000
Subject: [PATCH] Defer free in bta_hh_act.cc

Bug: 228837201
Test: BT unit tests, manual testing
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I31842c488909798574a161ebfa009988f330904f
---
 system/bta/hh/bta_hh_act.cc | 6 +++++-
 system/btif/src/btif_hh.cc  | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/system/bta/hh/bta_hh_act.cc b/system/bta/hh/bta_hh_act.cc
index dd9decd31c7..9eaa703794c 100644
--- a/system/bta/hh/bta_hh_act.cc
+++ b/system/bta/hh/bta_hh_act.cc
@@ -706,6 +706,7 @@ void bta_hh_ctrl_dat_act(tBTA_HH_DEV_CB* p_cb, const tBTA_HH_DATA* p_data) {
   BT_HDR* pdata = p_data->hid_cback.p_data;
   uint8_t* data = (uint8_t*)(pdata + 1) + pdata->offset;
   tBTA_HH_HSDATA hs_data;
+  bool do_free = true;
 
   APPL_TRACE_DEBUG("Ctrl DATA received w4: event[%s]",
                    bta_hh_get_w4_event(p_cb->w4_evt));
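Review bot: `hs_data` on the line above the new `do_free` flag is left uninitialized, and with this patch a downstream consumer now decides whether to free `rsp_data.p_rpt_data` based on the event it receives; any consumer that inspects that pointer for an event other than BTA_HH_GET_RPT_EVT would read an indeterminate value and could free garbage. Zero-initializing it, `tBTA_HH_HSDATA hs_data = {};`, makes every non-GET_RPT path hand the callback a NULL buffer pointer at no cost. Whether `rsp_data` is a union whose other members are always written on the other paths is not visible here; bta_hh_ctrl_dat_act begins outside this hunk.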
@@ -726,6 +727,7 @@ void bta_hh_ctrl_dat_act(tBTA_HH_DEV_CB* p_cb, const tBTA_HH_DATA* p_data) {
       hs_data.rsp_data.p_rpt_data = pdata;
       bta_hh_co_get_rpt_rsp(hs_data.handle, hs_data.status, pdata->data,
                             pdata->len);
+      do_free = false;
       break;
     case BTA_HH_GET_PROTO_EVT:
       /* match up BTE/BTA report/boot mode def*/
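Review bot: The new `do_free = false;` transfers ownership of `pdata` to whoever receives `hs_data.rsp_data.p_rpt_data` through `bta_hh_cb.p_cback`, but nothing at this site says so, and the unconditional free that used to follow is exactly what a future maintainer would re-add. A comment on that line would pin the contract, e.g. `/* Ownership of pdata passes to the p_cback consumer via rsp_data.p_rpt_data; it must osi_free() the buffer (see btif_hh_upstreams_evt). */`. The same contract should be stated in the `tBTA_HH_HSDATA` definition, which is outside this diff; bta_hh_ctrl_dat_act begins outside this hunk.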
@@ -757,7 +759,9 @@ void bta_hh_ctrl_dat_act(tBTA_HH_DEV_CB* p_cb, const tBTA_HH_DATA* p_data) {
   (*bta_hh_cb.p_cback)(p_cb->w4_evt, (tBTA_HH*)&hs_data);
 
   p_cb->w4_evt = 0;
-  osi_free_and_reset((void**)&pdata);
+  if (do_free) {
+    osi_free_and_reset((void**)&pdata);
+  }
 }
 
 /*******************************************************************************
diff --git a/system/btif/src/btif_hh.cc b/system/btif/src/btif_hh.cc
index 3280a957d25..77feb5c1ed2 100644
--- a/system/btif/src/btif_hh.cc
+++ b/system/btif/src/btif_hh.cc
@@ -893,6 +893,10 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
         BTIF_TRACE_WARNING("Error: cannot find device with handle %d",
                            p_data->hs_data.handle);
       }
+      if (hdr) {
+        osi_free(hdr);
+        p_data->hs_data.rsp_data.p_rpt_data = NULL;
+      }
       break;
     }
 
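Review bot: The new free of `hdr` is placed at the end of the BTA_HH_GET_RPT_EVT case arm, so it runs on both the success path and the "cannot find device" path shown here, but not on any early return that btif_hh_upstreams_evt may take before the switch (for example a disabled-stack check) — if such a return exists, the buffer that bta_hh_ctrl_dat_act no longer frees leaks there. `hdr` is assigned outside this hunk; if it is taken from `p_data->hs_data.rsp_data.p_rpt_data` before such a check, moving the free to a single exit point or freeing in the early-return branch would close that gap. A comment on the `if (hdr)` line, `/* BTA transfers ownership of the GET_RPT buffer to us; free it on every path. */`, would tie this to the matching change in bta_hh_ctrl_dat_act. The enclosing function begins and ends outside this hunk.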
-- 
GitLab