author Brian Delwiche <delwiche@google.com> 2025-04-03 17:16:55 +0000
committer Kampalus <kampalus@protonmail.ch> 2025-09-18 11:09:14 +0200
commit76f33e12e610bde76611bd013f5056e1b649bd16 (patch)
tree211e34f248e9375ded72549b3cdbf680aa44f464
parent4b73ee6039271ffbf71ebdc8c109fc98eac8e137 (diff)
[SP 2025-09-01] Fix use after free in acl_arbiterbanksia-dev
In SendPacketToPeer of acl_arbiter.cc, a buffer length is logged in one case after an intermediate call may have freed the buffer, leading to a use-after-free. Log instead from the buffer's source, which has not been freed at this point in the code. Bug: 406785684 Flag: EXEMPT obvious logic fix Test: m libbluetooth Test: researcher POC Tag: #security Change-Id: Idd13399c24399d01bcd668a4b779ef1980273691 (cherry picked from commit 243d7484e59730c522640b616445b2747b3062e5)
-rw-r--r--system/stack/arbiter/acl_arbiter.cc2
1 files changed, 1 insertions, 1 deletions
diff --git a/system/stack/arbiter/acl_arbiter.cc b/system/stack/arbiter/acl_arbiter.cc
index a9c09deff4..5f37965e98 100644
--- a/system/stack/arbiter/acl_arbiter.cc
+++ b/system/stack/arbiter/acl_arbiter.cc
@@ -115,7 +115,7 @@ void AclArbiter::SendPacketToPeer(uint8_t tcb_idx, ::rust::Vec<uint8_t> buffer)
if (stack::l2cap::get_interface().L2CA_SendFixedChnlData(L2CAP_ATT_CID, p_tcb->peer_bda,
p_buf) != tL2CAP_DW_RESULT::SUCCESS) {
log::warn("Unable to send L2CAP data peer:{} fixed_cid:{} len:{}", p_tcb->peer_bda,
- L2CAP_ATT_CID, p_buf->len);
+ L2CAP_ATT_CID, buffer.size());
}
} else {
log::error("Dropping packet since connection no longer exists");
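Review bot: p_buf stays in scope after L2CA_SendFixedChnlData even though, per the commit message, that call may free it, so nothing in the code itself stops a later edit from reintroducing the dereference this commit removes; a comment on the line before the `if` would pin the contract, e.g. `// L2CA_SendFixedChnlData consumes p_buf; it must not be dereferenced after this call.` Logging `buffer.size()` is safe because `buffer` is a by-value parameter owned by this function, but it presumably matches the former `p_buf->len` only if p_buf carried exactly the buffer's bytes with no extra header — worth confirming against where p_buf is built. The body of SendPacketToPeer begins before this hunk, so the construction of p_buf is not visible here.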