Merge "Use after free in GATT TCB commands" into main

author: Omair Kamil <okamil@google.com> 2025-01-09 15:28:49 -0800
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> 2025-01-09 15:28:49 -0800
commit: 1a987b1b9811c8c8a2c4747337d46cf77b2edc42 (patch)
tree: 48f70a28768ae1a79f2d748f677c9cd516955020
parent: 9918dc7f60559e56c45225fa363e96e398fcf6be (diff)
parent: 8d0e042d634077c70467051b284093e467850021 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/system/stack/gatt/gatt_utils.cc b/system/stack/gatt/gatt_utils.cc
index 7ff819a5e0..57f781db3f 100644
--- a/system/stack/gatt/gatt_utils.cc
+++ b/system/stack/gatt/gatt_utils.cc
@@ -1855,6 +1855,9 @@ void gatt_cleanup_upon_disc(const RawAddress& bda, tGATT_DISCONN_REASON reason,
   gatt_free_pending_ind(p_tcb);
   fixed_queue_free(p_tcb->sr_cmd.multi_rsp_q, NULL);
   p_tcb->sr_cmd.multi_rsp_q = NULL;
+  if (p_tcb->sr_cmd.p_rsp_msg) {
+    osi_free_and_reset((void**)&p_tcb->sr_cmd.p_rsp_msg);
+  }
 
   gatt_disconnect_complete_notify_user(bda, reason, transport);
author	Omair Kamil <okamil@google.com>	2025-01-09 15:28:49 -0800
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	2025-01-09 15:28:49 -0800
commit	1a987b1b9811c8c8a2c4747337d46cf77b2edc42 (patch)
tree	48f70a28768ae1a79f2d748f677c9cd516955020
parent	9918dc7f60559e56c45225fa363e96e398fcf6be (diff)
parent	8d0e042d634077c70467051b284093e467850021 (diff)