From 32fd3a3215b4976a9eaacd2d055f6e5f1c2a350f Mon Sep 17 00:00:00 2001
From: Hrishikesh Dhayagude <hrishi@espressif.com>
Date: Wed, 8 Aug 2018 14:16:03 +0530
Subject: [PATCH] components/bt: Fix a probable memory leak for
 BTA_GATTS_CONF_EVT event (backport v3.0)

Multiple modules register their callback BTA_GATTS_AppRegister().

If any of the callbacks do not free the allocated pointer in
BTA_GATTS_CONF_EVT event, then this can result in memory leak.

So, free the pointer after the callback function is called and remove
the calls to free in the callback functions as it is now not required

Signed-off-by: Hrishikesh Dhayagude <hrishi@espressif.com>
---
 components/bt/bluedroid/bta/gatt/bta_gatts_act.c          | 4 ++++
 components/bt/bluedroid/btc/profile/esp/blufi/blufi_prf.c | 5 +----
 components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c  | 3 ---
 3 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/components/bt/bluedroid/bta/gatt/bta_gatts_act.c b/components/bt/bluedroid/bta/gatt/bta_gatts_act.c
index 923803b83..349fd7ea2 100644
--- a/components/bt/bluedroid/bta/gatt/bta_gatts_act.c
+++ b/components/bt/bluedroid/bta/gatt/bta_gatts_act.c
@@ -702,6 +702,10 @@ void bta_gatts_indicate_handle (tBTA_GATTS_CB *p_cb, tBTA_GATTS_DATA *p_msg)
                 APPL_TRACE_ERROR("%s, malloc failed", __func__);
             }
             (*p_rcb->p_cback)(BTA_GATTS_CONF_EVT, &cb_data);
+            if (cb_data.req_data.value != NULL) {
+                osi_free(cb_data.req_data.value);
+                cb_data.req_data.value = NULL;
+            }
         }
     } else {
         APPL_TRACE_ERROR("Not an registered servce attribute ID: 0x%04x",
diff --git a/components/bt/bluedroid/btc/profile/esp/blufi/blufi_prf.c b/components/bt/bluedroid/btc/profile/esp/blufi/blufi_prf.c
index c3599a722..08d6961bc 100644
--- a/components/bt/bluedroid/btc/profile/esp/blufi/blufi_prf.c
+++ b/components/bt/bluedroid/btc/profile/esp/blufi/blufi_prf.c
@@ -208,10 +208,7 @@ static void blufi_profile_cb(tBTA_GATTS_EVT event, tBTA_GATTS *p_data)
         blufi_env.frag_size = p_data->req_data.p_data->mtu - BLUFI_MTU_RESERVED_SIZE;
         break;
     case BTA_GATTS_CONF_EVT:
-        LOG_DEBUG("CONIRM EVT\n");
-        if (p_data && p_data->req_data.value){
-            osi_free(p_data->req_data.value);
-        }
+        LOG_DEBUG("CONFIRM EVT\n");
         /* Nothing */
         break;
     case BTA_GATTS_CREATE_EVT:
diff --git a/components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c b/components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c
index 15abb7b4a..854e6e7e9 100644
--- a/components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c
+++ b/components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c
@@ -530,9 +530,6 @@ static void btc_gatts_cb_param_copy_free(btc_msg_t *msg, tBTA_GATTS *p_data)
         }
         break;
     case BTA_GATTS_CONF_EVT:
-        if (p_data && p_data->req_data.value){
-            osi_free(p_data->req_data.value);
-        }
         break;
     default:
         break;