From 7ffd68cac25fa06008f82fd17d00fd9188ec4adf Mon Sep 17 00:00:00 2001
From: Hrishikesh Dhayagude <hrishi@espressif.com>
Date: Wed, 8 Aug 2018 14:16:03 +0530
Subject: [PATCH] components/bt: Fix a probable memory leak for
 BTA_GATTS_CONF_EVT event (backport v3.1)

Multiple modules register their callback BTA_GATTS_AppRegister().

If any of the callbacks do not free the allocated pointer in
BTA_GATTS_CONF_EVT event, then this can result in memory leak.

So, free the pointer after the callback function is called and remove
the calls to free in the callback functions as it is now not required

Signed-off-by: Hrishikesh Dhayagude <hrishi@espressif.com>
---
 components/bt/bluedroid/bta/gatt/bta_gatts_act.c          | 4 ++++
 components/bt/bluedroid/btc/profile/esp/blufi/blufi_prf.c | 5 +----
 components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c  | 3 ---
 3 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/components/bt/bluedroid/bta/gatt/bta_gatts_act.c b/components/bt/bluedroid/bta/gatt/bta_gatts_act.c
index c72cd6328..cf3bb5dbd 100644
--- a/components/bt/bluedroid/bta/gatt/bta_gatts_act.c
+++ b/components/bt/bluedroid/bta/gatt/bta_gatts_act.c
@@ -702,6 +702,10 @@ void bta_gatts_indicate_handle (tBTA_GATTS_CB *p_cb, tBTA_GATTS_DATA *p_msg)
                 APPL_TRACE_ERROR("%s, malloc failed", __func__);
             }
             (*p_rcb->p_cback)(BTA_GATTS_CONF_EVT, &cb_data);
+            if (cb_data.req_data.value != NULL) {
+                osi_free(cb_data.req_data.value);
+                cb_data.req_data.value = NULL;
+            }
         }
     } else {
         APPL_TRACE_ERROR("Not an registered servce attribute ID: 0x%04x",
diff --git a/components/bt/bluedroid/btc/profile/esp/blufi/blufi_prf.c b/components/bt/bluedroid/btc/profile/esp/blufi/blufi_prf.c
index 3bfa6afbc..56be5fb61 100644
--- a/components/bt/bluedroid/btc/profile/esp/blufi/blufi_prf.c
+++ b/components/bt/bluedroid/btc/profile/esp/blufi/blufi_prf.c
@@ -209,10 +209,7 @@ static void blufi_profile_cb(tBTA_GATTS_EVT event, tBTA_GATTS *p_data)
         blufi_env.frag_size = p_data->req_data.p_data->mtu - BLUFI_MTU_RESERVED_SIZE;
         break;
     case BTA_GATTS_CONF_EVT:
-        BLUFI_TRACE_DEBUG("CONIRM EVT\n");
-        if (p_data && p_data->req_data.value){
-            osi_free(p_data->req_data.value);
-        }
+        BLUFI_TRACE_DEBUG("CONFIRM EVT\n");
         /* Nothing */
         break;
     case BTA_GATTS_CREATE_EVT:
diff --git a/components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c b/components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c
index fc043914e..bfe9cc04e 100644
--- a/components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c
+++ b/components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c
@@ -530,9 +530,6 @@ static void btc_gatts_cb_param_copy_free(btc_msg_t *msg, tBTA_GATTS *p_data)
         }
         break;
     case BTA_GATTS_CONF_EVT:
-        if (p_data && p_data->req_data.value){
-            osi_free(p_data->req_data.value);
-        }
         break;
     default:
         break;