From 4e2e8ec4e0c6635f64dedf6bd29db4fdcbd3f172 Mon Sep 17 00:00:00 2001
From: Myles Watson <mylesgw@google.com>
Date: Wed, 1 Feb 2017 10:46:16 -0800
Subject: [PATCH] Bluetooth: Free memory from transmit_cb commands

Test: Bluetooth starts and stops
Change-Id: I540fcc77f9bae0178db325b7014f2b839d4ad77d
---
 bluetooth/1.0/default/vendor_interface.cc | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/bluetooth/1.0/default/vendor_interface.cc b/bluetooth/1.0/default/vendor_interface.cc
index 51a0addae2..278b66c778 100644
--- a/bluetooth/1.0/default/vendor_interface.cc
+++ b/bluetooth/1.0/default/vendor_interface.cc
@@ -39,8 +39,10 @@ namespace {
 using android::hardware::bluetooth::V1_0::implementation::VendorInterface;
 using android::hardware::hidl_vec;
 
-tINT_CMD_CBACK internal_command_cb;
-uint16_t internal_command_opcode;
+struct {
+  tINT_CMD_CBACK cb;
+  uint16_t opcode;
+} internal_command;
 
 VendorInterface* g_vendor_interface = nullptr;
 
@@ -105,19 +107,20 @@ bool internal_command_event_match(const hidl_vec<uint8_t>& packet) {
 
   uint16_t opcode = packet[opcode_offset] | (packet[opcode_offset + 1] << 8);
 
-  ALOGV("%s internal_command_opcode = %04X opcode = %04x", __func__,
-        internal_command_opcode, opcode);
-  return opcode == internal_command_opcode;
+  ALOGV("%s internal_command.opcode = %04X opcode = %04x", __func__,
+        internal_command.opcode, opcode);
+  return opcode == internal_command.opcode;
 }
 
 uint8_t transmit_cb(uint16_t opcode, void* buffer, tINT_CMD_CBACK callback) {
   ALOGV("%s opcode: 0x%04x, ptr: %p, cb: %p", __func__, opcode, buffer,
         callback);
-  internal_command_cb = callback;
-  internal_command_opcode = opcode;
+  internal_command.cb = callback;
+  internal_command.opcode = opcode;
   uint8_t type = HCI_PACKET_TYPE_COMMAND;
   HC_BT_HDR* bt_hdr = reinterpret_cast<HC_BT_HDR*>(buffer);
   VendorInterface::get()->Send(type, bt_hdr->data, bt_hdr->len);
+  delete[] reinterpret_cast<uint8_t*>(buffer);
   return true;
 }
 
@@ -367,15 +370,15 @@ void VendorInterface::OnDataReady(int fd) {
       hci_packet_bytes_remaining_ -= bytes_read;
       hci_packet_bytes_read_ += bytes_read;
       if (hci_packet_bytes_remaining_ == 0) {
-        if (internal_command_cb != nullptr &&
+        if (internal_command.cb != nullptr &&
             hci_packet_type_ == HCI_PACKET_TYPE_EVENT &&
             internal_command_event_match(hci_packet_)) {
           HC_BT_HDR* bt_hdr =
               WrapPacketAndCopy(HCI_PACKET_TYPE_EVENT, hci_packet_);
 
           // The callbacks can send new commands, so don't zero after calling.
-          tINT_CMD_CBACK saved_cb = internal_command_cb;
-          internal_command_cb = nullptr;
+          tINT_CMD_CBACK saved_cb = internal_command.cb;
+          internal_command.cb = nullptr;
           saved_cb(bt_hdr);
         } else {
           packet_read_cb_(hci_packet_type_, hci_packet_);