[bt][hci] Fix use-after-free in CommandChannel BT-904 #done Test: bt-host-unittests with fx set ... --variant={asan/bt-host,asan/bt-host-unittests} Change-Id: Ieb127b98394e52436d173bda536c9fabe9cfc357

commit: 13f06c727965d09fb43435ed7b51c0fcdeb65213 [log] [tgz]
author: Xo Wang <xow@google.com> Thu May 16 22:05:20 2019 +0000
committer: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Thu May 16 22:05:20 2019 +0000
tree: d1d75d36065fc6839bffbb2ed8e973f30c94d9c6
parent: b6d2a404b2981cc0a16971c31ec2f712d2957d11 [diff]
diff --git a/src/connectivity/bluetooth/core/bt-host/hci/command_channel.cc b/src/connectivity/bluetooth/core/bt-host/hci/command_channel.cc
index 9b4845a..37cd9cf 100644
--- a/src/connectivity/bluetooth/core/bt-host/hci/command_channel.cc
+++ b/src/connectivity/bluetooth/core/bt-host/hci/command_channel.cc

@@ -570,8 +570,8 @@
         bt_log(DEBUG, "hci",
                "removing completed async handler (id %zu, event code: %#.2x)",
                event_id, event_code);
-        RemoveEventHandlerInternal(event_id);
         pending_transactions_.erase(handler.pending_opcode);
+        RemoveEventHandlerInternal(event_id);  // |handler| is now dangling.
       }
 
       pending_callbacks.emplace_back(std::move(callback), dispatcher);
commit	13f06c727965d09fb43435ed7b51c0fcdeb65213	[log] [tgz]
author	Xo Wang <xow@google.com>	Thu May 16 22:05:20 2019 +0000
committer	CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	Thu May 16 22:05:20 2019 +0000
tree	d1d75d36065fc6839bffbb2ed8e973f30c94d9c6
parent	b6d2a404b2981cc0a16971c31ec2f712d2957d11 [diff]