Merge "Fix unexpected behavior in reading BNEP packets" into oc-dev am: 853346d354 am: 0fb9a5e01b (0186b06a) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/bnep/bnep_main.cc

+9 −4

Original line number	Original line	Diff line number	Diff line
	@@ -34,6 +34,7 @@

	#include "l2c_api.h"		#include "l2c_api.h"
	#include "l2cdefs.h"		#include "l2cdefs.h"
			#include "log/log.h"

	#include "btm_api.h"		#include "btm_api.h"
	#include "btu.h"		#include "btu.h"
	@@ -473,18 +474,20 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
	org_len = rem_len;		org_len = rem_len;
	new_len = 0;		new_len = 0;
	do {		do {
			if (org_len < 2) break;
	ext = *p++;		ext = *p++;
	length = *p++;		length = *p++;
	p += length;		p += length;

			new_len = (length + 2);
			if (new_len > org_len) break;

	if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))		if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))
	bnep_send_command_not_understood(p_bcb, *p);		bnep_send_command_not_understood(p_bcb, *p);

	new_len += (length + 2);		org_len -= new_len;

	if (new_len > org_len) break;

	} while (ext & 0x80);		} while (ext & 0x80);
			android_errorWriteLog(0x534e4554, "67863755");
	}		}

	osi_free(p_buf);		osi_free(p_buf);
	@@ -529,6 +532,8 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
	} else {		} else {
	while (extension_present && p && rem_len) {		while (extension_present && p && rem_len) {
	ext_type = *p++;		ext_type = *p++;
			rem_len--;
			android_errorWriteLog(0x534e4554, "69271284");
	extension_present = ext_type >> 7;		extension_present = ext_type >> 7;
	ext_type &= 0x7F;		ext_type &= 0x7F;

system/stack/bnep/bnep_utils.cc

+23 −0

Original line number	Original line	Diff line number	Diff line
	@@ -22,6 +22,8 @@
	*		*
	******************************************************************************/		******************************************************************************/

			#include <cutils/log.h>

	#include <stdio.h>		#include <stdio.h>
	#include <string.h>		#include <string.h>
	#include "bnep_int.h"		#include "bnep_int.h"
	@@ -760,6 +762,13 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
	break;		break;

	case BNEP_SETUP_CONNECTION_REQUEST_MSG:		case BNEP_SETUP_CONNECTION_REQUEST_MSG:
			if (*rem_len < 1) {
			BNEP_TRACE_ERROR(
			"%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
			__func__);
			android_errorWriteLog(0x534e4554, "69177292");
			goto bad_packet_length;
			}
	len = *p++;		len = *p++;
	if (rem_len < ((2 len) + 1)) {		if (rem_len < ((2 len) + 1)) {
	BNEP_TRACE_ERROR(		BNEP_TRACE_ERROR(
	@@ -785,6 +794,13 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
	break;		break;

	case BNEP_FILTER_NET_TYPE_SET_MSG:		case BNEP_FILTER_NET_TYPE_SET_MSG:
			if (*rem_len < 2) {
			BNEP_TRACE_ERROR(
			"%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
			__func__);
			android_errorWriteLog(0x534e4554, "69177292");
			goto bad_packet_length;
			}
	BE_STREAM_TO_UINT16(len, p);		BE_STREAM_TO_UINT16(len, p);
	if (*rem_len < (len + 2)) {		if (*rem_len < (len + 2)) {
	BNEP_TRACE_ERROR(		BNEP_TRACE_ERROR(
	@@ -810,6 +826,13 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
	break;		break;

	case BNEP_FILTER_MULTI_ADDR_SET_MSG:		case BNEP_FILTER_MULTI_ADDR_SET_MSG:
			if (*rem_len < 2) {
			BNEP_TRACE_ERROR(
			"%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
			__func__);
			android_errorWriteLog(0x534e4554, "69177292");
			goto bad_packet_length;
			}
	BE_STREAM_TO_UINT16(len, p);		BE_STREAM_TO_UINT16(len, p);
	if (*rem_len < (len + 2)) {		if (*rem_len < (len + 2)) {
	BNEP_TRACE_ERROR(		BNEP_TRACE_ERROR(