Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 01fc55b9 authored Sep 11, 2015 by Jacob Lee Committed by Scott James Remnant Nov 23, 2015

Memory overwrite due to HDP doesn't allocate enough buffer

HDP doesn't allocate enough buffer, so L2CAP overwrite two bytes.
Allocation tracker trigger assert due to find that memory be overwrite.

Bug: 23981241

Change-Id: Ib2c27472b16de2188758ec521ef290d6c9a6c8f0

parent b244a8ce

system/bta/hl/bta_hl_act.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -499,7 +499,9 @@ void bta_hl_dch_send_data(UINT8 app_idx, UINT8 mcl_idx, UINT8 mdl_idx,

		if (!(p_dcb->cout_oper & BTA_HL_CO_GET_TX_DATA_MASK))
		{
		if ((p_dcb->p_tx_pkt = bta_hl_get_buf(p_data->api_send_data.pkt_size)) != NULL)
		// p_dcb->chnl_cfg.fcs may be BTA_HL_MCA_USE_FCS (0x11) or BTA_HL_MCA_NO_FCS (0x10) or BTA_HL_DEFAULT_SOURCE_FCS (1)
		BOOLEAN fcs_use = (BOOLEAN) (p_dcb->chnl_cfg.fcs & BTA_HL_MCA_FCS_USE_MASK);
		if ((p_dcb->p_tx_pkt = bta_hl_get_buf(p_data->api_send_data.pkt_size, fcs_use)) != NULL)
		{
		bta_hl_co_get_tx_data( p_acb->app_id,
		p_dcb->mdl_handle,

system/bta/hl/bta_hl_int.h

+2 −1

Original line number	Diff line number	Diff line
		@@ -57,6 +57,7 @@ typedef UINT16 (tBTA_HL_ALLOCATE_PSM) (void);
		#define BTA_HL_L2C_USE_FCS 1
		#define BTA_HL_L2C_NO_FCS 0
		#define BTA_HL_DEFAULT_SOURCE_FCS BTA_HL_L2C_USE_FCS
		#define BTA_HL_MCA_FCS_USE_MASK MCA_FCS_USE_MASK

		/* SDP Operations */
		#define BTA_HL_SDP_OP_NONE 0
		@@ -710,7 +711,7 @@ extern "C"
		extern UINT8 bta_hl_set_tx_win_size(UINT16 mtu, UINT16 mps);
		extern UINT16 bta_hl_set_mps(UINT16 mtu);
		extern void bta_hl_clean_mdl_cb(UINT8 app_idx, UINT8 mcl_idx, UINT8 mdl_idx);
		extern BT_HDR * bta_hl_get_buf(UINT16 data_size);
		extern BT_HDR * bta_hl_get_buf(UINT16 data_size, BOOLEAN fcs_use);
		extern BOOLEAN bta_hl_find_service_in_db( UINT8 app_idx, UINT8 mcl_idx,
		UINT16 service_uuid,
		tSDP_DISC_REC **pp_rec );

system/bta/hl/bta_hl_main.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -1344,7 +1344,8 @@ static void bta_hl_api_dch_echo_test(tBTA_HL_CB p_cb, tBTA_HL_DATA p_data)
		if ((p_data->api_dch_echo_test.local_cfg == BTA_HL_DCH_CFG_RELIABLE) \|\|
		(p_data->api_dch_echo_test.local_cfg == BTA_HL_DCH_CFG_STREAMING))
		{
		if ((p_dcb->p_echo_tx_pkt = bta_hl_get_buf(p_data->api_dch_echo_test.pkt_size)) != NULL )
		BOOLEAN fcs_use = (BOOLEAN) (p_dcb->chnl_cfg.fcs & BTA_HL_MCA_FCS_USE_MASK);
		if ((p_dcb->p_echo_tx_pkt = bta_hl_get_buf(p_data->api_dch_echo_test.pkt_size, fcs_use)) != NULL )
		{
		if (bta_hl_set_ctrl_psm_for_dch(app_idx, mcl_idx, mdl_idx, p_data->api_dch_open.ctrl_psm))
		{

system/bta/hl/bta_hl_utils.c

+6 −1

Original line number	Diff line number	Diff line
		@@ -266,11 +266,16 @@ void bta_hl_clean_mdl_cb(UINT8 app_idx, UINT8 mcl_idx, UINT8 mdl_idx)
		** Returns BT_HDR *.
		**
		*******************************************************************************/
		BT_HDR * bta_hl_get_buf(UINT16 data_size)
		BT_HDR * bta_hl_get_buf(UINT16 data_size, BOOLEAN fcs_use)
		{
		BT_HDR *p_new;
		UINT16 size = data_size + L2CAP_MIN_OFFSET + BT_HDR_SIZE;

		if (fcs_use)
		{
		size += L2CAP_FCS_LEN;
		}

		p_new = (BT_HDR *)osi_getbuf(size);
		if (p_new)
		{