Revert "Use vector instead of raw pointer in l2cap socket write handling"

typedef struct {

  tBTA_JV_STATUS status; /* Whether the operation succeeded or failed. */

  uint32_t handle;       /* The connection handle */

  uint32_t req_id;       /* The req_id in the associated BTA_JvL2capWrite() */

  uint16_t len;          /* The length of the data written. */

  uint8_t* p_data;       /* The buffer where data is held */

  bool cong;             /* congestion status */

} tBTA_JV_L2CAP_WRITE;

  tBTA_JV_STATUS status; /* Whether the operation succeeded or failed. */

  uint16_t channel;      /* The connection channel */

  RawAddress addr;       /* The peer address */

  uint32_t req_id;       /* The req_id in the associated BTA_JvL2capWrite() */

  uint8_t* p_data;       /* The buffer where data is held */

  uint16_t len;          /* The length of the data written. */

  bool cong;             /* congestion status */

} tBTA_JV_L2CAP_WRITE_FIXED;

 *                  BTA_JV_FAILURE, otherwise.

 *

 ******************************************************************************/

tBTA_JV_STATUS BTA_JvL2capWrite(uint32_t handle, std::vector<uint8_t> data,

tBTA_JV_STATUS BTA_JvL2capWrite(uint32_t handle, uint32_t req_id,

                                uint8_t* p_data, uint16_t len,

                                uint32_t user_id);

/*******************************************************************************

 *                  BTA_JV_FAILURE, otherwise.

 *

 ******************************************************************************/

void BTA_JvL2capWriteFixed(uint16_t channel, const RawAddress& addr,

tBTA_JV_STATUS BTA_JvL2capWriteFixed(uint16_t channel, const RawAddress& addr,

                                     uint32_t req_id,

                                     tBTA_JV_L2CAP_CBACK* p_cback,

                           std::vector<uint8_t> data, uint32_t user_id);

                                     uint8_t* p_data, uint16_t len,

                                     uint32_t user_id);

/*******************************************************************************

 *

}

/* Write data to an L2CAP connection */

void bta_jv_l2cap_write(uint32_t handle, const std::vector<uint8_t>& data,

                        uint32_t user_id, tBTA_JV_L2C_CB* p_cb) {

void bta_jv_l2cap_write(uint32_t handle, uint32_t req_id, uint8_t* p_data,

                        uint16_t len, uint32_t user_id, tBTA_JV_L2C_CB* p_cb) {

  /* As we check this callback exists before the tBTA_JV_API_L2CAP_WRITE can be

   * send through the API this check should not be needed. But the API is not

   * designed to be used (safely at least) in a multi-threaded scheduler, hence

   * of 4 disconnects, as a disconnect on the server channel causes a disconnect

   * to be send on the client (notification) channel, but at the peer typically

   * disconnects both the OBEX disconnect request crosses the incoming l2cap

   * disconnect. If p_cback is cleared, we simply discard the data.*/

   * disconnect. If p_cback is cleared, we simply discard the data. RISK: The

   * caller must handle any cleanup based on another signal than

   * BTA_JV_L2CAP_WRITE_EVT, which is typically not possible, as the pointer to

   * the allocated buffer is stored in this message, and can therefore not be

   * freed, hence we have a mem-leak-by-design.*/

  if (!p_cb->p_cback) {

    /* As this pointer is checked in the API function, this occurs only when the

     * channel is disconnected after the API function is called, but before the

  tBTA_JV_L2CAP_WRITE evt_data;

  evt_data.status = BTA_JV_FAILURE;

  evt_data.handle = handle;

  evt_data.req_id = req_id;

  evt_data.p_data = p_data;

  evt_data.cong = p_cb->cong;

  evt_data.len = 0;

  bta_jv_pm_conn_busy(p_cb->p_pm_cb);

  if (!evt_data.cong &&

      BT_PASS ==

          GAP_ConnWriteData(handle, data.data(), data.size(), &evt_data.len)) {

      BT_PASS == GAP_ConnWriteData(handle, p_data, len, &evt_data.len)) {

    evt_data.status = BTA_JV_SUCCESS;

  }

  tBTA_JV bta_jv;

/* Write data to an L2CAP connection using Fixed channels */

void bta_jv_l2cap_write_fixed(uint16_t channel, const RawAddress& addr,

                              const std::vector<uint8_t>& data,

                              uint32_t req_id, uint8_t* p_data, uint16_t len,

                              uint32_t user_id, tBTA_JV_L2CAP_CBACK* p_cback) {

  tBTA_JV_L2CAP_WRITE_FIXED evt_data;

  evt_data.status = BTA_JV_FAILURE;

  evt_data.channel = channel;

  evt_data.addr = addr;

  evt_data.req_id = req_id;

  evt_data.p_data = p_data;

  evt_data.len = 0;

  BT_HDR* msg =

      (BT_HDR*)osi_malloc(sizeof(BT_HDR) + data.size() + L2CAP_MIN_OFFSET);

  memcpy(((uint8_t*)(msg + 1)) + L2CAP_MIN_OFFSET, data.data(), data.size());

  msg->len = data.size();

  BT_HDR* msg = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + len + L2CAP_MIN_OFFSET);

  memcpy(((uint8_t*)(msg + 1)) + L2CAP_MIN_OFFSET, p_data, len);

  msg->len = len;

  msg->offset = L2CAP_MIN_OFFSET;

  L2CA_SendFixedChnlData(channel, addr, msg);

 *                  BTA_JV_FAILURE, otherwise.

 *

 ******************************************************************************/

tBTA_JV_STATUS BTA_JvL2capWrite(uint32_t handle, std::vector<uint8_t> data,

tBTA_JV_STATUS BTA_JvL2capWrite(uint32_t handle, uint32_t req_id,

                                uint8_t* p_data, uint16_t len,

                                uint32_t user_id) {

  VLOG(2) << __func__;

  if (handle >= BTA_JV_MAX_L2C_CONN || !bta_jv_cb.l2c_cb[handle].p_cback)

    return BTA_JV_FAILURE;

  do_in_bta_thread(FROM_HERE, Bind(&bta_jv_l2cap_write, handle, std::move(data),

                                   user_id, &bta_jv_cb.l2c_cb[handle]));

  do_in_bta_thread(FROM_HERE, Bind(&bta_jv_l2cap_write, handle, req_id, p_data,

                                   len, user_id, &bta_jv_cb.l2c_cb[handle]));

  return BTA_JV_SUCCESS;

}

 *                  called with BTA_JV_L2CAP_WRITE_EVT. Works for

 *                  fixed-channel connections

 *

 * Returns          BTA_JV_SUCCESS, if the request is being processed.

 *                  BTA_JV_FAILURE, otherwise.

 *

 ******************************************************************************/

void BTA_JvL2capWriteFixed(uint16_t channel, const RawAddress& addr,

tBTA_JV_STATUS BTA_JvL2capWriteFixed(uint16_t channel, const RawAddress& addr,

                                     uint32_t req_id,

                                     tBTA_JV_L2CAP_CBACK* p_cback,

                           std::vector<uint8_t> data, uint32_t user_id) {

                                     uint8_t* p_data, uint16_t len,

                                     uint32_t user_id) {

  VLOG(2) << __func__;

  do_in_bta_thread(FROM_HERE, Bind(&bta_jv_l2cap_write_fixed, channel, addr,

                                   std::move(data), user_id, p_cback));

                                   req_id, p_data, len, user_id, p_cback));

  return BTA_JV_SUCCESS;

}

/*******************************************************************************

    uint32_t l2cap_socket_id);

extern void bta_jv_l2cap_stop_server(uint16_t local_psm,

                                     uint32_t l2cap_socket_id);

extern void bta_jv_l2cap_write(uint32_t handle,

                               const std::vector<uint8_t>& data,

                               uint32_t user_id, tBTA_JV_L2C_CB* p_cb);

extern void bta_jv_l2cap_write(uint32_t handle, uint32_t req_id,

                               uint8_t* p_data, uint16_t len, uint32_t user_id,

                               tBTA_JV_L2C_CB* p_cb);

extern void bta_jv_rfcomm_connect(tBTA_SEC sec_mask, tBTA_JV_ROLE role,

                                  uint8_t remote_scn,

                                  const RawAddress& peer_bd_addr,

                                         uint32_t l2cap_socket_id);

extern void bta_jv_l2cap_stop_server_le(uint16_t local_chan);

extern void bta_jv_l2cap_write_fixed(uint16_t channel, const RawAddress& addr,

                                     const std::vector<uint8_t>& data,

                                     uint32_t user_id,

                                     uint32_t req_id, uint8_t* p_data,

                                     uint16_t len, uint32_t user_id,

                                     tBTA_JV_L2CAP_CBACK* p_cback);

extern void bta_jv_l2cap_close_fixed(uint32_t handle);

  }

}

static void on_l2cap_write_done(uint16_t len, uint32_t id) {

static void on_l2cap_write_done(void* req_id, uint16_t len, uint32_t id) {

  l2cap_socket* sock;

  if (req_id != NULL) {

    osi_free(req_id);  // free the buffer

  }

  int app_uid = -1;

  std::unique_lock<std::mutex> lock(state_lock);

  uid_set_add_tx(uid_set, app_uid, len);

}

static void on_l2cap_write_fixed_done(uint16_t len, uint32_t id) {

static void on_l2cap_write_fixed_done(void* req_id, uint16_t len, uint32_t id) {

  l2cap_socket* sock;

  if (req_id != NULL) {

    osi_free(req_id);  // free the buffer

  }

  int app_uid = -1;

  std::unique_lock<std::mutex> lock(state_lock);

  sock = btsock_l2cap_find_by_id_l(id);

    case BTA_JV_L2CAP_WRITE_EVT:

      APPL_TRACE_DEBUG("BTA_JV_L2CAP_WRITE_EVT: id: %u", l2cap_socket_id);

      on_l2cap_write_done(p_data->l2c_write.len, l2cap_socket_id);

      on_l2cap_write_done(p_data->l2c_write.p_data, p_data->l2c_write.len,

                          l2cap_socket_id);

      break;

    case BTA_JV_L2CAP_WRITE_FIXED_EVT:

      APPL_TRACE_DEBUG("BTA_JV_L2CAP_WRITE_FIXED_EVT: id: %u", l2cap_socket_id);

      on_l2cap_write_fixed_done(p_data->l2c_write.len, l2cap_socket_id);

      on_l2cap_write_fixed_done(p_data->l2c_write_fixed.p_data,

                                p_data->l2c_write.len, l2cap_socket_id);

      break;

    case BTA_JV_L2CAP_CONG_EVT:

      if (!(flags & SOCK_THREAD_FD_EXCEPTION) ||

          (ioctl(sock->our_fd, FIONREAD, &size) == 0 && size)) {

        std::vector<uint8_t> buffer(L2CAP_MAX_SDU_LENGTH);

        uint8_t* buffer = (uint8_t*)osi_malloc(L2CAP_MAX_SDU_LENGTH);

        /* The socket is created with SOCK_SEQPACKET, hence we read one message

         * at the time. The maximum size of a message is allocated to ensure

         * data is not lost. This is okay to do as Android uses virtual memory,

         * in a tight loop, hence we risk the ioctl will return the total amount

         * of data in the buffer, which could be multiple 64kbyte chunks.

         * UPDATE: As the stack cannot handle 64kbyte buffers, the size is

         * reduced to around 8kbyte */

         * reduced to around 8kbyte - and using malloc for buffer allocation

         * here seems to be wrong

         * UPDATE: Since we are responsible for freeing the buffer in the

         * write_complete_ind, it is OK to use malloc. */

        ssize_t count;

        OSI_NO_INTR(count = recv(fd, buffer.data(), buffer.size(),

        OSI_NO_INTR(count = recv(fd, buffer, L2CAP_MAX_SDU_LENGTH,

                                 MSG_NOSIGNAL | MSG_DONTWAIT));

        APPL_TRACE_DEBUG("%s: %d bytes received from socket", __func__, count);

        buffer.resize((count == -1) ? 0 : count);

        APPL_TRACE_DEBUG(

            "btsock_l2cap_signaled - %d bytes received from socket", count);

        if (sock->fixed_chan) {

          BTA_JvL2capWriteFixed(sock->channel, sock->addr, btsock_l2cap_cbk,

                                std::move(buffer), user_id);

          if (BTA_JvL2capWriteFixed(sock->channel, sock->addr,

                                    PTR_TO_UINT(buffer), btsock_l2cap_cbk,

                                    buffer, count, user_id) != BTA_JV_SUCCESS) {

            // On fail, free the buffer

            on_l2cap_write_fixed_done(buffer, count, user_id);

          }

        } else {

          BTA_JvL2capWrite(sock->handle, std::move(buffer), user_id);

          if (BTA_JvL2capWrite(sock->handle, PTR_TO_UINT(buffer), buffer, count,

                               user_id) != BTA_JV_SUCCESS) {

            // On fail, free the buffer

            on_l2cap_write_done(buffer, count, user_id);

          }

        }

      }

    } else