
Commit 1023e1ce authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Android (Google) Code Review

Merge "PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback" into oc-dev

parents 8d5d3ad7 50f6b19c
+5 −8
@@ -174,6 +174,11 @@ static void bta_pan_data_buf_ind_cback(uint16_t handle, BD_ADDR src,
  tBTA_PAN_SCB* p_scb;
  BT_HDR* p_new_buf;

  p_scb = bta_pan_scb_by_handle(handle);
  if (p_scb == NULL) {
    return;
  }

  if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
    /* offset smaller than data structure in front of actual data */
    if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
@@ -181,7 +186,6 @@ static void bta_pan_data_buf_ind_cback(uint16_t handle, BD_ADDR src,
      android_errorWriteLog(0x534e4554, "63146237");
      APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
                       p_buf->len);
      osi_free(p_buf);
      return;
    }
    p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);
@@ -189,7 +193,6 @@ static void bta_pan_data_buf_ind_cback(uint16_t handle, BD_ADDR src,
           (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
    p_new_buf->len = p_buf->len;
    p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
    osi_free(p_buf);
  } else {
    p_new_buf = p_buf;
  }
@@ -200,12 +203,6 @@ static void bta_pan_data_buf_ind_cback(uint16_t handle, BD_ADDR src,
  ((tBTA_PAN_DATA_PARAMS*)p_new_buf)->ext = ext;
  ((tBTA_PAN_DATA_PARAMS*)p_new_buf)->forward = forward;

  p_scb = bta_pan_scb_by_handle(handle);
  if (p_scb == NULL) {
    osi_free(p_new_buf);
    return;
  }

  fixed_queue_enqueue(p_scb->data_queue, p_new_buf);
  BT_HDR* p_event = (BT_HDR*)osi_malloc(sizeof(BT_HDR));
  p_event->layer_specific = handle;
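Review bot: The no-copy branch `p_new_buf = p_buf;` in the third hunk still hands the caller's buffer to `fixed_queue_enqueue(p_scb->data_queue, p_new_buf)` in the last hunk, and with the +/- markers lost the hunk counts suggest the two `osi_free(p_buf);` lines in the second and third hunks are the deletions, i.e. this callback now never frees p_buf; if the companion change in bnep_data_ind below is the added `osi_free(p_buf);` right after the callback returns, the large-offset path queues a buffer its caller frees immediately, which is the same use-after-free class this commit is fixing. Either the else branch should also copy into a private buffer (allocate and memcpy the header, offset and len bytes, in place of the alias), or the ownership rule must be the other way round and the caller must not free on this path. Whichever it is, state it where the alias is taken, e.g. `/* p_buf stays owned by the caller; only a copy may be queued */`. bta_pan_data_buf_ind_cback starts before the first hunk and continues past the last, so I cannot confirm the final ownership from the visible lines.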
+1 −0
Original line number Diff line number Diff line
@@ -605,6 +605,7 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
  if (bnep_cb.p_data_buf_cb) {
    (*bnep_cb.p_data_buf_cb)(p_bcb->handle, p_src_addr, p_dst_addr, protocol,
                             p_buf, fw_ext_present);
    osi_free(p_buf);
  } else if (bnep_cb.p_data_ind_cb) {
    (*bnep_cb.p_data_ind_cb)(p_bcb->handle, p_src_addr, p_dst_addr, protocol, p,
                             rem_len, fw_ext_present);
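Review bot: If the `osi_free(p_buf);` after the p_data_buf_cb invocation is the added line, it changes the contract of that callback type from "callee takes p_buf" to "caller keeps p_buf", and nothing in the hunk records that for callback implementers. Add a comment on the free, e.g. `/* p_buf remains ours: a p_data_buf_cb must copy anything it keeps beyond the call */`, and the same sentence on the callback typedef where it is declared. bnep_data_ind continues outside the hunk, so I cannot see whether the p_data_ind_cb branch releases p_buf on its own path.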