Loading system/stack/avdt/avdt_scb_act.cc +56 −3 Original line number Diff line number Diff line Loading @@ -23,6 +23,7 @@ * ******************************************************************************/ #include <cutils/log.h> #include <string.h> #include "a2dp_codec_api.h" #include "avdt_api.h" Loading Loading @@ -233,10 +234,14 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) { uint16_t offset; uint16_t ex_len; uint8_t pad_len = 0; uint16_t len = p_data->p_pkt->len; p = p_start = (uint8_t*)(p_data->p_pkt + 1) + p_data->p_pkt->offset; /* parse media packet header */ offset = 12; // AVDT_MSG_PRS_OCTET1(1) + AVDT_MSG_PRS_M_PT(1) + UINT16(2) + UINT32(4) + 4 if (offset > len) goto length_error; AVDT_MSG_PRS_OCTET1(p, o_v, o_p, o_x, o_cc); AVDT_MSG_PRS_M_PT(p, m_pt, marker); BE_STREAM_TO_UINT16(seq, p); Loading @@ -244,18 +249,19 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) { p += 4; /* skip over any csrc's in packet */ offset += o_cc * 4; p += o_cc * 4; /* check for and skip over extension header */ if (o_x) { offset += 4; if (offset > len) goto length_error; p += 2; BE_STREAM_TO_UINT16(ex_len, p); offset += ex_len * 4; p += ex_len * 4; } /* save our new offset */ offset = (uint16_t)(p - p_start); /* adjust length for any padding at end of packet */ if (o_p) { /* padding length in last byte of packet */ Loading Loading @@ -283,6 +289,12 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) { osi_free_and_reset((void**)&p_data->p_pkt); } } return; length_error: android_errorWriteLog(0x534e4554, "111450156"); AVDT_TRACE_WARNING("%s: hdl packet length %d too short: must be at least %d", __func__, len, offset); osi_free_and_reset((void**)&p_data->p_pkt); } #if (AVDT_REPORTING == TRUE) Loading @@ -300,6 +312,7 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) { uint8_t* p_start = p; uint32_t ssrc; uint8_t o_v, o_p, o_cc; uint16_t min_len = 0; AVDT_REPORT_TYPE pt; tAVDT_REPORT_DATA report, *p_rpt; Loading @@ -307,6 +320,14 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) { if (p_scb->cs.p_report_cback) { p_rpt = &report; /* parse report packet header */ min_len += 8; if (min_len > len) { android_errorWriteLog(0x534e4554, "111450156"); AVDT_TRACE_WARNING( "%s: hdl packet length %d too short: must be at least %d", __func__, len, min_len); goto avdt_scb_hdl_report_exit; } AVDT_MSG_PRS_RPT_OCTET1(p, o_v, o_p, o_cc); pt = *p++; p += 2; Loading @@ -314,6 +335,14 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) { switch (pt) { case AVDT_RTCP_PT_SR: /* the packet type - SR (Sender Report) */ min_len += 20; if (min_len > len) { android_errorWriteLog(0x534e4554, "111450156"); AVDT_TRACE_WARNING( "%s: hdl packet length %d too short: must be at least %d", __func__, len, min_len); goto avdt_scb_hdl_report_exit; } BE_STREAM_TO_UINT32(report.sr.ntp_sec, p); BE_STREAM_TO_UINT32(report.sr.ntp_frac, p); BE_STREAM_TO_UINT32(report.sr.rtp_time, p); Loading @@ -322,6 +351,14 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) { break; case AVDT_RTCP_PT_RR: /* the packet type - RR (Receiver Report) */ min_len += 20; if (min_len > len) { android_errorWriteLog(0x534e4554, "111450156"); AVDT_TRACE_WARNING( "%s: hdl packet length %d too short: must be at least %d", __func__, len, min_len); goto avdt_scb_hdl_report_exit; } report.rr.frag_lost = *p; BE_STREAM_TO_UINT32(report.rr.packet_lost, p); report.rr.packet_lost &= 0xFFFFFF; Loading @@ -333,8 +370,23 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) { case AVDT_RTCP_PT_SDES: /* the packet type - SDES (Source Description) */ if (*p == AVDT_RTCP_SDES_CNAME) { min_len += sizeof(tAVDT_REPORT_DATA) + 2; if (min_len > len) { android_errorWriteLog(0x534e4554, "111450156"); AVDT_TRACE_WARNING( "%s: hdl packet length %d too short: must be at least %d", __func__, len, min_len); goto avdt_scb_hdl_report_exit; } p_rpt = (tAVDT_REPORT_DATA*)(p + 2); } else { if (min_len + 1 > len) { android_errorWriteLog(0x534e4554, "111450156"); AVDT_TRACE_WARNING( "%s: hdl packet length %d too short: must be at least %d", __func__, len, min_len + 2); goto avdt_scb_hdl_report_exit; } AVDT_TRACE_WARNING(" - SDES SSRC=0x%08x sc=%d %d len=%d %s", ssrc, o_cc, *p, *(p + 1), p + 2); result = AVDT_BUSY; Loading @@ -349,6 +401,7 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) { if (result == AVDT_SUCCESS) (*p_scb->cs.p_report_cback)(avdt_scb_to_hdl(p_scb), pt, p_rpt); } avdt_scb_hdl_report_exit: p_start += len; return p_start; } Loading Loading
system/stack/avdt/avdt_scb_act.cc +56 −3 Original line number Diff line number Diff line Loading @@ -23,6 +23,7 @@ * ******************************************************************************/ #include <cutils/log.h> #include <string.h> #include "a2dp_codec_api.h" #include "avdt_api.h" Loading Loading @@ -233,10 +234,14 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) { uint16_t offset; uint16_t ex_len; uint8_t pad_len = 0; uint16_t len = p_data->p_pkt->len; p = p_start = (uint8_t*)(p_data->p_pkt + 1) + p_data->p_pkt->offset; /* parse media packet header */ offset = 12; // AVDT_MSG_PRS_OCTET1(1) + AVDT_MSG_PRS_M_PT(1) + UINT16(2) + UINT32(4) + 4 if (offset > len) goto length_error; AVDT_MSG_PRS_OCTET1(p, o_v, o_p, o_x, o_cc); AVDT_MSG_PRS_M_PT(p, m_pt, marker); BE_STREAM_TO_UINT16(seq, p); Loading @@ -244,18 +249,19 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) { p += 4; /* skip over any csrc's in packet */ offset += o_cc * 4; p += o_cc * 4; /* check for and skip over extension header */ if (o_x) { offset += 4; if (offset > len) goto length_error; p += 2; BE_STREAM_TO_UINT16(ex_len, p); offset += ex_len * 4; p += ex_len * 4; } /* save our new offset */ offset = (uint16_t)(p - p_start); /* adjust length for any padding at end of packet */ if (o_p) { /* padding length in last byte of packet */ Loading Loading @@ -283,6 +289,12 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) { osi_free_and_reset((void**)&p_data->p_pkt); } } return; length_error: android_errorWriteLog(0x534e4554, "111450156"); AVDT_TRACE_WARNING("%s: hdl packet length %d too short: must be at least %d", __func__, len, offset); osi_free_and_reset((void**)&p_data->p_pkt); } #if (AVDT_REPORTING == TRUE) Loading @@ -300,6 +312,7 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) { uint8_t* p_start = p; uint32_t ssrc; uint8_t o_v, o_p, o_cc; uint16_t min_len = 0; AVDT_REPORT_TYPE pt; tAVDT_REPORT_DATA report, *p_rpt; Loading @@ -307,6 +320,14 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) { if (p_scb->cs.p_report_cback) { p_rpt = &report; /* parse report packet header */ min_len += 8; if (min_len > len) { android_errorWriteLog(0x534e4554, "111450156"); AVDT_TRACE_WARNING( "%s: hdl packet length %d too short: must be at least %d", __func__, len, min_len); goto avdt_scb_hdl_report_exit; } AVDT_MSG_PRS_RPT_OCTET1(p, o_v, o_p, o_cc); pt = *p++; p += 2; Loading @@ -314,6 +335,14 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) { switch (pt) { case AVDT_RTCP_PT_SR: /* the packet type - SR (Sender Report) */ min_len += 20; if (min_len > len) { android_errorWriteLog(0x534e4554, "111450156"); AVDT_TRACE_WARNING( "%s: hdl packet length %d too short: must be at least %d", __func__, len, min_len); goto avdt_scb_hdl_report_exit; } BE_STREAM_TO_UINT32(report.sr.ntp_sec, p); BE_STREAM_TO_UINT32(report.sr.ntp_frac, p); BE_STREAM_TO_UINT32(report.sr.rtp_time, p); Loading @@ -322,6 +351,14 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) { break; case AVDT_RTCP_PT_RR: /* the packet type - RR (Receiver Report) */ min_len += 20; if (min_len > len) { android_errorWriteLog(0x534e4554, "111450156"); AVDT_TRACE_WARNING( "%s: hdl packet length %d too short: must be at least %d", __func__, len, min_len); goto avdt_scb_hdl_report_exit; } report.rr.frag_lost = *p; BE_STREAM_TO_UINT32(report.rr.packet_lost, p); report.rr.packet_lost &= 0xFFFFFF; Loading @@ -333,8 +370,23 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) { case AVDT_RTCP_PT_SDES: /* the packet type - SDES (Source Description) */ if (*p == AVDT_RTCP_SDES_CNAME) { min_len += sizeof(tAVDT_REPORT_DATA) + 2; if (min_len > len) { android_errorWriteLog(0x534e4554, "111450156"); AVDT_TRACE_WARNING( "%s: hdl packet length %d too short: must be at least %d", __func__, len, min_len); goto avdt_scb_hdl_report_exit; } p_rpt = (tAVDT_REPORT_DATA*)(p + 2); } else { if (min_len + 1 > len) { android_errorWriteLog(0x534e4554, "111450156"); AVDT_TRACE_WARNING( "%s: hdl packet length %d too short: must be at least %d", __func__, len, min_len + 2); goto avdt_scb_hdl_report_exit; } AVDT_TRACE_WARNING(" - SDES SSRC=0x%08x sc=%d %d len=%d %s", ssrc, o_cc, *p, *(p + 1), p + 2); result = AVDT_BUSY; Loading @@ -349,6 +401,7 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) { if (result == AVDT_SUCCESS) (*p_scb->cs.p_report_cback)(avdt_scb_to_hdl(p_scb), pt, p_rpt); } avdt_scb_hdl_report_exit: p_start += len; return p_start; } Loading
