HIDD: Check descriptor length and increase buffer (1b621449) · Commits · e / os / android_packages_modules_Bluetooth

system/bta/hd/bta_hd_int.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -66,7 +66,7 @@ typedef struct {
		#define BTA_HD_APP_NAME_LEN 50
		#define BTA_HD_APP_DESCRIPTION_LEN 50
		#define BTA_HD_APP_PROVIDER_LEN 50
		#define BTA_HD_APP_DESCRIPTOR_LEN 2048
		#define BTA_HD_APP_DESCRIPTOR_LEN HIDD_APP_DESCRIPTOR_LEN

		#define BTA_HD_STATE_DISABLED 0x00
		#define BTA_HD_STATE_ENABLED 0x01

+12 −1

Original line number	Diff line number	Diff line
		@@ -33,6 +33,7 @@
		#include "hidd_api.h"
		#include "hidd_int.h"
		#include "hiddefs.h"
		#include "log/log.h"

		tHID_DEV_CTB hd_cb;

		@@ -293,7 +294,13 @@ tHID_STATUS HID_DevAddRecord(uint32_t handle, char* p_name, char* p_description,
		uint8_t* p_buf;
		uint8_t seq_len = 4 + desc_len;

		p_buf = (uint8_t*)osi_malloc(2048);
		if (desc_len > HIDD_APP_DESCRIPTOR_LEN) {
		HIDD_TRACE_ERROR("%s: descriptor length = %d, larger than max %d",
		__func__, desc_len, HIDD_APP_DESCRIPTOR_LEN);
		return HID_ERR_NOT_REGISTERED;
		};

		p_buf = (uint8_t*)osi_malloc(HIDD_APP_DESCRIPTOR_LEN + 6);

		if (p_buf == NULL) {
		HIDD_TRACE_ERROR("%s: Buffer allocation failure for size = 2048 ",
		@@ -314,6 +321,10 @@ tHID_STATUS HID_DevAddRecord(uint32_t handle, char* p_name, char* p_description,
		UINT8_TO_BE_STREAM(p, desc_len);
		ARRAY_TO_BE_STREAM(p, p_desc_data, (int)desc_len);

		if (desc_len > HIDD_APP_DESCRIPTOR_LEN - 6) {
		android_errorWriteLog(0x534e4554, "113572366");
		}

		result &= SDP_AddAttribute(handle, ATTR_ID_HID_DESCRIPTOR_LIST,
		DATA_ELE_SEQ_DESC_TYPE, p - p_buf, p_buf);

+2 −0

Original line number	Diff line number	Diff line
		@@ -131,6 +131,8 @@ typedef struct desc_info {

		#define HID_SSR_PARAM_INVALID 0xffff

		#define HIDD_APP_DESCRIPTOR_LEN 2048

		typedef struct sdp_info {
		char svc_name[HID_MAX_SVC_NAME_LEN]; /Service Name /
		char svc_descr[HID_MAX_SVC_DESCR_LEN]; /Service Description/