
Commit 2fbcfd96 authored by Hansong Zhang's avatar Hansong Zhang

DO NOT MERGE Fix unexpected behavior in reading BNEP packets

Bug: 67863755
Bug: 69177251
Bug: 69177292
Bug: 69271284
Test: BNEP still works
Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372
parent ec778d7c
+9 −5
@@ -35,6 +35,7 @@

#include "l2c_api.h"
#include "l2cdefs.h"
#include "log/log.h"

#include "btu.h"
#include "btm_api.h"
@@ -514,20 +515,21 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
            org_len = rem_len;
            new_len = 0;
            do {

                if (org_len < 2) break;
                ext     = *p++;
                length  = *p++;
                p += length;

                new_len = (length + 2);
                if (new_len > org_len) break;

                if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))
                    bnep_send_command_not_understood (p_bcb, *p);

                new_len += (length + 2);

                if (new_len > org_len)
                    break;
                org_len -= new_len;

            } while (ext & 0x80);
            android_errorWriteLog(0x534e4554, "67863755");
        }

        GKI_freebuf (p_buf);
@@ -580,6 +582,8 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
            while (extension_present && p && rem_len)
            {
                ext_type = *p++;
                rem_len--;
                android_errorWriteLog(0x534e4554, "69271284");
                extension_present = ext_type >> 7;
                ext_type &= 0x7F;
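Review bot: In the extension-skipping `do` loop of bnep_data_ind, `p += length;` still runs before the new `if (new_len > org_len) break;` check, and the `*p` comparison that follows reads the byte after the extension. When an extension exactly fills the remaining data (`new_len == org_len`), that read is one byte beyond what the length check covered; whether the buffer has slack past `rem_len` is not visible here. Bounding the read keeps the current behaviour otherwise: `if ((new_len < org_len) && (!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))`. Separately, both `android_errorWriteLog(0x534e4554, ...)` calls are unconditional (after the loop, and inside the `while (extension_present && p && rem_len)` body), so they appear to fire on well-formed packets as well, which weakens them as a detection signal; placing them on the paths that reject a bad length would fix that. bnep_data_ind starts and ends outside these hunks.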

+23 −0
@@ -22,6 +22,8 @@
 *
 ******************************************************************************/

#include <cutils/log.h>

#include <stdio.h>
#include <string.h>
#include "gki.h"
@@ -828,6 +830,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len

    case BNEP_SETUP_CONNECTION_REQUEST_MSG:
        len = *p++;
	    if (*rem_len < 1) {
		    BNEP_TRACE_ERROR(
              "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
              __func__);
            android_errorWriteLog(0x534e4554, "69177292");
            goto bad_packet_length;
        }
        if (*rem_len < ((2 * len) + 1)) {
            BNEP_TRACE_ERROR(
              "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
@@ -854,6 +863,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
        break;

    case BNEP_FILTER_NET_TYPE_SET_MSG:
	    if (*rem_len < 2) {
		    BNEP_TRACE_ERROR(
              "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
              __func__);
            android_errorWriteLog(0x534e4554, "69177292");
            goto bad_packet_length;
        }
        BE_STREAM_TO_UINT16 (len, p);
        if (*rem_len < (len + 2))
        {
@@ -880,6 +896,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
        break;

    case BNEP_FILTER_MULTI_ADDR_SET_MSG:
	    if (*rem_len < 2) {
		    BNEP_TRACE_ERROR(
              "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
              __func__);
            android_errorWriteLog(0x534e4554, "69177292");
            goto bad_packet_length;
        }
        BE_STREAM_TO_UINT16 (len, p);
        if (*rem_len < (len + 2))
        {
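Review bot: In the BNEP_SETUP_CONNECTION_REQUEST_MSG case the added `if (*rem_len < 1)` guard sits after `len = *p++;`, so the length byte is read before the remaining length is checked and the guard cannot prevent the read it is meant to cover. Move the guard above the read, as the BNEP_FILTER_NET_TYPE_SET_MSG and BNEP_FILTER_MULTI_ADDR_SET_MSG cases do with their `*rem_len < 2` check ahead of `BE_STREAM_TO_UINT16 (len, p);`. The added lines also mix tabs and spaces (`if (*rem_len < 1) {` and the `BNEP_TRACE_ERROR(` line under it), unlike the space-indented code around them. bnep_process_control_packet begins and ends outside these hunks.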