Loading system/bta/pan/bta_pan_act.c +6 −7 Original line number Diff line number Diff line Loading @@ -176,6 +176,12 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, tBTA_PAN_SCB *p_scb; BT_HDR *p_new_buf; p_scb = bta_pan_scb_by_handle(handle); if (p_scb == NULL) { return; } if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) { /* offset smaller than data structure in front of actual data */ if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len > Loading @@ -183,7 +189,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, android_errorWriteLog(0x534e4554, "63146237"); APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__, p_buf->len); osi_free(p_buf); return; } p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE); Loading @@ -191,7 +196,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len); p_new_buf->len = p_buf->len; p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS); osi_free(p_buf); } else { p_new_buf = p_buf; } Loading @@ -202,11 +206,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, ((tBTA_PAN_DATA_PARAMS *)p_new_buf)->ext = ext; ((tBTA_PAN_DATA_PARAMS *)p_new_buf)->forward = forward; if ((p_scb = bta_pan_scb_by_handle(handle)) == NULL) { osi_free(p_new_buf); return; } fixed_queue_enqueue(p_scb->data_queue, p_new_buf); BT_HDR *p_event = (BT_HDR *)osi_malloc(sizeof(BT_HDR)); p_event->layer_specific = handle; Loading system/stack/bnep/bnep_main.c +1 −0 Original line number Diff line number Diff line Loading @@ -661,6 +661,7 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) if (bnep_cb.p_data_buf_cb) { (*bnep_cb.p_data_buf_cb)(p_bcb->handle, p_src_addr, p_dst_addr, protocol, p_buf, fw_ext_present); osi_free(p_buf); } else if (bnep_cb.p_data_ind_cb) { Loading Loading
system/bta/pan/bta_pan_act.c +6 −7 Original line number Diff line number Diff line Loading @@ -176,6 +176,12 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, tBTA_PAN_SCB *p_scb; BT_HDR *p_new_buf; p_scb = bta_pan_scb_by_handle(handle); if (p_scb == NULL) { return; } if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) { /* offset smaller than data structure in front of actual data */ if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len > Loading @@ -183,7 +189,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, android_errorWriteLog(0x534e4554, "63146237"); APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__, p_buf->len); osi_free(p_buf); return; } p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE); Loading @@ -191,7 +196,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len); p_new_buf->len = p_buf->len; p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS); osi_free(p_buf); } else { p_new_buf = p_buf; } Loading @@ -202,11 +206,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, ((tBTA_PAN_DATA_PARAMS *)p_new_buf)->ext = ext; ((tBTA_PAN_DATA_PARAMS *)p_new_buf)->forward = forward; if ((p_scb = bta_pan_scb_by_handle(handle)) == NULL) { osi_free(p_new_buf); return; } fixed_queue_enqueue(p_scb->data_queue, p_new_buf); BT_HDR *p_event = (BT_HDR *)osi_malloc(sizeof(BT_HDR)); p_event->layer_specific = handle; Loading
system/stack/bnep/bnep_main.c +1 −0 Original line number Diff line number Diff line Loading @@ -661,6 +661,7 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) if (bnep_cb.p_data_buf_cb) { (*bnep_cb.p_data_buf_cb)(p_bcb->handle, p_src_addr, p_dst_addr, protocol, p_buf, fw_ext_present); osi_free(p_buf); } else if (bnep_cb.p_data_ind_cb) { Loading
