Loading system/stack/rfcomm/rfc_ts_frames.cc +22 −1 Original line number Original line Diff line number Diff line Loading @@ -621,6 +621,14 @@ void rfc_process_mx_message(tRFC_MCB* p_mcb, BT_HDR* p_buf) { uint8_t ea, cr, mx_len; uint8_t ea, cr, mx_len; bool is_command; bool is_command; if (length < 2) { RFCOMM_TRACE_ERROR( "%s: Illegal MX Frame len when reading EA, C/R. len:%d < 2", __func__, length); android_errorWriteLog(0x534e4554, "111937065"); osi_free(p_buf); return; } p_rx_frame->ea = *p_data & RFCOMM_EA; p_rx_frame->ea = *p_data & RFCOMM_EA; p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR; p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR; p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK); p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK); Loading @@ -641,6 +649,13 @@ void rfc_process_mx_message(tRFC_MCB* p_mcb, BT_HDR* p_buf) { length--; length--; if (!ea) { if (!ea) { if (length < 1) { RFCOMM_TRACE_ERROR("%s: Illegal MX Frame when EA = 0. len:%d < 1", __func__, length); android_errorWriteLog(0x534e4554, "111937065"); osi_free(p_buf); return; } mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2; mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2; length--; length--; } } Loading Loading @@ -709,7 +724,13 @@ void rfc_process_mx_message(tRFC_MCB* p_mcb, BT_HDR* p_buf) { return; return; case RFCOMM_MX_MSC: case RFCOMM_MX_MSC: if (length != RFCOMM_MX_MSC_LEN_WITH_BREAK && length != RFCOMM_MX_MSC_LEN_NO_BREAK) { RFCOMM_TRACE_ERROR("%s: Illegal MX MSC Frame len:%d", __func__, length); android_errorWriteLog(0x534e4554, "111937065"); osi_free(p_buf); return; } ea = *p_data & RFCOMM_EA; ea = *p_data & RFCOMM_EA; cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR; cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR; p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI; p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI; Loading Loading
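Review bot: In the second hunk the new `length < 1` guard makes the extra length octet safe to read, but `mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2;` still stores its result in `mx_len`, which the first hunk shows declared as `uint8_t`, so for any non-zero shift the upper bits of a two-octet length are dropped on assignment and later code sees a wrapped value. Declaring it wider, `uint16_t mx_len;`, or rejecting the frame when the shifted octet does not fit, would keep the parsed length faithful to the wire; the uses of `mx_len` after this point are outside the visible hunks, so check them before widening. Separately, the same four-statement reject path (trace, `android_errorWriteLog`, `osi_free(p_buf)`, `return`) is repeated in all three hunks; a single exit label or small static helper would keep the release of `p_buf` in one place. The third hunk validates only the `RFCOMM_MX_MSC` arm, and the rest of `rfc_process_mx_message` lies outside the hunks, so confirm that every other arm of the switch checks `length` before dereferencing `p_data`.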
system/stack/rfcomm/rfc_ts_frames.cc +22 −1 Original line number Original line Diff line number Diff line Loading @@ -621,6 +621,14 @@ void rfc_process_mx_message(tRFC_MCB* p_mcb, BT_HDR* p_buf) { uint8_t ea, cr, mx_len; uint8_t ea, cr, mx_len; bool is_command; bool is_command; if (length < 2) { RFCOMM_TRACE_ERROR( "%s: Illegal MX Frame len when reading EA, C/R. len:%d < 2", __func__, length); android_errorWriteLog(0x534e4554, "111937065"); osi_free(p_buf); return; } p_rx_frame->ea = *p_data & RFCOMM_EA; p_rx_frame->ea = *p_data & RFCOMM_EA; p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR; p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR; p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK); p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK); Loading @@ -641,6 +649,13 @@ void rfc_process_mx_message(tRFC_MCB* p_mcb, BT_HDR* p_buf) { length--; length--; if (!ea) { if (!ea) { if (length < 1) { RFCOMM_TRACE_ERROR("%s: Illegal MX Frame when EA = 0. len:%d < 1", __func__, length); android_errorWriteLog(0x534e4554, "111937065"); osi_free(p_buf); return; } mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2; mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2; length--; length--; } } Loading Loading @@ -709,7 +724,13 @@ void rfc_process_mx_message(tRFC_MCB* p_mcb, BT_HDR* p_buf) { return; return; case RFCOMM_MX_MSC: case RFCOMM_MX_MSC: if (length != RFCOMM_MX_MSC_LEN_WITH_BREAK && length != RFCOMM_MX_MSC_LEN_NO_BREAK) { RFCOMM_TRACE_ERROR("%s: Illegal MX MSC Frame len:%d", __func__, length); android_errorWriteLog(0x534e4554, "111937065"); osi_free(p_buf); return; } ea = *p_data & RFCOMM_EA; ea = *p_data & RFCOMM_EA; cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR; cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR; p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI; p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI; Loading