
Commit 400ec82a authored by Jacob Lee's avatar Jacob Lee Committed by android-build-merger

Memory overwrite due to HDP doesn\'t allocate enough buffer

am: 01fc55b9

* commit '01fc55b9':
  Memory overwrite due to HDP doesn't allocate enough buffer
parents 0bf36456 01fc55b9
+3 −1
@@ -499,7 +499,9 @@ void bta_hl_dch_send_data(UINT8 app_idx, UINT8 mcl_idx, UINT8 mdl_idx,

    if (!(p_dcb->cout_oper & BTA_HL_CO_GET_TX_DATA_MASK))
    {
        if ((p_dcb->p_tx_pkt = bta_hl_get_buf(p_data->api_send_data.pkt_size)) != NULL)
        // p_dcb->chnl_cfg.fcs may be BTA_HL_MCA_USE_FCS (0x11) or BTA_HL_MCA_NO_FCS (0x10) or BTA_HL_DEFAULT_SOURCE_FCS (1)
        BOOLEAN fcs_use = (BOOLEAN) (p_dcb->chnl_cfg.fcs & BTA_HL_MCA_FCS_USE_MASK);
        if ((p_dcb->p_tx_pkt = bta_hl_get_buf(p_data->api_send_data.pkt_size, fcs_use)) != NULL)
        {
            bta_hl_co_get_tx_data( p_acb->app_id,
                                   p_dcb->mdl_handle,
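Review bot: The derivation `BOOLEAN fcs_use = (BOOLEAN) (p_dcb->chnl_cfg.fcs & BTA_HL_MCA_FCS_USE_MASK);` is duplicated verbatim in bta_hl_api_dch_echo_test in the third file of this commit, and only this copy carries the explanatory comment, so the two sites can drift apart the next time the FCS encoding changes. A small static helper taking p_dcb, or having bta_hl_get_buf accept the raw chnl_cfg.fcs and apply the mask itself, would keep the masking in one place so a future caller cannot forget it and under-allocate again. If the duplication is kept, at least repeat the comment at the echo-test site, and extend it to say which bit the mask selects, since the comment lists the possible values (0x11, 0x10, 1) but not how they map to TRUE/FALSE. bta_hl_dch_send_data's body continues beyond this hunk.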
+2 −1
@@ -57,6 +57,7 @@ typedef UINT16 (tBTA_HL_ALLOCATE_PSM) (void);
#define BTA_HL_L2C_USE_FCS              1
#define BTA_HL_L2C_NO_FCS               0
#define BTA_HL_DEFAULT_SOURCE_FCS       BTA_HL_L2C_USE_FCS
#define BTA_HL_MCA_FCS_USE_MASK         MCA_FCS_USE_MASK

/* SDP Operations */
#define BTA_HL_SDP_OP_NONE                  0
@@ -710,7 +711,7 @@ extern "C"
    extern UINT8 bta_hl_set_tx_win_size(UINT16 mtu, UINT16 mps);
    extern UINT16 bta_hl_set_mps(UINT16 mtu);
    extern void bta_hl_clean_mdl_cb(UINT8 app_idx, UINT8 mcl_idx, UINT8 mdl_idx);
    extern BT_HDR * bta_hl_get_buf(UINT16 data_size);
    extern BT_HDR * bta_hl_get_buf(UINT16 data_size, BOOLEAN fcs_use);
    extern BOOLEAN bta_hl_find_service_in_db( UINT8 app_idx, UINT8 mcl_idx,
                                              UINT16 service_uuid,
                                              tSDP_DISC_REC **pp_rec );
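Review bot: The new prototype `extern BT_HDR * bta_hl_get_buf(UINT16 data_size, BOOLEAN fcs_use);` gives no hint about what the second argument changes, and the header is where most readers will meet it; a one-line comment such as `/* fcs_use: reserve L2CAP_FCS_LEN extra bytes in the returned buffer */` above the declaration would save a trip to the definition. Removing the one-argument declaration outright (rather than keeping an overload-like wrapper) is the right call here: any caller this commit missed now fails to compile instead of silently allocating a buffer that is L2CAP_FCS_LEN too short. The `BTA_HL_MCA_FCS_USE_MASK` alias added in the first hunk is only meaningful if `MCA_FCS_USE_MASK` is a single-bit mask that fits in a BOOLEAN after the cast at the call sites; its definition is not on this page, so that assumption is worth confirming.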
+2 −1
@@ -1344,7 +1344,8 @@ static void bta_hl_api_dch_echo_test(tBTA_HL_CB *p_cb, tBTA_HL_DATA *p_data)
                    if ((p_data->api_dch_echo_test.local_cfg == BTA_HL_DCH_CFG_RELIABLE) ||
                        (p_data->api_dch_echo_test.local_cfg == BTA_HL_DCH_CFG_STREAMING))
                    {
                        if ((p_dcb->p_echo_tx_pkt = bta_hl_get_buf(p_data->api_dch_echo_test.pkt_size)) != NULL )
                        BOOLEAN fcs_use = (BOOLEAN) (p_dcb->chnl_cfg.fcs & BTA_HL_MCA_FCS_USE_MASK);
                        if ((p_dcb->p_echo_tx_pkt = bta_hl_get_buf(p_data->api_dch_echo_test.pkt_size, fcs_use)) != NULL )
                        {
                            if (bta_hl_set_ctrl_psm_for_dch(app_idx, mcl_idx, mdl_idx, p_data->api_dch_open.ctrl_psm))
                            {
+6 −1
@@ -266,11 +266,16 @@ void bta_hl_clean_mdl_cb(UINT8 app_idx, UINT8 mcl_idx, UINT8 mdl_idx)
** Returns      BT_HDR *.
**
*******************************************************************************/
BT_HDR * bta_hl_get_buf(UINT16 data_size)
BT_HDR * bta_hl_get_buf(UINT16 data_size, BOOLEAN fcs_use)
{
    BT_HDR *p_new;
    UINT16 size = data_size + L2CAP_MIN_OFFSET + BT_HDR_SIZE;

    if (fcs_use)
    {
        size += L2CAP_FCS_LEN;
    }

    p_new = (BT_HDR *)osi_getbuf(size);
    if (p_new)
    {
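Review bot: `UINT16 size = data_size + L2CAP_MIN_OFFSET + BT_HDR_SIZE;` followed by `size += L2CAP_FCS_LEN;` is evaluated in 16 bits, so a data_size within a few bytes of 0xFFFF wraps and osi_getbuf is handed a buffer smaller than the payload — the same under-allocation class this commit fixes for the FCS case, just triggered by size instead of configuration. Unless pkt_size is bounded by the caller before it reaches here (nothing in this hunk shows that), compute the total in a wider type and refuse oversize requests through the existing NULL path that both call sites already check: `UINT32 total = (UINT32)data_size + L2CAP_MIN_OFFSET + BT_HDR_SIZE + (fcs_use ? L2CAP_FCS_LEN : 0);` / `if (total > 0xFFFF) return NULL;` / `UINT16 size = (UINT16)total;`. The function header comment above (only its "Returns BT_HDR *." tail is in the hunk) should also gain a line describing fcs_use, since the parameter list it documents now has a second entry. bta_hl_get_buf's body continues past the end of this hunk.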