
Commit 4161f3a4 authored by Pavlin Radoslavov's avatar Pavlin Radoslavov

Fix the processing of AVRCP Rcvd Pass Through messages

The assignment and handling of the optional tAVRC_MSG_PASS.p_pass_data
data buffer pointer was inconsistent:
 - For originating AVRCP packets, it was assigned to osi_getbuf()
   allocated memory.
 - For received AVRCP packets, it was a pointer in the middle of the
   received data buffer.
However, in the common function avrc_pass_msg(), the p_pass_data pointer
was deallocated by osi_freebuf(). This triggered an assert when processing
AVRCP Rcvd Pass Through messages with non-zero Data Length field.

Bug: 26865159
Change-Id: I1b2eb6713636c290caca16e77226c114d99dcb8e
parent 05fa852c
+17 −10
@@ -471,25 +471,32 @@ void BTA_AvRemoteCmd(UINT8 rc_handle, UINT8 label, tBTA_AV_RC rc_id, tBTA_AV_STA
**
**
** Function         BTA_AvRemoteVendorUniqueCmd
** Function         BTA_AvRemoteVendorUniqueCmd
**
**
** Description      Send a remote control command with Vendor Unique rc_id. This function can only
** Description      Send a remote control command with Vendor Unique rc_id.
**                  be used if AV is enabled with feature BTA_AV_FEAT_RCCT.
**                  This function can only be used if AV is enabled with
**                  feature BTA_AV_FEAT_RCCT.
**
**
** Returns          void
** Returns          void
**
**
*******************************************************************************/
*******************************************************************************/
void BTA_AvRemoteVendorUniqueCmd(UINT8 rc_handle, UINT8 label, tBTA_AV_STATE key_state,
void BTA_AvRemoteVendorUniqueCmd(UINT8 rc_handle, UINT8 label,
                                 UINT8* p_msg, UINT8 buf_len)
                                 tBTA_AV_STATE key_state, UINT8* p_msg,
                                 UINT8 buf_len)
{
{
    tBTA_AV_API_REMOTE_CMD *p_buf =
    tBTA_AV_API_REMOTE_CMD *p_buf =
        (tBTA_AV_API_REMOTE_CMD *) osi_getbuf(sizeof(tBTA_AV_API_REMOTE_CMD));
      (tBTA_AV_API_REMOTE_CMD *)osi_getbuf(sizeof(tBTA_AV_API_REMOTE_CMD) +
    assert(p_buf);
                                           buf_len);
    p_buf->label = label;
    p_buf->hdr.event = BTA_AV_API_REMOTE_CMD_EVT;
    p_buf->hdr.event = BTA_AV_API_REMOTE_CMD_EVT;
    p_buf->hdr.layer_specific = rc_handle;
    p_buf->hdr.layer_specific = rc_handle;
    p_buf->msg.op_id = AVRC_ID_VENDOR;
    p_buf->msg.op_id = AVRC_ID_VENDOR;
    p_buf->msg.state = key_state;
    p_buf->msg.state = key_state;
    p_buf->msg.p_pass_data = p_msg;
    p_buf->msg.pass_len = buf_len;
    p_buf->msg.pass_len = buf_len;
    p_buf->label = label;
    if (p_msg == NULL) {
        p_buf->msg.p_pass_data = NULL;
    } else {
        p_buf->msg.p_pass_data = (UINT8 *)(p_buf + 1);
        memcpy(p_buf->msg.p_pass_data, p_msg, buf_len);
    }
    bta_sys_sendmsg(p_buf);
    bta_sys_sendmsg(p_buf);
}
}
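Review bot: When `p_msg` is NULL the new branch stores a NULL `p_pass_data`, but `pass_len` was already set to `buf_len` two lines above, so a caller that passes NULL with a non-zero length produces a message whose length and pointer disagree. The `memcpy(p_data, p_msg->p_pass_data, p_msg->pass_len)` shown further down in avrc_pass_msg() would then read through NULL unless its guard, which is outside the visible lines, also checks the pointer. Adding `p_buf->msg.pass_len = 0;` to the NULL arm keeps the two fields consistent. Separately, `assert(p_buf);` is printed on only one side of this section; if it was dropped, the `osi_getbuf()` result is dereferenced unchecked, so confirm that allocator cannot return NULL.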


+3 −3
@@ -3969,14 +3969,14 @@ static bt_status_t send_groupnavigation_cmd(bt_bdaddr_t *bd_addr, uint8_t key_co
    {
    {
        bt_status_t tran_status = get_transaction(&p_transaction);
        bt_status_t tran_status = get_transaction(&p_transaction);
        if ((BT_STATUS_SUCCESS == tran_status) && (NULL != p_transaction)) {
        if ((BT_STATUS_SUCCESS == tran_status) && (NULL != p_transaction)) {
             UINT8* p_buf = (UINT8 *)osi_getbuf(AVRC_PASS_THRU_GROUP_LEN);
             UINT8 buffer[AVRC_PASS_THRU_GROUP_LEN] = {0};
             UINT8* start = p_buf;
             UINT8* start = buffer;
             UINT24_TO_BE_STREAM(start, AVRC_CO_METADATA);
             UINT24_TO_BE_STREAM(start, AVRC_CO_METADATA);
             *(start)++ = 0;
             *(start)++ = 0;
             UINT8_TO_BE_STREAM(start, key_code);
             UINT8_TO_BE_STREAM(start, key_code);
             BTA_AvRemoteVendorUniqueCmd(btif_rc_cb.rc_handle,
             BTA_AvRemoteVendorUniqueCmd(btif_rc_cb.rc_handle,
                                         p_transaction->lbl,
                                         p_transaction->lbl,
                                         (tBTA_AV_STATE)key_state, p_buf,
                                         (tBTA_AV_STATE)key_state, buffer,
                                         AVRC_PASS_THRU_GROUP_LEN);
                                         AVRC_PASS_THRU_GROUP_LEN);
             status =  BT_STATUS_SUCCESS;
             status =  BT_STATUS_SUCCESS;
             BTIF_TRACE_DEBUG("%s: succesfully sent group_navigation command to BTA",
             BTIF_TRACE_DEBUG("%s: succesfully sent group_navigation command to BTA",
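Review bot: `buffer` is now stack storage, so this call is safe only because BTA_AvRemoteVendorUniqueCmd() copies the bytes into the message before queuing it, and nothing at the call site records that dependency. A one-line comment above the call, `/* BTA copies buffer into the queued message; stack storage is safe here */`, would keep a later change to the callee from silently turning this into a dangling pointer. The writes through `start` put five bytes into the array, which is assumed to fit AVRC_PASS_THRU_GROUP_LEN; that constant's value is not shown on this page. The enclosing send_groupnavigation_cmd() starts and ends outside the hunk.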
+0 −1
@@ -872,7 +872,6 @@ static BT_HDR * avrc_pass_msg(tAVRC_MSG_PASS *p_msg)
            {
            {
                memcpy(p_data, p_msg->p_pass_data, p_msg->pass_len);
                memcpy(p_data, p_msg->p_pass_data, p_msg->pass_len);
                p_data += p_msg->pass_len;
                p_data += p_msg->pass_len;
                osi_freebuf(p_msg->p_pass_data);
            }
            }
        }
        }
        else /* set msg len to 0 for other op_id */
        else /* set msg len to 0 for other op_id */