Merge "DO NOT MERGE Handle bad packet length in gatts_process_read_req" into mnc-dev

#if BLE_INCLUDED == TRUE

#include <string.h>

#include <log/log.h>

#include "gatt_int.h"

#include "l2c_api.h"

#include "l2c_int.h"

    tGATT_IF gatt_if;

    UINT16  conn_id;

    UNUSED(len);

#if GATT_CONFORMANCE_TESTING == TRUE

    if (gatt_cb.enable_err_rsp && gatt_cb.req_op_code == op_code)

    {

    }

#endif

    if (len < sizeof(flag)) {

      android_errorWriteLog(0x534e4554, "73172115");

      GATT_TRACE_ERROR("%s: invalid length", __func__);

      gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, GATT_REQ_EXEC_WRITE, 0, false);

      return;

    }

    STREAM_TO_UINT8(flag, p);

    /* mask the flag */

    UINT8           sec_flag, key_size, *p;

    UINT16          offset = 0, value_len = 0;

    UNUSED (len);

    if ((p_msg =  (BT_HDR *)GKI_getbuf(buf_len)) == NULL)

    {

        GATT_TRACE_ERROR("gatts_process_find_info failed. no resources.");

    }

    else

    {

        if (op_code == GATT_REQ_READ_BLOB && len < sizeof(UINT16)) {

          /* Error: packet length is too short */

          android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0);

          GATT_TRACE_ERROR("%s: invalid length", __func__);

          gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, op_code, 0, false);

          return;

        }

        if (op_code == GATT_REQ_READ_BLOB)

            STREAM_TO_UINT16(offset, p_data);

    {

        if (p_msg)  GKI_freebuf(p_msg);

        /* in theroy BUSY is not possible(should already been checked), protected check */

        /* in theory BUSY is not possible(should already been checked), protected check */

        if (reason != GATT_PENDING && reason != GATT_BUSY)

            gatt_send_error_rsp (p_tcb, reason, op_code, handle, FALSE);

    }