Commit 713462c1 authored Jul 19, 2016 by Ting Zheng Committed by Andre Eisenbach Oct 31, 2016

bt address memory copy error in btif_av_state_opening_handler()



[Problem]
In btif_av_state_opening_handler() BTIF_AV_CONNECT_REQ_EVT
handling, it reported the wrong bt address. It happened when remote speaker
connected back and local also tried to initiate the connection almost at the
same time, so that A2dpStateMachine recognized mTargetDevice and mIncomingDevice
as two different deivices. When it was final connected, A2dpStateMachine ignored
the connected event as "ERROR: current, target, or mIncomingDevice not null in
Disconnected".

[Solution]
Modify (bt_bdaddr_t*)p_data to ((btif_av_connect_req_t *)p_data)->target_bda in
btif_av_state_opening_handler() BTIF_AV_CONNECT_REQ_EVT handling. In previous
design, it would copy the address of target_bda and uuid in
btif_av_connect_req_t rather than the real address pointed by target_bda.

Change-Id: Icbc5150016d6f75aa314b5d9e152a2de74f0cfbe
Signed-off-by: Ting Zheng <ting.zheng@mediatek.com>

parent 67cbdb66

system/btif/src/btif_av.cc

+2 −2

Original line number	Diff line number	Diff line
		@@ -554,7 +554,7 @@ static bool btif_av_state_opening_handler(btif_sm_event_t event, void* p_data) {
		case BTIF_AV_CONNECT_REQ_EVT:
		// Check for device, if same device which moved to opening then ignore
		// callback
		if (memcmp((bt_bdaddr_t*)p_data, &(btif_av_cb.peer_bda),
		if (memcmp(((btif_av_connect_req_t *)p_data)->target_bda, &(btif_av_cb.peer_bda),
		sizeof(btif_av_cb.peer_bda)) == 0) {
		BTIF_TRACE_DEBUG(
		"%s: Same device moved to Opening state,ignore Connect Req",
		@@ -565,7 +565,7 @@ static bool btif_av_state_opening_handler(btif_sm_event_t event, void* p_data) {
		BTIF_TRACE_DEBUG("%s: Moved from idle by Incoming Connection request",
		__func__);
		btif_report_connection_state(BTAV_CONNECTION_STATE_DISCONNECTED,
		(bt_bdaddr_t*)p_data);
		((btif_av_connect_req_t *)p_data)->target_bda);
		btif_queue_advance();
		break;
		}