Check LE advertising data length before caching advertising records am:...

#include <stdio.h>

#include <stddef.h>

#include <log/log.h>

#include "bt_types.h"

#include "bt_utils.h"

#include "btm_ble_api.h"

** Returns          void

**

*******************************************************************************/

void btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, UINT8 evt_type)

BOOLEAN btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, UINT8 evt_type)

{

    tBTM_BLE_INQ_CB     *p_le_inq_cb = &btm_cb.ble_ctr_cb.inq_var;

    UINT8 *p_cache;

        STREAM_TO_UINT8(length, p);

        while ( length && ((p_le_inq_cb->adv_len + length + 1) <= BTM_BLE_CACHE_ADV_DATA_MAX))

        {

            /* adv record size must be smaller than the total adv data size */

            if ((length + 1) > data_len) {

                BTM_TRACE_ERROR("BTM - got incorrect LE advertising data");

                android_errorWriteLog(0x534e4554, "33899337");

                return FALSE;

            }

            /* copy from the length byte & data into cache */

            memcpy(p_cache, p-1, length+1);

            /* reduce the total data size by size of data copied */

            data_len -= length + 1;

            /* advance the cache pointer past data */

            p_cache += length+1;

            /* increment cache length */

            STREAM_TO_UINT8(length, p);

        }

    }

    return TRUE;

    /* parse service UUID from adv packet and save it in inq db eir_uuid */

    /* TODO */

        BTM_TRACE_WARNING("EIR data too long %d. discard", data_len);

        return FALSE;

    }

    btm_ble_cache_adv_data(p_cur, data_len, p, evt_type);

    if (!btm_ble_cache_adv_data(p_cur, data_len, p, evt_type)) {

        return FALSE;

    }

    p1 = (p + data_len);

    STREAM_TO_UINT8 (rssi, p1);