
Commit 7d701422 authored by Hemant Gupta's avatar Hemant Gupta Committed by Andre Eisenbach

Add proper checks for PAN & BNEP in BD stack

This patch fixes issues for PAN & BNEP in BD stack identified
by a static analysis tool.

Change-Id: I29417dae982abb5cef11379f8d03baad11ffde8b
parent a0275c0b
+19 −12
@@ -36,6 +36,7 @@
#include "btif_sock_thread.h"
#include <string.h>
#include "btif_util.h"
#include "btcore/include/bdaddr.h"

/*******************************************************************************
**
@@ -164,31 +165,37 @@ void bta_pan_co_tx_path(UINT16 handle, UINT8 app_id)
    BOOLEAN            ext;
    BOOLEAN         forward;

    BTIF_TRACE_API("bta_pan_co_tx_path, handle:%d, app_id:%d", handle, app_id);
    BTIF_TRACE_API("%s, handle:%d, app_id:%d", __func__, handle, app_id);

    btpan_conn_t* conn = btpan_find_conn_handle(handle);
    if(!conn || conn->state != PAN_STATE_OPEN)
    if (!conn)
    {
        BTIF_TRACE_ERROR("bta_pan_co_tx_path: cannot find pan connction or conn"
            "is not opened, conn:%p, conn->state:%d", conn, conn ? conn->state : -1);
        BTIF_TRACE_ERROR("%s: cannot find pan connection", __func__);
        return;
    }
    else if(conn->state != PAN_STATE_OPEN)
    {
        BTIF_TRACE_ERROR("%s: conn is not opened, conn:%p, conn->state:%d",
            __func__, conn, conn->state);
        return;
    }

    do
    {
        /* read next data buffer from pan */
        if ((p_buf = bta_pan_ci_readbuf(handle, src, dst, &protocol,
                                 &ext, &forward)))
        {
            BTIF_TRACE_DEBUG("bta_pan_co_tx_path, calling btapp_tap_send, "
                "p_buf->len:%d, offset:%d", p_buf->len, p_buf->offset);
            bdstr_t bdstr;
            BTIF_TRACE_DEBUG("%s, calling btapp_tap_send, "
                "p_buf->len:%d, offset:%d", __func__, p_buf->len, p_buf->offset);
            if(is_empty_eth_addr(conn->eth_addr) && is_valid_bt_eth_addr(src))
            {
                BTIF_TRACE_DEBUG("pan bt peer addr: %02x:%02x:%02x:%02x:%02x:%02x",
                    conn->peer[0], conn->peer[1], conn->peer[2],
                    conn->peer[3],conn->peer[4], conn->peer[5]);
                BTIF_TRACE_DEBUG("     update its ethernet addr: "
                    "%02x:%02x:%02x:%02x:%02x:%02x", src[0], src[1], src[2],
                    src[3],src[4], src[5]);
                BTIF_TRACE_DEBUG("%s pan bt peer addr: %s", __func__,
                    bdaddr_to_string((bt_bdaddr_t *)conn->peer, bdstr, sizeof(bdstr)));
                bdaddr_to_string((bt_bdaddr_t *)src, bdstr, sizeof(bdstr));
                BTIF_TRACE_DEBUG("%s:     update its ethernet addr: %s", __func__,
                    bdaddr_to_string((bt_bdaddr_t *)src, bdstr, sizeof(bdstr)));
                memcpy(conn->eth_addr, src, sizeof(conn->eth_addr));

            }
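Review bot: The standalone `bdaddr_to_string((bt_bdaddr_t *)src, bdstr, sizeof(bdstr));` added just before the second BTIF_TRACE_DEBUG is redundant: its result is discarded and the trace on the next line performs the identical call into the same `bdstr`. Drop the standalone line and keep only the call inside the trace. The reordered guard (`if (!conn)` followed by `else if (conn->state != PAN_STATE_OPEN)`) correctly avoids reading `conn->state` through a null pointer, though the second branch can be a plain `if` since the first one returns. bta_pan_co_tx_path's body continues past the end of the hunk.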
+1 −0
@@ -38,6 +38,7 @@
#define PANU_SERVICE_NAME "Android Network User"
#define TAP_IF_NAME "bt-pan"
#define ETH_ADDR_LEN        6
#define TAP_MAX_PKT_WRITE_LEN 2000
#ifndef PAN_SECURITY
#define PAN_SECURITY (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_OUT_ENCRYPT)
#endif
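Review bot: The added `TAP_MAX_PKT_WRITE_LEN` (presumably the one new line in this section) has no comment explaining what it bounds, so a reader at the definition cannot see that it replaces the literal 2000 in btpan_tap_send and that the packet buffer there adds `sizeof(tETH_HDR)` on top of it. Suggest a one-line comment above it such as `/* max payload bytes btpan_tap_send() accepts per packet; the Ethernet header is added on top */`, adjusted if the limit is meant to cover something else.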
+2 −2
@@ -441,9 +441,9 @@ int btpan_tap_send(int tap_fd, const BD_ADDR src, const BD_ADDR dst, UINT16 prot
        memcpy(&eth_hdr.h_dest, dst, ETH_ADDR_LEN);
        memcpy(&eth_hdr.h_src, src, ETH_ADDR_LEN);
        eth_hdr.h_proto = htons(proto);
        char packet[2000];
        char packet[TAP_MAX_PKT_WRITE_LEN + sizeof(tETH_HDR)];
        memcpy(packet, &eth_hdr, sizeof(tETH_HDR));
        if (len > 2000)
        if (len > TAP_MAX_PKT_WRITE_LEN)
        {
            LOG_ERROR("btpan_tap_send eth packet size:%d is exceeded limit!", len);
            return -1;
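Review bot: The new `if (len > TAP_MAX_PKT_WRITE_LEN)` guard only bounds `len` from above; the parameter's type is cut off in the hunk header, and if it is a signed type a negative `len` passes the check and reaches whatever copy follows outside the hunk. If it is signed, extend the check to `if (len < 0 || len > TAP_MAX_PKT_WRITE_LEN)`, or make the parameter unsigned. The check would also read better placed before the header memcpy and the `packet` declaration, so nothing touches the buffer before the length is validated. btpan_tap_send's body continues past the hunk.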
+2 −2
@@ -370,8 +370,8 @@ static void bnep_disconnect_ind (UINT16 l2cap_cid, BOOLEAN ack_needed)
    }
    else
    {
        if (((p_bcb->con_flags & BNEP_FLAGS_IS_ORIG) && (bnep_cb.p_conn_state_cb)) ||
            p_bcb->con_flags & BNEP_FLAGS_CONN_COMPLETED)
        if ((bnep_cb.p_conn_state_cb) && ((p_bcb->con_flags & BNEP_FLAGS_IS_ORIG) ||
            (p_bcb->con_flags & BNEP_FLAGS_CONN_COMPLETED)))
            (*bnep_cb.p_conn_state_cb) (p_bcb->handle, p_bcb->rem_bda, BNEP_CONN_FAILED, FALSE);
    }

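Review bot: The `(*bnep_cb.p_conn_state_cb)(...)` call guarded by the rewritten condition is still an unbraced single-statement body under a two-line condition, which is the shape that hides misplaced-statement bugs; brace it. The condition can also drop the duplicated `p_bcb->con_flags &` term: `if (bnep_cb.p_conn_state_cb && (p_bcb->con_flags & (BNEP_FLAGS_IS_ORIG | BNEP_FLAGS_CONN_COMPLETED))) {`. The null check on the callback now covers the CONN_COMPLETED case as well, which the old expression did not. bnep_disconnect_ind begins before the hunk.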
+9 −3
@@ -174,10 +174,11 @@ void bnep_send_conn_req (tBNEP_CONN *p_bcb)
    BT_HDR  *p_buf;
    UINT8   *p, *p_start;

    BNEP_TRACE_DEBUG ("BNEP sending setup req with dst uuid %x", p_bcb->dst_uuid.uu.uuid16);
    BNEP_TRACE_DEBUG ("%s: sending setup req with dst uuid %x",
        __func__, p_bcb->dst_uuid.uu.uuid16);
    if ((p_buf = (BT_HDR *)GKI_getpoolbuf (BNEP_POOL_ID)) == NULL)
    {
        BNEP_TRACE_ERROR ("BNEP - not able to send connection request");
        BNEP_TRACE_ERROR ("%s: not able to send connection request", __func__);
        return;
    }

@@ -202,13 +203,18 @@ void bnep_send_conn_req (tBNEP_CONN *p_bcb)
        UINT32_TO_BE_STREAM (p, p_bcb->dst_uuid.uu.uuid32);
        UINT32_TO_BE_STREAM (p, p_bcb->src_uuid.uu.uuid32);
    }
    else
    else if (p_bcb->dst_uuid.len == 16)
    {
        memcpy (p, p_bcb->dst_uuid.uu.uuid128, p_bcb->dst_uuid.len);
        p += p_bcb->dst_uuid.len;
        memcpy (p, p_bcb->src_uuid.uu.uuid128, p_bcb->dst_uuid.len);
        p += p_bcb->dst_uuid.len;
    }
    else
    {
        BNEP_TRACE_ERROR ("%s: uuid: %x, invalid length: %x",
            __func__, p_bcb->dst_uuid.uu.uuid16, p_bcb->dst_uuid.len);
    }

    p_buf->len = (UINT16)(p - p_start);
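Review bot: The new `else` branch in the second hunk logs the invalid `dst_uuid.len` but then falls through to `p_buf->len = (UINT16)(p - p_start);` and whatever follows outside the hunk, so a setup request carrying no UUIDs is presumably still built from the GKI buffer obtained in the first hunk. Unless callers cannot reach this with an unexpected length, the branch should release the buffer and stop, i.e. `GKI_freebuf(p_buf); return;` after the trace. The error trace prints `uu.uuid16` for a UUID whose length is not 2, which reads a union member that may not be the active one; printing only the length is clearer. The uuid128 branch also copies `src_uuid` using `dst_uuid.len`, which assumes both UUIDs share a length — confirm that holds. bnep_send_conn_req's body continues past the hunk.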