Loading system/stack/bnep/bnep_main.c +9 −5 Original line number Diff line number Diff line Loading @@ -35,6 +35,7 @@ #include "l2c_api.h" #include "l2cdefs.h" #include "log/log.h" #include "btu.h" #include "btm_api.h" Loading Loading @@ -514,20 +515,21 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) org_len = rem_len; new_len = 0; do { if (org_len < 2) break; ext = *p++; length = *p++; p += length; new_len = (length + 2); if (new_len > org_len) break; if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG)) bnep_send_command_not_understood (p_bcb, *p); new_len += (length + 2); if (new_len > org_len) break; org_len -= new_len; } while (ext & 0x80); android_errorWriteLog(0x534e4554, "67863755"); } GKI_freebuf (p_buf); Loading Loading @@ -580,6 +582,8 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) while (extension_present && p && rem_len) { ext_type = *p++; rem_len--; android_errorWriteLog(0x534e4554, "69271284"); extension_present = ext_type >> 7; ext_type &= 0x7F; Loading system/stack/bnep/bnep_utils.c +23 −0 Original line number Diff line number Diff line Loading @@ -22,6 +22,8 @@ * ******************************************************************************/ #include <cutils/log.h> #include <stdio.h> #include <string.h> #include "gki.h" Loading Loading @@ -828,6 +830,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len case BNEP_SETUP_CONNECTION_REQUEST_MSG: len = *p++; if (*rem_len < 1) { BNEP_TRACE_ERROR( "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length", __func__); android_errorWriteLog(0x534e4554, "69177292"); goto bad_packet_length; } if (*rem_len < ((2 * len) + 1)) { BNEP_TRACE_ERROR( "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length", Loading @@ -854,6 +863,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len break; case BNEP_FILTER_NET_TYPE_SET_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length", __func__); android_errorWriteLog(0x534e4554, "69177292"); goto bad_packet_length; } BE_STREAM_TO_UINT16 (len, p); if (*rem_len < (len + 2)) { Loading @@ -880,6 +896,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len break; case BNEP_FILTER_MULTI_ADDR_SET_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length", __func__); android_errorWriteLog(0x534e4554, "69177292"); goto bad_packet_length; } BE_STREAM_TO_UINT16 (len, p); if (*rem_len < (len + 2)) { Loading Loading
system/stack/bnep/bnep_main.c +9 −5 Original line number Diff line number Diff line Loading @@ -35,6 +35,7 @@ #include "l2c_api.h" #include "l2cdefs.h" #include "log/log.h" #include "btu.h" #include "btm_api.h" Loading Loading @@ -514,20 +515,21 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) org_len = rem_len; new_len = 0; do { if (org_len < 2) break; ext = *p++; length = *p++; p += length; new_len = (length + 2); if (new_len > org_len) break; if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG)) bnep_send_command_not_understood (p_bcb, *p); new_len += (length + 2); if (new_len > org_len) break; org_len -= new_len; } while (ext & 0x80); android_errorWriteLog(0x534e4554, "67863755"); } GKI_freebuf (p_buf); Loading Loading @@ -580,6 +582,8 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) while (extension_present && p && rem_len) { ext_type = *p++; rem_len--; android_errorWriteLog(0x534e4554, "69271284"); extension_present = ext_type >> 7; ext_type &= 0x7F; Loading
system/stack/bnep/bnep_utils.c +23 −0 Original line number Diff line number Diff line Loading @@ -22,6 +22,8 @@ * ******************************************************************************/ #include <cutils/log.h> #include <stdio.h> #include <string.h> #include "gki.h" Loading Loading @@ -828,6 +830,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len case BNEP_SETUP_CONNECTION_REQUEST_MSG: len = *p++; if (*rem_len < 1) { BNEP_TRACE_ERROR( "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length", __func__); android_errorWriteLog(0x534e4554, "69177292"); goto bad_packet_length; } if (*rem_len < ((2 * len) + 1)) { BNEP_TRACE_ERROR( "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length", Loading @@ -854,6 +863,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len break; case BNEP_FILTER_NET_TYPE_SET_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length", __func__); android_errorWriteLog(0x534e4554, "69177292"); goto bad_packet_length; } BE_STREAM_TO_UINT16 (len, p); if (*rem_len < (len + 2)) { Loading @@ -880,6 +896,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len break; case BNEP_FILTER_MULTI_ADDR_SET_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length", __func__); android_errorWriteLog(0x534e4554, "69177292"); goto bad_packet_length; } BE_STREAM_TO_UINT16 (len, p); if (*rem_len < (len + 2)) { Loading
