Merge "DO NOT MERGE Fix unexpected behavior in reading BNEP packets" into mnc-dev am: ae339de11c (7de7acec) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/bnep/bnep_main.c

+9 −5

Original line number	Original line	Diff line number	Diff line
	@@ -35,6 +35,7 @@

	#include "l2c_api.h"		#include "l2c_api.h"
	#include "l2cdefs.h"		#include "l2cdefs.h"
			#include "log/log.h"

	#include "btu.h"		#include "btu.h"
	#include "btm_api.h"		#include "btm_api.h"
	@@ -514,20 +515,21 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
	org_len = rem_len;		org_len = rem_len;
	new_len = 0;		new_len = 0;
	do {		do {
			if (org_len < 2) break;
	ext = *p++;		ext = *p++;
	length = *p++;		length = *p++;
	p += length;		p += length;

			new_len = (length + 2);
			if (new_len > org_len) break;

	if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))		if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))
	bnep_send_command_not_understood (p_bcb, *p);		bnep_send_command_not_understood (p_bcb, *p);

	new_len += (length + 2);		org_len -= new_len;

	if (new_len > org_len)
	break;

	} while (ext & 0x80);		} while (ext & 0x80);
			android_errorWriteLog(0x534e4554, "67863755");
	}		}

	GKI_freebuf (p_buf);		GKI_freebuf (p_buf);
	@@ -580,6 +582,8 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
	while (extension_present && p && rem_len)		while (extension_present && p && rem_len)
	{		{
	ext_type = *p++;		ext_type = *p++;
			rem_len--;
			android_errorWriteLog(0x534e4554, "69271284");
	extension_present = ext_type >> 7;		extension_present = ext_type >> 7;
	ext_type &= 0x7F;		ext_type &= 0x7F;

system/stack/bnep/bnep_utils.c

+23 −0

Original line number	Original line	Diff line number	Diff line
	@@ -22,6 +22,8 @@
	*		*
	******************************************************************************/		******************************************************************************/

			#include <cutils/log.h>

	#include <stdio.h>		#include <stdio.h>
	#include <string.h>		#include <string.h>
	#include "gki.h"		#include "gki.h"
	@@ -828,6 +830,13 @@ UINT8 bnep_process_control_packet (tBNEP_CONN p_bcb, UINT8 p, UINT16 rem_len

	case BNEP_SETUP_CONNECTION_REQUEST_MSG:		case BNEP_SETUP_CONNECTION_REQUEST_MSG:
	len = *p++;		len = *p++;
			if (*rem_len < 1) {
			BNEP_TRACE_ERROR(
			"%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
			__func__);
			android_errorWriteLog(0x534e4554, "69177292");
			goto bad_packet_length;
			}
	if (rem_len < ((2 len) + 1)) {		if (rem_len < ((2 len) + 1)) {
	BNEP_TRACE_ERROR(		BNEP_TRACE_ERROR(
	"%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",		"%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
	@@ -854,6 +863,13 @@ UINT8 bnep_process_control_packet (tBNEP_CONN p_bcb, UINT8 p, UINT16 rem_len
	break;		break;

	case BNEP_FILTER_NET_TYPE_SET_MSG:		case BNEP_FILTER_NET_TYPE_SET_MSG:
			if (*rem_len < 2) {
			BNEP_TRACE_ERROR(
			"%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
			__func__);
			android_errorWriteLog(0x534e4554, "69177292");
			goto bad_packet_length;
			}
	BE_STREAM_TO_UINT16 (len, p);		BE_STREAM_TO_UINT16 (len, p);
	if (*rem_len < (len + 2))		if (*rem_len < (len + 2))
	{		{
	@@ -880,6 +896,13 @@ UINT8 bnep_process_control_packet (tBNEP_CONN p_bcb, UINT8 p, UINT16 rem_len
	break;		break;

	case BNEP_FILTER_MULTI_ADDR_SET_MSG:		case BNEP_FILTER_MULTI_ADDR_SET_MSG:
			if (*rem_len < 2) {
			BNEP_TRACE_ERROR(
			"%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
			__func__);
			android_errorWriteLog(0x534e4554, "69177292");
			goto bad_packet_length;
			}
	BE_STREAM_TO_UINT16 (len, p);		BE_STREAM_TO_UINT16 (len, p);
	if (*rem_len < (len + 2))		if (*rem_len < (len + 2))
	{		{