system/stack/bnep/bnep_main.cc +9 −4 @@ -34,6 +34,7 @@ #include "l2c_api.h" #include "l2cdefs.h" #include "log/log.h" #include "btm_api.h" #include "btu.h" @@ -478,18 +479,20 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) { org_len = rem_len; new_len = 0; do { if (org_len < 2) break; ext = *p++; length = *p++; p += length; new_len = (length + 2); if (new_len > org_len) break; if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG)) bnep_send_command_not_understood(p_bcb, *p); new_len += (length + 2); if (new_len > org_len) break; org_len -= new_len; } while (ext & 0x80); android_errorWriteLog(0x534e4554, "67863755"); } osi_free(p_buf); @@ -533,6 +536,8 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) { } else { while (extension_present && p && rem_len) { ext_type = *p++; rem_len--; android_errorWriteLog(0x534e4554, "69271284"); extension_present = ext_type >> 7; ext_type &= 0x7F; system/stack/bnep/bnep_utils.cc +23 −0 @@ -22,6 +22,8 @@ * ******************************************************************************/ #include <cutils/log.h> #include <stdio.h> #include <string.h> #include "bnep_int.h" @@ -754,6 +756,13 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p, break; case BNEP_SETUP_CONNECTION_REQUEST_MSG: if (*rem_len < 1) { BNEP_TRACE_ERROR( "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length", __func__); android_errorWriteLog(0x534e4554, "69177292"); goto bad_packet_length; } len = *p++; if (*rem_len < ((2 * len) + 1)) { BNEP_TRACE_ERROR(
@@ -779,6 +788,13 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p, break; case BNEP_FILTER_NET_TYPE_SET_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length", __func__); android_errorWriteLog(0x534e4554, "69177292"); goto bad_packet_length; } BE_STREAM_TO_UINT16(len, p); if (*rem_len < (len + 2)) { BNEP_TRACE_ERROR( @@ -804,6 +820,13 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p, break; case BNEP_FILTER_MULTI_ADDR_SET_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length", __func__); android_errorWriteLog(0x534e4554, "69177292"); goto bad_packet_length; } BE_STREAM_TO_UINT16(len, p); if (*rem_len < (len + 2)) { BNEP_TRACE_ERROR(
system/stack/bnep/bnep_main.cc +9 −4 @@ -34,6 +34,7 @@ #include "l2c_api.h" #include "l2cdefs.h" #include "log/log.h" #include "btm_api.h" #include "btu.h" @@ -478,18 +479,20 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) { org_len = rem_len; new_len = 0; do { if (org_len < 2) break; ext = *p++; length = *p++; p += length; new_len = (length + 2); if (new_len > org_len) break; if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG)) bnep_send_command_not_understood(p_bcb, *p); new_len += (length + 2); if (new_len > org_len) break; org_len -= new_len; } while (ext & 0x80); android_errorWriteLog(0x534e4554, "67863755"); } osi_free(p_buf); @@ -533,6 +536,8 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) { } else { while (extension_present && p && rem_len) { ext_type = *p++; rem_len--; android_errorWriteLog(0x534e4554, "69271284"); extension_present = ext_type >> 7; ext_type &= 0x7F;
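Review bot: In the extension-skipping loop of bnep_data_ind, `p += length;` still comes before the `*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG` comparison, and `if (new_len > org_len) break;` lets `new_len == org_len` through, so an extension that exactly fills the remaining bytes makes the comparison read one byte past the data `org_len` accounts for. The rendered page has lost its +/- markers, so this ordering is taken from page order and should be confirmed against the file. If the comparison is meant to test the extension's own control type, do it before advancing and only for a non-empty extension, `if (length && !(ext & 0x7F) && *p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG)`, and move `p += length;` to just before `org_len -= new_len;`. Separately, `android_errorWriteLog(0x534e4554, "67863755")` after the loop and `android_errorWriteLog(0x534e4554, "69271284")` in the `@@ -533` hunk appear to run for well-formed packets too; logging only in the branches that reject a length would keep the event log usable as a detection signal. The function body starts and ends outside these hunks.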
system/stack/bnep/bnep_utils.cc +23 −0 @@ -22,6 +22,8 @@ * ******************************************************************************/ #include <cutils/log.h> #include <stdio.h> #include <string.h> #include "bnep_int.h" @@ -754,6 +756,13 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p, break; case BNEP_SETUP_CONNECTION_REQUEST_MSG: if (*rem_len < 1) { BNEP_TRACE_ERROR( "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length", __func__); android_errorWriteLog(0x534e4554, "69177292"); goto bad_packet_length; } len = *p++; if (*rem_len < ((2 * len) + 1)) { BNEP_TRACE_ERROR( @@ -779,6 +788,13 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p, break; case BNEP_FILTER_NET_TYPE_SET_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length", __func__); android_errorWriteLog(0x534e4554, "69177292"); goto bad_packet_length; } BE_STREAM_TO_UINT16(len, p); if (*rem_len < (len + 2)) { BNEP_TRACE_ERROR( @@ -804,6 +820,13 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p, break; case BNEP_FILTER_MULTI_ADDR_SET_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length", __func__); android_errorWriteLog(0x534e4554, "69177292"); goto bad_packet_length; } BE_STREAM_TO_UINT16(len, p); if (*rem_len < (len + 2)) { BNEP_TRACE_ERROR(
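Review bot: The three added guards in bnep_process_control_packet repeat the same reject-and-log sequence with the bare literal `0x534e4554` and the same `"69177292"` string, and nothing on the new lines says what the literal means. A one-line comment at the first use, such as `/* 0x534e4554 is ASCII "SNET", the SafetyNet event-log tag */`, or a named constant shared with bnep_main.cc, would make the calls self-explanatory. This file takes the declaration from `<cutils/log.h>` while bnep_main.cc in the same commit adds `"log/log.h"`; using one header for `android_errorWriteLog` in both would be more consistent. The switch and the `bad_packet_length` label lie outside the hunks, so what the `goto` leaves in `*rem_len` and the returned pointer cannot be checked from here.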