[automerger] DO NOT MERGE process_l2cap_cmd: Fix OOB am: 896111aac6 am: 73dfa5fee8 (95195fbb) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/l2cap/l2c_main.c

+30 −6

Original line number	Original line	Diff line number	Diff line
	@@ -488,7 +488,11 @@ static void process_l2cap_cmd (tL2C_LCB p_lcb, UINT8 p, UINT16 pkt_len)
	{		{
	case L2CAP_CFG_TYPE_MTU:		case L2CAP_CFG_TYPE_MTU:
	cfg_info.mtu_present = TRUE;		cfg_info.mtu_present = TRUE;
	if (p + 2 > p_next_cmd) {		if (cfg_len != 2) {
			android_errorWriteLog(0x534e4554, "119870451");
			return;
			}
			if (p + cfg_len > p_next_cmd) {
	android_errorWriteLog(0x534e4554, "74202041");		android_errorWriteLog(0x534e4554, "74202041");
	return;		return;
	}		}
	@@ -497,7 +501,11 @@ static void process_l2cap_cmd (tL2C_LCB p_lcb, UINT8 p, UINT16 pkt_len)

	case L2CAP_CFG_TYPE_FLUSH_TOUT:		case L2CAP_CFG_TYPE_FLUSH_TOUT:
	cfg_info.flush_to_present = TRUE;		cfg_info.flush_to_present = TRUE;
	if (p + 2 > p_next_cmd) {		if (cfg_len != 2) {
			android_errorWriteLog(0x534e4554, "119870451");
			return;
			}
			if (p + cfg_len > p_next_cmd) {
	android_errorWriteLog(0x534e4554, "74202041");		android_errorWriteLog(0x534e4554, "74202041");
	return;		return;
	}		}
	@@ -506,7 +514,11 @@ static void process_l2cap_cmd (tL2C_LCB p_lcb, UINT8 p, UINT16 pkt_len)

	case L2CAP_CFG_TYPE_QOS:		case L2CAP_CFG_TYPE_QOS:
	cfg_info.qos_present = TRUE;		cfg_info.qos_present = TRUE;
	if (p + 2 + 5 * 4 > p_next_cmd) {		if (cfg_len != 2 + 5 * 4) {
			android_errorWriteLog(0x534e4554, "119870451");
			return;
			}
			if (p + cfg_len > p_next_cmd) {
	android_errorWriteLog(0x534e4554, "74202041");		android_errorWriteLog(0x534e4554, "74202041");
	return;		return;
	}		}
	@@ -521,7 +533,11 @@ static void process_l2cap_cmd (tL2C_LCB p_lcb, UINT8 p, UINT16 pkt_len)

	case L2CAP_CFG_TYPE_FCR:		case L2CAP_CFG_TYPE_FCR:
	cfg_info.fcr_present = TRUE;		cfg_info.fcr_present = TRUE;
	if (p + 3 + 3 * 2 > p_next_cmd) {		if (cfg_len != 3 + 3 * 2) {
			android_errorWriteLog(0x534e4554, "119870451");
			return;
			}
			if (p + cfg_len > p_next_cmd) {
	android_errorWriteLog(0x534e4554, "74202041");		android_errorWriteLog(0x534e4554, "74202041");
	return;		return;
	}		}
	@@ -535,7 +551,11 @@ static void process_l2cap_cmd (tL2C_LCB p_lcb, UINT8 p, UINT16 pkt_len)

	case L2CAP_CFG_TYPE_FCS:		case L2CAP_CFG_TYPE_FCS:
	cfg_info.fcs_present = TRUE;		cfg_info.fcs_present = TRUE;
	if (p + 1 > p_next_cmd) {		if (cfg_len != 1) {
			android_errorWriteLog(0x534e4554, "119870451");
			return;
			}
			if (p + cfg_len > p_next_cmd) {
	android_errorWriteLog(0x534e4554, "74202041");		android_errorWriteLog(0x534e4554, "74202041");
	return;		return;
	}		}
	@@ -544,7 +564,11 @@ static void process_l2cap_cmd (tL2C_LCB p_lcb, UINT8 p, UINT16 pkt_len)

	case L2CAP_CFG_TYPE_EXT_FLOW:		case L2CAP_CFG_TYPE_EXT_FLOW:
	cfg_info.ext_flow_spec_present = TRUE;		cfg_info.ext_flow_spec_present = TRUE;
	if (p + 2 + 2 + 3 * 4 > p_next_cmd) {		if (cfg_len != 1 + 2 + 3 * 4) {
			android_errorWriteLog(0x534e4554, "119870451");
			return;
			}
			if (p + cfg_len > p_next_cmd) {
	android_errorWriteLog(0x534e4554, "74202041");		android_errorWriteLog(0x534e4554, "74202041");
	return;		return;
	}		}

system/stack/l2cap/l2c_utils.c

+3 −0

Original line number	Original line	Diff line number	Diff line
	@@ -859,6 +859,9 @@ void l2cu_send_peer_config_rej (tL2C_CCB p_ccb, UINT8 p_data, UINT16 data_len,
	case L2CAP_CFG_TYPE_MTU:		case L2CAP_CFG_TYPE_MTU:
	case L2CAP_CFG_TYPE_FLUSH_TOUT:		case L2CAP_CFG_TYPE_FLUSH_TOUT:
	case L2CAP_CFG_TYPE_QOS:		case L2CAP_CFG_TYPE_QOS:
			case L2CAP_CFG_TYPE_FCR:
			case L2CAP_CFG_TYPE_FCS:
			case L2CAP_CFG_TYPE_EXT_FLOW:
	p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;		p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
	break;		break;