[automerger] DO NOT MERGE Handle bad packet length in gatts_process_read_req... (a30e029a) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/gatt/gatt_sr.c

+16 −4

Original line number	Diff line number	Diff line
		@@ -27,6 +27,7 @@

		#if BLE_INCLUDED == TRUE
		#include <string.h>
		#include <log/log.h>
		#include "gatt_int.h"
		#include "l2c_api.h"
		#include "l2c_int.h"
		@@ -330,8 +331,6 @@ void gatt_process_exec_write_req (tGATT_TCB *p_tcb, UINT8 op_code, UINT16 len, U
		tGATT_IF gatt_if;
		UINT16 conn_id;

		UNUSED(len);

		#if GATT_CONFORMANCE_TESTING == TRUE
		if (gatt_cb.enable_err_rsp && gatt_cb.req_op_code == op_code)
		{
		@@ -344,6 +343,13 @@ void gatt_process_exec_write_req (tGATT_TCB *p_tcb, UINT8 op_code, UINT16 len, U
		}
		#endif

		if (len < sizeof(flag)) {
		android_errorWriteLog(0x534e4554, "73172115");
		GATT_TRACE_ERROR("%s: invalid length", __func__);
		gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, GATT_REQ_EXEC_WRITE, 0, false);
		return;
		}

		STREAM_TO_UINT8(flag, p);

		/* mask the flag */
		@@ -1143,7 +1149,13 @@ static void gatts_process_read_req(tGATT_TCB p_tcb, tGATT_SR_REG p_rcb, UINT8
		UINT16 offset = 0, value_len = 0;
		BT_HDR p_msg = (BT_HDR )osi_calloc(buf_len);

		UNUSED(len);
		if (op_code == GATT_REQ_READ_BLOB && len < sizeof(UINT16)) {
		/* Error: packet length is too short */
		android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0);
		GATT_TRACE_ERROR("%s: invalid length", __func__);
		gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, op_code, 0, false);
		return;
		}

		if (op_code == GATT_REQ_READ_BLOB)
		STREAM_TO_UINT16(offset, p_data);
		@@ -1174,7 +1186,7 @@ static void gatts_process_read_req(tGATT_TCB p_tcb, tGATT_SR_REG p_rcb, UINT8
		{
		osi_free(p_msg);

		/* in theroy BUSY is not possible(should already been checked), protected check */
		/* in theory BUSY is not possible(should already been checked), protected check */
		if (reason != GATT_PENDING && reason != GATT_BUSY)
		gatt_send_error_rsp (p_tcb, reason, op_code, handle, FALSE);
		}