
Commit ab456c84 authored by Keith Mok's avatar Keith Mok Committed by Automerger Merge Worker

Merge "Add length check when copy AVDT and AVCT packet" into tm-dev am: 18b18341

parents 209065e5 18b18341
+7 −1
@@ -94,13 +94,19 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) {
    if (p_lcb->p_rx_msg != NULL)
    if (p_lcb->p_rx_msg != NULL)
      AVCT_TRACE_WARNING("Got start during reassembly");
      AVCT_TRACE_WARNING("Got start during reassembly");


    osi_free(p_lcb->p_rx_msg);
    osi_free_and_reset((void**)&p_lcb->p_rx_msg);


    /*
    /*
     * Allocate bigger buffer for reassembly. As lower layers are
     * Allocate bigger buffer for reassembly. As lower layers are
     * not aware of possible packet size after reassembly, they
     * not aware of possible packet size after reassembly, they
     * would have allocated smaller buffer.
     * would have allocated smaller buffer.
     */
     */
    if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
      android_errorWriteLog(0x534e4554, "232023771");
      osi_free(p_buf);
      p_ret = NULL;
      return p_ret;
    }
    p_lcb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
    p_lcb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
    memcpy(p_lcb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
    memcpy(p_lcb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
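Review bot: The new early return in the size check frees `p_buf` before returning NULL, so this branch now consumes the caller's buffer, and nothing in the hunk states that contract. The callers are not visible here; any caller that frees the buffer itself when NULL comes back would double-free, so this is worth confirming and documenting above the check with a comment such as `/* Oversized start fragment: drop it. p_buf is consumed on this path; callers must not free it again. */`. The same applies to the matching branch in the avdt_msg_asmbl hunk. Separately, `p_ret = NULL; return p_ret;` reads more plainly as `return NULL;`. avct_lcb_msg_asmbl starts and ends outside the hunk.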


+4 −2
@@ -1251,11 +1251,13 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
     * not aware of possible packet size after reassembly, they
     * not aware of possible packet size after reassembly, they
     * would have allocated smaller buffer.
     * would have allocated smaller buffer.
     */
     */
    p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
    if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
    if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
      android_errorWriteLog(0x534e4554, "232023771");
      android_errorWriteLog(0x534e4554, "232023771");
      return NULL;
      osi_free(p_buf);
      p_ret = NULL;
      return p_ret;
    }
    }
    p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
    memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
    memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);


    /* Free original buffer */
    /* Free original buffer */
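Review bot: Moving the size check ahead of the `osi_malloc` means the early return now leaves `p_ccb->p_rx_msg` holding whatever it held before, and the line that releases the previous message is above this hunk and not visible. If that line is still a plain `osi_free(p_ccb->p_rx_msg)`, the pointer dangles once an oversized start fragment is rejected, and later reassembly code could touch freed memory. It should be `osi_free_and_reset((void**)&p_ccb->p_rx_msg);`, as the AVCT hunk in this commit does. avdt_msg_asmbl's body starts and ends outside the hunk.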