
Commit b60ef5a4 authored by Subramanian Srinivasan, committed by Andre Eisenbach

Fix payload size for GATT Read by type request

Payload size for GATT Read by type request for UUID32 and UUID128
is incorrectly allocated. This leads to memory overflow when
Read by type request is sent for them and eventually results
in a crash during free. This change makes sure that the payload
can accommodate up to 128 bit UUID.

This crash is observed while running TC_GAR_CL_BV_03_C Qual test
case.

Bug: 29011042
Change-Id: Ib2b41b769b394670099f4549f204e2972f7df876
(cherry picked from commit 7da98621a4dfa8196b8d20e8955ad508f540e5d9)
parent c0811609
+5 −3
@@ -31,6 +31,8 @@

#define GATT_HDR_FIND_TYPE_VALUE_LEN    21
#define GATT_OP_CODE_SIZE   1
#define GATT_START_END_HANDLE_SIZE    4

/**********************************************************************
**   ATT protocl message building utility                              *
***********************************************************************/
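Review bot: The two new size macros in this hunk carry no comment saying what they count. GATT_START_END_HANDLE_SIZE is the two 16-bit handles (start and end) of a browse request and GATT_OP_CODE_SIZE is the single ATT opcode byte; a one-line comment on each, next to the existing GATT_HDR_FIND_TYPE_VALUE_LEN, would let the next reader verify the payload arithmetic in attp_build_browse_cmd without re-deriving it from the ATT spec. Unrelated to the change, the context line above reads "protocl" and could be corrected to "protocol" while this file is being touched.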
@@ -125,10 +127,10 @@ BT_HDR *attp_build_err_cmd(UINT8 cmd_code, UINT16 err_handle, UINT8 reason)
*******************************************************************************/
BT_HDR *attp_build_browse_cmd(UINT8 op_code, UINT16 s_hdl, UINT16 e_hdl, tBT_UUID uuid)
{
    UINT8 *p;
    BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 8 + L2CAP_MIN_OFFSET);
    const size_t payload_size = (GATT_OP_CODE_SIZE) + (GATT_START_END_HANDLE_SIZE) + (LEN_UUID_128);
    BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);

    p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
    UINT8 *p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
    /* Describe the built message location and size */
    p_buf->offset = L2CAP_MIN_OFFSET;
    p_buf->len = GATT_OP_CODE_SIZE + 4;
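Review bot: The allocation is now sized from the macros, but the unchanged trailing context line `p_buf->len = GATT_OP_CODE_SIZE + 4;` still hard-codes the handle size as a literal 4; it should become `p_buf->len = GATT_OP_CODE_SIZE + GATT_START_END_HANDLE_SIZE;` so the length bookkeeping and the buffer size are derived from the same constants and cannot drift apart again. The fix itself is sound: the old fixed 8-byte payload only had room for opcode (1) + two handles (4) + a 16-bit UUID (2), so a 32-bit UUID (9 bytes) or a 128-bit UUID (17 bytes) wrote past the end of the osi_malloc'd block, which matches the heap corruption and crash-in-free described in the commit message; sizing for LEN_UUID_128 unconditionally over-allocates a few bytes for 16-bit UUIDs, which is an acceptable trade for a single fixed bound. Also worth noting for reviewers: the removed `UINT8 *p;` declaration is replaced by the combined `UINT8 *p = ...` line, so make sure no other use of `p` remains between the allocation and that line after the hunk is applied.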