
Commit b993e557 authored by Kim Schulz Committed by Zhihai Xu

Fixes for problems found with coverity analyzer

- fixed UNINITIALIZED variable (hdl) in bta_hh_act.c :220
- fixed possible RESOURCE LEAK in btif_config_util.cpp in relation to open_file_map() if file is fd size=0
- fixed possible RESOURCE LEAK in create_socket_server() in uipc:196 (s not closed)
- fixed possible OVERRUN in  l2c_csm.c, (l2c_csm_config), array "l2cb.fixed_reg" of 4 20-byte elements at element index 60 (byte offset 1200) using index "p_ccb->local_cid - 3" (which evaluates to 60)
- fixed possible OVERRUN in btm_pm.c, (btm_pm_reset) array "btm_cb.acl_db" of 7 288-byte elements at element index 7 (byte offset 2016) using index "btm_cb.pm_pend_link" (which evaluates to 7).
- fixed possible OVERRUN in btif_storage.c, (btif_storage_add_device_to_autopair_blacklist) array "input_value" of 20 bytes by passing it to a function which accesses it at byte offset 20 using argument "20U".
patch set 2:
- fixed {}
Patch set 3:
- fixed review comment in stack/btm/btm_pm.c:379

bug: 10777562
Change-Id: I2a6d57f93acaaf9b25c49a6a29cb60d0e1e3c5d8
parent 285ec59a
+6 −6
@@ -839,14 +839,14 @@ void bta_dm_bond (tBTA_DM_MSG *p_data)
    if (bta_dm_cb.p_sec_cback && (status != BTM_CMD_STARTED))
    {

        p_name = BTM_SecReadDevName(p_data->bond.bd_addr);
        if (!p_name)
            p_name = "";

        memset(&sec_event, 0, sizeof(tBTA_DM_SEC));
        bdcpy(sec_event.auth_cmpl.bd_addr, p_data->bond.bd_addr);
        p_name = BTM_SecReadDevName(p_data->bond.bd_addr);
        if (p_name != NULL)
        {
            memcpy(sec_event.auth_cmpl.bd_name, p_name, (BD_NAME_LEN-1));
            sec_event.auth_cmpl.bd_name[BD_NAME_LEN-1] = 0;
        }

/*      taken care of by memset [above]
        sec_event.auth_cmpl.key_present = FALSE;
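Review bot: The `memcpy` inside the new `if (p_name != NULL)` block still reads a fixed `BD_NAME_LEN-1` bytes from `p_name`, so it is only safe if `BTM_SecReadDevName()` always returns a buffer at least that large, which is not visible in this section. A copy bounded by the source terminator removes that dependency and matches the `strlcpy` use elsewhere in this commit: `strlcpy((char *)sec_event.auth_cmpl.bd_name, p_name, BD_NAME_LEN);` (cast only if the field's type requires it). If the fixed-length copy is kept, a comment stating the buffer-size guarantee it relies on would help the next reader. The body of bta_dm_bond starts and ends outside the section shown.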
+4 −0
@@ -222,6 +222,10 @@ static void bta_hh_sdp_cback(UINT16 result, UINT16 attr_mask,
                    p_cb->app_id = 0;
                }
            } 
            else
            {
                hdl = p_cb->hid_handle;
            }
            /* else : incoming connection after SDP should update the SDP information as well */

            if (p_cb->app_id != 0)
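Review bot: The comment `/* else : incoming connection after SDP should update the SDP information as well */` now sits directly after a real `else` block, where it reads as if a further branch were missing. I would move it inside the new block, above `hdl = p_cb->hid_handle;`, as `/* incoming connection after SDP: update the SDP information as well */`. Whether `p_cb->hid_handle` always holds a valid handle on this path cannot be seen from these lines; if it can carry an invalid-handle value here, the code that uses `hdl` below has to tolerate that. bta_hh_sdp_cback continues outside the section shown.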
+6 −0
@@ -470,6 +470,8 @@ static int load_bluez_cfg_value(const char* adapter_path, const char* file_name)
    {
        error("open_file_map fail, fd:%d, path:%s, size:%d", fd, path, size);
        //debug("out");
        if (fd >= 0)
            close(fd);
        return FALSE;
    }
    //get local bt device name from bluez config
@@ -539,6 +541,8 @@ static int load_bluez_dev_value(const char* adapter_path, const char* bd_addr,
    {
        error("open_file_map fail, fd:%d, path:%s, size:%d", fd, path, size);
        //debug("out");
        if (fd >= 0)
            close(fd);
        return FALSE;
    }
    int line_size = 0;
@@ -597,6 +601,8 @@ int load_bluez_linkkeys(const char* adapter_path)
    {
        error("open_file_map fail, fd:%d, path:%s, size:%d", fd, path, size);
        //debug("out");
        if (fd >= 0)
            close(fd);
        return FALSE;
    }
    int pos = 0;
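Review bot: The added `if (fd >= 0) close(fd);` in the three failure branches (load_bluez_cfg_value, load_bluez_dev_value, load_bluez_linkkeys) is only correct if `fd` holds either a valid descriptor or a negative value on every failure path of `open_file_map()`; neither the declaration of `fd` nor that function is visible here. If `fd` can be left uninitialised when the open itself fails, the guard could close an unrelated descriptor, so initialising it at the declaration (`int fd = -1;`) would make the cleanup safe regardless. Since the same two lines are repeated three times, closing the descriptor inside `open_file_map()` on its own failure path would also keep a future caller from reintroducing the leak. Each function's body extends beyond the hunks shown.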
+3 −2
@@ -1684,8 +1684,9 @@ bt_status_t btif_storage_add_device_to_autopair_blacklist(bt_bdaddr_t *remote_bd
    char input_value [20];

    bd2str(remote_bd_addr, &bdstr);
    strncpy(input_value, (char*)bdstr, 20);
    strncat(input_value,BTIF_AUTO_PAIR_CONF_VALUE_SEPARATOR, 20);
    strlcpy(input_value, (char*)bdstr, sizeof(input_value));
    strlcat(input_value,BTIF_AUTO_PAIR_CONF_VALUE_SEPARATOR, sizeof(input_value));

    int line_size = sizeof(linebuf);
    if(btif_config_get_str("Local", BTIF_STORAGE_PATH_AUTOPAIR_BLACKLIST,
                            BTIF_STORAGE_KEY_AUTOPAIR_DYNAMIC_BLACKLIST_ADDR, linebuf, &line_size))
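Review bot: The return values of `strlcpy` and `strlcat` on `input_value` are ignored, so an address string plus separator that does not fit in the 20-byte buffer is now silently truncated rather than overrunning it. The truncated value then appears to be matched against or stored in the auto-pair blacklist line read by `btif_config_get_str` (the remainder of the function is outside the section), where a missing separator could miss or corrupt an entry. I would check the final length and fail explicitly: `if (strlcat(input_value, BTIF_AUTO_PAIR_CONF_VALUE_SEPARATOR, sizeof(input_value)) >= sizeof(input_value)) return BT_STATUS_FAIL;`. Deriving the size of `input_value` from the address-string and separator lengths instead of the literal `20` would also document why the buffer is large enough.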
+4 −3
@@ -369,8 +369,6 @@ void btm_pm_reset(void)
        cb = btm_cb.pm_reg_db[btm_cb.pm_pend_id].cback;
    }

    /* no command pending */
    btm_cb.pm_pend_link = MAX_L2CAP_LINKS;

    /* clear the register record */
    for(xx=0; xx<BTM_MAX_PM_RECORDS; xx++)
@@ -378,8 +376,11 @@ void btm_pm_reset(void)
        btm_cb.pm_reg_db[xx].mask = BTM_PM_REC_NOT_USED;
    }

    if(cb != NULL)
    if(cb != NULL && btm_cb.pm_pend_link < MAX_L2CAP_LINKS)
        (*cb)(btm_cb.acl_db[btm_cb.pm_pend_link].remote_addr, BTM_PM_STS_ERROR, BTM_DEV_RESET, 0);

    /* no command pending */
    btm_cb.pm_pend_link = MAX_L2CAP_LINKS;
}

/*******************************************************************************
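Review bot: Moving the `btm_cb.pm_pend_link = MAX_L2CAP_LINKS;` reset below the callback means `(*cb)(...)` now runs while the pending-link state is still set, and the reset afterwards overwrites anything the callback may have caused to be stored in `pm_pend_link`. Whether registered callbacks can re-enter the power-mode code is not visible here, but the ordering can be made safe either way by copying the index into a local, resetting `btm_cb.pm_pend_link`, and then invoking the callback with the local copy under the same `< MAX_L2CAP_LINKS` guard. The guard also assumes `btm_cb.acl_db` is dimensioned by `MAX_L2CAP_LINKS`; a short comment saying so would record why this is the right bound. The start of btm_pm_reset is outside the section shown.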