
Commit c33be991 authored by Stanley Tng

Drop LE CoC fragments when frame size is too big

Drop the LE CoC data fragments when the received fragment size is too
big.

Test: Runs LE CoC SL4A test, BleCocTest.
Bug: 75298652
Change-Id: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
parent 74c03115
+18 −4
@@ -24,6 +24,7 @@
 ******************************************************************************/

#include <base/logging.h>
#include <log/log.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -854,8 +855,24 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
    p_buf->offset += sizeof(sdu_length);
    p_data->offset = 0;

  } else
  } else {
    p_data = p_ccb->ble_sdu;
    if (p_buf->len > (p_ccb->ble_sdu_length - p_data->len)) {
      L2CAP_TRACE_ERROR("%s: buffer length=%d too big. max=%d. Dropped",
                        __func__, p_data->len,
                        (p_ccb->ble_sdu_length - p_data->len));
      android_errorWriteWithInfoLog(0x534e4554, "75298652", -1, NULL, 0);
      osi_free(p_buf);

      /* Throw away all pending fragments and disconnects */
      p_ccb->is_first_seg = true;
      osi_free(p_ccb->ble_sdu);
      p_ccb->ble_sdu = NULL;
      p_ccb->ble_sdu_length = 0;
      l2cu_disconnect_chnl(p_ccb);
      return;
    }
  }

  memcpy((uint8_t*)(p_data + 1) + p_data->offset + p_data->len,
         (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
@@ -868,9 +885,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
    p_ccb->ble_sdu_length = 0;
  } else if (p_data->len < p_ccb->ble_sdu_length) {
    p_ccb->is_first_seg = false;
  } else {
    L2CAP_TRACE_ERROR("%s Length in the SDU messed up", __func__);
    // TODO: reset every thing may be???
  }

  osi_free(p_buf);
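Review bot: The bound added in the second hunk covers only the continuation `else` branch, yet the `memcpy` immediately after it also runs for the first-segment branch, whose length handling lies above the hunk and is not visible here. If that branch does not already reject a fragment with `p_buf->len > sdu_length`, an oversized first fragment still reaches the copy, and the last hunk appears to drop the only `else` that reported `p_data->len` exceeding `ble_sdu_length`; it is worth confirming the first-segment path is bounded, or applying the same drop-and-disconnect handling there. Separately, the error trace labels `p_data->len` as the buffer length while the comparison is on the incoming fragment, so the argument line should read `__func__, p_buf->len,` to make the log usable for triage. l2c_lcc_proc_pdu starts and ends outside the hunks shown.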