
Commit c819b854 authored by liuchao's avatar liuchao

Fix strlcpy length passing in bta hl

In the structures tBTA_HL_API_UPDATE and tBTA_HL_API_REGISTER, the
arrays are defined with XXX_LEN + 1 elements. When XXX_LEN is passed,
strlcpy copies at most XXX_LEN - 1 characters, so when the real string
length reaches XXX_LEN, the last character is unexpectedly replaced
with \0

Test: build & unittest
Change-Id: Ib6ccb9c40196ca84ee9e10556820e36a6dde0d35
parent 37df554a
+8 −6
@@ -114,18 +114,20 @@ void BTA_HlUpdate(uint8_t app_id, tBTA_HL_REG_PARAM* p_reg_param,
        (p_reg_param->sec_mask | BTA_SEC_AUTHENTICATE | BTA_SEC_ENCRYPT);
    p_buf->p_cback = p_cback;
    if (p_reg_param->p_srv_name)
      strlcpy(p_buf->srv_name, p_reg_param->p_srv_name, BTA_SERVICE_NAME_LEN);
      strlcpy(p_buf->srv_name, p_reg_param->p_srv_name,
              sizeof(p_buf->srv_name));
    else
      p_buf->srv_name[0] = 0;

    if (p_reg_param->p_srv_desp)
      strlcpy(p_buf->srv_desp, p_reg_param->p_srv_desp, BTA_SERVICE_DESP_LEN);
      strlcpy(p_buf->srv_desp, p_reg_param->p_srv_desp,
              sizeof(p_buf->srv_desp));
    else
      p_buf->srv_desp[0] = 0;

    if (p_reg_param->p_provider_name)
      strlcpy(p_buf->provider_name, p_reg_param->p_provider_name,
              BTA_PROVIDER_NAME_LEN);
              sizeof(p_buf->provider_name));
    else
      p_buf->provider_name[0] = 0;
  }
@@ -159,18 +161,18 @@ void BTA_HlRegister(uint8_t app_id, tBTA_HL_REG_PARAM* p_reg_param,
  p_buf->p_cback = p_cback;

  if (p_reg_param->p_srv_name)
    strlcpy(p_buf->srv_name, p_reg_param->p_srv_name, BTA_SERVICE_NAME_LEN);
    strlcpy(p_buf->srv_name, p_reg_param->p_srv_name, sizeof(p_buf->srv_name));
  else
    p_buf->srv_name[0] = 0;

  if (p_reg_param->p_srv_desp)
    strlcpy(p_buf->srv_desp, p_reg_param->p_srv_desp, BTA_SERVICE_DESP_LEN);
    strlcpy(p_buf->srv_desp, p_reg_param->p_srv_desp, sizeof(p_buf->srv_desp));
  else
    p_buf->srv_desp[0] = 0;

  if (p_reg_param->p_provider_name)
    strlcpy(p_buf->provider_name, p_reg_param->p_provider_name,
            BTA_PROVIDER_NAME_LEN);
            sizeof(p_buf->provider_name));
  else
    p_buf->provider_name[0] = 0;
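Review bot: The strlcpy return value is still discarded at all three copies in BTA_HlUpdate and at the matching three in BTA_HlRegister, so a caller-supplied p_srv_name, p_srv_desp or p_provider_name longer than the destination is truncated without any signal. Since strlcpy returns the length of the source string, the check is cheap: `if (strlcpy(p_buf->srv_name, p_reg_param->p_srv_name, sizeof(p_buf->srv_name)) >= sizeof(p_buf->srv_name)) { /* log or reject the over-long name */ }`. If silent truncation is the intended contract, a one-line comment above the first copy saying so would be enough. Both function bodies start outside the hunks shown, so any earlier length validation is not visible here.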

+3 −3
@@ -678,11 +678,11 @@ static void bta_hl_api_register(tBTA_HL_CB* p_cb, tBTA_HL_DATA* p_data) {
        p_acb->sec_mask = p_data->api_reg.sec_mask;
        p_acb->dev_type = p_data->api_reg.dev_type;
        strlcpy(p_acb->srv_name, p_data->api_reg.srv_name,
                BTA_SERVICE_NAME_LEN);
                sizeof(p_acb->srv_name));
        strlcpy(p_acb->srv_desp, p_data->api_reg.srv_desp,
                BTA_SERVICE_DESP_LEN);
                sizeof(p_acb->srv_desp));
        strlcpy(p_acb->provider_name, p_data->api_reg.provider_name,
                BTA_PROVIDER_NAME_LEN);
                sizeof(p_acb->provider_name));
        bta_hl_cb.p_alloc_psm = L2CA_AllocatePSM;
        p_acb->ctrl_psm = bta_hl_cb.p_alloc_psm();
        p_acb->data_psm = bta_hl_cb.p_alloc_psm();
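Review bot: The new bounds in bta_hl_api_register come from the p_acb fields, whose declaration is not shown here, while the commit message only states the XXX_LEN + 1 sizing for tBTA_HL_API_UPDATE and tBTA_HL_API_REGISTER. If the control-block arrays are sized differently from the api_reg ones, the copy truncates silently, and if a field ever becomes a pointer, sizeof quietly yields the pointer size. A compile-time check next to the copies would pin the assumption, for example `static_assert(sizeof(p_acb->srv_name) == sizeof(p_data->api_reg.srv_name), "srv_name size mismatch");`, repeated for srv_desp and provider_name. The function body starts and ends outside this hunk.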