
Commit e927f981 authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Android (Google) Code Review

Merge changes from topic "nyc-dev-check-pkt-when-processing-gatt-reads" into nyc-dr1-dev

* changes:
  [automerger] DO NOT MERGE Handle bad packet length in gatts_process_read_req am: 89188966
  DO NOT MERGE Handle bad packet length in gatts_process_read_req
parents fc9113aa b2ba1398
+16 −4
@@ -27,6 +27,7 @@

#if BLE_INCLUDED == TRUE
#include <string.h>
#include <log/log.h>
#include "gatt_int.h"
#include "l2c_api.h"
#include "l2c_int.h"
@@ -330,8 +331,6 @@ void gatt_process_exec_write_req (tGATT_TCB *p_tcb, UINT8 op_code, UINT16 len, U
    tGATT_IF gatt_if;
    UINT16  conn_id;

    UNUSED(len);

#if GATT_CONFORMANCE_TESTING == TRUE
    if (gatt_cb.enable_err_rsp && gatt_cb.req_op_code == op_code)
    {
@@ -344,6 +343,13 @@ void gatt_process_exec_write_req (tGATT_TCB *p_tcb, UINT8 op_code, UINT16 len, U
    }
#endif

    if (len < sizeof(flag)) {
        android_errorWriteLog(0x534e4554, "73172115");
        GATT_TRACE_ERROR("%s: invalid length", __func__);
        gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, GATT_REQ_EXEC_WRITE, 0, false);
        return;
    }

    STREAM_TO_UINT8(flag, p);

    /* mask the flag */
@@ -1143,7 +1149,13 @@ static void gatts_process_read_req(tGATT_TCB *p_tcb, tGATT_SR_REG *p_rcb, UINT8
    UINT16          offset = 0, value_len = 0;
    BT_HDR          *p_msg = (BT_HDR *)osi_calloc(buf_len);

    UNUSED(len);
    if (op_code == GATT_REQ_READ_BLOB && len < sizeof(UINT16)) {
        /* Error: packet length is too short */
        android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0);
        GATT_TRACE_ERROR("%s: invalid length", __func__);
        gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, op_code, 0, false);
        return;
    }

    if (op_code == GATT_REQ_READ_BLOB)
        STREAM_TO_UINT16(offset, p_data);
@@ -1174,7 +1186,7 @@ static void gatts_process_read_req(tGATT_TCB *p_tcb, tGATT_SR_REG *p_rcb, UINT8
    {
        osi_free(p_msg);

        /* in theroy BUSY is not possible(should already been checked), protected check */
        /* in theory BUSY is not possible(should already been checked), protected check */
        if (reason != GATT_PENDING && reason != GATT_BUSY)
            gatt_send_error_rsp (p_tcb, reason, op_code, handle, FALSE);
    }
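Review bot: The new short-packet early return in gatts_process_read_req (the `op_code == GATT_REQ_READ_BLOB && len < sizeof(UINT16)` branch) leaks p_msg, which is allocated with `osi_calloc(buf_len)` on the line just above the check and is not released before `return;`. The branch is taken on a peer-supplied packet length, so each malformed read-blob request would appear to leak one buf_len-sized buffer, turning the length fix into a remotely triggerable memory-exhaustion path. Add `osi_free(p_msg);` before the `return;`, or move the `osi_calloc` call below the length check so nothing is allocated for a rejected PDU. The later error branch in this function already calls `osi_free(p_msg)` before sending its error response, which is the pattern to follow. The function body starts and ends outside the visible hunks, so this assumes no other cleanup runs on the early-return path.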