
Commit eb3850dd authored by Bhakthavatsala Raghavendra's avatar Bhakthavatsala Raghavendra

Fix L2cap buffer length check against MPS for the first k-frame

Test: mmm packages/module/Bluetooth
Bug: 323923764
Bug: 386382446
Flag: com.android.bluetooth.flags.fix_buf_len_check_for_first_k_frame

Change-Id: I4546016ee142aacf16848914688bff1a4cc31351
parent 7f007c1e
+12 −2
@@ -24,6 +24,7 @@
 ******************************************************************************/

#include <bluetooth/log.h>
#include <com_android_bluetooth_flags.h>
#include <stdlib.h>
#include <string.h>

@@ -683,10 +684,19 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
  uint16_t sdu_length;
  BT_HDR* p_data = NULL;

  uint16_t local_mps = p_ccb->local_conn_cfg.mps;
  if (com::android::bluetooth::flags::fix_buf_len_check_for_first_k_frame()) {
    if (p_ccb->is_first_seg) {
      // for the first k-frame, donot consider sdu_length
      // as part of the information payload
      local_mps = p_ccb->local_conn_cfg.mps + sizeof(sdu_length);
    }
  }

  /* Buffer length should not exceed local mps */
  if (p_buf->len > p_ccb->local_conn_cfg.mps) {
  if (p_buf->len > local_mps) {
    log::error("buffer length={} exceeds local mps={}. Drop and disconnect.", p_buf->len,
               p_ccb->local_conn_cfg.mps);
               local_mps);

    /* Discard the buffer and disconnect*/
    osi_free(p_buf);
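Review bot: The widened bound `local_mps = p_ccb->local_conn_cfg.mps + sizeof(sdu_length);` is computed in `size_t` and then silently narrowed back into the `uint16_t` local, so a configured MPS at or above 0xFFFE would wrap to a tiny limit and every first segment would be dropped with a disconnect; the L2CAP MPS range should keep the sum under 65536, but declaring `uint32_t local_mps = p_ccb->local_conn_cfg.mps;` removes the narrowing and keeps both the comparison and the log value honest for any configured value. Relaxing the check by two bytes is only safe if the code after the hunk still requires at least `sizeof(sdu_length)` bytes before reading the SDU length and bounds the remaining `p_buf->len - sizeof(sdu_length)` payload against the reassembly buffer it sizes from that length; `l2c_lcc_proc_pdu` continues past the hunk, so those checks should be confirmed rather than assumed. The two nested `if`s can be a single condition, `if (com::android::bluetooth::flags::fix_buf_len_check_for_first_k_frame() && p_ccb->is_first_seg) {`, and the comment reads better as `// First K-frame: the SDU Length field is not counted against the MPS`.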