system/bt
修订版 | 200dfcc9948b7f6a0939b528dd731f7eb5bfc25a (tree) |
时间 | 2018-05-02 23:45:38 |
作者 | Chih-Wei Huang <cwhuang@linu...> |
Committer | Chih-Wei Huang |
Merge remote-tracking branch 'cm/cm-14.1' into cm-14.1-x86
@@ -198,7 +198,7 @@ static void* a2dp_codec_parser(uint8_t *codec_cfg, audio_format_t *codec_type) | ||
198 | 198 | sbc_codec.sampling_rate = 44100; |
199 | 199 | break; |
200 | 200 | case A2D_SBC_SAMP_FREQ_32: |
201 | - sbc_codec.sampling_rate = 3200; | |
201 | + sbc_codec.sampling_rate = 32000; | |
202 | 202 | break; |
203 | 203 | case A2D_SBC_SAMP_FREQ_16: |
204 | 204 | sbc_codec.sampling_rate = 16000; |
@@ -176,6 +176,11 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, | ||
176 | 176 | tBTA_PAN_SCB *p_scb; |
177 | 177 | BT_HDR *p_new_buf; |
178 | 178 | |
179 | + p_scb = bta_pan_scb_by_handle(handle); | |
180 | + if (p_scb == NULL) { | |
181 | + return; | |
182 | + } | |
183 | + | |
179 | 184 | if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) { |
180 | 185 | /* offset smaller than data structure in front of actual data */ |
181 | 186 | if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len > |
@@ -183,7 +188,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, | ||
183 | 188 | android_errorWriteLog(0x534e4554, "63146237"); |
184 | 189 | APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__, |
185 | 190 | p_buf->len); |
186 | - osi_free(p_buf); | |
187 | 191 | return; |
188 | 192 | } |
189 | 193 | p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE); |
@@ -191,7 +195,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, | ||
191 | 195 | (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len); |
192 | 196 | p_new_buf->len = p_buf->len; |
193 | 197 | p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS); |
194 | - osi_free(p_buf); | |
195 | 198 | } else { |
196 | 199 | p_new_buf = p_buf; |
197 | 200 | } |
@@ -202,11 +205,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, | ||
202 | 205 | ((tBTA_PAN_DATA_PARAMS *)p_new_buf)->ext = ext; |
203 | 206 | ((tBTA_PAN_DATA_PARAMS *)p_new_buf)->forward = forward; |
204 | 207 | |
205 | - if ((p_scb = bta_pan_scb_by_handle(handle)) == NULL) { | |
206 | - osi_free(p_new_buf); | |
207 | - return; | |
208 | - } | |
209 | - | |
210 | 208 | fixed_queue_enqueue(p_scb->data_queue, p_new_buf); |
211 | 209 | BT_HDR *p_event = (BT_HDR *)osi_malloc(sizeof(BT_HDR)); |
212 | 210 | p_event->layer_specific = handle; |
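Review bot: With `osi_free(p_buf)` removed from this callback, the `p_new_buf = p_buf;` fallback at L42-44 enqueues the caller's buffer on `p_scb->data_queue` (L54), yet the bnep_data_ind hunk at L346-353 now frees `p_buf` as soon as `p_data_buf_cb` returns; if that is the path that reaches this callback (it goes through the PAN layer, which is not on this page), the queued buffer is dangling by the time it is dequeued. Both branches should hand the queue a buffer this layer owns, so the else branch needs a private copy guarded by the same size check the first branch already applies. The early `return` paths at L21-24 and L34 are consistent with the caller now owning `p_buf`, so only the else branch needs to change. bta_pan_data_buf_ind_cback starts before L18 and continues after L56.
```c
    } else {
        /* The caller frees p_buf once this callback returns, so the queued
         * buffer must be a private copy of header, offset area and payload. */
        if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > PAN_BUF_SIZE) {
            APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
                             p_buf->len);
            return;
        }
        p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE);
        memcpy(p_new_buf, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
    }
    /* … unchanged: fill in tBTA_PAN_DATA_PARAMS and enqueue … */
```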
@@ -64,7 +64,6 @@ typedef struct { | ||
64 | 64 | size_t rescheduled_count; |
65 | 65 | size_t total_updates; |
66 | 66 | period_ms_t last_update_ms; |
67 | - stat_t callback_execution; | |
68 | 67 | stat_t overdue_scheduling; |
69 | 68 | stat_t premature_scheduling; |
70 | 69 | } alarm_stats_t; |
@@ -134,8 +133,7 @@ static void callback_dispatch(void *context); | ||
134 | 133 | static bool timer_create_internal(const clockid_t clock_id, timer_t *timer); |
135 | 134 | static void update_scheduling_stats(alarm_stats_t *stats, |
136 | 135 | period_ms_t now_ms, |
137 | - period_ms_t deadline_ms, | |
138 | - period_ms_t execution_delta_ms); | |
136 | + period_ms_t deadline_ms); | |
139 | 137 | |
140 | 138 | static void update_stat(stat_t *stat, period_ms_t delta) |
141 | 139 | { |
@@ -613,14 +611,12 @@ static void alarm_queue_ready(fixed_queue_t *queue, | ||
613 | 611 | pthread_mutex_lock(&alarm->callback_lock); |
614 | 612 | pthread_mutex_unlock(&monitor); |
615 | 613 | |
616 | - period_ms_t t0 = now(); | |
617 | - callback(data); | |
618 | - period_ms_t t1 = now(); | |
619 | - | |
620 | 614 | // Update the statistics |
621 | - assert(t1 >= t0); | |
622 | - period_ms_t delta = t1 - t0; | |
623 | - update_scheduling_stats(&alarm->stats, t0, deadline, delta); | |
615 | + update_scheduling_stats(&alarm->stats, now(), deadline); | |
616 | + | |
617 | + // NOTE: Do NOT access "alarm" after the callback, as a safety precaution | |
618 | + // in case the callback itself deleted the alarm. | |
619 | + callback(data); | |
624 | 620 | |
625 | 621 | pthread_mutex_unlock(&alarm->callback_lock); |
626 | 622 | } |
@@ -694,14 +690,11 @@ static bool timer_create_internal(const clockid_t clock_id, timer_t *timer) { | ||
694 | 690 | |
695 | 691 | static void update_scheduling_stats(alarm_stats_t *stats, |
696 | 692 | period_ms_t now_ms, |
697 | - period_ms_t deadline_ms, | |
698 | - period_ms_t execution_delta_ms) | |
693 | + period_ms_t deadline_ms) | |
699 | 694 | { |
700 | 695 | stats->total_updates++; |
701 | 696 | stats->last_update_ms = now_ms; |
702 | 697 | |
703 | - update_stat(&stats->callback_execution, execution_delta_ms); | |
704 | - | |
705 | 698 | if (deadline_ms < now_ms) { |
706 | 699 | // Overdue scheduling |
707 | 700 | period_ms_t delta_ms = now_ms - deadline_ms; |
@@ -754,7 +747,7 @@ void alarm_debug_dump(int fd) | ||
754 | 747 | dprintf(fd, "%-51s: %zu / %zu / %zu / %zu\n", |
755 | 748 | " Action counts (sched/resched/exec/cancel)", |
756 | 749 | stats->scheduled_count, stats->rescheduled_count, |
757 | - stats->callback_execution.count, stats->canceled_count); | |
750 | + stats->total_updates, stats->canceled_count); | |
758 | 751 | |
759 | 752 | dprintf(fd, "%-51s: %zu / %zu\n", |
760 | 753 | " Deviation counts (overdue/premature)", |
@@ -767,9 +760,6 @@ void alarm_debug_dump(int fd) | ||
767 | 760 | (unsigned long long) alarm->period, |
768 | 761 | (long long)(alarm->deadline - just_now)); |
769 | 762 | |
770 | - dump_stat(fd, &stats->callback_execution, | |
771 | - " Callback execution time in ms (total/max/avg)"); | |
772 | - | |
773 | 763 | dump_stat(fd, &stats->overdue_scheduling, |
774 | 764 | " Overdue scheduling time in ms (total/max/avg)"); |
775 | 765 |
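Review bot: The new comment at L89-90 says `alarm` must not be touched after `callback(data)`, but the very next statement at L93, `pthread_mutex_unlock(&alarm->callback_lock);`, does exactly that, so the comment states a rule the function itself breaks. If the unlock is deliberate because holding `callback_lock` through the callback is what keeps a concurrent `alarm_free` from completing, the comment should say that instead, along the lines of `// NOTE: the only field touched after callback() is callback_lock; alarm_free() is expected to block on it, so "alarm" is still live here unless the callback freed its own alarm.` Whether a callback can free its own alarm depends on how `callback_lock` is initialised (not visible on this page); if it can, the unlock at L93 is a use-after-free and needs a fix rather than a note. alarm_queue_ready starts before L76.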
@@ -34,6 +34,7 @@ | ||
34 | 34 | #include "osi/include/allocator.h" |
35 | 35 | #include "osi/include/list.h" |
36 | 36 | #include "osi/include/log.h" |
37 | +#include "log/log.h" | |
37 | 38 | |
38 | 39 | typedef struct { |
39 | 40 | char *key; |
@@ -221,16 +222,36 @@ void config_set_string(config_t *config, const char *section, const char *key, c | ||
221 | 222 | } |
222 | 223 | |
223 | 224 | if (sec) { |
225 | + char *value_string = (char *)value; | |
226 | + char *value_no_newline; | |
227 | + char *newline = strstr(value_string, "\n"); | |
228 | + if (newline) { | |
229 | + android_errorWriteLog(0x534e4554, "70808273"); | |
230 | + size_t newline_pos = newline - value_string; | |
231 | + value_no_newline = osi_strndup(value_string, newline_pos); | |
232 | + if (!value_no_newline) { | |
233 | + LOG_ERROR(LOG_TAG,"%s: Unable to allocate memory for value_no_newline", __func__); | |
234 | + return; | |
235 | + } | |
236 | + } else { | |
237 | + value_no_newline = value_string; | |
238 | + } | |
224 | 239 | for (const list_node_t *node = list_begin(sec->entries); node != list_end(sec->entries); node = list_next(node)) { |
225 | 240 | entry_t *entry = list_node(node); |
226 | 241 | if (!strcmp(entry->key, key)) { |
227 | 242 | osi_free(entry->value); |
228 | - entry->value = osi_strdup(value); | |
243 | + entry->value = osi_strdup(value_no_newline); | |
244 | + if (newline) { | |
245 | + osi_free(value_no_newline); | |
246 | + } | |
229 | 247 | return; |
230 | 248 | } |
231 | 249 | } |
232 | 250 | |
233 | - entry_t *entry = entry_new(key, value); | |
251 | + entry_t *entry = entry_new(key, value_no_newline); | |
252 | + if (newline) { | |
253 | + osi_free(value_no_newline); | |
254 | + } | |
234 | 255 | list_append(sec->entries, entry); |
235 | 256 | } |
236 | 257 | } |
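Review bot: The `(char *)value` cast at L142 strips the const from the parameter (it is `const char *` judging by the signature in the hunk header) only so that `strstr` can return a writable pointer, but nothing here writes through it; `const char *newline = strchr(value, '\n');` (a one-character search does not need `strstr`) and `const char *value_no_newline = value;` keep the input read-only and still satisfy `osi_strdup` and `entry_new`, which the original code already called with the const pointer. Keeping the truncated copy in its own `char *` and freeing it once on every exit would also remove the two repeated `if (newline) osi_free(value_no_newline);` blocks at L162-164 and L171-173, which today free a variable that sometimes aliases the caller's string. The `!value_no_newline` branch at L149-152 is only reachable if `osi_strndup` can return NULL; if the OSI allocator aborts on failure instead, that branch is dead. A one-line comment above L144 stating why the value is cut at the first newline (presumably so a value cannot add lines to the written config file) would help the next reader. config_set_string starts before L139.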
@@ -22,6 +22,7 @@ | ||
22 | 22 | #include "avrc_defs.h" |
23 | 23 | #include "avrc_int.h" |
24 | 24 | #include "bt_utils.h" |
25 | +#include "log/log.h" | |
25 | 26 | |
26 | 27 | /***************************************************************************** |
27 | 28 | ** Global data |
@@ -227,6 +228,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( | ||
227 | 228 | } |
228 | 229 | BE_STREAM_TO_UINT8(p_result->list_app_attr.num_attr, p); |
229 | 230 | AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->list_app_attr.num_attr); |
231 | + | |
232 | + if (p_result->list_app_attr.num_attr > AVRC_MAX_APP_ATTR_SIZE) { | |
233 | + android_errorWriteLog(0x534e4554, "63146237"); | |
234 | + p_result->list_app_attr.num_attr = AVRC_MAX_APP_ATTR_SIZE; | |
235 | + } | |
236 | + | |
230 | 237 | for(int xx = 0; xx < p_result->list_app_attr.num_attr; xx++) |
231 | 238 | { |
232 | 239 | BE_STREAM_TO_UINT8(p_result->list_app_attr.attrs[xx], p); |
@@ -258,6 +265,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( | ||
258 | 265 | tAVRC_APP_SETTING *app_sett = |
259 | 266 | (tAVRC_APP_SETTING*)osi_malloc(p_result->get_cur_app_val.num_val*sizeof(tAVRC_APP_SETTING)); |
260 | 267 | AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->get_cur_app_val.num_val); |
268 | + | |
269 | + if (p_result->get_cur_app_val.num_val > AVRC_MAX_APP_ATTR_SIZE) { | |
270 | + android_errorWriteLog(0x534e4554, "63146237"); | |
271 | + p_result->get_cur_app_val.num_val = AVRC_MAX_APP_ATTR_SIZE; | |
272 | + } | |
273 | + | |
261 | 274 | for (int xx = 0; xx < p_result->get_cur_app_val.num_val; xx++) |
262 | 275 | { |
263 | 276 | BE_STREAM_TO_UINT8(app_sett[xx].attr_id, p); |
@@ -269,7 +282,6 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( | ||
269 | 282 | |
270 | 283 | case AVRC_PDU_GET_PLAYER_APP_ATTR_TEXT: |
271 | 284 | { |
272 | - tAVRC_APP_SETTING_TEXT *p_setting_text; | |
273 | 285 | UINT8 num_attrs; |
274 | 286 | |
275 | 287 | if (len == 0) |
@@ -278,9 +290,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( | ||
278 | 290 | break; |
279 | 291 | } |
280 | 292 | BE_STREAM_TO_UINT8(num_attrs, p); |
293 | + if (num_attrs > AVRC_MAX_APP_ATTR_SIZE) { | |
294 | + num_attrs = AVRC_MAX_APP_ATTR_SIZE; | |
295 | + } | |
281 | 296 | AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->get_app_attr_txt.num_attr); |
282 | 297 | p_result->get_app_attr_txt.num_attr = num_attrs; |
283 | - p_setting_text = (tAVRC_APP_SETTING_TEXT*)osi_malloc(num_attrs * sizeof(tAVRC_APP_SETTING_TEXT)); | |
298 | + p_result->get_app_attr_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_malloc(num_attrs * sizeof(tAVRC_APP_SETTING_TEXT)); | |
284 | 299 | for (int xx = 0; xx < num_attrs; xx++) |
285 | 300 | { |
286 | 301 | BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].attr_id, p); |
@@ -300,7 +315,6 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( | ||
300 | 315 | |
301 | 316 | case AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT: |
302 | 317 | { |
303 | - tAVRC_APP_SETTING_TEXT *p_setting_text; | |
304 | 318 | UINT8 num_vals; |
305 | 319 | |
306 | 320 | if (len == 0) |
@@ -309,10 +323,13 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( | ||
309 | 323 | break; |
310 | 324 | } |
311 | 325 | BE_STREAM_TO_UINT8(num_vals, p); |
326 | + if (num_vals > AVRC_MAX_APP_ATTR_SIZE) { | |
327 | + num_vals = AVRC_MAX_APP_ATTR_SIZE; | |
328 | + } | |
312 | 329 | p_result->get_app_val_txt.num_attr = num_vals; |
313 | 330 | AVRC_TRACE_DEBUG("%s value count = %d ", __func__, p_result->get_app_val_txt.num_attr); |
314 | 331 | |
315 | - p_setting_text = (tAVRC_APP_SETTING_TEXT *)osi_malloc(num_vals * sizeof(tAVRC_APP_SETTING_TEXT)); | |
332 | + p_result->get_app_val_txt.p_attrs = (tAVRC_APP_SETTING_TEXT *)osi_malloc(num_vals * sizeof(tAVRC_APP_SETTING_TEXT)); | |
316 | 333 | for (int i = 0; i < num_vals; i++) { |
317 | 334 | BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].attr_id, p); |
318 | 335 | BE_STREAM_TO_UINT16(p_result->get_app_val_txt.p_attrs[i].charset_id, p); |
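Review bot: The clamps at L190-193 and L203-206 bound the index into the fixed-size `attrs[]` and `app_sett[]` arrays, but none of the four hunks compares the count with the bytes still available in the PDU before the loops read one byte (or, at L253-255, several) per entry from `p`; if `len` is the remaining payload length, as the `if (len == 0)` checks at L218 and L240 suggest, a response advertising more entries than it carries is still read past its end unless a check outside this page stops it. A guard such as `if (num_attrs > len) { status = AVRC_STS_BAD_PARAM; break; }` ahead of each loop, with `len` adjusted for the bytes already consumed and the per-entry size, would close that. The two later clamps at L223-225 and L245-247 also omit the `android_errorWriteLog` call the first two carry, and the `osi_malloc` at L200 is sized with the unclamped `num_val` because its clamp at L203-206 comes after it; moving the clamp above the allocation avoids that. avrc_ctrl_pars_vendor_rsp starts before L186 and continues after L255.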
@@ -21,6 +21,7 @@ | ||
21 | 21 | #include "avrc_api.h" |
22 | 22 | #include "avrc_defs.h" |
23 | 23 | #include "avrc_int.h" |
24 | +#include "log/log.h" | |
24 | 25 | |
25 | 26 | /***************************************************************************** |
26 | 27 | ** Global data |
@@ -169,6 +170,12 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAND *p_ | ||
169 | 170 | status = AVRC_STS_INTERNAL_ERR; |
170 | 171 | break; |
171 | 172 | } |
173 | + | |
174 | + if (p_result->get_cur_app_val.num_attr > AVRC_MAX_APP_ATTR_SIZE) { | |
175 | + android_errorWriteLog(0x534e4554, "63146237"); | |
176 | + p_result->get_cur_app_val.num_attr = AVRC_MAX_APP_ATTR_SIZE; | |
177 | + } | |
178 | + | |
172 | 179 | p_u8 = p_result->get_cur_app_val.attrs; |
173 | 180 | for (xx=0, yy=0; xx< p_result->get_cur_app_val.num_attr; xx++) |
174 | 181 | { |
@@ -229,6 +236,11 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAND *p_ | ||
229 | 236 | status = AVRC_STS_INTERNAL_ERR; |
230 | 237 | else |
231 | 238 | { |
239 | + if (p_result->get_app_val_txt.num_val > AVRC_MAX_APP_ATTR_SIZE) { | |
240 | + android_errorWriteLog(0x534e4554, "63146237"); | |
241 | + p_result->get_app_val_txt.num_val = AVRC_MAX_APP_ATTR_SIZE; | |
242 | + } | |
243 | + | |
232 | 244 | p_u8 = p_result->get_app_val_txt.vals; |
233 | 245 | for (xx=0; xx< p_result->get_app_val_txt.num_val; xx++) |
234 | 246 | { |
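Review bot: Clamping `num_attr`/`num_val` at L269-272 and L281-284 makes a command that names more attributes than `AVRC_MAX_APP_ATTR_SIZE` parse as if it had named only the first `AVRC_MAX_APP_ATTR_SIZE`, so the target answers a silently truncated request rather than rejecting it; since the function already has a status path (`status = AVRC_STS_INTERNAL_ERR; break;` at L265-266), `status = AVRC_STS_BAD_PARAM; break;` would report the malformed command instead of reshaping it. If truncation is the intended behaviour, a short comment above each clamp (`/* cap rather than reject: only what fits in attrs[] is honoured */`) keeps the next reader from "fixing" it. As with the controller-side hunks at L185-255, the loops at L275 and L287 still read `num_attr`/`num_val` bytes from `p` without a visible comparison against the remaining message length. avrc_pars_vendor_cmd starts before L265 and continues after L288.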
@@ -35,6 +35,7 @@ | ||
35 | 35 | |
36 | 36 | #include "l2c_api.h" |
37 | 37 | #include "l2cdefs.h" |
38 | +#include "log/log.h" | |
38 | 39 | |
39 | 40 | #include "btu.h" |
40 | 41 | #include "btm_api.h" |
@@ -495,6 +496,12 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) | ||
495 | 496 | type = *p++; |
496 | 497 | extension_present = type >> 7; |
497 | 498 | type &= 0x7f; |
499 | + if (type >= sizeof(bnep_frame_hdr_sizes) / sizeof(bnep_frame_hdr_sizes[0])) { | |
500 | + BNEP_TRACE_EVENT("BNEP - rcvd frame, bad type: 0x%02x", type); | |
501 | + android_errorWriteLog(0x534e4554, "68818034"); | |
502 | + osi_free(p_buf); | |
503 | + return; | |
504 | + } | |
498 | 505 | if ((rem_len <= bnep_frame_hdr_sizes[type]) || (rem_len > BNEP_MTU_SIZE)) |
499 | 506 | { |
500 | 507 | BNEP_TRACE_EVENT ("BNEP - rcvd frame, bad len: %d type: 0x%02x", p_buf->len, type); |
@@ -524,20 +531,20 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) | ||
524 | 531 | org_len = rem_len; |
525 | 532 | new_len = 0; |
526 | 533 | do { |
527 | - | |
534 | + if (org_len < 2) break; | |
528 | 535 | ext = *p++; |
529 | 536 | length = *p++; |
530 | 537 | p += length; |
531 | 538 | |
539 | + new_len = (length + 2); | |
540 | + if (new_len > org_len) break; | |
541 | + | |
532 | 542 | if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG)) |
533 | 543 | bnep_send_command_not_understood (p_bcb, *p); |
534 | 544 | |
535 | - new_len += (length + 2); | |
536 | - | |
537 | - if (new_len > org_len) | |
538 | - break; | |
539 | - | |
545 | + org_len -= new_len; | |
540 | 546 | } while (ext & 0x80); |
547 | + android_errorWriteLog(0x534e4554, "67863755"); | |
541 | 548 | } |
542 | 549 | |
543 | 550 | osi_free(p_buf); |
@@ -586,6 +593,8 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) | ||
586 | 593 | while (extension_present && p && rem_len) |
587 | 594 | { |
588 | 595 | ext_type = *p++; |
596 | + rem_len--; | |
597 | + android_errorWriteLog(0x534e4554, "69271284"); | |
589 | 598 | extension_present = ext_type >> 7; |
590 | 599 | ext_type &= 0x7F; |
591 | 600 |
@@ -657,6 +666,7 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) | ||
657 | 666 | if (bnep_cb.p_data_buf_cb) |
658 | 667 | { |
659 | 668 | (*bnep_cb.p_data_buf_cb)(p_bcb->handle, p_src_addr, p_dst_addr, protocol, p_buf, fw_ext_present); |
669 | + osi_free(p_buf); | |
660 | 670 | } |
661 | 671 | else if (bnep_cb.p_data_ind_cb) |
662 | 672 | { |
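Review bot: In the rewritten extension loop the read of `*p` at L323 happens after `p` has advanced by `length + 2` bytes, but the guard at L321 only breaks when `new_len > org_len`, so for `new_len == org_len` the dereference touches the first byte past the span `org_len` covers (it may still sit inside the BT_HDR allocation, which is why this reads as an over-read rather than a crash); breaking on `new_len >= org_len`, or subtracting first and testing `org_len > 0` before the comparison, closes it. Separately, `android_errorWriteLog(0x534e4554, "67863755")` at L333 sits after the loop and fires for every frame that takes this path, well-formed or not; it belongs inside the two `break` branches. The `osi_free(p_buf)` at L350 moves ownership of the buffer into this function, so every `p_data_buf_cb` consumer must have stopped freeing or retaining `p_buf` (see the PAN hunks at L17-56, where the else branch still keeps it). bnep_data_ind starts before L298 and continues after L353.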
@@ -22,6 +22,8 @@ | ||
22 | 22 | * |
23 | 23 | ******************************************************************************/ |
24 | 24 | |
25 | +#include <cutils/log.h> | |
26 | + | |
25 | 27 | #include <stdio.h> |
26 | 28 | #include <string.h> |
27 | 29 | #include "bt_common.h" |
@@ -804,6 +806,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len | ||
804 | 806 | break; |
805 | 807 | |
806 | 808 | case BNEP_SETUP_CONNECTION_REQUEST_MSG: |
809 | + if (*rem_len < 1) { | |
810 | + BNEP_TRACE_ERROR( | |
811 | + "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length", | |
812 | + __func__); | |
813 | + android_errorWriteLog(0x534e4554, "69177292"); | |
814 | + goto bad_packet_length; | |
815 | + } | |
807 | 816 | len = *p++; |
808 | 817 | if (*rem_len < ((2 * len) + 1)) { |
809 | 818 | BNEP_TRACE_ERROR( |
@@ -831,6 +840,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len | ||
831 | 840 | break; |
832 | 841 | |
833 | 842 | case BNEP_FILTER_NET_TYPE_SET_MSG: |
843 | + if (*rem_len < 2) { | |
844 | + BNEP_TRACE_ERROR( | |
845 | + "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length", | |
846 | + __func__); | |
847 | + android_errorWriteLog(0x534e4554, "69177292"); | |
848 | + goto bad_packet_length; | |
849 | + } | |
834 | 850 | BE_STREAM_TO_UINT16 (len, p); |
835 | 851 | if (*rem_len < (len + 2)) |
836 | 852 | { |
@@ -857,6 +873,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len | ||
857 | 873 | break; |
858 | 874 | |
859 | 875 | case BNEP_FILTER_MULTI_ADDR_SET_MSG: |
876 | + if (*rem_len < 2) { | |
877 | + BNEP_TRACE_ERROR( | |
878 | + "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length", | |
879 | + __func__); | |
880 | + android_errorWriteLog(0x534e4554, "69177292"); | |
881 | + goto bad_packet_length; | |
882 | + } | |
860 | 883 | BE_STREAM_TO_UINT16 (len, p); |
861 | 884 | if (*rem_len < (len + 2)) |
862 | 885 | { |
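Review bot: This file pulls in `<cutils/log.h>` at L358 for `android_errorWriteLog`, while the other files in this merge that add the same call include `"log/log.h"` (L134, L181, L260, L293, L418); the sdp_server hunk at L592 makes the same `<cutils/log.h>` choice. One header should be used throughout so the build does not depend on which of the two is reachable from a given include path. The three new length guards at L367-373, L381-387 and L395-401 look correct as far as the hunk shows; the two-byte ones would read better with a comment naming what they protect, e.g. `/* BE_STREAM_TO_UINT16 below consumes 2 bytes */`. bnep_process_control_packet starts before L364 and continues after L404.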
@@ -115,6 +115,8 @@ void btu_free_core(void) | ||
115 | 115 | /* Free the mandatory core stack components */ |
116 | 116 | l2c_free(); |
117 | 117 | |
118 | + sdp_free(); | |
119 | + | |
118 | 120 | #if BLE_INCLUDED == TRUE |
119 | 121 | gatt_free(); |
120 | 122 | #endif |
@@ -29,6 +29,7 @@ | ||
29 | 29 | #include "bt_target.h" |
30 | 30 | #include "bt_common.h" |
31 | 31 | #include "l2cdefs.h" |
32 | +#include "log/log.h" | |
32 | 33 | #include "hcidefs.h" |
33 | 34 | #include "hcimsgs.h" |
34 | 35 | #include "sdp_api.h" |
@@ -45,9 +46,12 @@ | ||
45 | 46 | /* L O C A L F U N C T I O N P R O T O T Y P E S */ |
46 | 47 | /********************************************************************************/ |
47 | 48 | #if SDP_CLIENT_ENABLED == TRUE |
48 | -static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply); | |
49 | -static void process_service_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply); | |
50 | -static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply); | |
49 | +static void process_service_search_rsp (tCONN_CB* p_ccb, uint8_t* p_reply, | |
50 | + uint8_t* p_reply_end); | |
51 | +static void process_service_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply, | |
52 | + uint8_t* p_reply_end); | |
53 | +static void process_service_search_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply, | |
54 | + uint8_t* p_reply_end); | |
51 | 55 | static UINT8 *save_attr_seq (tCONN_CB *p_ccb, UINT8 *p, UINT8 *p_msg_end); |
52 | 56 | static tSDP_DISC_REC *add_record (tSDP_DISCOVERY_DB *p_db, BD_ADDR p_bda); |
53 | 57 | static UINT8 *add_attr (UINT8 *p, tSDP_DISCOVERY_DB *p_db, tSDP_DISC_REC *p_rec, |
@@ -197,7 +201,7 @@ void sdp_disc_connected (tCONN_CB *p_ccb) | ||
197 | 201 | { |
198 | 202 | p_ccb->disc_state = SDP_DISC_WAIT_SEARCH_ATTR; |
199 | 203 | |
200 | - process_service_search_attr_rsp (p_ccb, NULL); | |
204 | + process_service_search_attr_rsp (p_ccb, NULL, NULL); | |
201 | 205 | } |
202 | 206 | else |
203 | 207 | { |
@@ -235,6 +239,7 @@ void sdp_disc_server_rsp (tCONN_CB *p_ccb, BT_HDR *p_msg) | ||
235 | 239 | |
236 | 240 | /* Got a reply!! Check what we got back */ |
237 | 241 | p = (UINT8 *)(p_msg + 1) + p_msg->offset; |
242 | + uint8_t* p_end = p + p_msg->len; | |
238 | 243 | |
239 | 244 | BE_STREAM_TO_UINT8 (rsp_pdu, p); |
240 | 245 |
@@ -245,7 +250,7 @@ void sdp_disc_server_rsp (tCONN_CB *p_ccb, BT_HDR *p_msg) | ||
245 | 250 | case SDP_PDU_SERVICE_SEARCH_RSP: |
246 | 251 | if (p_ccb->disc_state == SDP_DISC_WAIT_HANDLES) |
247 | 252 | { |
248 | - process_service_search_rsp (p_ccb, p); | |
253 | + process_service_search_rsp (p_ccb, p, p_end); | |
249 | 254 | invalid_pdu = FALSE; |
250 | 255 | } |
251 | 256 | break; |
@@ -253,7 +258,7 @@ void sdp_disc_server_rsp (tCONN_CB *p_ccb, BT_HDR *p_msg) | ||
253 | 258 | case SDP_PDU_SERVICE_ATTR_RSP: |
254 | 259 | if (p_ccb->disc_state == SDP_DISC_WAIT_ATTR) |
255 | 260 | { |
256 | - process_service_attr_rsp (p_ccb, p); | |
261 | + process_service_attr_rsp (p_ccb, p, p_end); | |
257 | 262 | invalid_pdu = FALSE; |
258 | 263 | } |
259 | 264 | break; |
@@ -261,7 +266,7 @@ void sdp_disc_server_rsp (tCONN_CB *p_ccb, BT_HDR *p_msg) | ||
261 | 266 | case SDP_PDU_SERVICE_SEARCH_ATTR_RSP: |
262 | 267 | if (p_ccb->disc_state == SDP_DISC_WAIT_SEARCH_ATTR) |
263 | 268 | { |
264 | - process_service_search_attr_rsp (p_ccb, p); | |
269 | + process_service_search_attr_rsp (p_ccb, p, p_end); | |
265 | 270 | invalid_pdu = FALSE; |
266 | 271 | } |
267 | 272 | break; |
@@ -284,7 +289,8 @@ void sdp_disc_server_rsp (tCONN_CB *p_ccb, BT_HDR *p_msg) | ||
284 | 289 | ** Returns void |
285 | 290 | ** |
286 | 291 | *******************************************************************************/ |
287 | -static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply) | |
292 | +static void process_service_search_rsp (tCONN_CB* p_ccb, uint8_t* p_reply, | |
293 | + uint8_t* p_reply_end) | |
288 | 294 | { |
289 | 295 | UINT16 xx; |
290 | 296 | UINT16 total, cur_handles, orig; |
@@ -321,6 +327,11 @@ static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply) | ||
321 | 327 | sdp_disconnect (p_ccb, SDP_INVALID_CONT_STATE); |
322 | 328 | return; |
323 | 329 | } |
330 | + if (p_reply + cont_len > p_reply_end) { | |
331 | + android_errorWriteLog(0x534e4554, "68161546"); | |
332 | + sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE); | |
333 | + return; | |
334 | + } | |
324 | 335 | /* stay in the same state */ |
325 | 336 | sdp_snd_service_search_req(p_ccb, cont_len, p_reply); |
326 | 337 | } |
@@ -330,7 +341,7 @@ static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply) | ||
330 | 341 | p_ccb->disc_state = SDP_DISC_WAIT_ATTR; |
331 | 342 | |
332 | 343 | /* Kick off the first attribute request */ |
333 | - process_service_attr_rsp (p_ccb, NULL); | |
344 | + process_service_attr_rsp (p_ccb, NULL, NULL); | |
334 | 345 | } |
335 | 346 | } |
336 | 347 |
@@ -405,7 +416,8 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset) | ||
405 | 416 | ** Returns void |
406 | 417 | ** |
407 | 418 | *******************************************************************************/ |
408 | -static void process_service_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply) | |
419 | +static void process_service_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply, | |
420 | + uint8_t* p_reply_end) | |
409 | 421 | { |
410 | 422 | UINT8 *p_start, *p_param_len; |
411 | 423 | UINT16 param_len, list_byte_count; |
@@ -512,8 +524,12 @@ static void process_service_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply) | ||
512 | 524 | /* Was this a continuation request ? */ |
513 | 525 | if (cont_request_needed) |
514 | 526 | { |
515 | - memcpy (p, p_reply, *p_reply + 1); | |
516 | - p += *p_reply + 1; | |
527 | + if ((p_reply + *p_reply + 1) <= p_reply_end) { | |
528 | + memcpy(p, p_reply, *p_reply + 1); | |
529 | + p += *p_reply + 1; | |
530 | + } else { | |
531 | + android_errorWriteLog(0x534e4554, "68161546"); | |
532 | + } | |
517 | 533 | } |
518 | 534 | else |
519 | 535 | UINT8_TO_BE_STREAM (p, 0); |
@@ -551,7 +567,8 @@ static void process_service_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply) | ||
551 | 567 | ** Returns void |
552 | 568 | ** |
553 | 569 | *******************************************************************************/ |
554 | -static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply) | |
570 | +static void process_service_search_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply, | |
571 | + uint8_t* p_reply_end) | |
555 | 572 | { |
556 | 573 | UINT8 *p, *p_start, *p_end, *p_param_len; |
557 | 574 | UINT8 type; |
@@ -651,8 +668,12 @@ static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply) | ||
651 | 668 | /* No continuation for first request */ |
652 | 669 | if (p_reply) |
653 | 670 | { |
654 | - memcpy (p, p_reply, *p_reply + 1); | |
655 | - p += *p_reply + 1; | |
671 | + if ((p_reply + *p_reply + 1) <= p_reply_end) { | |
672 | + memcpy(p, p_reply, *p_reply + 1); | |
673 | + p += *p_reply + 1; | |
674 | + } else { | |
675 | + android_errorWriteLog(0x534e4554, "68161546"); | |
676 | + } | |
656 | 677 | } |
657 | 678 | else |
658 | 679 | UINT8_TO_BE_STREAM (p, 0); |
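Review bot: When the new bound at L529 fails, the else branch at L532-534 only logs and execution continues to build and send the request, so the continuation-state byte that the `else UINT8_TO_BE_STREAM(p, 0);` path would otherwise write is missing entirely and the peer receives a request with no continuation field; the hunk at L554-559 has the same gap. The earlier hunk in process_service_search_rsp handles the same condition by disconnecting (L496-500), which is the consistent choice: `android_errorWriteLog(0x534e4554, "68161546"); sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE); return;`, provided nothing allocated earlier in these functions needs releasing first (their bodies run outside the hunks). The checks themselves are written as `p_reply + n > p_reply_end`, which forms a pointer past the buffer before comparing; `(size_t)(p_reply_end - p_reply) < n` compares lengths instead. process_service_attr_rsp and process_service_search_attr_rsp both start and end outside the hunks shown.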
@@ -85,6 +85,10 @@ void sdp_init (void) | ||
85 | 85 | /* Clears all structures and local SDP database (if Server is enabled) */ |
86 | 86 | memset (&sdp_cb, 0, sizeof (tSDP_CB)); |
87 | 87 | |
88 | + for (int i = 0; i < SDP_MAX_CONNECTIONS; i++) { | |
89 | + sdp_cb.ccb[i].sdp_conn_timer = alarm_new("sdp.sdp_conn_timer"); | |
90 | + } | |
91 | + | |
88 | 92 | /* Initialize the L2CAP configuration. We only care about MTU and flush */ |
89 | 93 | sdp_cb.l2cap_my_cfg.mtu_present = TRUE; |
90 | 94 | sdp_cb.l2cap_my_cfg.mtu = SDP_MTU_SIZE; |
@@ -139,6 +143,13 @@ void sdp_init (void) | ||
139 | 143 | } |
140 | 144 | } |
141 | 145 | |
146 | +void sdp_free(void) { | |
147 | + for (int i = 0; i < SDP_MAX_CONNECTIONS; i++) { | |
148 | + alarm_free(sdp_cb.ccb[i].sdp_conn_timer); | |
149 | + sdp_cb.ccb[i].sdp_conn_timer = NULL; | |
150 | + } | |
151 | +} | |
152 | + | |
142 | 153 | #if (defined(SDP_DEBUG) && SDP_DEBUG == TRUE) |
143 | 154 | /******************************************************************************* |
144 | 155 | ** |
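Review bot: `sdp_free` at L578-583 is new and is called from btu_free_core (L409), but no hunk on this page declares it; unless a header btu_init.c already includes carries the prototype, that call relies on an implicit declaration, which C99 removed. It also lacks the `Function / Description / Returns` header block this file gives its other entry points (the style is visible at L586-587); a block saying that it releases the per-connection timers allocated by sdp_init, must be paired with that call, and must not run while any CCB is in use would match. The loop in sdp_init at L567-569 allocates a timer per CCB on every call, so if sdp_init can run twice without an intervening sdp_free the first set of alarms leaks; a one-line comment stating the init/free pairing pins that contract down. sdp_init starts before L564.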
@@ -23,6 +23,7 @@ | ||
23 | 23 | * |
24 | 24 | ******************************************************************************/ |
25 | 25 | |
26 | +#include <cutils/log.h> | |
26 | 27 | #include <stdlib.h> |
27 | 28 | #include <string.h> |
28 | 29 | #include <stdio.h> |
@@ -387,11 +388,25 @@ void sdp_server_handle_client_req (tCONN_CB *p_ccb, BT_HDR *p_msg) | ||
387 | 388 | alarm_set_on_queue(p_ccb->sdp_conn_timer, SDP_INACT_TIMEOUT_MS, |
388 | 389 | sdp_conn_timer_timeout, p_ccb, btu_general_alarm_queue); |
389 | 390 | |
391 | + if (p_req + sizeof(pdu_id) + sizeof(trans_num) > p_req_end) { | |
392 | + android_errorWriteLog(0x534e4554, "69384124"); | |
393 | + trans_num = 0; | |
394 | + sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, | |
395 | + SDP_TEXT_BAD_HEADER); | |
396 | + } | |
397 | + | |
390 | 398 | /* The first byte in the message is the pdu type */ |
391 | 399 | pdu_id = *p_req++; |
392 | 400 | |
393 | 401 | /* Extract the transaction number and parameter length */ |
394 | 402 | BE_STREAM_TO_UINT16 (trans_num, p_req); |
403 | + | |
404 | + if (p_req + sizeof(param_len) > p_req_end) { | |
405 | + android_errorWriteLog(0x534e4554, "69384124"); | |
406 | + sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, | |
407 | + SDP_TEXT_BAD_HEADER); | |
408 | + } | |
409 | + | |
395 | 410 | BE_STREAM_TO_UINT16 (param_len, p_req); |
396 | 411 | |
397 | 412 | if ((p_req + param_len) != p_req_end) |
@@ -456,17 +471,14 @@ static void process_service_search (tCONN_CB *p_ccb, UINT16 trans_num, | ||
456 | 471 | } |
457 | 472 | |
458 | 473 | /* Get the max replies we can send. Cap it at our max anyways. */ |
459 | - BE_STREAM_TO_UINT16 (max_replies, p_req); | |
460 | - | |
461 | - if (max_replies > SDP_MAX_RECORDS) | |
462 | - max_replies = SDP_MAX_RECORDS; | |
463 | - | |
464 | - | |
465 | - if ((!p_req) || (p_req > p_req_end)) | |
466 | - { | |
474 | + if (p_req + sizeof(max_replies) + sizeof(uint8_t) > p_req_end) { | |
475 | + android_errorWriteLog(0x534e4554, "69384124"); | |
467 | 476 | sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_MAX_RECORDS_LIST); |
468 | 477 | return; |
469 | 478 | } |
479 | + BE_STREAM_TO_UINT16(max_replies, p_req); | |
480 | + | |
481 | + if (max_replies > SDP_MAX_RECORDS) max_replies = SDP_MAX_RECORDS; | |
470 | 482 | |
471 | 483 | |
472 | 484 | /* Get a list of handles that match the UUIDs given to us */ |
@@ -483,8 +495,8 @@ static void process_service_search (tCONN_CB *p_ccb, UINT16 trans_num, | ||
483 | 495 | /* Check if this is a continuation request */ |
484 | 496 | if (*p_req) |
485 | 497 | { |
486 | - if (*p_req++ != SDP_CONTINUATION_LEN || (p_req >= p_req_end)) | |
487 | - { | |
498 | + if (*p_req++ != SDP_CONTINUATION_LEN || | |
499 | + (p_req + sizeof(cont_offset) > p_req_end)) { | |
488 | 500 | sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE, |
489 | 501 | SDP_TEXT_BAD_CONT_LEN); |
490 | 502 | return; |
@@ -602,15 +614,15 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, | ||
602 | 614 | BOOLEAN is_avrcp_ca_bit_reset = FALSE; |
603 | 615 | UINT16 attr_len; |
604 | 616 | |
605 | - /* Extract the record handle */ | |
606 | - BE_STREAM_TO_UINT32 (rec_handle, p_req); | |
607 | - | |
608 | - if (p_req > p_req_end) | |
609 | - { | |
617 | + if (p_req + sizeof(rec_handle) + sizeof(max_list_len) > p_req_end) { | |
618 | + android_errorWriteLog(0x534e4554, "69384124"); | |
610 | 619 | sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_SERV_REC_HDL, SDP_TEXT_BAD_HANDLE); |
611 | 620 | return; |
612 | 621 | } |
613 | 622 | |
623 | + /* Extract the record handle */ | |
624 | + BE_STREAM_TO_UINT32(rec_handle, p_req); | |
625 | + | |
614 | 626 | /* Get the max list length we can send. Cap it at MTU size minus overhead */ |
615 | 627 | BE_STREAM_TO_UINT16 (max_list_len, p_req); |
616 | 628 |
@@ -619,8 +631,8 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, | ||
619 | 631 | |
620 | 632 | p_req = sdpu_extract_attr_seq (p_req, param_len, &attr_seq); |
621 | 633 | |
622 | - if ((!p_req) || (!attr_seq.num_attr) || (p_req > p_req_end)) | |
623 | - { | |
634 | + if ((!p_req) || (!attr_seq.num_attr) || | |
635 | + (p_req + sizeof(uint8_t) > p_req_end)) { | |
624 | 636 | sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_ATTR_LIST); |
625 | 637 | return; |
626 | 638 | } |
@@ -635,13 +647,20 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, | ||
635 | 647 | return; |
636 | 648 | } |
637 | 649 | |
650 | + if (max_list_len < 4) { | |
651 | + sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL); | |
652 | + android_errorWriteLog(0x534e4554, "68776054"); | |
653 | + return; | |
654 | + } | |
655 | + | |
638 | 656 | /* Free and reallocate buffer */ |
639 | 657 | osi_free(p_ccb->rsp_list); |
640 | 658 | p_ccb->rsp_list = (UINT8 *)osi_malloc(max_list_len); |
641 | 659 | |
642 | 660 | /* Check if this is a continuation request */ |
643 | 661 | if (*p_req) { |
644 | - if (*p_req++ != SDP_CONTINUATION_LEN) { | |
662 | + if (*p_req++ != SDP_CONTINUATION_LEN || | |
663 | + (p_req + sizeof(cont_offset) > p_req_end)) { | |
645 | 664 | sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE, |
646 | 665 | SDP_TEXT_BAD_CONT_LEN); |
647 | 666 | return; |
@@ -938,8 +957,8 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, | ||
938 | 957 | /* Extract the UUID sequence to search for */ |
939 | 958 | p_req = sdpu_extract_uid_seq (p_req, param_len, &uid_seq); |
940 | 959 | |
941 | - if ((!p_req) || (!uid_seq.num_uids)) | |
942 | - { | |
960 | + if ((!p_req) || (!uid_seq.num_uids) || | |
961 | + (p_req + sizeof(uint16_t) > p_req_end)) { | |
943 | 962 | sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_UUID_LIST); |
944 | 963 | return; |
945 | 964 | } |
@@ -952,21 +971,28 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, | ||
952 | 971 | |
953 | 972 | p_req = sdpu_extract_attr_seq (p_req, param_len, &attr_seq); |
954 | 973 | |
955 | - if ((!p_req) || (!attr_seq.num_attr)) | |
956 | - { | |
974 | + if ((!p_req) || (!attr_seq.num_attr) || | |
975 | + (p_req + sizeof(uint8_t) > p_req_end)) { | |
957 | 976 | sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_ATTR_LIST); |
958 | 977 | return; |
959 | 978 | } |
960 | 979 | |
961 | 980 | memcpy(&attr_seq_sav, &attr_seq, sizeof(tSDP_ATTR_SEQ)) ; |
962 | 981 | |
982 | + if (max_list_len < 4) { | |
983 | + sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL); | |
984 | + android_errorWriteLog(0x534e4554, "68817966"); | |
985 | + return; | |
986 | + } | |
987 | + | |
963 | 988 | /* Free and reallocate buffer */ |
964 | 989 | osi_free(p_ccb->rsp_list); |
965 | 990 | p_ccb->rsp_list = (UINT8 *)osi_malloc(max_list_len); |
966 | 991 | |
967 | 992 | /* Check if this is a continuation request */ |
968 | 993 | if (*p_req) { |
969 | - if (*p_req++ != SDP_CONTINUATION_LEN) { | |
994 | + if (*p_req++ != SDP_CONTINUATION_LEN || | |
995 | + (p_req + sizeof(uint16_t) > p_req_end)) { | |
970 | 996 | sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE, |
971 | 997 | SDP_TEXT_BAD_CONT_LEN); |
972 | 998 | return; |
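Review bot: The continuation-offset bound at the end of this hunk is written `p_req + sizeof(uint16_t) > p_req_end`, while the identical check in process_service_attr_req uses `p_req + sizeof(cont_offset) > p_req_end`; the two functions should use one form, and `sizeof(cont_offset)` is preferable because it tracks the variable that is actually read next rather than a type assumed to match it. Also, `*p_req++` is evaluated before the bound is compared, which is correct only because `||` sequences left to right — a short comment such as `/* consume the length byte, then make sure the offset itself is inside the request */` would keep a later edit from reordering it. process_service_search_attr_req starts and ends outside this hunk.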
@@ -120,8 +120,9 @@ tCONN_CB *sdpu_allocate_ccb (void) | ||
120 | 120 | { |
121 | 121 | if (p_ccb->con_state == SDP_STATE_IDLE) |
122 | 122 | { |
123 | + alarm_t* alarm = p_ccb->sdp_conn_timer; | |
123 | 124 | memset(p_ccb, 0, sizeof(tCONN_CB)); |
124 | - p_ccb->sdp_conn_timer = alarm_new("sdp.sdp_conn_timer"); | |
125 | + p_ccb->sdp_conn_timer = alarm; | |
125 | 126 | return (p_ccb); |
126 | 127 | } |
127 | 128 | } |
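Review bot: Carrying `sdp_conn_timer` across the memset assumes the alarm was created once for the control block and is non-NULL here; if a block can reach this path before that allocation (the init/teardown side, including the new sdp_free, is outside this view), `alarm` is NULL and the ccb is handed out with no timer without any diagnostic. A comment above the save, `/* the alarm outlives individual connections; keep it across the reset */`, plus a trace when `alarm == NULL`, would make the invariant explicit instead of implied by the diff. sdpu_allocate_ccb starts and ends outside this hunk.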
@@ -143,8 +144,7 @@ tCONN_CB *sdpu_allocate_ccb (void) | ||
143 | 144 | void sdpu_release_ccb (tCONN_CB *p_ccb) |
144 | 145 | { |
145 | 146 | /* Ensure timer is stopped */ |
146 | - alarm_free(p_ccb->sdp_conn_timer); | |
147 | - p_ccb->sdp_conn_timer = NULL; | |
147 | + alarm_cancel(p_ccb->sdp_conn_timer); | |
148 | 148 | |
149 | 149 | /* Drop any response pointer we may be holding */ |
150 | 150 | p_ccb->con_state = SDP_STATE_IDLE; |
@@ -406,6 +406,8 @@ UINT8 *sdpu_extract_uid_seq (UINT8 *p, UINT16 param_len, tSDP_UUID_SEQ *p_seq) | ||
406 | 406 | p_seq->num_uids = 0; |
407 | 407 | |
408 | 408 | /* A UID sequence is composed of a bunch of UIDs. */ |
409 | + if (sizeof(descr) > param_len) return (NULL); | |
410 | + param_len -= sizeof(descr); | |
409 | 411 | |
410 | 412 | BE_STREAM_TO_UINT8 (descr, p); |
411 | 413 | type = descr >> 3; |
@@ -426,19 +428,25 @@ UINT8 *sdpu_extract_uid_seq (UINT8 *p, UINT16 param_len, tSDP_UUID_SEQ *p_seq) | ||
426 | 428 | seq_len = 16; |
427 | 429 | break; |
428 | 430 | case SIZE_IN_NEXT_BYTE: |
431 | + if (sizeof(uint8_t) > param_len) return (NULL); | |
432 | + param_len -= sizeof(uint8_t); | |
429 | 433 | BE_STREAM_TO_UINT8 (seq_len, p); |
430 | 434 | break; |
431 | 435 | case SIZE_IN_NEXT_WORD: |
436 | + if (sizeof(uint16_t) > param_len) return (NULL); | |
437 | + param_len -= sizeof(uint16_t); | |
432 | 438 | BE_STREAM_TO_UINT16 (seq_len, p); |
433 | 439 | break; |
434 | 440 | case SIZE_IN_NEXT_LONG: |
441 | + if (sizeof(uint32_t) > param_len) return (NULL); | |
442 | + param_len -= sizeof(uint32_t); | |
435 | 443 | BE_STREAM_TO_UINT32 (seq_len, p); |
436 | 444 | break; |
437 | 445 | default: |
438 | 446 | return (NULL); |
439 | 447 | } |
440 | 448 | |
441 | - if (seq_len >= param_len) | |
449 | + if (seq_len > param_len) | |
442 | 450 | return (NULL); |
443 | 451 | |
444 | 452 | p_seq_end = p + seq_len; |
@@ -465,12 +473,15 @@ UINT8 *sdpu_extract_uid_seq (UINT8 *p, UINT16 param_len, tSDP_UUID_SEQ *p_seq) | ||
465 | 473 | uuid_len = 16; |
466 | 474 | break; |
467 | 475 | case SIZE_IN_NEXT_BYTE: |
476 | + if (p + sizeof(uint8_t) > p_seq_end) return NULL; | |
468 | 477 | BE_STREAM_TO_UINT8 (uuid_len, p); |
469 | 478 | break; |
470 | 479 | case SIZE_IN_NEXT_WORD: |
480 | + if (p + sizeof(uint16_t) > p_seq_end) return NULL; | |
471 | 481 | BE_STREAM_TO_UINT16 (uuid_len, p); |
472 | 482 | break; |
473 | 483 | case SIZE_IN_NEXT_LONG: |
484 | + if (p + sizeof(uint32_t) > p_seq_end) return NULL; | |
474 | 485 | BE_STREAM_TO_UINT32 (uuid_len, p); |
475 | 486 | break; |
476 | 487 | default: |
@@ -478,8 +489,8 @@ UINT8 *sdpu_extract_uid_seq (UINT8 *p, UINT16 param_len, tSDP_UUID_SEQ *p_seq) | ||
478 | 489 | } |
479 | 490 | |
480 | 491 | /* If UUID length is valid, copy it across */ |
481 | - if ((uuid_len == 2) || (uuid_len == 4) || (uuid_len == 16)) | |
482 | - { | |
492 | + if (((uuid_len == 2) || (uuid_len == 4) || (uuid_len == 16)) && | |
493 | + (p + uuid_len <= p_seq_end)) { | |
483 | 494 | p_seq->uuid_entry[p_seq->num_uids].len = (UINT16) uuid_len; |
484 | 495 | BE_STREAM_TO_ARRAY (p, p_seq->uuid_entry[p_seq->num_uids].value, (int)uuid_len); |
485 | 496 | p_seq->num_uids++; |
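Review bot: The added `p + uuid_len <= p_seq_end` bound protects the read from the request, but the write into `p_seq->uuid_entry[p_seq->num_uids]` still depends on a bound on `num_uids` against the entry array size that is not visible in this hunk; if the enclosing loop does not enforce it before the store or immediately after the increment, a long UUID list still overruns the array. Worth confirming, and a one-line comment on this branch naming where that bound lives would save the next reader the search. The else branch and the enclosing loop are outside the hunk.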
@@ -520,33 +531,41 @@ UINT8 *sdpu_extract_attr_seq (UINT8 *p, UINT16 param_len, tSDP_ATTR_SEQ *p_seq) | ||
520 | 531 | p_seq->num_attr = 0; |
521 | 532 | |
522 | 533 | /* Get attribute sequence info */ |
534 | + if (param_len < sizeof(descr)) return NULL; | |
535 | + param_len -= sizeof(descr); | |
523 | 536 | BE_STREAM_TO_UINT8 (descr, p); |
524 | 537 | type = descr >> 3; |
525 | 538 | size = descr & 7; |
526 | 539 | |
527 | 540 | if (type != DATA_ELE_SEQ_DESC_TYPE) |
528 | - return (p); | |
541 | + return NULL; | |
529 | 542 | |
530 | 543 | switch (size) |
531 | 544 | { |
532 | 545 | case SIZE_IN_NEXT_BYTE: |
546 | + if (param_len < sizeof(uint8_t)) return NULL; | |
547 | + param_len -= sizeof(uint8_t); | |
533 | 548 | BE_STREAM_TO_UINT8 (list_len, p); |
534 | 549 | break; |
535 | 550 | |
536 | 551 | case SIZE_IN_NEXT_WORD: |
552 | + if (param_len < sizeof(uint16_t)) return NULL; | |
553 | + param_len -= sizeof(uint16_t); | |
537 | 554 | BE_STREAM_TO_UINT16 (list_len, p); |
538 | 555 | break; |
539 | 556 | |
540 | 557 | case SIZE_IN_NEXT_LONG: |
558 | + if (param_len < sizeof(uint32_t)) return NULL; | |
559 | + param_len -= sizeof(uint32_t); | |
541 | 560 | BE_STREAM_TO_UINT32 (list_len, p); |
542 | 561 | break; |
543 | 562 | |
544 | 563 | default: |
545 | - return (p); | |
564 | + return NULL; | |
546 | 565 | } |
547 | 566 | |
548 | 567 | if (list_len > param_len) |
549 | - return (p); | |
568 | + return NULL; | |
550 | 569 | |
551 | 570 | p_end_list = p + list_len; |
552 | 571 |
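Review bot: Changing the malformed-input paths from `return (p)` to `return NULL` tightens the function's contract, but nothing in the hunk documents it; the visible callers test both `!p_req` and `!attr_seq.num_attr`, and the second test now mainly covers a well-formed sequence with `list_len` 0, which still returns non-NULL with `num_attr == 0`. A header comment along the lines of `/* Returns NULL on malformed input; a non-NULL return with num_attr == 0 is an empty but well-formed sequence */` would pin that down so the callers' double check is understood rather than removed as redundant. The function header is outside this hunk.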
@@ -558,7 +577,7 @@ UINT8 *sdpu_extract_attr_seq (UINT8 *p, UINT16 param_len, tSDP_ATTR_SEQ *p_seq) | ||
558 | 577 | size = descr & 7; |
559 | 578 | |
560 | 579 | if (type != UINT_DESC_TYPE) |
561 | - return (p); | |
580 | + return NULL; | |
562 | 581 | |
563 | 582 | switch (size) |
564 | 583 | { |
@@ -569,20 +588,24 @@ UINT8 *sdpu_extract_attr_seq (UINT8 *p, UINT16 param_len, tSDP_ATTR_SEQ *p_seq) | ||
569 | 588 | attr_len = 4; |
570 | 589 | break; |
571 | 590 | case SIZE_IN_NEXT_BYTE: |
591 | + if (p + sizeof(uint8_t) > p_end_list) return NULL; | |
572 | 592 | BE_STREAM_TO_UINT8 (attr_len, p); |
573 | 593 | break; |
574 | 594 | case SIZE_IN_NEXT_WORD: |
595 | + if (p + sizeof(uint16_t) > p_end_list) return NULL; | |
575 | 596 | BE_STREAM_TO_UINT16 (attr_len, p); |
576 | 597 | break; |
577 | 598 | case SIZE_IN_NEXT_LONG: |
599 | + if (p + sizeof(uint32_t) > p_end_list) return NULL; | |
578 | 600 | BE_STREAM_TO_UINT32 (attr_len, p); |
579 | 601 | break; |
580 | 602 | default: |
581 | - return (NULL); | |
603 | + return NULL; | |
582 | 604 | break; |
583 | 605 | } |
584 | 606 | |
585 | 607 | /* Attribute length must be 2-bytes or 4-bytes for a paired entry. */ |
608 | + if (p + attr_len > p_end_list) return NULL; | |
586 | 609 | if (attr_len == 2) |
587 | 610 | { |
588 | 611 | BE_STREAM_TO_UINT16 (p_seq->attr_entry[p_seq->num_attr].start, p); |
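Review bot: The new bound `p + attr_len > p_end_list` adds a wire-supplied 32-bit `attr_len` (from the SIZE_IN_NEXT_LONG case) to `p`, so for values larger than the remaining list it forms an out-of-bounds pointer, which is undefined behaviour and can wrap on a 32-bit target so that the comparison passes. The practical impact looks limited because the 2-/4-byte test that follows rejects other lengths, but the check should compare lengths rather than pointers: `if (attr_len > (size_t)(p_end_list - p)) return NULL;`. The same form would suit the `p + sizeof(...)` checks above it, although those add at most four bytes. sdpu_extract_attr_seq continues outside the hunk.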
@@ -247,6 +247,7 @@ extern tSDP_CB *sdp_cb_ptr; | ||
247 | 247 | |
248 | 248 | /* Functions provided by sdp_main.c */ |
249 | 249 | extern void sdp_init (void); |
250 | +extern void sdp_free(void); | |
250 | 251 | extern void sdp_disconnect (tCONN_CB*p_ccb, UINT16 reason); |
251 | 252 | |
252 | 253 | #if (defined(SDP_DEBUG) && SDP_DEBUG == TRUE) |
@@ -297,8 +297,7 @@ BOOLEAN smp_send_msg_to_L2CAP(BD_ADDR rem_bda, BT_HDR *p_toL2CAP) | ||
297 | 297 | if ((l2cap_ret = L2CA_SendFixedChnlData (fixed_cid, rem_bda, p_toL2CAP)) == L2CAP_DW_FAILED) |
298 | 298 | { |
299 | 299 | smp_cb.total_tx_unacked -= 1; |
300 | - SMP_TRACE_ERROR("SMP failed to pass msg:0x%0x to L2CAP", | |
301 | - *((UINT8 *)(p_toL2CAP + 1) + p_toL2CAP->offset)); | |
300 | + SMP_TRACE_ERROR("SMP failed to pass msg to L2CAP"); | |
302 | 301 | return FALSE; |
303 | 302 | } |
304 | 303 | else |
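Review bot: Dropping the opcode from the error trace loses the one piece of context that made the failure diagnosable; if the reason for the change is that `p_toL2CAP` may already be consumed or freed by L2CA_SendFixedChnlData on the failing path (inferred — buffer ownership is outside this hunk), the byte should be captured before the call rather than not at all: `UINT8 opcode = *((UINT8 *)(p_toL2CAP + 1) + p_toL2CAP->offset);` ahead of the `L2CA_SendFixedChnlData` line, then `SMP_TRACE_ERROR("SMP failed to pass msg:0x%0x to L2CAP", opcode);`. A short comment on the trace, `/* do not touch p_toL2CAP here: L2CAP owns it after the send call */`, would stop the original read from being reintroduced. smp_send_msg_to_L2CAP starts and ends outside the hunk.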