OSDN > Developer > keagan_johansen > Chamber > system-bt > 提交

system-bt
Fork

R/O
HTTP
SSH
HTTPS

提交

Commit MetaInfo

修订版	200dfcc9948b7f6a0939b528dd731f7eb5bfc25a (tree)
时间	2018-05-02 23:45:38
作者	Chih-Wei Huang <cwhuang@linu...>
Commiter	Chih-Wei Huang

Log Message

Merge remote-tracking branch 'cm/cm-14.1' into cm-14.1-x86

更改概述

modified: audio_a2dp_hw/bthost_ipc.c (diff)
modified: bta/pan/bta_pan_act.c (diff)
modified: osi/src/alarm.c (diff)
modified: osi/src/config.c (diff)
modified: stack/avrc/avrc_pars_ct.c (diff)
modified: stack/avrc/avrc_pars_tg.c (diff)
modified: stack/bnep/bnep_main.c (diff)
modified: stack/bnep/bnep_utils.c (diff)
modified: stack/btu/btu_init.c (diff)
modified: stack/sdp/sdp_discovery.c (diff)
modified: stack/sdp/sdp_main.c (diff)
modified: stack/sdp/sdp_server.c (diff)
modified: stack/sdp/sdp_utils.c (diff)
modified: stack/sdp/sdpint.h (diff)
modified: stack/smp/smp_utils.c (diff)

差异

--- a/audio_a2dp_hw/bthost_ipc.c

+++ b/audio_a2dp_hw/bthost_ipc.c

		@@ -198,7 +198,7 @@ static void* a2dp_codec_parser(uint8_t codec_cfg, audio_format_t codec_type)
198	198	sbc_codec.sampling_rate = 44100;
199	199	break;
200	200	case A2D_SBC_SAMP_FREQ_32:
201		- sbc_codec.sampling_rate = 3200;
	201	+ sbc_codec.sampling_rate = 32000;
202	202	break;
203	203	case A2D_SBC_SAMP_FREQ_16:
204	204	sbc_codec.sampling_rate = 16000;

--- a/bta/pan/bta_pan_act.c

+++ b/bta/pan/bta_pan_act.c

		@@ -176,6 +176,11 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
176	176	tBTA_PAN_SCB *p_scb;
177	177	BT_HDR *p_new_buf;
178	178
	179	+ p_scb = bta_pan_scb_by_handle(handle);
	180	+ if (p_scb == NULL) {
	181	+ return;
	182	+ }
	183	+
179	184	if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
180	185	/* offset smaller than data structure in front of actual data */
181	186	if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >

		@@ -183,7 +188,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
183	188	android_errorWriteLog(0x534e4554, "63146237");
184	189	APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
185	190	p_buf->len);
186		- osi_free(p_buf);
187	191	return;
188	192	}
189	193	p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE);

		@@ -191,7 +195,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
191	195	(UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len);
192	196	p_new_buf->len = p_buf->len;
193	197	p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
194		- osi_free(p_buf);
195	198	} else {
196	199	p_new_buf = p_buf;
197	200	}

		@@ -202,11 +205,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
202	205	((tBTA_PAN_DATA_PARAMS *)p_new_buf)->ext = ext;
203	206	((tBTA_PAN_DATA_PARAMS *)p_new_buf)->forward = forward;
204	207
205		- if ((p_scb = bta_pan_scb_by_handle(handle)) == NULL) {
206		- osi_free(p_new_buf);
207		- return;
208		- }
209		-
210	208	fixed_queue_enqueue(p_scb->data_queue, p_new_buf);
211	209	BT_HDR p_event = (BT_HDR )osi_malloc(sizeof(BT_HDR));
212	210	p_event->layer_specific = handle;

--- a/osi/src/alarm.c

+++ b/osi/src/alarm.c

		@@ -64,7 +64,6 @@ typedef struct {
64	64	size_t rescheduled_count;
65	65	size_t total_updates;
66	66	period_ms_t last_update_ms;
67		- stat_t callback_execution;
68	67	stat_t overdue_scheduling;
69	68	stat_t premature_scheduling;
70	69	} alarm_stats_t;

		@@ -134,8 +133,7 @@ static void callback_dispatch(void *context);
134	133	static bool timer_create_internal(const clockid_t clock_id, timer_t *timer);
135	134	static void update_scheduling_stats(alarm_stats_t *stats,
136	135	period_ms_t now_ms,
137		- period_ms_t deadline_ms,
138		- period_ms_t execution_delta_ms);
	136	+ period_ms_t deadline_ms);
139	137
140	138	static void update_stat(stat_t *stat, period_ms_t delta)
141	139	{

		@@ -613,14 +611,12 @@ static void alarm_queue_ready(fixed_queue_t *queue,
613	611	pthread_mutex_lock(&alarm->callback_lock);
614	612	pthread_mutex_unlock(&monitor);
615	613
616		- period_ms_t t0 = now();
617		- callback(data);
618		- period_ms_t t1 = now();
619		-
620	614	// Update the statistics
621		- assert(t1 >= t0);
622		- period_ms_t delta = t1 - t0;
623		- update_scheduling_stats(&alarm->stats, t0, deadline, delta);
	615	+ update_scheduling_stats(&alarm->stats, now(), deadline);
	616	+
	617	+ // NOTE: Do NOT access "alarm" after the callback, as a safety precaution
	618	+ // in case the callback itself deleted the alarm.
	619	+ callback(data);
624	620
625	621	pthread_mutex_unlock(&alarm->callback_lock);
626	622	}

		@@ -694,14 +690,11 @@ static bool timer_create_internal(const clockid_t clock_id, timer_t *timer) {
694	690
695	691	static void update_scheduling_stats(alarm_stats_t *stats,
696	692	period_ms_t now_ms,
697		- period_ms_t deadline_ms,
698		- period_ms_t execution_delta_ms)
	693	+ period_ms_t deadline_ms)
699	694	{
700	695	stats->total_updates++;
701	696	stats->last_update_ms = now_ms;
702	697
703		- update_stat(&stats->callback_execution, execution_delta_ms);
704		-
705	698	if (deadline_ms < now_ms) {
706	699	// Overdue scheduling
707	700	period_ms_t delta_ms = now_ms - deadline_ms;

		@@ -754,7 +747,7 @@ void alarm_debug_dump(int fd)
754	747	dprintf(fd, "%-51s: %zu / %zu / %zu / %zu\n",
755	748	" Action counts (sched/resched/exec/cancel)",
756	749	stats->scheduled_count, stats->rescheduled_count,
757		- stats->callback_execution.count, stats->canceled_count);
	750	+ stats->total_updates, stats->canceled_count);
758	751
759	752	dprintf(fd, "%-51s: %zu / %zu\n",
760	753	" Deviation counts (overdue/premature)",

		@@ -767,9 +760,6 @@ void alarm_debug_dump(int fd)
767	760	(unsigned long long) alarm->period,
768	761	(long long)(alarm->deadline - just_now));
769	762
770		- dump_stat(fd, &stats->callback_execution,
771		- " Callback execution time in ms (total/max/avg)");
772		-
773	763	dump_stat(fd, &stats->overdue_scheduling,
774	764	" Overdue scheduling time in ms (total/max/avg)");
775	765

--- a/osi/src/config.c

+++ b/osi/src/config.c

		@@ -34,6 +34,7 @@
34	34	#include "osi/include/allocator.h"
35	35	#include "osi/include/list.h"
36	36	#include "osi/include/log.h"
	37	+#include "log/log.h"
37	38
38	39	typedef struct {
39	40	char *key;

		@@ -221,16 +222,36 @@ void config_set_string(config_t config, const char section, const char *key, c
221	222	}
222	223
223	224	if (sec) {
	225	+ char value_string = (char )value;
	226	+ char *value_no_newline;
	227	+ char *newline = strstr(value_string, "\n");
	228	+ if (newline) {
	229	+ android_errorWriteLog(0x534e4554, "70808273");
	230	+ size_t newline_pos = newline - value_string;
	231	+ value_no_newline = osi_strndup(value_string, newline_pos);
	232	+ if (!value_no_newline) {
	233	+ LOG_ERROR(LOG_TAG,"%s: Unable to allocate memory for value_no_newline", __func__);
	234	+ return;
	235	+ }
	236	+ } else {
	237	+ value_no_newline = value_string;
	238	+ }
224	239	for (const list_node_t *node = list_begin(sec->entries); node != list_end(sec->entries); node = list_next(node)) {
225	240	entry_t *entry = list_node(node);
226	241	if (!strcmp(entry->key, key)) {
227	242	osi_free(entry->value);
228		- entry->value = osi_strdup(value);
	243	+ entry->value = osi_strdup(value_no_newline);
	244	+ if (newline) {
	245	+ osi_free(value_no_newline);
	246	+ }
229	247	return;
230	248	}
231	249	}
232	250
233		- entry_t *entry = entry_new(key, value);
	251	+ entry_t *entry = entry_new(key, value_no_newline);
	252	+ if (newline) {
	253	+ osi_free(value_no_newline);
	254	+ }
234	255	list_append(sec->entries, entry);
235	256	}
236	257	}

--- a/stack/avrc/avrc_pars_ct.c

+++ b/stack/avrc/avrc_pars_ct.c

		@@ -22,6 +22,7 @@
22	22	#include "avrc_defs.h"
23	23	#include "avrc_int.h"
24	24	#include "bt_utils.h"
	25	+#include "log/log.h"
25	26
26	27	/*****************************************************************************
27	28	** Global data

		@@ -227,6 +228,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
227	228	}
228	229	BE_STREAM_TO_UINT8(p_result->list_app_attr.num_attr, p);
229	230	AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->list_app_attr.num_attr);
	231	+
	232	+ if (p_result->list_app_attr.num_attr > AVRC_MAX_APP_ATTR_SIZE) {
	233	+ android_errorWriteLog(0x534e4554, "63146237");
	234	+ p_result->list_app_attr.num_attr = AVRC_MAX_APP_ATTR_SIZE;
	235	+ }
	236	+
230	237	for(int xx = 0; xx < p_result->list_app_attr.num_attr; xx++)
231	238	{
232	239	BE_STREAM_TO_UINT8(p_result->list_app_attr.attrs[xx], p);

		@@ -258,6 +265,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
258	265	tAVRC_APP_SETTING *app_sett =
259	266	(tAVRC_APP_SETTING)osi_malloc(p_result->get_cur_app_val.num_valsizeof(tAVRC_APP_SETTING));
260	267	AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->get_cur_app_val.num_val);
	268	+
	269	+ if (p_result->get_cur_app_val.num_val > AVRC_MAX_APP_ATTR_SIZE) {
	270	+ android_errorWriteLog(0x534e4554, "63146237");
	271	+ p_result->get_cur_app_val.num_val = AVRC_MAX_APP_ATTR_SIZE;
	272	+ }
	273	+
261	274	for (int xx = 0; xx < p_result->get_cur_app_val.num_val; xx++)
262	275	{
263	276	BE_STREAM_TO_UINT8(app_sett[xx].attr_id, p);

		@@ -269,7 +282,6 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
269	282
270	283	case AVRC_PDU_GET_PLAYER_APP_ATTR_TEXT:
271	284	{
272		- tAVRC_APP_SETTING_TEXT *p_setting_text;
273	285	UINT8 num_attrs;
274	286
275	287	if (len == 0)

		@@ -278,9 +290,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
278	290	break;
279	291	}
280	292	BE_STREAM_TO_UINT8(num_attrs, p);
	293	+ if (num_attrs > AVRC_MAX_APP_ATTR_SIZE) {
	294	+ num_attrs = AVRC_MAX_APP_ATTR_SIZE;
	295	+ }
281	296	AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->get_app_attr_txt.num_attr);
282	297	p_result->get_app_attr_txt.num_attr = num_attrs;
283		- p_setting_text = (tAVRC_APP_SETTING_TEXT)osi_malloc(num_attrs sizeof(tAVRC_APP_SETTING_TEXT));
	298	+ p_result->get_app_attr_txt.p_attrs = (tAVRC_APP_SETTING_TEXT)osi_malloc(num_attrs sizeof(tAVRC_APP_SETTING_TEXT));
284	299	for (int xx = 0; xx < num_attrs; xx++)
285	300	{
286	301	BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].attr_id, p);

		@@ -300,7 +315,6 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
300	315
301	316	case AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT:
302	317	{
303		- tAVRC_APP_SETTING_TEXT *p_setting_text;
304	318	UINT8 num_vals;
305	319
306	320	if (len == 0)

		@@ -309,10 +323,13 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
309	323	break;
310	324	}
311	325	BE_STREAM_TO_UINT8(num_vals, p);
	326	+ if (num_vals > AVRC_MAX_APP_ATTR_SIZE) {
	327	+ num_vals = AVRC_MAX_APP_ATTR_SIZE;
	328	+ }
312	329	p_result->get_app_val_txt.num_attr = num_vals;
313	330	AVRC_TRACE_DEBUG("%s value count = %d ", __func__, p_result->get_app_val_txt.num_attr);
314	331
315		- p_setting_text = (tAVRC_APP_SETTING_TEXT )osi_malloc(num_vals sizeof(tAVRC_APP_SETTING_TEXT));
	332	+ p_result->get_app_val_txt.p_attrs = (tAVRC_APP_SETTING_TEXT )osi_malloc(num_vals sizeof(tAVRC_APP_SETTING_TEXT));
316	333	for (int i = 0; i < num_vals; i++) {
317	334	BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].attr_id, p);
318	335	BE_STREAM_TO_UINT16(p_result->get_app_val_txt.p_attrs[i].charset_id, p);

--- a/stack/avrc/avrc_pars_tg.c

+++ b/stack/avrc/avrc_pars_tg.c

		@@ -21,6 +21,7 @@
21	21	#include "avrc_api.h"
22	22	#include "avrc_defs.h"
23	23	#include "avrc_int.h"
	24	+#include "log/log.h"
24	25
25	26	/*****************************************************************************
26	27	** Global data

		@@ -169,6 +170,12 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR p_msg, tAVRC_COMMAND p_
169	170	status = AVRC_STS_INTERNAL_ERR;
170	171	break;
171	172	}
	173	+
	174	+ if (p_result->get_cur_app_val.num_attr > AVRC_MAX_APP_ATTR_SIZE) {
	175	+ android_errorWriteLog(0x534e4554, "63146237");
	176	+ p_result->get_cur_app_val.num_attr = AVRC_MAX_APP_ATTR_SIZE;
	177	+ }
	178	+
172	179	p_u8 = p_result->get_cur_app_val.attrs;
173	180	for (xx=0, yy=0; xx< p_result->get_cur_app_val.num_attr; xx++)
174	181	{

		@@ -229,6 +236,11 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR p_msg, tAVRC_COMMAND p_
229	236	status = AVRC_STS_INTERNAL_ERR;
230	237	else
231	238	{
	239	+ if (p_result->get_app_val_txt.num_val > AVRC_MAX_APP_ATTR_SIZE) {
	240	+ android_errorWriteLog(0x534e4554, "63146237");
	241	+ p_result->get_app_val_txt.num_val = AVRC_MAX_APP_ATTR_SIZE;
	242	+ }
	243	+
232	244	p_u8 = p_result->get_app_val_txt.vals;
233	245	for (xx=0; xx< p_result->get_app_val_txt.num_val; xx++)
234	246	{

--- a/stack/bnep/bnep_main.c

+++ b/stack/bnep/bnep_main.c

		@@ -35,6 +35,7 @@
35	35
36	36	#include "l2c_api.h"
37	37	#include "l2cdefs.h"
	38	+#include "log/log.h"
38	39
39	40	#include "btu.h"
40	41	#include "btm_api.h"

		@@ -495,6 +496,12 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
495	496	type = *p++;
496	497	extension_present = type >> 7;
497	498	type &= 0x7f;
	499	+ if (type >= sizeof(bnep_frame_hdr_sizes) / sizeof(bnep_frame_hdr_sizes[0])) {
	500	+ BNEP_TRACE_EVENT("BNEP - rcvd frame, bad type: 0x%02x", type);
	501	+ android_errorWriteLog(0x534e4554, "68818034");
	502	+ osi_free(p_buf);
	503	+ return;
	504	+ }
498	505	if ((rem_len <= bnep_frame_hdr_sizes[type]) \|\| (rem_len > BNEP_MTU_SIZE))
499	506	{
500	507	BNEP_TRACE_EVENT ("BNEP - rcvd frame, bad len: %d type: 0x%02x", p_buf->len, type);

		@@ -524,20 +531,20 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
524	531	org_len = rem_len;
525	532	new_len = 0;
526	533	do {
527		-
	534	+ if (org_len < 2) break;
528	535	ext = *p++;
529	536	length = *p++;
530	537	p += length;
531	538
	539	+ new_len = (length + 2);
	540	+ if (new_len > org_len) break;
	541	+
532	542	if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))
533	543	bnep_send_command_not_understood (p_bcb, *p);
534	544
535		- new_len += (length + 2);
536		-
537		- if (new_len > org_len)
538		- break;
539		-
	545	+ org_len -= new_len;
540	546	} while (ext & 0x80);
	547	+ android_errorWriteLog(0x534e4554, "67863755");
541	548	}
542	549
543	550	osi_free(p_buf);

		@@ -586,6 +593,8 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
586	593	while (extension_present && p && rem_len)
587	594	{
588	595	ext_type = *p++;
	596	+ rem_len--;
	597	+ android_errorWriteLog(0x534e4554, "69271284");
589	598	extension_present = ext_type >> 7;
590	599	ext_type &= 0x7F;
591	600

		@@ -657,6 +666,7 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
657	666	if (bnep_cb.p_data_buf_cb)
658	667	{
659	668	(*bnep_cb.p_data_buf_cb)(p_bcb->handle, p_src_addr, p_dst_addr, protocol, p_buf, fw_ext_present);
	669	+ osi_free(p_buf);
660	670	}
661	671	else if (bnep_cb.p_data_ind_cb)
662	672	{

--- a/stack/bnep/bnep_utils.c

+++ b/stack/bnep/bnep_utils.c

		@@ -22,6 +22,8 @@
22	22	*
23	23	******************************************************************************/
24	24
	25	+#include <cutils/log.h>
	26	+
25	27	#include <stdio.h>
26	28	#include <string.h>
27	29	#include "bt_common.h"

		@@ -804,6 +806,13 @@ UINT8 bnep_process_control_packet (tBNEP_CONN p_bcb, UINT8 p, UINT16 rem_len
804	806	break;
805	807
806	808	case BNEP_SETUP_CONNECTION_REQUEST_MSG:
	809	+ if (*rem_len < 1) {
	810	+ BNEP_TRACE_ERROR(
	811	+ "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
	812	+ __func__);
	813	+ android_errorWriteLog(0x534e4554, "69177292");
	814	+ goto bad_packet_length;
	815	+ }
807	816	len = *p++;
808	817	if (rem_len < ((2 len) + 1)) {
809	818	BNEP_TRACE_ERROR(

		@@ -831,6 +840,13 @@ UINT8 bnep_process_control_packet (tBNEP_CONN p_bcb, UINT8 p, UINT16 rem_len
831	840	break;
832	841
833	842	case BNEP_FILTER_NET_TYPE_SET_MSG:
	843	+ if (*rem_len < 2) {
	844	+ BNEP_TRACE_ERROR(
	845	+ "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
	846	+ __func__);
	847	+ android_errorWriteLog(0x534e4554, "69177292");
	848	+ goto bad_packet_length;
	849	+ }
834	850	BE_STREAM_TO_UINT16 (len, p);
835	851	if (*rem_len < (len + 2))
836	852	{

		@@ -857,6 +873,13 @@ UINT8 bnep_process_control_packet (tBNEP_CONN p_bcb, UINT8 p, UINT16 rem_len
857	873	break;
858	874
859	875	case BNEP_FILTER_MULTI_ADDR_SET_MSG:
	876	+ if (*rem_len < 2) {
	877	+ BNEP_TRACE_ERROR(
	878	+ "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
	879	+ __func__);
	880	+ android_errorWriteLog(0x534e4554, "69177292");
	881	+ goto bad_packet_length;
	882	+ }
860	883	BE_STREAM_TO_UINT16 (len, p);
861	884	if (*rem_len < (len + 2))
862	885	{

--- a/stack/btu/btu_init.c

+++ b/stack/btu/btu_init.c

		@@ -115,6 +115,8 @@ void btu_free_core(void)
115	115	/* Free the mandatory core stack components */
116	116	l2c_free();
117	117
	118	+ sdp_free();
	119	+
118	120	#if BLE_INCLUDED == TRUE
119	121	gatt_free();
120	122	#endif

--- a/stack/sdp/sdp_discovery.c

+++ b/stack/sdp/sdp_discovery.c

		@@ -29,6 +29,7 @@
29	29	#include "bt_target.h"
30	30	#include "bt_common.h"
31	31	#include "l2cdefs.h"
	32	+#include "log/log.h"
32	33	#include "hcidefs.h"
33	34	#include "hcimsgs.h"
34	35	#include "sdp_api.h"

		@@ -45,9 +46,12 @@
45	46	/* L O C A L F U N C T I O N P R O T O T Y P E S */
46	47	/********************************************************************************/
47	48	#if SDP_CLIENT_ENABLED == TRUE
48		-static void process_service_search_rsp (tCONN_CB p_ccb, UINT8 p_reply);
49		-static void process_service_attr_rsp (tCONN_CB p_ccb, UINT8 p_reply);
50		-static void process_service_search_attr_rsp (tCONN_CB p_ccb, UINT8 p_reply);
	49	+static void process_service_search_rsp (tCONN_CB* p_ccb, uint8_t* p_reply,
	50	+ uint8_t* p_reply_end);
	51	+static void process_service_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply,
	52	+ uint8_t* p_reply_end);
	53	+static void process_service_search_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply,
	54	+ uint8_t* p_reply_end);
51	55	static UINT8 save_attr_seq (tCONN_CB p_ccb, UINT8 p, UINT8 p_msg_end);
52	56	static tSDP_DISC_REC add_record (tSDP_DISCOVERY_DB p_db, BD_ADDR p_bda);
53	57	static UINT8 add_attr (UINT8 p, tSDP_DISCOVERY_DB p_db, tSDP_DISC_REC p_rec,

		@@ -197,7 +201,7 @@ void sdp_disc_connected (tCONN_CB *p_ccb)
197	201	{
198	202	p_ccb->disc_state = SDP_DISC_WAIT_SEARCH_ATTR;
199	203
200		- process_service_search_attr_rsp (p_ccb, NULL);
	204	+ process_service_search_attr_rsp (p_ccb, NULL, NULL);
201	205	}
202	206	else
203	207	{

		@@ -235,6 +239,7 @@ void sdp_disc_server_rsp (tCONN_CB p_ccb, BT_HDR p_msg)
235	239
236	240	/* Got a reply!! Check what we got back */
237	241	p = (UINT8 *)(p_msg + 1) + p_msg->offset;
	242	+ uint8_t* p_end = p + p_msg->len;
238	243
239	244	BE_STREAM_TO_UINT8 (rsp_pdu, p);
240	245

		@@ -245,7 +250,7 @@ void sdp_disc_server_rsp (tCONN_CB p_ccb, BT_HDR p_msg)
245	250	case SDP_PDU_SERVICE_SEARCH_RSP:
246	251	if (p_ccb->disc_state == SDP_DISC_WAIT_HANDLES)
247	252	{
248		- process_service_search_rsp (p_ccb, p);
	253	+ process_service_search_rsp (p_ccb, p, p_end);
249	254	invalid_pdu = FALSE;
250	255	}
251	256	break;

		@@ -253,7 +258,7 @@ void sdp_disc_server_rsp (tCONN_CB p_ccb, BT_HDR p_msg)
253	258	case SDP_PDU_SERVICE_ATTR_RSP:
254	259	if (p_ccb->disc_state == SDP_DISC_WAIT_ATTR)
255	260	{
256		- process_service_attr_rsp (p_ccb, p);
	261	+ process_service_attr_rsp (p_ccb, p, p_end);
257	262	invalid_pdu = FALSE;
258	263	}
259	264	break;

		@@ -261,7 +266,7 @@ void sdp_disc_server_rsp (tCONN_CB p_ccb, BT_HDR p_msg)
261	266	case SDP_PDU_SERVICE_SEARCH_ATTR_RSP:
262	267	if (p_ccb->disc_state == SDP_DISC_WAIT_SEARCH_ATTR)
263	268	{
264		- process_service_search_attr_rsp (p_ccb, p);
	269	+ process_service_search_attr_rsp (p_ccb, p, p_end);
265	270	invalid_pdu = FALSE;
266	271	}
267	272	break;

		@@ -284,7 +289,8 @@ void sdp_disc_server_rsp (tCONN_CB p_ccb, BT_HDR p_msg)
284	289	** Returns void
285	290	**
286	291	*******************************************************************************/
287		-static void process_service_search_rsp (tCONN_CB p_ccb, UINT8 p_reply)
	292	+static void process_service_search_rsp (tCONN_CB* p_ccb, uint8_t* p_reply,
	293	+ uint8_t* p_reply_end)
288	294	{
289	295	UINT16 xx;
290	296	UINT16 total, cur_handles, orig;

		@@ -321,6 +327,11 @@ static void process_service_search_rsp (tCONN_CB p_ccb, UINT8 p_reply)
321	327	sdp_disconnect (p_ccb, SDP_INVALID_CONT_STATE);
322	328	return;
323	329	}
	330	+ if (p_reply + cont_len > p_reply_end) {
	331	+ android_errorWriteLog(0x534e4554, "68161546");
	332	+ sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
	333	+ return;
	334	+ }
324	335	/* stay in the same state */
325	336	sdp_snd_service_search_req(p_ccb, cont_len, p_reply);
326	337	}

		@@ -330,7 +341,7 @@ static void process_service_search_rsp (tCONN_CB p_ccb, UINT8 p_reply)
330	341	p_ccb->disc_state = SDP_DISC_WAIT_ATTR;
331	342
332	343	/* Kick off the first attribute request */
333		- process_service_attr_rsp (p_ccb, NULL);
	344	+ process_service_attr_rsp (p_ccb, NULL, NULL);
334	345	}
335	346	}
336	347

		@@ -405,7 +416,8 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
405	416	** Returns void
406	417	**
407	418	*******************************************************************************/
408		-static void process_service_attr_rsp (tCONN_CB p_ccb, UINT8 p_reply)
	419	+static void process_service_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply,
	420	+ uint8_t* p_reply_end)
409	421	{
410	422	UINT8 p_start, p_param_len;
411	423	UINT16 param_len, list_byte_count;

		@@ -512,8 +524,12 @@ static void process_service_attr_rsp (tCONN_CB p_ccb, UINT8 p_reply)
512	524	/* Was this a continuation request ? */
513	525	if (cont_request_needed)
514	526	{
515		- memcpy (p, p_reply, *p_reply + 1);
516		- p += *p_reply + 1;
	527	+ if ((p_reply + *p_reply + 1) <= p_reply_end) {
	528	+ memcpy(p, p_reply, *p_reply + 1);
	529	+ p += *p_reply + 1;
	530	+ } else {
	531	+ android_errorWriteLog(0x534e4554, "68161546");
	532	+ }
517	533	}
518	534	else
519	535	UINT8_TO_BE_STREAM (p, 0);

		@@ -551,7 +567,8 @@ static void process_service_attr_rsp (tCONN_CB p_ccb, UINT8 p_reply)
551	567	** Returns void
552	568	**
553	569	*******************************************************************************/
554		-static void process_service_search_attr_rsp (tCONN_CB p_ccb, UINT8 p_reply)
	570	+static void process_service_search_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply,
	571	+ uint8_t* p_reply_end)
555	572	{
556	573	UINT8 p, p_start, p_end, p_param_len;
557	574	UINT8 type;

		@@ -651,8 +668,12 @@ static void process_service_search_attr_rsp (tCONN_CB p_ccb, UINT8 p_reply)
651	668	/* No continuation for first request */
652	669	if (p_reply)
653	670	{
654		- memcpy (p, p_reply, *p_reply + 1);
655		- p += *p_reply + 1;
	671	+ if ((p_reply + *p_reply + 1) <= p_reply_end) {
	672	+ memcpy(p, p_reply, *p_reply + 1);
	673	+ p += *p_reply + 1;
	674	+ } else {
	675	+ android_errorWriteLog(0x534e4554, "68161546");
	676	+ }
656	677	}
657	678	else
658	679	UINT8_TO_BE_STREAM (p, 0);

--- a/stack/sdp/sdp_main.c

+++ b/stack/sdp/sdp_main.c

		@@ -85,6 +85,10 @@ void sdp_init (void)
85	85	/* Clears all structures and local SDP database (if Server is enabled) */
86	86	memset (&sdp_cb, 0, sizeof (tSDP_CB));
87	87
	88	+ for (int i = 0; i < SDP_MAX_CONNECTIONS; i++) {
	89	+ sdp_cb.ccb[i].sdp_conn_timer = alarm_new("sdp.sdp_conn_timer");
	90	+ }
	91	+
88	92	/* Initialize the L2CAP configuration. We only care about MTU and flush */
89	93	sdp_cb.l2cap_my_cfg.mtu_present = TRUE;
90	94	sdp_cb.l2cap_my_cfg.mtu = SDP_MTU_SIZE;

		@@ -139,6 +143,13 @@ void sdp_init (void)
139	143	}
140	144	}
141	145
	146	+void sdp_free(void) {
	147	+ for (int i = 0; i < SDP_MAX_CONNECTIONS; i++) {
	148	+ alarm_free(sdp_cb.ccb[i].sdp_conn_timer);
	149	+ sdp_cb.ccb[i].sdp_conn_timer = NULL;
	150	+ }
	151	+}
	152	+
142	153	#if (defined(SDP_DEBUG) && SDP_DEBUG == TRUE)
143	154	/*******************************************************************************
144	155	**

--- a/stack/sdp/sdp_server.c

+++ b/stack/sdp/sdp_server.c

		@@ -23,6 +23,7 @@
23	23	*
24	24	******************************************************************************/
25	25
	26	+#include <cutils/log.h>
26	27	#include <stdlib.h>
27	28	#include <string.h>
28	29	#include <stdio.h>

		@@ -387,11 +388,25 @@ void sdp_server_handle_client_req (tCONN_CB p_ccb, BT_HDR p_msg)
387	388	alarm_set_on_queue(p_ccb->sdp_conn_timer, SDP_INACT_TIMEOUT_MS,
388	389	sdp_conn_timer_timeout, p_ccb, btu_general_alarm_queue);
389	390
	391	+ if (p_req + sizeof(pdu_id) + sizeof(trans_num) > p_req_end) {
	392	+ android_errorWriteLog(0x534e4554, "69384124");
	393	+ trans_num = 0;
	394	+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,
	395	+ SDP_TEXT_BAD_HEADER);
	396	+ }
	397	+
390	398	/* The first byte in the message is the pdu type */
391	399	pdu_id = *p_req++;
392	400
393	401	/* Extract the transaction number and parameter length */
394	402	BE_STREAM_TO_UINT16 (trans_num, p_req);
	403	+
	404	+ if (p_req + sizeof(param_len) > p_req_end) {
	405	+ android_errorWriteLog(0x534e4554, "69384124");
	406	+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,
	407	+ SDP_TEXT_BAD_HEADER);
	408	+ }
	409	+
395	410	BE_STREAM_TO_UINT16 (param_len, p_req);
396	411
397	412	if ((p_req + param_len) != p_req_end)

		@@ -456,17 +471,14 @@ static void process_service_search (tCONN_CB *p_ccb, UINT16 trans_num,
456	471	}
457	472
458	473	/* Get the max replies we can send. Cap it at our max anyways. */
459		- BE_STREAM_TO_UINT16 (max_replies, p_req);
460		-
461		- if (max_replies > SDP_MAX_RECORDS)
462		- max_replies = SDP_MAX_RECORDS;
463		-
464		-
465		- if ((!p_req) \|\| (p_req > p_req_end))
466		- {
	474	+ if (p_req + sizeof(max_replies) + sizeof(uint8_t) > p_req_end) {
	475	+ android_errorWriteLog(0x534e4554, "69384124");
467	476	sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_MAX_RECORDS_LIST);
468	477	return;
469	478	}
	479	+ BE_STREAM_TO_UINT16(max_replies, p_req);
	480	+
	481	+ if (max_replies > SDP_MAX_RECORDS) max_replies = SDP_MAX_RECORDS;
470	482
471	483
472	484	/* Get a list of handles that match the UUIDs given to us */

		@@ -483,8 +495,8 @@ static void process_service_search (tCONN_CB *p_ccb, UINT16 trans_num,
483	495	/* Check if this is a continuation request */
484	496	if (*p_req)
485	497	{
486		- if (*p_req++ != SDP_CONTINUATION_LEN \|\| (p_req >= p_req_end))
487		- {
	498	+ if (*p_req++ != SDP_CONTINUATION_LEN \|\|
	499	+ (p_req + sizeof(cont_offset) > p_req_end)) {
488	500	sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE,
489	501	SDP_TEXT_BAD_CONT_LEN);
490	502	return;

		@@ -602,15 +614,15 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
602	614	BOOLEAN is_avrcp_ca_bit_reset = FALSE;
603	615	UINT16 attr_len;
604	616
605		- /* Extract the record handle */
606		- BE_STREAM_TO_UINT32 (rec_handle, p_req);
607		-
608		- if (p_req > p_req_end)
609		- {
	617	+ if (p_req + sizeof(rec_handle) + sizeof(max_list_len) > p_req_end) {
	618	+ android_errorWriteLog(0x534e4554, "69384124");
610	619	sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_SERV_REC_HDL, SDP_TEXT_BAD_HANDLE);
611	620	return;
612	621	}
613	622
	623	+ /* Extract the record handle */
	624	+ BE_STREAM_TO_UINT32(rec_handle, p_req);
	625	+
614	626	/* Get the max list length we can send. Cap it at MTU size minus overhead */
615	627	BE_STREAM_TO_UINT16 (max_list_len, p_req);
616	628

		@@ -619,8 +631,8 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
619	631
620	632	p_req = sdpu_extract_attr_seq (p_req, param_len, &attr_seq);
621	633
622		- if ((!p_req) \|\| (!attr_seq.num_attr) \|\| (p_req > p_req_end))
623		- {
	634	+ if ((!p_req) \|\| (!attr_seq.num_attr) \|\|
	635	+ (p_req + sizeof(uint8_t) > p_req_end)) {
624	636	sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_ATTR_LIST);
625	637	return;
626	638	}

		@@ -635,13 +647,20 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
635	647	return;
636	648	}
637	649
	650	+ if (max_list_len < 4) {
	651	+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL);
	652	+ android_errorWriteLog(0x534e4554, "68776054");
	653	+ return;
	654	+ }
	655	+
638	656	/* Free and reallocate buffer */
639	657	osi_free(p_ccb->rsp_list);
640	658	p_ccb->rsp_list = (UINT8 *)osi_malloc(max_list_len);
641	659
642	660	/* Check if this is a continuation request */
643	661	if (*p_req) {
644		- if (*p_req++ != SDP_CONTINUATION_LEN) {
	662	+ if (*p_req++ != SDP_CONTINUATION_LEN \|\|
	663	+ (p_req + sizeof(cont_offset) > p_req_end)) {
645	664	sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
646	665	SDP_TEXT_BAD_CONT_LEN);
647	666	return;

		@@ -938,8 +957,8 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
938	957	/* Extract the UUID sequence to search for */
939	958	p_req = sdpu_extract_uid_seq (p_req, param_len, &uid_seq);
940	959
941		- if ((!p_req) \|\| (!uid_seq.num_uids))
942		- {
	960	+ if ((!p_req) \|\| (!uid_seq.num_uids) \|\|
	961	+ (p_req + sizeof(uint16_t) > p_req_end)) {
943	962	sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_UUID_LIST);
944	963	return;
945	964	}

		@@ -952,21 +971,28 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
952	971
953	972	p_req = sdpu_extract_attr_seq (p_req, param_len, &attr_seq);
954	973
955		- if ((!p_req) \|\| (!attr_seq.num_attr))
956		- {
	974	+ if ((!p_req) \|\| (!attr_seq.num_attr) \|\|
	975	+ (p_req + sizeof(uint8_t) > p_req_end)) {
957	976	sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_ATTR_LIST);
958	977	return;
959	978	}
960	979
961	980	memcpy(&attr_seq_sav, &attr_seq, sizeof(tSDP_ATTR_SEQ)) ;
962	981
	982	+ if (max_list_len < 4) {
	983	+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL);
	984	+ android_errorWriteLog(0x534e4554, "68817966");
	985	+ return;
	986	+ }
	987	+
963	988	/* Free and reallocate buffer */
964	989	osi_free(p_ccb->rsp_list);
965	990	p_ccb->rsp_list = (UINT8 *)osi_malloc(max_list_len);
966	991
967	992	/* Check if this is a continuation request */
968	993	if (*p_req) {
969		- if (*p_req++ != SDP_CONTINUATION_LEN) {
	994	+ if (*p_req++ != SDP_CONTINUATION_LEN \|\|
	995	+ (p_req + sizeof(uint16_t) > p_req_end)) {
970	996	sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
971	997	SDP_TEXT_BAD_CONT_LEN);
972	998	return;

--- a/stack/sdp/sdp_utils.c

+++ b/stack/sdp/sdp_utils.c

		@@ -120,8 +120,9 @@ tCONN_CB *sdpu_allocate_ccb (void)
120	120	{
121	121	if (p_ccb->con_state == SDP_STATE_IDLE)
122	122	{
	123	+ alarm_t* alarm = p_ccb->sdp_conn_timer;
123	124	memset(p_ccb, 0, sizeof(tCONN_CB));
124		- p_ccb->sdp_conn_timer = alarm_new("sdp.sdp_conn_timer");
	125	+ p_ccb->sdp_conn_timer = alarm;
125	126	return (p_ccb);
126	127	}
127	128	}

		@@ -143,8 +144,7 @@ tCONN_CB *sdpu_allocate_ccb (void)
143	144	void sdpu_release_ccb (tCONN_CB *p_ccb)
144	145	{
145	146	/* Ensure timer is stopped */
146		- alarm_free(p_ccb->sdp_conn_timer);
147		- p_ccb->sdp_conn_timer = NULL;
	147	+ alarm_cancel(p_ccb->sdp_conn_timer);
148	148
149	149	/* Drop any response pointer we may be holding */
150	150	p_ccb->con_state = SDP_STATE_IDLE;

		@@ -406,6 +406,8 @@ UINT8 sdpu_extract_uid_seq (UINT8 p, UINT16 param_len, tSDP_UUID_SEQ *p_seq)
406	406	p_seq->num_uids = 0;
407	407
408	408	/* A UID sequence is composed of a bunch of UIDs. */
	409	+ if (sizeof(descr) > param_len) return (NULL);
	410	+ param_len -= sizeof(descr);
409	411
410	412	BE_STREAM_TO_UINT8 (descr, p);
411	413	type = descr >> 3;

		@@ -426,19 +428,25 @@ UINT8 sdpu_extract_uid_seq (UINT8 p, UINT16 param_len, tSDP_UUID_SEQ *p_seq)
426	428	seq_len = 16;
427	429	break;
428	430	case SIZE_IN_NEXT_BYTE:
	431	+ if (sizeof(uint8_t) > param_len) return (NULL);
	432	+ param_len -= sizeof(uint8_t);
429	433	BE_STREAM_TO_UINT8 (seq_len, p);
430	434	break;
431	435	case SIZE_IN_NEXT_WORD:
	436	+ if (sizeof(uint16_t) > param_len) return (NULL);
	437	+ param_len -= sizeof(uint16_t);
432	438	BE_STREAM_TO_UINT16 (seq_len, p);
433	439	break;
434	440	case SIZE_IN_NEXT_LONG:
	441	+ if (sizeof(uint32_t) > param_len) return (NULL);
	442	+ param_len -= sizeof(uint32_t);
435	443	BE_STREAM_TO_UINT32 (seq_len, p);
436	444	break;
437	445	default:
438	446	return (NULL);
439	447	}
440	448
441		- if (seq_len >= param_len)
	449	+ if (seq_len > param_len)
442	450	return (NULL);
443	451
444	452	p_seq_end = p + seq_len;

		@@ -465,12 +473,15 @@ UINT8 sdpu_extract_uid_seq (UINT8 p, UINT16 param_len, tSDP_UUID_SEQ *p_seq)
465	473	uuid_len = 16;
466	474	break;
467	475	case SIZE_IN_NEXT_BYTE:
	476	+ if (p + sizeof(uint8_t) > p_seq_end) return NULL;
468	477	BE_STREAM_TO_UINT8 (uuid_len, p);
469	478	break;
470	479	case SIZE_IN_NEXT_WORD:
	480	+ if (p + sizeof(uint16_t) > p_seq_end) return NULL;
471	481	BE_STREAM_TO_UINT16 (uuid_len, p);
472	482	break;
473	483	case SIZE_IN_NEXT_LONG:
	484	+ if (p + sizeof(uint32_t) > p_seq_end) return NULL;
474	485	BE_STREAM_TO_UINT32 (uuid_len, p);
475	486	break;
476	487	default:

		@@ -478,8 +489,8 @@ UINT8 sdpu_extract_uid_seq (UINT8 p, UINT16 param_len, tSDP_UUID_SEQ *p_seq)
478	489	}
479	490
480	491	/* If UUID length is valid, copy it across */
481		- if ((uuid_len == 2) \|\| (uuid_len == 4) \|\| (uuid_len == 16))
482		- {
	492	+ if (((uuid_len == 2) \|\| (uuid_len == 4) \|\| (uuid_len == 16)) &&
	493	+ (p + uuid_len <= p_seq_end)) {
483	494	p_seq->uuid_entry[p_seq->num_uids].len = (UINT16) uuid_len;
484	495	BE_STREAM_TO_ARRAY (p, p_seq->uuid_entry[p_seq->num_uids].value, (int)uuid_len);
485	496	p_seq->num_uids++;

		@@ -520,33 +531,41 @@ UINT8 sdpu_extract_attr_seq (UINT8 p, UINT16 param_len, tSDP_ATTR_SEQ *p_seq)
520	531	p_seq->num_attr = 0;
521	532
522	533	/* Get attribute sequence info */
	534	+ if (param_len < sizeof(descr)) return NULL;
	535	+ param_len -= sizeof(descr);
523	536	BE_STREAM_TO_UINT8 (descr, p);
524	537	type = descr >> 3;
525	538	size = descr & 7;
526	539
527	540	if (type != DATA_ELE_SEQ_DESC_TYPE)
528		- return (p);
	541	+ return NULL;
529	542
530	543	switch (size)
531	544	{
532	545	case SIZE_IN_NEXT_BYTE:
	546	+ if (param_len < sizeof(uint8_t)) return NULL;
	547	+ param_len -= sizeof(uint8_t);
533	548	BE_STREAM_TO_UINT8 (list_len, p);
534	549	break;
535	550
536	551	case SIZE_IN_NEXT_WORD:
	552	+ if (param_len < sizeof(uint16_t)) return NULL;
	553	+ param_len -= sizeof(uint16_t);
537	554	BE_STREAM_TO_UINT16 (list_len, p);
538	555	break;
539	556
540	557	case SIZE_IN_NEXT_LONG:
	558	+ if (param_len < sizeof(uint32_t)) return NULL;
	559	+ param_len -= sizeof(uint32_t);
541	560	BE_STREAM_TO_UINT32 (list_len, p);
542	561	break;
543	562
544	563	default:
545		- return (p);
	564	+ return NULL;
546	565	}
547	566
548	567	if (list_len > param_len)
549		- return (p);
	568	+ return NULL;
550	569
551	570	p_end_list = p + list_len;
552	571

		@@ -558,7 +577,7 @@ UINT8 sdpu_extract_attr_seq (UINT8 p, UINT16 param_len, tSDP_ATTR_SEQ *p_seq)
558	577	size = descr & 7;
559	578
560	579	if (type != UINT_DESC_TYPE)
561		- return (p);
	580	+ return NULL;
562	581
563	582	switch (size)
564	583	{

		@@ -569,20 +588,24 @@ UINT8 sdpu_extract_attr_seq (UINT8 p, UINT16 param_len, tSDP_ATTR_SEQ *p_seq)
569	588	attr_len = 4;
570	589	break;
571	590	case SIZE_IN_NEXT_BYTE:
	591	+ if (p + sizeof(uint8_t) > p_end_list) return NULL;
572	592	BE_STREAM_TO_UINT8 (attr_len, p);
573	593	break;
574	594	case SIZE_IN_NEXT_WORD:
	595	+ if (p + sizeof(uint16_t) > p_end_list) return NULL;
575	596	BE_STREAM_TO_UINT16 (attr_len, p);
576	597	break;
577	598	case SIZE_IN_NEXT_LONG:
	599	+ if (p + sizeof(uint32_t) > p_end_list) return NULL;
578	600	BE_STREAM_TO_UINT32 (attr_len, p);
579	601	break;
580	602	default:
581		- return (NULL);
	603	+ return NULL;
582	604	break;
583	605	}
584	606
585	607	/* Attribute length must be 2-bytes or 4-bytes for a paired entry. */
	608	+ if (p + attr_len > p_end_list) return NULL;
586	609	if (attr_len == 2)
587	610	{
588	611	BE_STREAM_TO_UINT16 (p_seq->attr_entry[p_seq->num_attr].start, p);

--- a/stack/sdp/sdpint.h

+++ b/stack/sdp/sdpint.h

		@@ -247,6 +247,7 @@ extern tSDP_CB *sdp_cb_ptr;
247	247
248	248	/* Functions provided by sdp_main.c */
249	249	extern void sdp_init (void);
	250	+extern void sdp_free(void);
250	251	extern void sdp_disconnect (tCONN_CB*p_ccb, UINT16 reason);
251	252
252	253	#if (defined(SDP_DEBUG) && SDP_DEBUG == TRUE)

--- a/stack/smp/smp_utils.c

+++ b/stack/smp/smp_utils.c

		@@ -297,8 +297,7 @@ BOOLEAN smp_send_msg_to_L2CAP(BD_ADDR rem_bda, BT_HDR *p_toL2CAP)
297	297	if ((l2cap_ret = L2CA_SendFixedChnlData (fixed_cid, rem_bda, p_toL2CAP)) == L2CAP_DW_FAILED)
298	298	{
299	299	smp_cb.total_tx_unacked -= 1;
300		- SMP_TRACE_ERROR("SMP failed to pass msg:0x%0x to L2CAP",
301		- ((UINT8 )(p_toL2CAP + 1) + p_toL2CAP->offset));
	300	+ SMP_TRACE_ERROR("SMP failed to pass msg to L2CAP");
302	301	return FALSE;
303	302	}
304	303	else

system-bt Fork

提交

标签

Frequently used words (click to add to your profile)

Commit MetaInfo

Log Message

更改概述

差异

system-bt
Fork