#if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE)
+#include <cutils/log.h>
+
#include "bta_api.h"
#include "bta_sys.h"
#include "bt_common.h"
tBTA_PAN_SCB *p_scb;
BT_HDR *p_new_buf;
- if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
- /* offset smaller than data structure in front of actual data */
- p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE);
- memcpy((UINT8 *)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
- (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len);
- p_new_buf->len = p_buf->len;
- p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
- osi_free(p_buf);
- } else {
- p_new_buf = p_buf;
+ p_scb = bta_pan_scb_by_handle(handle);
+ if (p_scb == NULL)
+ {
+ return;
+ }
+
+ if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
+ PAN_BUF_SIZE) {
+ android_errorWriteLog(0x534e4554, "63146237");
+ APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
+ p_buf->len);
+ return;
}
+ p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE);
+ memcpy((UINT8 *)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
+ (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len);
+ p_new_buf->len = p_buf->len;
+ p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
+
/* copy params into the space before the data */
bdcpy(((tBTA_PAN_DATA_PARAMS *)p_new_buf)->src, src);
bdcpy(((tBTA_PAN_DATA_PARAMS *)p_new_buf)->dst, dst);
((tBTA_PAN_DATA_PARAMS *)p_new_buf)->ext = ext;
((tBTA_PAN_DATA_PARAMS *)p_new_buf)->forward = forward;
- if ((p_scb = bta_pan_scb_by_handle(handle)) == NULL) {
- osi_free(p_new_buf);
- return;
- }
-
fixed_queue_enqueue(p_scb->data_queue, p_new_buf);
BT_HDR *p_event = (BT_HDR *)osi_malloc(sizeof(BT_HDR));
p_event->layer_specific = handle;
OSDN Git Service
