
DO NOT MERGE HID Host: Check L2CAP packet data length
[android-x86/system-bt.git] / stack / hid / hidh_conn.c
index 95996d4..39ba8bc 100644 (file)
@@ -29,6 +29,7 @@
 
 #include "bt_common.h"
 #include "bt_types.h"
+#include "log/log.h"
 
 #include "l2cdefs.h"
 #include "l2c_api.h"
@@ -816,10 +817,17 @@ static void hidh_l2cif_data_ind (UINT16 l2cap_cid, BT_HDR *p_msg)
     if (p_hcon == NULL)
     {
         HIDH_TRACE_WARNING ("HID-Host Rcvd L2CAP data, unknown CID: 0x%x", l2cap_cid);
-        osi_freebuf(p_msg);
+        osi_free(p_msg);
         return;
     }
 
+    if (p_msg->len < 1)
+    {
+        HIDH_TRACE_WARNING ("HID-Host Rcvd L2CAP data, invalid length");
+        osi_free(p_msg);
+        android_errorWriteLog(0x534e4554, "80493272");
+        return;
+    }
 
     ttype    = HID_GET_TRANS_FROM_HDR(*p_data);
     param    = HID_GET_PARAM_FROM_HDR(*p_data);
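Review bot: The new `p_msg->len < 1` guard covers exactly the one header byte that `*p_data` reads on the two lines that follow it, and nothing beyond that; the transaction-specific cases in the switch (HANDSHAKE, CONTROL, the data path) live outside this hunk and, if any of them consumes payload bytes after the header, each needs its own bound against `p_msg->len`. A one-line comment above the guard would make the scope explicit: `/* at least the one-byte HID transaction header must be present before *p_data is read */`. The new warning also drops the CID that the preceding "unknown CID" warning logs, which makes a rejected frame harder to correlate; `HIDH_TRACE_WARNING ("HID-Host Rcvd L2CAP data, invalid length %d, CID: 0x%x", p_msg->len, l2cap_cid);` keeps the two messages consistent. hidh_l2cif_data_ind begins before this hunk and continues past it.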
@@ -834,7 +842,7 @@ static void hidh_l2cif_data_ind (UINT16 l2cap_cid, BT_HDR *p_msg)
     {
     case HID_TRANS_HANDSHAKE:
         hh_cb.callback(dhandle,  hh_cb.devices[dhandle].addr, HID_HDEV_EVT_HANDSHAKE, param, NULL);
-        osi_freebuf(p_msg);
+        osi_free(p_msg);
         break;
 
     case HID_TRANS_CONTROL:
@@ -849,7 +857,7 @@ static void hidh_l2cif_data_ind (UINT16 l2cap_cid, BT_HDR *p_msg)
         default:
             break;
         }
-        osi_freebuf(p_msg);
+        osi_free(p_msg);
         break;
 
 
@@ -866,7 +874,7 @@ static void hidh_l2cif_data_ind (UINT16 l2cap_cid, BT_HDR *p_msg)
         break;
 
     default:
-        osi_freebuf(p_msg);
+        osi_free(p_msg);
         break;
     }
 }
@@ -896,13 +904,13 @@ tHID_STATUS hidh_conn_snd_data (UINT8 dhandle, UINT8 trans_type, UINT8 param,
 
     if (!BTM_IsAclConnectionUp(hh_cb.devices[dhandle].addr, BT_TRANSPORT_BR_EDR))
     {
-        osi_freebuf(buf);
+        osi_free(buf);
         return HID_ERR_NO_CONNECTION;
     }
 
     if (p_hcon->conn_flags & HID_CONN_FLAGS_CONGESTED)
     {
-        osi_freebuf(buf);
+        osi_free(buf);
         return HID_ERR_CONGESTED;
     }
 
@@ -935,9 +943,7 @@ tHID_STATUS hidh_conn_snd_data (UINT8 dhandle, UINT8 trans_type, UINT8 param,
     {
         if ( buf == NULL || blank_datc )
         {
-            p_buf = (BT_HDR *)osi_getbuf(buf_size);
-            if (p_buf == NULL)
-                return (HID_ERR_NO_RESOURCES);
+            p_buf = (BT_HDR *)osi_malloc(buf_size);
 
             p_buf->offset = L2CAP_MIN_OFFSET;
             seg_req = FALSE;
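Review bot: Dropping the NULL check together with the switch from osi_getbuf to osi_malloc is only safe if osi_malloc never returns NULL (an abort-on-OOM wrapper); if it can fail, `p_buf->offset = L2CAP_MIN_OFFSET;` on the next line dereferences a null pointer, whereas the old code returned HID_ERR_NO_RESOURCES. The same pattern appears at the second osi_malloc call in the following hunk. If osi_malloc does abort on failure, say so where the check used to be, `/* osi_malloc aborts on allocation failure; no NULL check needed */`, so the next reader does not re-add one or assume the error path still exists; if it does not, keep `if (p_buf == NULL) return (HID_ERR_NO_RESOURCES);` at both sites. hidh_conn_snd_data starts before this hunk and continues past it, and the derivation of buf_size is not visible here.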
@@ -947,9 +953,7 @@ tHID_STATUS hidh_conn_snd_data (UINT8 dhandle, UINT8 trans_type, UINT8 param,
         }
         else if ( (buf->len > (p_hcon->rem_mtu_size - 1)))
         {
-            p_buf = (BT_HDR *)osi_getbuf(buf_size);
-            if (p_buf == NULL)
-                return (HID_ERR_NO_RESOURCES);
+            p_buf = (BT_HDR *)osi_malloc(buf_size);
 
             p_buf->offset = L2CAP_MIN_OFFSET;
             seg_req = TRUE;