X-Git-Url: http://git.osdn.net/view?a=blobdiff_plain;f=bta%2Fpan%2Fbta_pan_act.c;h=b72a318cc067682df57e9c7bc5d3265449844ccd;hb=9f58b5b92316d3e081862927f62bb4049a9a21d6;hp=199547817e4a7f07602e67ea0e62787ebe32400b;hpb=dd9e2bfa4987e22f4eb90049c983040f72ed38ae;p=android-x86%2Fsystem-bt.git
diff --git a/bta/pan/bta_pan_act.c b/bta/pan/bta_pan_act.c
index 199547817..b72a318cc 100644
--- a/bta/pan/bta_pan_act.c
+++ b/bta/pan/bta_pan_act.c
@@ -26,6 +26,8 @@
 #if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE)
+#include
+
 #include "bta_api.h"
 #include "bta_sys.h"
 #include "bt_common.h"
@@ -174,17 +176,25 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
 tBTA_PAN_SCB *p_scb;
 BT_HDR *p_new_buf;
- if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
- /* offset smaller than data structure in front of actual data */
- p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE);
- memcpy((UINT8 *)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
- (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len);
- p_new_buf->len = p_buf->len;
- p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
- osi_free(p_buf);
- } else {
- p_new_buf = p_buf;
+ p_scb = bta_pan_scb_by_handle(handle);
+ if (p_scb == NULL)
+ {
+ return;
+ }
+
+ if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
+ PAN_BUF_SIZE) {
+ android_errorWriteLog(0x534e4554, "63146237");
+ APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
+ p_buf->len);
+ return;
 }
+ p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE);
+ memcpy((UINT8 *)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
+ (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len);
+ p_new_buf->len = p_buf->len;
+ p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
+
 /* copy params into the space before the data */
 bdcpy(((tBTA_PAN_DATA_PARAMS *)p_new_buf)->src, src);
 bdcpy(((tBTA_PAN_DATA_PARAMS *)p_new_buf)->dst, dst);
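Review bot: The incoming `p_buf` is never released anywhere in the new code of this hunk: the removed branch called `osi_free(p_buf)` after copying into the fresh buffer and otherwise handed `p_buf` itself to the queue as `p_new_buf`, so the callback clearly owned the buffer, whereas the new code always copies into `p_new_buf` and then drops `p_buf` on the success path and on both early returns. Unless the caller (not visible in this diff) was changed in the same commit to free the buffer after the callback returns, every received frame and every rejected oversize frame now leaks one PAN buffer, which a remote peer can drive at will. I would add `osi_free(p_buf);` immediately after `p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);` and before each of the two new `return;` statements, or else state in a comment at the top of the function that `p_buf` is caller-owned so the next reader does not have to re-derive it. The `PAN_BUF_SIZE` bound itself matches the `memcpy` destination (`BT_HDR` + params header + `len`), so the overflow fix looks right. The function's signature and its closing brace lie outside this hunk.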
@@ -192,11 +202,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
 ((tBTA_PAN_DATA_PARAMS *)p_new_buf)->ext = ext;
 ((tBTA_PAN_DATA_PARAMS *)p_new_buf)->forward = forward;
- if ((p_scb = bta_pan_scb_by_handle(handle)) == NULL) {
- osi_free(p_new_buf);
- return;
- }
-
 fixed_queue_enqueue(p_scb->data_queue, p_new_buf);
 BT_HDR *p_event = (BT_HDR *)osi_malloc(sizeof(BT_HDR));
 p_event->layer_specific = handle;