X-Git-Url: http://git.osdn.net/view?a=blobdiff_plain;f=stack%2Fbnep%2Fbnep_main.c;h=b93e551f9c946b2cd0b801f3e524fa1d6fb8c635;hb=0bd01271c4d888453ba375d9442ac27cd66961c9;hp=d0eb36208902542ce1683a1c5f28f3f6b41818ca;hpb=0a8453ba419af4b33f84405f51542d17b0eeb51e;p=android-x86%2Fsystem-bt.git diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c index d0eb36208..b93e551f9 100644 --- a/stack/bnep/bnep_main.c +++ b/stack/bnep/bnep_main.c @@ -473,6 +473,13 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) UINT16 protocol = 0; UINT8 *p_src_addr, *p_dst_addr; + if (rem_len == 0) + { + android_errorWriteLog(0x534e4554, "78286118"); + GKI_freebuf(p_buf); + return; + } + /* Find CCB based on CID */ if ((p_bcb = bnepu_find_bcb_by_cid (l2cap_cid)) == NULL) @@ -519,23 +526,35 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) UINT16 org_len, new_len; /* parse the extension headers and process unknown control headers */ org_len = rem_len; - new_len = 0; do { - if (org_len < 2) break; + if (org_len < 2) { + android_errorWriteLog(0x534e4554, "67863755"); + break; + } ext = *p++; length = *p++; - p += length; new_len = (length + 2); - if (new_len > org_len) break; + if (new_len > org_len) { + android_errorWriteLog(0x534e4554, "67863755"); + break; + } + + if ((ext & 0x7F) == BNEP_EXTENSION_FILTER_CONTROL) { + if (length == 0) { + android_errorWriteLog(0x534e4554, "79164722"); + break; + } + if (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG) { + bnep_send_command_not_understood(p_bcb, *p); + } + } - if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG)) - bnep_send_command_not_understood (p_bcb, *p); + p += length; org_len -= new_len; } while (ext & 0x80); - android_errorWriteLog(0x534e4554, "67863755"); } GKI_freebuf (p_buf); 
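Review bot: The added `rem_len == 0` guard at the top of bnep_data_ind has no comment, and the arguments of `android_errorWriteLog(0x534e4554, "78286118")` mean nothing to a reader who does not know the SafetyNet tag. A line such as `/* Empty payload: no BNEP type octet to parse; log the event and drop the buffer */` above the `if` would record the intent. The same bare `0x534e4554` literal recurs in the extension-parsing hunk and the connected-state hunk, so one named constant could serve all three. The declaration of rem_len and the later read of the type octet are outside this hunk, so the comment wording should be checked against them.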
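Review bot: In the extension loop, the `length == 0` rejection inside the `BNEP_EXTENSION_FILTER_CONTROL` branch is what keeps the following `*p` read inside the extension, and nothing in the code says so. The preceding `new_len > org_len` test still accepts `length == 0` when exactly two bytes remain, and at that point `p` already points past the extension. I would put `/* length 0 leaves no control-type octet; *p would read past this extension */` above that check so a later cleanup does not fold it away. The enclosing block and the initial value of `rem_len` start outside the hunk.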
@@ -589,14 +608,13 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) { ext_type = *p++; rem_len--; - android_errorWriteLog(0x534e4554, "69271284"); extension_present = ext_type >> 7; ext_type &= 0x7F; /* if unknown extension present stop processing */ - if (ext_type) - break; + if (ext_type != BNEP_EXTENSION_FILTER_CONTROL) break; + android_errorWriteLog(0x534e4554, "69271284"); p = bnep_process_control_packet (p_bcb, p, &rem_len, TRUE); } }
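Review bot: The relocated `android_errorWriteLog(0x534e4554, "69271284")` now runs for every filter-control extension header that reaches `bnep_process_control_packet`, not only for malformed ones. Well-formed traffic will therefore raise the same event as an exploitation attempt, which makes the event useless as a detection signal. If bnep_process_control_packet reports a truncated header through its return value (not visible here), the log belongs on that failure path, for example `if (p == NULL) android_errorWriteLog(0x534e4554, "69271284");` after the call. The loop header and its bound on `rem_len` are outside the hunk.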