
Memory overwrite due to HDP doesn't allocate enough buffer
authorJacob Lee <jacob.lee@mediatek.com>
Fri, 11 Sep 2015 06:06:48 +0000 (14:06 +0800)
committerScott James Remnant <keybuk@google.com>
Mon, 23 Nov 2015 20:41:13 +0000 (12:41 -0800)
HDP doesn't allocate a large enough buffer, so L2CAP overwrites two bytes past the end of it.
The allocation tracker triggers an assert when it finds that the memory has been overwritten.

Bug: 23981241

Change-Id: Ib2c27472b16de2188758ec521ef290d6c9a6c8f0

bta/hl/bta_hl_act.c
bta/hl/bta_hl_int.h
bta/hl/bta_hl_main.c
bta/hl/bta_hl_utils.c

index 8ea2146..bf250b0 100644 (file)
@@ -499,7 +499,9 @@ void bta_hl_dch_send_data(UINT8 app_idx, UINT8 mcl_idx, UINT8 mdl_idx,
 
     if (!(p_dcb->cout_oper & BTA_HL_CO_GET_TX_DATA_MASK))
     {
-        if ((p_dcb->p_tx_pkt = bta_hl_get_buf(p_data->api_send_data.pkt_size)) != NULL)
+        // p_dcb->chnl_cfg.fcs may be BTA_HL_MCA_USE_FCS (0x11) or BTA_HL_MCA_NO_FCS (0x10) or BTA_HL_DEFAULT_SOURCE_FCS (1)
+        BOOLEAN fcs_use = (BOOLEAN) (p_dcb->chnl_cfg.fcs & BTA_HL_MCA_FCS_USE_MASK);
+        if ((p_dcb->p_tx_pkt = bta_hl_get_buf(p_data->api_send_data.pkt_size, fcs_use)) != NULL)
         {
             bta_hl_co_get_tx_data( p_acb->app_id,
                                    p_dcb->mdl_handle,
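Review bot: The `(BOOLEAN)` cast on the new `fcs_use` line silently depends on `BTA_HL_MCA_FCS_USE_MASK` selecting a bit that survives narrowing to BOOLEAN; should the mask ever cover a higher bit, the masked value could truncate to 0 and the FCS bytes would be dropped from the allocation again. Comparing against zero is robust to the mask's position and reads as the boolean it is: `BOOLEAN fcs_use = (p_dcb->chnl_cfg.fcs & BTA_HL_MCA_FCS_USE_MASK) != 0;`. The comment above it cites BTA_HL_MCA_USE_FCS/BTA_HL_MCA_NO_FCS values that are not defined anywhere in this change, while bta_hl_int.h defines BTA_HL_L2C_USE_FCS/BTA_HL_L2C_NO_FCS as 1/0; if the 0x11/0x10 values are MCA-layer constants, say so (`/* chnl_cfg.fcs is an MCA_FCS_* value; the MCA_FCS_USE_MASK bit says whether FCS is used */`) so a reader does not conflate the two sets. bta_hl_dch_send_data continues outside this hunk.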
index 28ed06b..51cb7b0 100644 (file)
@@ -57,6 +57,7 @@ typedef UINT16 (tBTA_HL_ALLOCATE_PSM) (void);
 #define BTA_HL_L2C_USE_FCS              1
 #define BTA_HL_L2C_NO_FCS               0
 #define BTA_HL_DEFAULT_SOURCE_FCS       BTA_HL_L2C_USE_FCS
+#define BTA_HL_MCA_FCS_USE_MASK         MCA_FCS_USE_MASK
 
 /* SDP Operations */
 #define BTA_HL_SDP_OP_NONE                  0
@@ -710,7 +711,7 @@ extern "C"
     extern UINT8 bta_hl_set_tx_win_size(UINT16 mtu, UINT16 mps);
     extern UINT16 bta_hl_set_mps(UINT16 mtu);
     extern void bta_hl_clean_mdl_cb(UINT8 app_idx, UINT8 mcl_idx, UINT8 mdl_idx);
-    extern BT_HDR * bta_hl_get_buf(UINT16 data_size);
+    extern BT_HDR * bta_hl_get_buf(UINT16 data_size, BOOLEAN fcs_use);
     extern BOOLEAN bta_hl_find_service_in_db( UINT8 app_idx, UINT8 mcl_idx,
                                               UINT16 service_uuid,
                                               tSDP_DISC_REC **pp_rec );
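Review bot: The new `fcs_use` parameter on the `bta_hl_get_buf` prototype is undocumented, and since this fix is entirely a size contract between caller and allocator, that contract belongs at the declaration: `/* fcs_use: TRUE reserves L2CAP_FCS_LEN extra bytes so L2CAP can append the FCS without overrunning the buffer */`. It is also worth stating which way to err: a caller that cannot yet tell whether FCS is enabled should pass TRUE, because over-reserving two bytes is harmless while under-reserving reproduces the overwrite this commit fixes. A one-line remark to that effect beside the prototype would steer future call sites.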
index af5152f..8adf050 100644 (file)
@@ -1344,7 +1344,8 @@ static void bta_hl_api_dch_echo_test(tBTA_HL_CB *p_cb, tBTA_HL_DATA *p_data)
                     if ((p_data->api_dch_echo_test.local_cfg == BTA_HL_DCH_CFG_RELIABLE) ||
                         (p_data->api_dch_echo_test.local_cfg == BTA_HL_DCH_CFG_STREAMING))
                     {
-                        if ((p_dcb->p_echo_tx_pkt = bta_hl_get_buf(p_data->api_dch_echo_test.pkt_size)) != NULL )
+                        BOOLEAN fcs_use = (BOOLEAN) (p_dcb->chnl_cfg.fcs & BTA_HL_MCA_FCS_USE_MASK);
+                        if ((p_dcb->p_echo_tx_pkt = bta_hl_get_buf(p_data->api_dch_echo_test.pkt_size, fcs_use)) != NULL )
                         {
                             if (bta_hl_set_ctrl_psm_for_dch(app_idx, mcl_idx, mdl_idx, p_data->api_dch_open.ctrl_psm))
                             {
index e73f742..f34d818 100644 (file)
@@ -266,11 +266,16 @@ void bta_hl_clean_mdl_cb(UINT8 app_idx, UINT8 mcl_idx, UINT8 mdl_idx)
 ** Returns      BT_HDR *.
 **
 *******************************************************************************/
-BT_HDR * bta_hl_get_buf(UINT16 data_size)
+BT_HDR * bta_hl_get_buf(UINT16 data_size, BOOLEAN fcs_use)
 {
     BT_HDR *p_new;
     UINT16 size = data_size + L2CAP_MIN_OFFSET + BT_HDR_SIZE;
 
+    if (fcs_use)
+    {
+        size += L2CAP_FCS_LEN;
+    }
+
     p_new = (BT_HDR *)osi_getbuf(size);
     if (p_new)
     {
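Review bot: `size` is a UINT16, and the new `size += L2CAP_FCS_LEN` line adds to arithmetic that is already overflow-prone in exactly the way this commit is fixing: `data_size` is the caller-supplied pkt_size, and `data_size + L2CAP_MIN_OFFSET + BT_HDR_SIZE + L2CAP_FCS_LEN` wraps once it exceeds 0xFFFF, so an oversized packet would receive a tiny buffer and the later fill would overrun it. Whether pkt_size is bounded against the MTU before it reaches here is not visible in this hunk, so the allocator should defend itself: do the sum in a UINT32 and return NULL when the result cannot be represented in the UINT16 the original code used. bta_hl_get_buf continues past the end of this hunk, so the added NULL return should be wired up consistently with the existing `if (p_new)` failure handling below.
```c
BT_HDR * bta_hl_get_buf(UINT16 data_size, BOOLEAN fcs_use)
{
    BT_HDR *p_new;
    /* Widen before adding: a UINT16 sum silently wraps for large pkt_size. */
    UINT32 size = (UINT32)data_size + L2CAP_MIN_OFFSET + BT_HDR_SIZE;

    if (fcs_use)
    {
        size += L2CAP_FCS_LEN;
    }

    if (size > 0xFFFF)
    {
        return NULL;  /* cannot be represented in the UINT16 size used below */
    }

    p_new = (BT_HDR *)osi_getbuf((UINT16)size);
    /* … unchanged: header initialization and return … */
```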