Add proper checks for PAN & BNEP in BD stack

This patch fixes issues for PAN & BNEP in BD stack identified
by static analysis tool.

Change-Id: I29417dae982abb5cef11379f8d03baad11ffde8b

diff --git a/btif/co/bta_pan_co.c b/btif/co/bta_pan_co.c
index 50e0d8c..d3a9c3c 100644 (file)
--- a/btif/co/bta_pan_co.c
+++ b/btif/co/bta_pan_co.c
@@ -36,6 +36,7 @@
 #include "btif_sock_thread.h"
 #include <string.h>
 #include "btif_util.h"
+#include "btcore/include/bdaddr.h"
 
 /*******************************************************************************
 **
@@ -164,31 +165,37 @@ void bta_pan_co_tx_path(UINT16 handle, UINT8 app_id)
     BOOLEAN            ext;
     BOOLEAN         forward;
 
-    BTIF_TRACE_API("bta_pan_co_tx_path, handle:%d, app_id:%d", handle, app_id);
+    BTIF_TRACE_API("%s, handle:%d, app_id:%d", __func__, handle, app_id);
 
     btpan_conn_t* conn = btpan_find_conn_handle(handle);
-    if(!conn || conn->state != PAN_STATE_OPEN)
+    if (!conn)
     {
-        BTIF_TRACE_ERROR("bta_pan_co_tx_path: cannot find pan connction or conn"
-            "is not opened, conn:%p, conn->state:%d", conn, conn ? conn->state : -1);
+        BTIF_TRACE_ERROR("%s: cannot find pan connection", __func__);
         return;
     }
+    else if(conn->state != PAN_STATE_OPEN)
+    {
+        BTIF_TRACE_ERROR("%s: conn is not opened, conn:%p, conn->state:%d",
+            __func__, conn, conn->state);
+        return;
+    }
+
     do
     {
         /* read next data buffer from pan */
         if ((p_buf = bta_pan_ci_readbuf(handle, src, dst, &protocol,
                                  &ext, &forward)))
         {
-            BTIF_TRACE_DEBUG("bta_pan_co_tx_path, calling btapp_tap_send, "
-                "p_buf->len:%d, offset:%d", p_buf->len, p_buf->offset);
+            bdstr_t bdstr;
+            BTIF_TRACE_DEBUG("%s, calling btapp_tap_send, "
+                "p_buf->len:%d, offset:%d", __func__, p_buf->len, p_buf->offset);
             if(is_empty_eth_addr(conn->eth_addr) && is_valid_bt_eth_addr(src))
             {
-                BTIF_TRACE_DEBUG("pan bt peer addr: %02x:%02x:%02x:%02x:%02x:%02x",
-                    conn->peer[0], conn->peer[1], conn->peer[2],
-                    conn->peer[3],conn->peer[4], conn->peer[5]);
-                BTIF_TRACE_DEBUG("     update its ethernet addr: "
-                    "%02x:%02x:%02x:%02x:%02x:%02x", src[0], src[1], src[2],
-                    src[3],src[4], src[5]);
+                BTIF_TRACE_DEBUG("%s pan bt peer addr: %s", __func__,
+                    bdaddr_to_string((bt_bdaddr_t *)conn->peer, bdstr, sizeof(bdstr)));
+                bdaddr_to_string((bt_bdaddr_t *)src, bdstr, sizeof(bdstr));
+                BTIF_TRACE_DEBUG("%s:     update its ethernet addr: %s", __func__,
+                    bdaddr_to_string((bt_bdaddr_t *)src, bdstr, sizeof(bdstr)));
                 memcpy(conn->eth_addr, src, sizeof(conn->eth_addr));
 
             }

diff --git a/btif/include/btif_pan_internal.h b/btif/include/btif_pan_internal.h
index 64bab99..fad5577 100644 (file)
--- a/btif/include/btif_pan_internal.h
+++ b/btif/include/btif_pan_internal.h
@@ -38,6 +38,7 @@
 #define PANU_SERVICE_NAME "Android Network User"
 #define TAP_IF_NAME "bt-pan"
 #define ETH_ADDR_LEN        6
+#define TAP_MAX_PKT_WRITE_LEN 2000
 #ifndef PAN_SECURITY
 #define PAN_SECURITY (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_OUT_ENCRYPT)
 #endif

diff --git a/btif/src/btif_pan.c b/btif/src/btif_pan.c
index 5b71e20..c3dec2a 100644 (file)
--- a/btif/src/btif_pan.c
+++ b/btif/src/btif_pan.c
@@ -441,9 +441,9 @@ int btpan_tap_send(int tap_fd, const BD_ADDR src, const BD_ADDR dst, UINT16 prot
         memcpy(&eth_hdr.h_dest, dst, ETH_ADDR_LEN);
         memcpy(&eth_hdr.h_src, src, ETH_ADDR_LEN);
         eth_hdr.h_proto = htons(proto);
-        char packet[2000];
+        char packet[TAP_MAX_PKT_WRITE_LEN + sizeof(tETH_HDR)];
         memcpy(packet, &eth_hdr, sizeof(tETH_HDR));
-        if (len > 2000)
+        if (len > TAP_MAX_PKT_WRITE_LEN)
         {
             LOG_ERROR("btpan_tap_send eth packet size:%d is exceeded limit!", len);
             return -1;

diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c
index b298840..7676811 100644 (file)
--- a/stack/bnep/bnep_main.c
+++ b/stack/bnep/bnep_main.c
@@ -370,8 +370,8 @@ static void bnep_disconnect_ind (UINT16 l2cap_cid, BOOLEAN ack_needed)
     }
     else
     {
-        if (((p_bcb->con_flags & BNEP_FLAGS_IS_ORIG) && (bnep_cb.p_conn_state_cb)) ||
-            p_bcb->con_flags & BNEP_FLAGS_CONN_COMPLETED)
+        if ((bnep_cb.p_conn_state_cb) && ((p_bcb->con_flags & BNEP_FLAGS_IS_ORIG) ||
+            (p_bcb->con_flags & BNEP_FLAGS_CONN_COMPLETED)))
             (*bnep_cb.p_conn_state_cb) (p_bcb->handle, p_bcb->rem_bda, BNEP_CONN_FAILED, FALSE);
     }
 

diff --git a/stack/bnep/bnep_utils.c b/stack/bnep/bnep_utils.c
index 8c76b00..1db329d 100644 (file)
--- a/stack/bnep/bnep_utils.c
+++ b/stack/bnep/bnep_utils.c
@@ -174,10 +174,11 @@ void bnep_send_conn_req (tBNEP_CONN *p_bcb)
     BT_HDR  *p_buf;
     UINT8   *p, *p_start;
 
-    BNEP_TRACE_DEBUG ("BNEP sending setup req with dst uuid %x", p_bcb->dst_uuid.uu.uuid16);
+    BNEP_TRACE_DEBUG ("%s: sending setup req with dst uuid %x",
+        __func__, p_bcb->dst_uuid.uu.uuid16);
     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (BNEP_POOL_ID)) == NULL)
     {
-        BNEP_TRACE_ERROR ("BNEP - not able to send connection request");
+        BNEP_TRACE_ERROR ("%s: not able to send connection request", __func__);
         return;
     }
 
@@ -202,13 +203,18 @@ void bnep_send_conn_req (tBNEP_CONN *p_bcb)
         UINT32_TO_BE_STREAM (p, p_bcb->dst_uuid.uu.uuid32);
         UINT32_TO_BE_STREAM (p, p_bcb->src_uuid.uu.uuid32);
     }
-    else
+    else if (p_bcb->dst_uuid.len == 16)
     {
         memcpy (p, p_bcb->dst_uuid.uu.uuid128, p_bcb->dst_uuid.len);
         p += p_bcb->dst_uuid.len;
         memcpy (p, p_bcb->src_uuid.uu.uuid128, p_bcb->dst_uuid.len);
         p += p_bcb->dst_uuid.len;
     }
+    else
+    {
+        BNEP_TRACE_ERROR ("%s: uuid: %x, invalid length: %x",
+            __func__, p_bcb->dst_uuid.uu.uuid16, p_bcb->dst_uuid.len);
+    }
 
     p_buf->len = (UINT16)(p - p_start);