OSDN Git Service

anthias:17614185:Bluetooth: Getbuf returning invalid buffer pointer
author Maggie_Lee <Maggie_Lee@asus.com>
Wed, 24 Sep 2014 00:17:02 +0000 (17:17 -0700)
committer Chris Elliott <chriselliott@google.com>
Wed, 24 Sep 2014 00:24:45 +0000 (00:24 +0000)
b/17623865

Getbuf is checking for the pool which can accommodate the
requested size, but it is changing the pool with a restricted
check and not checking for the free memory size in that pool.

Added a check to avoid returning the wrong pool free buf pointer
and avoid gki get_buffer overflow.

Change-Id: I142870c989fc37f49c2d9b411d5eddbfba59bd9d

gki/common/gki_buffer.c

index bcf6f06..3a96614 100644 (file)
@@ -402,7 +402,11 @@ void *GKI_getbuf (UINT16 size)
         if (((UINT16)1 << p_cb->pool_list[i]) & p_cb->pool_access_mask)
             continue;
 
-        Q = &p_cb->freeq[p_cb->pool_list[i]];
+        if ( size <= p_cb->freeq[p_cb->pool_list[i]].size )
+            Q = &p_cb->freeq[p_cb->pool_list[i]];
+        else
+            continue;
+
         if(Q->cur_cnt < Q->total)
         {
 // btla-specific ++
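
Review bot: The new size test at `if ( size <= p_cb->freeq[p_cb->pool_list[i]].size )` would be simpler as an early skip in the same shape as the `pool_access_mask` check just above it, i.e. `if (size > p_cb->freeq[p_cb->pool_list[i]].size) continue;` followed by the original unconditional `Q = &p_cb->freeq[p_cb->pool_list[i]];`, which removes the `else` branch and keeps `Q` assigned on every path that reaches `Q->cur_cnt < Q->total`. The expression `p_cb->pool_list[i]` now appears three times in this loop body, so a local for the pool id would make the check easier to audit. Since the commit message talks about free memory in the pool while the added comparison is against `.size` and availability is still decided by the `Q->cur_cnt < Q->total` test below, a one-line comment saying what `.size` represents and why a too-small pool must be skipped here would document the overflow this guards against. The spacing in `if ( size` also differs from the surrounding `if (((UINT16)1` style.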