Allocate buffers of the right size when BT_HDR is included

Bug: 63146105
Test: External script
Change-Id: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
Merged-In: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
(cherry picked from commit d88838a7237cd672d87b6b9cc8d56fff625fd1d5)
(cherry picked from commit b648c7dfe45c57842d58576f558fdf8edff10bec)
(cherry picked from commit 338e0485940ab278e6a2dc12285ba0798b79cfa4)
(cherry picked from commit 510697a0d79ac9816c0e2717c357c3330d89645a)

diff --git a/stack/avdt/avdt_api.c b/stack/avdt/avdt_api.c
index 98ef5f7..5201054 100644 (file)
--- a/stack/avdt/avdt_api.c
+++ b/stack/avdt/avdt_api.c
@@ -1208,7 +1208,7 @@ UINT16 AVDT_SendReport(UINT8 handle, AVDT_REPORT_TYPE type,
         /* build SR - assume fit in one packet */
         p_tbl = avdt_ad_tc_tbl_by_type(AVDT_CHAN_REPORT, p_scb->p_ccb, p_scb);
         if (p_tbl->state == AVDT_AD_ST_OPEN) {
-            BT_HDR *p_pkt = (BT_HDR *)osi_malloc(p_tbl->peer_mtu);
+            BT_HDR *p_pkt = (BT_HDR *)osi_malloc(p_tbl->peer_mtu + sizeof(BT_HDR));
 
             p_pkt->offset = L2CAP_MIN_OFFSET;
             p = (UINT8 *)(p_pkt + 1) + p_pkt->offset;

diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c
index 078a72e..6d3684e 100644 (file)
--- a/stack/bnep/bnep_main.c
+++ b/stack/bnep/bnep_main.c
@@ -575,7 +575,7 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
             p_bcb->con_state != BNEP_STATE_CONNECTED &&
             extension_present && p && rem_len)
         {
-            p_bcb->p_pending_data = (BT_HDR *)osi_malloc(rem_len);
+            p_bcb->p_pending_data = (BT_HDR *)osi_malloc(rem_len + sizeof(BT_HDR));
             memcpy((UINT8 *)(p_bcb->p_pending_data + 1), p, rem_len);
             p_bcb->p_pending_data->len    = rem_len;
             p_bcb->p_pending_data->offset = 0;

diff --git a/stack/l2cap/l2cap_client.c b/stack/l2cap/l2cap_client.c
index 7e8b3cb..cd7edfe 100644 (file)
--- a/stack/l2cap/l2cap_client.c
+++ b/stack/l2cap/l2cap_client.c
@@ -370,7 +370,8 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet) {
   assert(packet != NULL);
 
   // TODO(sharvil): eliminate copy into BT_HDR.
-  BT_HDR *bt_packet = osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET);
+  BT_HDR *bt_packet = osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET +
+                                 sizeof(BT_HDR));
   bt_packet->offset = L2CAP_MIN_OFFSET;
   bt_packet->len = buffer_length(packet);
   memcpy(bt_packet->data + bt_packet->offset, buffer_ptr(packet), buffer_length(packet));
@@ -384,7 +385,8 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet) {
       break;
     }
 
-    BT_HDR *fragment = osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET);
+    BT_HDR *fragment = osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET +
+                                  sizeof(BT_HDR));
     fragment->offset = L2CAP_MIN_OFFSET;
     fragment->len = client->remote_mtu;
     memcpy(fragment->data + fragment->offset, bt_packet->data + bt_packet->offset, client->remote_mtu);

diff --git a/stack/mcap/mca_cact.c b/stack/mcap/mca_cact.c
index 583a342..483169a 100644 (file)
--- a/stack/mcap/mca_cact.c
+++ b/stack/mcap/mca_cact.c
@@ -122,7 +122,7 @@ void mca_ccb_snd_req(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data)
         p_ccb->p_tx_req = p_msg;
         if (!p_ccb->cong)
         {
-            BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU);
+            BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
 
             p_pkt->offset = L2CAP_MIN_OFFSET;
             p = p_start = (UINT8*)(p_pkt + 1) + L2CAP_MIN_OFFSET;
@@ -164,7 +164,7 @@ void mca_ccb_snd_rsp(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data)
     tMCA_CCB_MSG *p_msg = (tMCA_CCB_MSG *)p_data;
     UINT8   *p, *p_start;
     BOOLEAN chk_mdl = FALSE;
-    BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU);
+    BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
 
     MCA_TRACE_DEBUG("%s cong=%d req=%d", __func__, p_ccb->cong, p_msg->op_code);
     /* assume that API functions verified the parameters */