
Merge "SDP: Pass the bounds to process_service_*_rsp" into mnc-dev
authorTreeHugger Robot <treehugger-gerrit@google.com>
Tue, 16 Jan 2018 17:46:17 +0000 (17:46 +0000)
committerAndroid (Google) Code Review <android-gerrit@google.com>
Tue, 16 Jan 2018 17:46:17 +0000 (17:46 +0000)
bta/pan/bta_pan_act.c
stack/avrc/avrc_pars_tg.c
stack/bnep/bnep_main.c
stack/smp/smp_utils.c

index b63acd1..4601799 100644 (file)
@@ -206,6 +206,12 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
     BT_HDR * p_event;
     BT_HDR *p_new_buf;
 
+    p_scb = bta_pan_scb_by_handle(handle);
+    if (p_scb == NULL)
+    {
+        return;
+    }
+
     if ( sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset )
     {
         if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
@@ -213,7 +219,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
             android_errorWriteLog(0x534e4554, "63146237");
             APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
                              p_buf->len);
-            GKI_freebuf(p_buf);
             return;
         }
 
@@ -222,7 +227,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
         if(!p_new_buf)
         {
             APPL_TRACE_WARNING("Cannot get a PAN GKI buffer");
-            GKI_freebuf( p_buf );
             return;
         }
         else
@@ -230,7 +234,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
             memcpy( (UINT8 *)(p_new_buf+1)+sizeof(tBTA_PAN_DATA_PARAMS), (UINT8 *)(p_buf+1)+p_buf->offset, p_buf->len );
             p_new_buf->len    = p_buf->len;
             p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
-            GKI_freebuf( p_buf );
         }
     }
     else
@@ -244,14 +247,6 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
     ((tBTA_PAN_DATA_PARAMS *)p_new_buf)->ext = ext;
     ((tBTA_PAN_DATA_PARAMS *)p_new_buf)->forward = forward;
 
-
-    if((p_scb = bta_pan_scb_by_handle(handle)) == NULL)
-    {
-
-        GKI_freebuf( p_new_buf );
-        return;
-    }
-
     GKI_enqueue(&p_scb->data_queue, p_new_buf);
     if ((p_event = (BT_HDR *) GKI_getbuf(sizeof(BT_HDR))) != NULL)
     {
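Review bot: Removing the `GKI_freebuf(p_buf)` calls hands ownership of the incoming buffer back to the caller, but the `else` branch at the end of the fourth hunk runs outside this view and is the case that decides whether that is safe: if it still aliases `p_new_buf` to `p_buf`, the buffer enqueued on `p_scb->data_queue` in the last hunk is the very buffer the caller now frees once this callback returns, which would be a use-after-free on the PAN data queue. Either that branch must copy into a fresh buffer the way the offset-too-small path does, or the caller must skip its free when the callback kept the buffer. Whichever it is, a comment above the new early return would pin the contract: `/* p_buf is owned by the caller and released there after this callback returns; copy what is needed and never free or enqueue p_buf itself */`. bta_pan_data_buf_ind_cback begins and ends outside these hunks.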
index b709c0f..f419872 100644 (file)
@@ -21,6 +21,7 @@
 #include "avrc_api.h"
 #include "avrc_defs.h"
 #include "avrc_int.h"
+#include "log/log.h"
 
 /*****************************************************************************
 **  Global data
@@ -108,6 +109,12 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAND *p_
             status = AVRC_STS_INTERNAL_ERR;
             break;
         }
+
+        if (p_result->get_cur_app_val.num_attr > AVRC_MAX_APP_ATTR_SIZE) {
+          android_errorWriteLog(0x534e4554, "63146237");
+          p_result->get_cur_app_val.num_attr = AVRC_MAX_APP_ATTR_SIZE;
+        }
+
         p_u8 = p_result->get_cur_app_val.attrs;
         for (xx=0, yy=0; xx< p_result->get_cur_app_val.num_attr; xx++)
         {
@@ -166,6 +173,11 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAND *p_
                     status = AVRC_STS_INTERNAL_ERR;
                 else
                 {
+                    if (p_result->get_app_val_txt.num_val > AVRC_MAX_APP_ATTR_SIZE) {
+                        android_errorWriteLog(0x534e4554, "63146237");
+                        p_result->get_app_val_txt.num_val = AVRC_MAX_APP_ATTR_SIZE;
+                    }
+
                     p_u8 = p_result->get_app_val_txt.vals;
                     for (xx=0; xx< p_result->get_app_val_txt.num_val; xx++)
                     {
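Review bot: Clamping `num_attr` in the first hunk (and `num_val` in the second) keeps the writes into `attrs`/`vals` in bounds, but it silently turns an oversized command from the peer into a truncated one that is then parsed as if it were valid, whereas the neighbouring failure path at the top of the hunk sets `status = AVRC_STS_INTERNAL_ERR` and stops. The attribute bytes beyond the clamp are also never consumed, so the parse position no longer matches what the peer sent; anything that reads further from `p_msg` afterwards is working on a skewed offset. Rejecting the command like the existing failure paths do, for instance `status = AVRC_STS_BAD_PARAM;` followed by the same exit the surrounding code uses, would be consistent with the rest of the function and would also surface the malformed request in the log instead of acting on part of it. The same point applies to the second hunk. avrc_pars_vendor_cmd starts and ends outside these hunks.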
index d940e29..c3fa051 100644 (file)
@@ -486,6 +486,12 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
     type = *p++;
     extension_present = type >> 7;
     type &= 0x7f;
+    if (type >= sizeof(bnep_frame_hdr_sizes) / sizeof(bnep_frame_hdr_sizes[0])) {
+        BNEP_TRACE_EVENT("BNEP - rcvd frame, bad type: 0x%02x", type);
+        android_errorWriteLog(0x534e4554, "68818034");
+        GKI_freebuf (p_buf);
+        return;
+    }
     if ((rem_len <= bnep_frame_hdr_sizes[type]) || (rem_len > BNEP_MTU_SIZE))
     {
         BNEP_TRACE_EVENT ("BNEP - rcvd frame, bad len: %d  type: 0x%02x", p_buf->len, type);
@@ -655,6 +661,7 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
     if (bnep_cb.p_data_buf_cb)
     {
         (*bnep_cb.p_data_buf_cb)(p_bcb->handle, p_src_addr, p_dst_addr, protocol, p_buf, fw_ext_present);
+        GKI_freebuf (p_buf);
     }
     else if (bnep_cb.p_data_ind_cb)
     {
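Review bot: The `GKI_freebuf(p_buf)` added after the `p_data_buf_cb` call changes the ownership contract for every registered data-buffer callback, and nothing at the call site records that: a callback that still frees `p_buf` now double-frees, and one that keeps a pointer to it (queueing it rather than copying) reads freed memory. A comment on the call is worth adding: `/* p_buf stays owned by BNEP: the callback must copy what it needs and must neither free nor retain p_buf */`. The `p_data_ind_cb` branch directly below is cut off by the hunk, so whether that path releases the buffer on its own is not visible here. The new range check in the first hunk is sound as written, since `type` has been masked to seven bits just above it and the bound is derived from the table itself.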
index 3e592f2..da54fdf 100644 (file)
@@ -294,8 +294,7 @@ BOOLEAN  smp_send_msg_to_L2CAP(BD_ADDR rem_bda, BT_HDR *p_toL2CAP)
     if ((l2cap_ret = L2CA_SendFixedChnlData (fixed_cid, rem_bda, p_toL2CAP)) == L2CAP_DW_FAILED)
     {
         smp_cb.total_tx_unacked -= 1;
-        SMP_TRACE_ERROR("SMP   failed to pass msg:0x%0x to L2CAP",
-                         *((UINT8 *)(p_toL2CAP + 1) + p_toL2CAP->offset));
+        SMP_TRACE_ERROR("SMP failed to pass msg to L2CAP");
         return FALSE;
     }
     else
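Review bot: Dropping the payload byte from the error message removes a dereference of `p_toL2CAP` after `L2CA_SendFixedChnlData` has returned `L2CAP_DW_FAILED`, which reads as a use-after-free fix, presumably because L2CAP takes ownership of the buffer and releases it on failure; nothing in the code now says so, and the next person to make the log more informative will put the read back. A short comment above the trace would keep the reason with the code: `/* do not touch p_toL2CAP here: L2CAP owns the buffer once it is passed in and may already have freed it on failure */`. If ownership is in fact not transferred on the failure path, the buffer leaks here instead, so the comment should state whichever the L2CAP contract actually is. smp_send_msg_to_L2CAP continues outside the hunk.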