From 09dbd56cd416e72e47827596160dc7b70f36c2f1 Mon Sep 17 00:00:00 2001 From: Matadeen Mishra Date: Tue, 7 Jun 2016 18:11:33 +0530 Subject: [PATCH] BT: Fixed Static Analysis Issues - This fix avoids NULL pointer dereferences, Array Index Out of Bounds Exceptions and Banned funciton in the Fluedroid code space of Bluetooth. Change-Id: If389820b427f39e1030013f14d5538d7c99ce9c6 CRs-Fixed: 1025718 --- bta/dm/bta_dm_main.c | 2 +- bta/hl/bta_hl_main.c | 4 ++-- bta/jv/bta_jv_act.c | 9 --------- bta/sys/bta_sys_main.c | 2 +- btif/src/btif_config.c | 6 ++++-- btif/src/btif_debug_conn.c | 8 +++++--- btif/src/btif_dm.c | 18 ++++++++++-------- btif/src/btif_sock_l2cap.c | 26 +++++++++++++++----------- btif/src/btif_sock_thread.c | 2 +- btif/src/btif_storage.c | 6 +++--- hci/src/hci_packet_parser.c | 2 ++ osi/src/allocation_tracker.c | 12 ++++++++---- osi/src/config.c | 26 ++++++++++++++++---------- osi/src/socket.c | 5 +++++ osi/src/thread.c | 5 ++++- stack/btm/btm_acl.c | 6 +++--- stack/btm/btm_pm.c | 6 +++--- stack/btm/btm_sec.c | 9 ++++++--- stack/gap/gap_conn.c | 2 +- stack/include/bt_types.h | 4 ++++ stack/l2cap/l2c_fcr.c | 28 ++++++++++++++++++++++++---- stack/l2cap/l2cap_client.c | 4 ++++ stack/mcap/mca_cact.c | 9 ++++++--- stack/mcap/mca_csm.c | 14 +++++++++++--- stack/mcap/mca_dsm.c | 36 ++++++++++++++++++++++++++++++------ stack/mcap/mca_l2c.c | 2 +- stack/mcap/mca_main.c | 23 ++++++++++++++++------- stack/rfcomm/rfc_mx_fsm.c | 2 +- stack/sdp/sdp_discovery.c | 6 +++++- stack/sdp/sdp_server.c | 14 +++++++++++--- stack/sdp/sdp_utils.c | 11 ++++++++--- stack/smp/smp_cmac.c | 4 +++- stack/smp/smp_main.c | 4 ++-- stack/srvc/srvc_battery.c | 2 +- stack/srvc/srvc_eng.c | 5 +++++ utils/src/bt_utils.c | 2 +- 36 files changed, 223 insertions(+), 103 deletions(-) diff --git a/bta/dm/bta_dm_main.c b/bta/dm/bta_dm_main.c index e9caea6a0..62e3d3f17 100644 --- a/bta/dm/bta_dm_main.c +++ b/bta/dm/bta_dm_main.c 
@@ -359,7 +359,7 @@ BOOLEAN bta_dm_search_sm_execute(BT_HDR *p_msg) /* execute action functions */ for (i = 0; i < BTA_DM_SEARCH_ACTIONS; i++) { - if ((action = state_table[p_msg->event & 0x00ff][i]) != BTA_DM_SEARCH_IGNORE) + if ((action = state_table[p_msg->event & 0x00ff][i]) < BTA_DM_SEARCH_IGNORE) { (*bta_dm_search_action[action])( (tBTA_DM_MSG*) p_msg); } diff --git a/bta/hl/bta_hl_main.c b/bta/hl/bta_hl_main.c index b4d96cd8b..b9309f28f 100644 --- a/bta/hl/bta_hl_main.c +++ b/bta/hl/bta_hl_main.c @@ -440,7 +440,7 @@ void bta_hl_cch_sm_execute(UINT8 app_idx, UINT8 mcl_idx, for (i = 0; i < BTA_HL_CCH_ACTIONS; i++) { - if ((action = state_table[event][i]) != BTA_HL_CCH_IGNORE) + if ((action = state_table[event][i]) < BTA_HL_CCH_IGNORE) { (*bta_hl_cch_action[action])(app_idx, mcl_idx, p_data); } @@ -497,7 +497,7 @@ void bta_hl_dch_sm_execute(UINT8 app_idx, UINT8 mcl_idx, UINT8 mdl_idx, for (i = 0; i < BTA_HL_DCH_ACTIONS; i++) { - if ((action = state_table[event][i]) != BTA_HL_DCH_IGNORE) + if ((action = state_table[event][i]) < BTA_HL_DCH_IGNORE) { (*bta_hl_dch_action[action])(app_idx, mcl_idx, mdl_idx, p_data); } diff --git a/bta/jv/bta_jv_act.c b/bta/jv/bta_jv_act.c index a03a9ec8e..965b4b8cf 100644 --- a/bta/jv/bta_jv_act.c +++ b/bta/jv/bta_jv_act.c @@ -1797,9 +1797,6 @@ static void bta_jv_port_event_sr_cback(UINT32 code, UINT16 port_handle) tBTA_JV_RFC_CB *p_cb = bta_jv_rfc_port_to_cb(port_handle); tBTA_JV evt_data; - /* Fix for below klockwork issue - * Pointer 'p_pcb' returned from call to function 'bta_jv_rfc_port_to_pcb' at line 1804 - * may be NULL and may be dereferenced at line 1811*/ if (NULL == p_cb || NULL == p_cb->p_cback || NULL == p_pcb) return; 
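Review bot: The new `< BTA_DM_SEARCH_IGNORE` test in bta_dm_search_sm_execute only bounds the index if BTA_DM_SEARCH_IGNORE is the last action enumerator and equals the length of bta_dm_search_action, which the hunk does not show; if an enumerator is ever added after it the guard silently passes an out-of-range index. An out-of-range table entry is now also indistinguishable from IGNORE, so a corrupt state table no longer shows up in traces. Consider `else if (action != BTA_DM_SEARCH_IGNORE) APPL_TRACE_ERROR("%s: invalid action %d", __func__, action);` and a comment on the enum stating that IGNORE must stay last and equal to the table size. The same pattern is repeated in bta_hl_main.c, bta_sys_main.c, mca_csm.c, mca_dsm.c and smp_main.c in this patch. bta_dm_search_sm_execute continues outside the hunk.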
@@ -2503,9 +2500,6 @@ static void fcchan_conn_chng_cbk(UINT16 chan, BD_ADDR bd_addr, BOOLEAN connected } } - /* Fix for below klockwork issue - * Null pointer 'p_cback' that comes from line 2438 - * may be dereferenced at line 2494*/ if (call_init && p_cback) p_cback(BTA_JV_L2CAP_CL_INIT_EVT, &init_evt, user_data); @@ -2597,9 +2591,6 @@ void bta_jv_l2cap_connect_le(tBTA_JV_MSG *p_data) } if (call_init_f) cc->p_cback(BTA_JV_L2CAP_CL_INIT_EVT, &evt, cc->user_data); - /* Fix for below klockwork issue - * Pointer 't' checked for NULL at line 2576 - * will be dereferenced at line 2588*/ if (t) t->init_called = TRUE; } diff --git a/bta/sys/bta_sys_main.c b/bta/sys/bta_sys_main.c index 610dec6b9..6bb64c629 100644 --- a/bta/sys/bta_sys_main.c +++ b/bta/sys/bta_sys_main.c @@ -226,7 +226,7 @@ BOOLEAN bta_sys_sm_execute(BT_HDR *p_msg) /* execute action functions */ for (i = 0; i < BTA_SYS_ACTIONS; i++) { - if ((action = state_table[p_msg->event & 0x00ff][i]) != BTA_SYS_IGNORE) + if ((action = state_table[p_msg->event & 0x00ff][i]) < BTA_SYS_IGNORE) { (*bta_sys_action[action])( (tBTA_SYS_HW_MSG*) p_msg); } diff --git a/btif/src/btif_config.c b/btif/src/btif_config.c index 24a8c1759..2e7e19fcf 100644 --- a/btif/src/btif_config.c +++ b/btif/src/btif_config.c @@ -186,8 +186,10 @@ static future_t *init(void) { } else { time_t current_time = time(NULL); struct tm* time_created = localtime(¤t_time); - strftime(btif_config_time_created, TIME_STRING_LENGTH, TIME_STRING_FORMAT, time_created); - config_set_string(config, INFO_SECTION, FILE_TIMESTAMP, btif_config_time_created); + if (time_created) { + strftime(btif_config_time_created, TIME_STRING_LENGTH, TIME_STRING_FORMAT, time_created); + config_set_string(config, INFO_SECTION, FILE_TIMESTAMP, btif_config_time_created); + } } // TODO(sharvil): use a non-wake alarm for this once we have diff --git a/btif/src/btif_debug_conn.c b/btif/src/btif_debug_conn.c index 9c9a9f320..cf9ac6d94 100644 --- a/btif/src/btif_debug_conn.c 
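Review bot: The strftime() result in btif_config's init() is still unchecked; when it returns 0 the contents of btif_config_time_created are indeterminate and that buffer is then stored as FILE_TIMESTAMP. Fold the check into the new condition, e.g. `if (time_created && strftime(btif_config_time_created, TIME_STRING_LENGTH, TIME_STRING_FORMAT, time_created) > 0)`. localtime() also writes to a static struct tm shared by every thread, so if init() can run concurrently with the other localtime() callers touched by this patch (btif_debug_conn.c, btif_dm.c), `struct tm tm_buf; struct tm *time_created = localtime_r(&current_time, &tm_buf);` is the safer form. init() continues outside the hunk.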
+++ b/btif/src/btif_debug_conn.c @@ -42,9 +42,11 @@ static char *format_ts(const uint64_t ts, char *buffer, int len) { const time_t secs = ms / 1000; struct tm *ptm = localtime(&secs); - char tempbuff[20]; - strftime(tempbuff, sizeof(tempbuff), "%m-%d %H:%M:%S", ptm); - snprintf(buffer, len, "%s.%03u", tempbuff, (uint16_t)(ms % 1000)); + char tempbuff[20] = {0}; + if (ptm) { + strftime(tempbuff, sizeof(tempbuff), "%m-%d %H:%M:%S", ptm); + snprintf(buffer, len, "%s.%03u", tempbuff, (uint16_t)(ms % 1000)); + } return buffer; } diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c index 6bda6f9c1..240d6fb8c 100644 --- a/btif/src/btif_dm.c +++ b/btif/src/btif_dm.c @@ -2311,14 +2311,14 @@ static void bte_search_devices_evt(tBTA_DM_SEARCH_EVT event, tBTA_DM_SEARCH *p_d { case BTA_DM_INQ_RES_EVT: { - if (p_data->inq_res.p_eir) + if (p_data && p_data->inq_res.p_eir) param_len += HCI_EXT_INQ_RESPONSE_LEN; } break; case BTA_DM_DISC_RES_EVT: { - if (p_data->disc_res.raw_data_size && p_data->disc_res.p_raw_data) + if (p_data && p_data->disc_res.raw_data_size && p_data->disc_res.p_raw_data) param_len += p_data->disc_res.raw_data_size; } break; @@ -2326,7 +2326,7 @@ static void bte_search_devices_evt(tBTA_DM_SEARCH_EVT event, tBTA_DM_SEARCH *p_d BTIF_TRACE_DEBUG("%s event=%s param_len=%d", __FUNCTION__, dump_dm_search_event(event), param_len); /* if remote name is available in EIR, set teh flag so that stack doesnt trigger RNR */ - if (event == BTA_DM_INQ_RES_EVT) + if (p_data && event == BTA_DM_INQ_RES_EVT) p_data->inq_res.remt_name_not_required = check_eir_remote_name(p_data, NULL, NULL); btif_transfer_context (btif_dm_search_devices_evt , (UINT16) event, (void *)p_data, param_len, 
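Review bot: On the new `ptm == NULL` path format_ts() returns `buffer` without ever writing to it, so the caller prints whatever that memory held; only tempbuff received the `= {0}` initializer. Give the output a defined value in that case, e.g. `else if (len > 0) buffer[0] = '\0';`, or fall back to printing the raw millisecond count. The strftime() return value is also unchecked, although the zeroed tempbuff at least keeps the following snprintf well-defined.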
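Review bot: In bte_search_devices_evt the three `p_data &&` guards protect the local dereferences, but the possibly-NULL pointer is still handed to btif_transfer_context on the last line of the hunk together with a param_len that depends on it, so the NULL is only deferred to the copy callback and to btif_dm_search_devices_evt, both outside the hunk. If p_data can really be NULL for these events, reject it once at the top of the function, `if (p_data == NULL) { BTIF_TRACE_ERROR("%s: NULL p_data", __func__); return; }`, instead of re-testing it at each use; if it cannot, the three checks are dead code and a single assert documents the contract better. Both hunks in this function end before the function does.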
@@ -2352,7 +2352,7 @@ static void bte_dm_search_services_evt(tBTA_DM_SEARCH_EVT event, tBTA_DM_SEARCH { case BTA_DM_DISC_RES_EVT: { - if ((p_data->disc_res.result == BTA_SUCCESS) && (p_data->disc_res.num_uuids > 0)) { + if ((p_data && p_data->disc_res.result == BTA_SUCCESS) && (p_data->disc_res.num_uuids > 0)) { param_len += (p_data->disc_res.num_uuids * MAX_UUID_SIZE); } } break; @@ -3744,11 +3744,13 @@ void btif_debug_bond_event_dump(int fd) { btif_bond_event_t* event = &btif_dm_bond_events[i]; char eventtime[20]; - char temptime[20]; + char temptime[20] = {0}; struct tm *tstamp = localtime(&event->timestamp.tv_sec); - strftime(temptime, sizeof(temptime), "%H:%M:%S", tstamp); - snprintf(eventtime, sizeof(eventtime), "%s.%03ld", temptime, - event->timestamp.tv_nsec / 1000000); + if (tstamp) { + strftime(temptime, sizeof(temptime), "%H:%M:%S", tstamp); + snprintf(eventtime, sizeof(eventtime), "%s.%03ld", temptime, + event->timestamp.tv_nsec / 1000000); + } char bdaddr[18]; bdaddr_to_string(&event->bd_addr, bdaddr, sizeof(bdaddr)); diff --git a/btif/src/btif_sock_l2cap.c b/btif/src/btif_sock_l2cap.c index 75434310a..e1d8d25c3 100644 --- a/btif/src/btif_sock_l2cap.c +++ b/btif/src/btif_sock_l2cap.c 
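Review bot: In btif_debug_bond_event_dump the `if (tstamp)` wrapper now leaves `eventtime` uninitialized when localtime() fails, and eventtime is what the surrounding code presumably prints; only temptime received the `= {0}`. Initialize it as well, `char eventtime[20] = {0};`, or write a placeholder such as "??:??:??" in an else branch so the dump stays readable. The loop body continues outside the hunk.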
@@ -471,20 +471,24 @@ static void on_srv_l2cap_psm_connect_l(tBTA_JV_L2CAP_OPEN *p_open, l2cap_socket // Mutex locked by caller accept_rs = btsock_l2cap_alloc_l(sock->name, (const bt_bdaddr_t*)p_open->rem_bda, FALSE, 0); - accept_rs->connected = TRUE; - accept_rs->security = sock->security; - accept_rs->fixed_chan = sock->fixed_chan; - accept_rs->channel = sock->channel; - accept_rs->handle = sock->handle; - accept_rs->app_uid = sock->app_uid; - sock->handle = -1; /* We should no longer associate this handle with the server socket */ - accept_rs->is_le_coc = sock->is_le_coc; + if (accept_rs) { + accept_rs->connected = TRUE; + accept_rs->security = sock->security; + accept_rs->fixed_chan = sock->fixed_chan; + accept_rs->channel = sock->channel; + accept_rs->handle = sock->handle; + accept_rs->app_uid = sock->app_uid; + sock->handle = -1; /* We should no longer associate this handle with the server socket */ + accept_rs->is_le_coc = sock->is_le_coc; /* Swap IDs to hand over the GAP connection to the accepted socket, and start a new server on the newly create socket ID. */ - new_listen_id = accept_rs->id; - accept_rs->id = sock->id; - sock->id = new_listen_id; + new_listen_id = accept_rs->id; + accept_rs->id = sock->id; + sock->id = new_listen_id; + } else { + APPL_TRACE_ERROR("Memory not allocated for accept_rs.."); + } if (accept_rs) { //start monitor the socket diff --git a/btif/src/btif_sock_thread.c b/btif/src/btif_sock_thread.c index da65146a2..d1651c85b 100644 --- a/btif/src/btif_sock_thread.c +++ b/btif/src/btif_sock_thread.c @@ -552,7 +552,7 @@ static void prepare_poll_fds(int h, struct pollfd* pfds) ps_i, MAX_POLL, count, ts[h].poll_count); return; } - if(ts[h].ps[ps_i].pfd.fd >= 0) + if(ts[h].ps[ps_i].pfd.fd >= 0 && pfd_i < MAX_POLL) { pfds[pfd_i] = ts[h].ps[ps_i].pfd; ts[h].psi[pfd_i] = ps_i; diff --git a/btif/src/btif_storage.c b/btif/src/btif_storage.c index d306031de..aa592f2be 100644 --- a/btif/src/btif_storage.c +++ b/btif/src/btif_storage.c 
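Review bot: The new `if (accept_rs) { ... } else { ... }` in on_srv_l2cap_psm_connect_l is immediately followed by the pre-existing `if (accept_rs)` block, so the same condition is tested twice in a row; folding the allocation-failure log into the existing block, or making the else branch return, keeps a single control path. More importantly, on the failure path the accepted connection described by p_open is left with no socket owning it and the server socket's handle is untouched, so the remote peer holds a channel nobody will read. The rest of this function is outside the hunk, so please confirm whether the caller closes the channel; if not, the else branch should close p_open's connection before returning.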
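Review bot: The added `pfd_i < MAX_POLL` in prepare_poll_fds silently drops any sockets that would overflow pfds: the loop keeps iterating but the remaining fds are never polled and nothing is logged, whereas the existing overflow path a few lines above traces and returns. Make the overflow explicit and consistent with that path, e.g. `if (pfd_i >= MAX_POLL) { APPL_TRACE_ERROR("%s: pfds overflow", __func__); break; }` before the assignment, rather than hiding it inside the `fd >= 0` test. The loop starts before the hunk.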
@@ -224,14 +224,14 @@ static int prop2cfg(bt_bdaddr_t *remote_bd_addr, bt_property_t *prop) uint32_t i; char buf[64]; value[0] = 0; + int size = sizeof(value); for (i=0; i < (prop->len)/sizeof(bt_uuid_t); i++) { bt_uuid_t *p_uuid = (bt_uuid_t*)prop->val + i; memset(buf, 0, sizeof(buf)); uuid_to_string_legacy(p_uuid, buf); - strcat(value, buf); - //strcat(value, ";"); - strcat(value, " "); + strlcat(value, buf, size); + strlcat(value, " ", size); } btif_config_set_str(bdstr, BTIF_STORAGE_PATH_REMOTE_SERVICE, value); break; diff --git a/hci/src/hci_packet_parser.c b/hci/src/hci_packet_parser.c index 9f7dae83b..71300cc9e 100644 --- a/hci/src/hci_packet_parser.c +++ b/hci/src/hci_packet_parser.c @@ -185,6 +185,7 @@ static void parse_ble_read_resolving_list_size_response( uint8_t *resolving_list_size_ptr) { uint8_t *stream = read_command_complete_header(response, HCI_BLE_READ_RESOLVING_LIST_SIZE, 1 /* bytes after */); + assert(stream != NULL); STREAM_TO_UINT8(*resolving_list_size_ptr, stream); buffer_allocator->free(response); @@ -195,6 +196,7 @@ static void parse_ble_read_suggested_default_data_length_response( uint16_t *ble_default_packet_length_ptr) { uint8_t *stream = read_command_complete_header(response, HCI_BLE_READ_DEFAULT_DATA_LENGTH, 2 /* bytes after */); + assert(stream != NULL); STREAM_TO_UINT8(*ble_default_packet_length_ptr, stream); buffer_allocator->free(response); diff --git a/osi/src/allocation_tracker.c b/osi/src/allocation_tracker.c index b4e1a8469..c5cb6cd15 100644 --- a/osi/src/allocation_tracker.c +++ b/osi/src/allocation_tracker.c 
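Review bot: The switch to strlcat in prop2cfg bounds the writes, but its return value is discarded, so a UUID list longer than `value` is now silently truncated and the truncated string is persisted by btif_config_set_str; a partially written UUID at the end will not parse back. Test the return, e.g. `if (strlcat(value, buf, size) >= (size_t)size) { BTIF_TRACE_ERROR("%s: uuid list truncated", __func__); break; }`. `int size = sizeof(value)` should be `size_t`, and it is only correct if `value` is a true array here (its declaration is outside the hunk); if it is a pointer, sizeof yields the pointer size.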
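Review bot: The two new `assert(stream != NULL)` calls in parse_ble_read_resolving_list_size_response and parse_ble_read_suggested_default_data_length_response abort the process on a Command Complete whose payload is shorter than expected, and that payload comes from the controller rather than from trusted code. This appears consistent with how the neighbouring parsers in this file treat the same condition, but it deserves a comment that the abort is deliberate, e.g. `// A malformed Command Complete from the controller is treated as fatal.`, since the alternative a reader would expect is to log, free the response and leave the output untouched. read_command_complete_header's handling of short packets is outside the hunk.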
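Review bot: The `if (allocation)` guard in allocation_tracker_notify_alloc comes after `hash_map_set(allocations, return_ptr, allocation)` at the top of the hunk, so if the record can be NULL it has already been inserted into the map before being rejected, and the function then returns as though the block were tracked. The allocation of `allocation` is outside the hunk and may never fail in practice (osi_calloc may abort), but if the check is needed at all it belongs before hash_map_set, and on failure the function should skip tracking explicitly or return NULL rather than only logging.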
@@ -133,10 +133,14 @@ void *allocation_tracker_notify_alloc(uint8_t allocator_id, void *ptr, size_t re hash_map_set(allocations, return_ptr, allocation); } - allocation->allocator_id = allocator_id; - allocation->freed = false; - allocation->size = requested_size; - allocation->ptr = return_ptr; + if (allocation) { + allocation->allocator_id = allocator_id; + allocation->freed = false; + allocation->size = requested_size; + allocation->ptr = return_ptr; + } else { + LOG_ERROR(LOG_TAG, "%s Memory not allocated for allocation." ,__func__); + } pthread_mutex_unlock(&lock); diff --git a/osi/src/config.c b/osi/src/config.c index 345f907d5..8a3e23042 100644 --- a/osi/src/config.c +++ b/osi/src/config.c @@ -213,20 +213,26 @@ void config_set_string(config_t *config, const char *section, const char *key, c section_t *sec = section_find(config, section); if (!sec) { sec = section_new(section); - list_append(config->sections, sec); + if (sec) + list_append(config->sections, sec); + else { + LOG_ERROR(LOG_TAG,"%s: Unable to allocate memory for section", __func__); + } } - for (const list_node_t *node = list_begin(sec->entries); node != list_end(sec->entries); node = list_next(node)) { - entry_t *entry = list_node(node); - if (!strcmp(entry->key, key)) { - osi_free(entry->value); - entry->value = osi_strdup(value); - return; + if (sec) { + for (const list_node_t *node = list_begin(sec->entries); node != list_end(sec->entries); node = list_next(node)) { + entry_t *entry = list_node(node); + if (!strcmp(entry->key, key)) { + osi_free(entry->value); + entry->value = osi_strdup(value); + return; + } } - } - entry_t *entry = entry_new(key, value); - list_append(sec->entries, entry); + entry_t *entry = entry_new(key, value); + list_append(sec->entries, entry); + } } bool config_remove_section(config_t *config, const char *section) { diff --git a/osi/src/socket.c b/osi/src/socket.c index 4ebb3b880..abcf483b3 100644 --- a/osi/src/socket.c +++ b/osi/src/socket.c 
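Review bot: Two lines below the new section_new check in config_set_string, `entry_t *entry = entry_new(key, value); list_append(sec->entries, entry);` is still unchecked, so the allocation-failure case this hunk guards for sections is unguarded for entries and a NULL entry would be appended to the list. Apply the same treatment, `if (entry) list_append(sec->entries, entry); else LOG_ERROR(LOG_TAG, "%s: Unable to allocate memory for entry", __func__);`. Because config_set_string is void, the caller also cannot learn that the key was dropped; if this path is reachable, consider returning a bool or documenting in the header that the set is best-effort.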
@@ -51,6 +51,11 @@ static void internal_write_ready(void *context); socket_t *socket_new(void) { socket_t *ret = (socket_t *)osi_calloc(sizeof(socket_t)); + if (ret == NULL) { + LOG_ERROR(LOG_TAG, "%s unable to allocate : %s", __func__, strerror(errno)); + return NULL; + } + ret->fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (ret->fd == INVALID_FD) { LOG_ERROR(LOG_TAG, "%s unable to create socket: %s", __func__, strerror(errno)); diff --git a/osi/src/thread.c b/osi/src/thread.c index ebeab5635..c7b1eb243 100644 --- a/osi/src/thread.c +++ b/osi/src/thread.c @@ -66,7 +66,10 @@ thread_t *thread_new_sized(const char *name, size_t work_queue_capacity) { assert(work_queue_capacity != 0); thread_t *ret = osi_calloc(sizeof(thread_t)); - + if (ret == NULL) { + LOG_ERROR(LOG_TAG, "%s unable to allocate memory" , __func__); + return NULL; + } ret->reactor = reactor_new(); if (!ret->reactor) goto error; diff --git a/stack/btm/btm_acl.c b/stack/btm/btm_acl.c index 71a19ec16..d04b75a29 100644 --- a/stack/btm/btm_acl.c +++ b/stack/btm/btm_acl.c @@ -564,7 +564,7 @@ void btm_acl_device_down (void) void btm_acl_update_busy_level (tBTM_BLI_EVENT event) { tBTM_BL_UPDATE_DATA evt; - UINT8 busy_level; + UINT8 busy_level = btm_cb.busy_level; BTM_TRACE_DEBUG ("btm_acl_update_busy_level"); BOOLEAN old_inquiry_state = btm_cb.is_inquiry; switch (event) @@ -1760,7 +1760,7 @@ BOOLEAN BTM_TryAllocateSCN(UINT8 scn) /* Make sure we don't exceed max port range. * Stack reserves scn 1 for HFP, HSP we still do the correct way. */ - if ( (scn>=BTM_MAX_SCN) || (scn == 1) ) + if ( (scn>=BTM_MAX_SCN) || (scn <= 1) ) return FALSE; /* check if this port is available */ @@ -1785,7 +1785,7 @@ BOOLEAN BTM_TryAllocateSCN(UINT8 scn) BOOLEAN BTM_FreeSCN(UINT8 scn) { BTM_TRACE_DEBUG ("BTM_FreeSCN "); - if (scn <= BTM_MAX_SCN) + if (scn <= BTM_MAX_SCN && scn > 0) { btm_cb.btm_scn[scn-1] = FALSE; return(TRUE); diff --git a/stack/btm/btm_pm.c b/stack/btm/btm_pm.c index e24563b50..38b79352f 100644 
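Review bot: After this patch BTM_TryAllocateSCN rejects `scn >= BTM_MAX_SCN` while BTM_FreeSCN accepts `scn <= BTM_MAX_SCN`, so the upper bounds of the two functions differ by one; both index `btm_scn[scn-1]`, which is safe only if btm_scn has at least BTM_MAX_SCN entries (its declaration is outside the hunk). Making the tests symmetric — `if (scn == 0 || scn > BTM_MAX_SCN) return FALSE;` in BTM_FreeSCN to match the allocator's range, or the same bound in both — removes the need to reason about the array size at each call, and a one-line comment on btm_scn stating the valid SCN range would help. BTM_FreeSCN continues outside the hunk.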
--- a/stack/btm/btm_pm.c +++ b/stack/btm/btm_pm.c @@ -207,7 +207,7 @@ tBTM_STATUS BTM_SetPowerMode (UINT8 pm_id, BD_ADDR remote_bda, tBTM_PM_PWR_MD *p /* check if the requested mode is supported */ ind = mode - BTM_PM_MD_HOLD; /* make it base 0 */ p_features = BTM_ReadLocalFeatures(); - if( !(p_features[ btm_pm_mode_off[ind] ] & btm_pm_mode_msk[ind] ) ) + if(ind < BTM_PM_NUM_SET_MODES && !(p_features[ btm_pm_mode_off[ind] ] & btm_pm_mode_msk[ind] ) ) return BTM_MODE_UNSUPPORTED; } @@ -386,7 +386,7 @@ void btm_pm_reset(void) tBTM_PM_STATUS_CBACK *cb = NULL; /* clear the pending request for application */ - if( (btm_cb.pm_pend_id != BTM_PM_SET_ONLY_ID) && + if( (btm_cb.pm_pend_id < BTM_PM_SET_ONLY_ID) && (btm_cb.pm_reg_db[btm_cb.pm_pend_id].mask & BTM_PM_REG_NOTIF) ) { cb = btm_cb.pm_reg_db[btm_cb.pm_pend_id].cback; @@ -780,7 +780,7 @@ void btm_pm_proc_cmd_status(UINT8 status) } /* notify the caller is appropriate */ - if( (btm_cb.pm_pend_id != BTM_PM_SET_ONLY_ID) && + if( (btm_cb.pm_pend_id < BTM_PM_SET_ONLY_ID) && (btm_cb.pm_reg_db[btm_cb.pm_pend_id].mask & BTM_PM_REG_NOTIF) ) { (*btm_cb.pm_reg_db[btm_cb.pm_pend_id].cback)(btm_cb.acl_db[btm_cb.pm_pend_link].remote_addr, pm_status, 0, status); diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c index d6df76ff4..ec7de9e55 100644 --- a/stack/btm/btm_sec.c +++ b/stack/btm/btm_sec.c @@ -211,10 +211,12 @@ static BOOLEAN btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC *p_dev_rec) *******************************************************************************/ static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec) { - if(BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id)) + if(p_serv_rec->service_id < BTM_SEC_MAX_SERVICES && BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id)) { return(TRUE); } + else + BTM_TRACE_ERROR("BTM_Sec: Service Id: %d not found", p_serv_rec->service_id); return(FALSE); } 
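Review bot: The new `ind < BTM_PM_NUM_SET_MODES &&` in BTM_SetPowerMode inverts the fail-safe: when ind is out of range the whole condition is false, the early `return BTM_MODE_UNSUPPORTED` is skipped and the request proceeds as if the mode were supported, which is the opposite of what an out-of-range mode should do. Write it as `if (ind >= BTM_PM_NUM_SET_MODES || !(p_features[btm_pm_mode_off[ind]] & btm_pm_mode_msk[ind])) return BTM_MODE_UNSUPPORTED;`. Since `ind = mode - BTM_PM_MD_HOLD`, a mode below BTM_PM_MD_HOLD also needs rejecting before the subtraction if ind is unsigned (its type is outside the hunk). BTM_SetPowerMode continues outside the hunk.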
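Review bot: The new else branch in btm_serv_trusted logs "Service Id: %d not found" at ERROR level whenever BTM_SEC_IS_SERVICE_TRUSTED is false, i.e. on every ordinary check of an untrusted service, not only when service_id is out of range; that is both misleading and noisy for a helper that the third btm_sec.c hunk now also calls from a trace. Log only the genuinely bad case, e.g. `if (p_serv_rec->service_id >= BTM_SEC_MAX_SERVICES) { BTM_TRACE_ERROR("%s: service_id %d out of range", __func__, p_serv_rec->service_id); return FALSE; }` before the trusted-mask test, and let the normal untrusted result return FALSE silently.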
@@ -1547,8 +1549,10 @@ void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr) if (res == BTM_SUCCESS) { if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) + { p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; + } } btsnd_hcic_user_conf_reply (bd_addr, TRUE); @@ -5472,8 +5476,7 @@ static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec) { BTM_TRACE_EVENT ("service id:%d, is trusted:%d", p_dev_rec->p_cur_service->service_id, - (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, - p_dev_rec->p_cur_service->service_id))); + btm_serv_trusted(p_dev_rec,p_dev_rec->p_cur_service)); if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) && (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) && (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, diff --git a/stack/gap/gap_conn.c b/stack/gap/gap_conn.c index dff472c8c..04bba7837 100644 --- a/stack/gap/gap_conn.c +++ b/stack/gap/gap_conn.c @@ -168,7 +168,7 @@ UINT16 GAP_ConnOpen (char *p_serv_name, UINT8 service_id, BOOLEAN is_server, p_ccb->cfg = *p_cfg; /* Configure L2CAP COC, if transport is LE */ - if (transport == BT_TRANSPORT_LE) + if (p_cfg && transport == BT_TRANSPORT_LE) { p_ccb->local_coc_cfg.credits = L2CAP_LE_DEFAULT_CREDIT; p_ccb->local_coc_cfg.mtu = p_cfg->mtu; diff --git a/stack/include/bt_types.h b/stack/include/bt_types.h index 34447b62f..93f33b988 100644 --- a/stack/include/bt_types.h +++ b/stack/include/bt_types.h @@ -20,6 +20,7 @@ #define BT_TYPES_H #include +#include #include #ifndef FALSE @@ -730,6 +731,9 @@ static const BD_ADDR bd_addr_null= {0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; *******************************************************************************/ static inline void bdcpy(BD_ADDR a, const BD_ADDR b) { + if (a == NULL || b == NULL) + return; + int i; for (i = BD_ADDR_LEN; i != 0; i--) diff --git a/stack/l2cap/l2c_fcr.c b/stack/l2cap/l2c_fcr.c index 4a36a0b68..33e2a413d 100644 
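Review bot: The `p_cfg &&` added to the LE branch of GAP_ConnOpen is ineffective: the context line directly above it, `p_ccb->cfg = *p_cfg;`, already dereferences p_cfg unconditionally, so a NULL p_cfg crashes before the new test is reached. Either p_cfg cannot be NULL here, in which case the check should be dropped so it does not suggest otherwise, or the NULL test belongs before the copy, e.g. `if (p_cfg == NULL) return GAP_INVALID_HANDLE;` near the top of the function using whatever error value the other early exits return. GAP_ConnOpen starts and ends outside the hunk.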
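Review bot: Making bdcpy() silently return on a NULL argument leaves the destination address unchanged, so the caller continues with a stale or zero BD_ADDR and the bug that produced the NULL is hidden instead of caught; BD_ADDR parameters decay from fixed-size arrays, so a NULL here is always a programming error rather than external input. Prefer `assert(a != NULL && b != NULL);` (consistent with the asserts this patch adds in hci_packet_parser.c, and requiring `<assert.h>` in the header), or at least document the behaviour above the function, e.g. `/* No-op when either address is NULL; callers cannot detect this. */`. The `#include` lines in the first bt_types.h hunk are garbled in this rendering, so the header being added could not be verified.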
--- a/stack/l2cap/l2c_fcr.c +++ b/stack/l2cap/l2c_fcr.c @@ -1051,6 +1051,10 @@ static BOOLEAN process_reqseq (tL2C_CCB *p_ccb, UINT16 ctrl_word) for (xx = 0; xx < num_bufs_acked; xx++) { BT_HDR *p_tmp = (BT_HDR *)fixed_queue_try_dequeue(p_fcrb->waiting_for_ack_q); + if (p_tmp == NULL) { + L2CAP_TRACE_WARNING ("%s: Unable to dequeue", __func__); + return (FALSE); + } ls = p_tmp->layer_specific & L2CAP_FCR_SAR_BITS; if ( (ls == L2CAP_FCR_UNSEG_SDU) || (ls == L2CAP_FCR_END_SDU) ) @@ -1238,8 +1242,12 @@ static void process_i_frame (tL2C_CCB *p_ccb, BT_HDR *p_buf, UINT16 ctrl_word, B if (p_fcrb->srej_sent) { /* If SREJ sent, save the frame for later processing as long as it is in sequence */ - next_srej = (((BT_HDR *)fixed_queue_try_peek_last(p_fcrb->srej_rcv_hold_q))->layer_specific + 1) & L2CAP_FCR_SEQ_MODULO; - + void * frame_msg = fixed_queue_try_peek_last(p_fcrb->srej_rcv_hold_q); + if (frame_msg == NULL) { + L2CAP_TRACE_WARNING ("%s: Unable to process frame", __func__); + return; + } + next_srej = (((BT_HDR *)frame_msg)->layer_specific + 1) & L2CAP_FCR_SEQ_MODULO; if ( (tx_seq == next_srej) && (fixed_queue_length(p_fcrb->srej_rcv_hold_q) < p_ccb->our_cfg.fcr.tx_win_sz) ) { /* If user gave us a pool for held rx buffers, use that */ @@ -1739,6 +1747,10 @@ BT_HDR *l2c_fcr_get_next_xmit_sdu_seg (tL2C_CCB *p_ccb, UINT16 max_packet_length } p_buf = (BT_HDR *)fixed_queue_try_peek_first(p_ccb->xmit_hold_q); + if (p_buf == NULL) { + L2CAP_TRACE_ERROR ("%s: L2CAP - fixed_queue_try_peek_first returned queue as empty", __func__); + return NULL; + } /* If there is more data than the MPS, it requires segmentation */ if (p_buf->len > max_pdu) 
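Review bot: The new early `return;` in process_i_frame when fixed_queue_try_peek_last returns NULL drops the incoming frame p_buf without freeing it; in the SREJ path the function is responsible for either queueing or freeing p_buf (the other paths are outside the hunk), so this looks like a leak of one received PDU per occurrence. Free it before returning, `osi_free(p_buf); return;`, unless the caller owns the buffer on this path — please confirm against the caller. An empty hold queue while srej_sent is set also indicates inconsistent receiver state, which the warning text could say. process_i_frame continues outside the hunk.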
@@ -1775,8 +1787,12 @@ BT_HDR *l2c_fcr_get_next_xmit_sdu_seg (tL2C_CCB *p_ccb, UINT16 max_packet_length } else /* Use the original buffer if no segmentation, or the last segment */ { - p_xmit = (BT_HDR *)fixed_queue_try_dequeue(p_ccb->xmit_hold_q); - + void *seg_msg = fixed_queue_try_dequeue(p_ccb->xmit_hold_q); + if (seg_msg == NULL) { + L2CAP_TRACE_WARNING ("%s: Unable to process frame", __func__); + return (NULL); + } + p_xmit = (BT_HDR *)seg_msg; if (p_xmit->event != 0) last_seg = TRUE; @@ -1890,6 +1906,10 @@ BT_HDR *l2c_lcc_get_next_xmit_sdu_seg (tL2C_CCB *p_ccb, UINT16 max_packet_length UINT16 max_pdu = p_ccb->peer_conn_cfg.mps; p_buf = (BT_HDR *)fixed_queue_try_peek_first(p_ccb->xmit_hold_q); + if (p_buf == NULL) { + L2CAP_TRACE_ERROR ("%s: L2CAP - fixed_queue_try_peek_first returned queue as empty", __func__); + return (NULL); + } /* We are using the "event" field to tell is if we already started segmentation */ if (p_buf->event == 0) diff --git a/stack/l2cap/l2cap_client.c b/stack/l2cap/l2cap_client.c index 7e8b3cb6f..f8ddfd49d 100644 --- a/stack/l2cap/l2cap_client.c +++ b/stack/l2cap/l2cap_client.c @@ -98,6 +98,10 @@ l2cap_client_t *l2cap_client_new(const l2cap_client_callbacks_t *callbacks, void } l2cap_client_t *ret = (l2cap_client_t *)osi_calloc(sizeof(l2cap_client_t)); + if (ret == NULL) { + LOG_ERROR(LOG_TAG, "%s unable to allocate space for L2CAP client.", __func__); + return NULL; + } ret->callbacks = *callbacks; ret->context = context; diff --git a/stack/mcap/mca_cact.c b/stack/mcap/mca_cact.c index b02ef3ef3..ad1c1daca 100644 --- a/stack/mcap/mca_cact.c +++ b/stack/mcap/mca_cact.c 
@@ -109,8 +109,11 @@ void mca_ccb_snd_req(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data) p_dcb = mca_dcb_by_hdl(p_ccb->p_tx_req->dcb_idx); /* the Abort API does not have the associated mdl_id. * Get the mdl_id in dcb to compose the request */ - p_msg->mdl_id = p_dcb->mdl_id; - mca_dcb_event(p_dcb, MCA_DCB_API_CLOSE_EVT, NULL); + if(p_dcb) + { + p_msg->mdl_id = p_dcb->mdl_id; + mca_dcb_event(p_dcb, MCA_DCB_API_CLOSE_EVT, NULL); + } osi_free_and_reset((void **)&p_ccb->p_tx_req); p_ccb->status = MCA_CCB_STAT_NORM; is_abort = TRUE; @@ -484,7 +487,7 @@ void mca_ccb_hdl_rsp(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data) if (chk_mdl) { p_dcb = mca_dcb_by_hdl(p_ccb->p_tx_req->dcb_idx); - if (evt_data.rsp.rsp_code == MCA_RSP_SUCCESS) + if (p_dcb && evt_data.rsp.rsp_code == MCA_RSP_SUCCESS) { if (evt_data.hdr.mdl_id != p_dcb->mdl_id) { diff --git a/stack/mcap/mca_csm.c b/stack/mcap/mca_csm.c index 1ded76578..f643e9251 100644 --- a/stack/mcap/mca_csm.c +++ b/stack/mcap/mca_csm.c @@ -198,7 +198,7 @@ void mca_ccb_event(tMCA_CCB *p_ccb, UINT8 event, tMCA_CCB_EVT *p_data) p_ccb->state = state_table[event][MCA_CCB_NEXT_STATE]; /* execute action functions */ - if ((action = state_table[event][MCA_CCB_ACT_COL]) != MCA_CCB_IGNORE) + if ((action = state_table[event][MCA_CCB_ACT_COL]) < MCA_CCB_IGNORE) { (*mca_ccb_action[action])(p_ccb, p_data); } @@ -366,10 +366,18 @@ BOOLEAN mca_ccb_uses_mdl_id(tMCA_CCB *p_ccb, UINT16 mdl_id) { BOOLEAN uses = FALSE; tMCA_DCB *p_dcb; - int i; + unsigned int i; i = mca_ccb_to_hdl(p_ccb)-1; - p_dcb = &mca_cb.dcb[i*MCA_NUM_MDLS]; + if (i*MCA_NUM_MDLS < MCA_NUM_DCBS) + { + p_dcb = &mca_cb.dcb[i*MCA_NUM_MDLS]; + } + else + { + MCA_TRACE_WARNING("dcb index out of range"); + return uses; + } for (i=0; istate != MCA_DCB_NULL_ST && p_dcb->mdl_id == mdl_id) diff --git a/stack/mcap/mca_dsm.c b/stack/mcap/mca_dsm.c index c76e020d2..e122d431f 100644 --- a/stack/mcap/mca_dsm.c +++ b/stack/mcap/mca_dsm.c 
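Review bot: When mca_dcb_by_hdl returns NULL in mca_ccb_snd_req the new `if(p_dcb)` skips setting `p_msg->mdl_id` and the local DCB close, but the abort request is apparently still built and sent with whatever mdl_id p_msg held, so a request with a bogus MDL id may go to the peer. Treat the missing DCB as an error instead: `else { MCA_TRACE_ERROR("%s: no dcb for idx %d", __func__, p_ccb->p_tx_req->dcb_idx); }` and skip the send, with whatever cleanup the send path requires. The remainder of the send path is outside the hunk.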
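Review bot: The guard `i*MCA_NUM_MDLS < MCA_NUM_DCBS` in mca_ccb_uses_mdl_id checks only that the first element of the slice is in range, while the following loop walks MCA_NUM_MDLS entries from p_dcb, so it is sufficient only if MCA_NUM_DCBS is a multiple of MCA_NUM_MDLS; `(i + 1) * MCA_NUM_MDLS <= MCA_NUM_DCBS` states the real requirement. With `i` now unsigned, an invalid handle of 0 from mca_ccb_to_hdl also makes `i` wrap to UINT_MAX before the multiplication; the product happens to fail the test today, but checking the handle itself against the CCB count before subtracting 1 would be clearer. The same construction appears three times in mca_dsm.c. The loop body continues outside the hunk.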
@@ -154,7 +154,7 @@ void mca_dcb_event(tMCA_DCB *p_dcb, UINT8 event, tMCA_DCB_EVT *p_data) p_dcb->state = state_table[event][MCA_DCB_NEXT_STATE]; /* execute action functions */ - if ((action = state_table[event][MCA_DCB_ACT_COL]) != MCA_DCB_IGNORE) + if ((action = state_table[event][MCA_DCB_ACT_COL]) < MCA_DCB_IGNORE) { (*mca_dcb_action[action])(p_dcb, p_data); } @@ -175,13 +175,21 @@ tMCA_DCB *mca_dcb_alloc(tMCA_CCB*p_ccb, tMCA_DEP dep) tMCA_DCB *p_dcb = NULL, *p_dcb_tmp; tMCA_RCB *p_rcb = p_ccb->p_rcb; tMCA_CS *p_cs; - int i, max; + unsigned int i, max; if (dep < MCA_NUM_DEPS) { p_cs = &p_rcb->dep[dep]; i = mca_ccb_to_hdl(p_ccb)-1; - p_dcb_tmp = &mca_cb.dcb[i*MCA_NUM_MDLS]; + if( i*MCA_NUM_MDLS < MCA_NUM_DCBS) + { + p_dcb_tmp = &mca_cb.dcb[i*MCA_NUM_MDLS]; + } + else + { + MCA_TRACE_WARNING("dcb index out of range"); + return NULL; + } /* make sure p_cs->max_mdl is smaller than MCA_NUM_MDLS at MCA_CreateDep */ max = p_cs->max_mdl; for (i=0; ip_rcb; tMCA_CS *p_cs; - int i, max; + unsigned int i, max; UINT8 count = 0; UINT8 left; @@ -223,7 +231,15 @@ UINT8 mca_dep_free_mdl(tMCA_CCB *p_ccb, tMCA_DEP dep) { p_cs = &p_rcb->dep[dep]; i = mca_ccb_to_hdl(p_ccb)-1; - p_dcb = &mca_cb.dcb[i * MCA_NUM_MDLS]; + if( i*MCA_NUM_MDLS < MCA_NUM_DCBS) + { + p_dcb = &mca_cb.dcb[i * MCA_NUM_MDLS]; + } + else + { + MCA_TRACE_WARNING("dcb index out of range"); + return 0; + } /* make sure p_cs->max_mdl is smaller than MCA_NUM_MDLS at MCA_CreateDep */ max = p_cs->max_mdl; for (i=0; istate) diff --git a/stack/mcap/mca_l2c.c b/stack/mcap/mca_l2c.c index 62caf78f3..9456d3dea 100644 --- a/stack/mcap/mca_l2c.c +++ b/stack/mcap/mca_l2c.c @@ -204,7 +204,7 @@ void mca_l2c_cconn_ind_cback(BD_ADDR bd_addr, UINT16 lcid, UINT16 psm, UINT8 id) /* if result ok, proceed with connection and send L2CAP config req */ - if (result == L2CAP_CONN_OK) + if (result == L2CAP_CONN_OK && p_tbl) { /* set channel state */ p_tbl->state = MCA_TC_ST_CFG; 
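Review bot: In mca_l2c_cconn_ind_cback the added `&& p_tbl` only skips the accept path; when p_tbl is NULL but `result` is still L2CAP_CONN_OK, control falls into the else branch (outside the hunk) carrying an OK result code, so the reject path may run with a success status. Set the result when the table is missing instead of testing the pointer here, e.g. `if (p_tbl == NULL) result = L2CAP_CONN_NO_RESOURCES;` before the `if (result == L2CAP_CONN_OK)` test, so the existing reject logic sends a meaningful code. The function starts and ends outside the hunk.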
diff --git a/stack/mcap/mca_main.c b/stack/mcap/mca_main.c index d1591b34a..14ca09af8 100644 --- a/stack/mcap/mca_main.c +++ b/stack/mcap/mca_main.c @@ -255,7 +255,7 @@ void mca_free_tc_tbl_by_lcid(UINT16 lcid) void mca_set_cfg_by_tbl(tL2CAP_CFG_INFO *p_cfg, tMCA_TC_TBL *p_tbl) { tMCA_DCB *p_dcb; - const tL2CAP_FCR_OPTS *p_opt; + const tL2CAP_FCR_OPTS *p_opt = NULL; tMCA_FCS_OPT fcs = MCA_FCS_NONE; if (p_tbl->tcid == MCA_CTRL_TCID) @@ -265,7 +265,7 @@ void mca_set_cfg_by_tbl(tL2CAP_CFG_INFO *p_cfg, tMCA_TC_TBL *p_tbl) else { p_dcb = mca_dcb_by_hdl(p_tbl->cb_idx); - if (p_dcb) + if (p_dcb != NULL) { p_opt = &p_dcb->p_chnl_cfg->fcr_opt; fcs = p_dcb->p_chnl_cfg->fcs; @@ -275,7 +275,8 @@ void mca_set_cfg_by_tbl(tL2CAP_CFG_INFO *p_cfg, tMCA_TC_TBL *p_tbl) p_cfg->mtu_present = TRUE; p_cfg->mtu = p_tbl->my_mtu; p_cfg->fcr_present = TRUE; - memcpy(&p_cfg->fcr, p_opt, sizeof (tL2CAP_FCR_OPTS)); + if (p_opt != NULL) + memcpy(&p_cfg->fcr, p_opt, sizeof (tL2CAP_FCR_OPTS)); if (fcs & MCA_FCS_PRESNT_MASK) { p_cfg->fcs_present = TRUE; @@ -323,7 +324,10 @@ void mca_tc_close_ind(tMCA_TC_TBL *p_tbl, UINT16 reason) if (p_tbl->tcid == MCA_CTRL_TCID) { p_ccb = mca_ccb_by_hdl((tMCA_CL)p_tbl->cb_idx); - mca_ccb_event(p_ccb, MCA_CCB_LL_CLOSE_EVT, (tMCA_CCB_EVT *)&close); + if(p_ccb != NULL) + { + mca_ccb_event(p_ccb, MCA_CCB_LL_CLOSE_EVT, (tMCA_CCB_EVT *)&close); + } } /* notify dcb that channel close */ else @@ -372,8 +376,10 @@ void mca_tc_open_ind(tMCA_TC_TBL *p_tbl) if (p_tbl->tcid == MCA_CTRL_TCID) { p_ccb = mca_ccb_by_hdl((tMCA_CL)p_tbl->cb_idx); - - mca_ccb_event(p_ccb, MCA_CCB_LL_OPEN_EVT, (tMCA_CCB_EVT *)&open); + if(p_ccb != NULL) + { + mca_ccb_event(p_ccb, MCA_CCB_LL_OPEN_EVT, (tMCA_CCB_EVT *)&open); + } } /* must be data channel, notify dcb that channel open */ else 
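Review bot: In mca_set_cfg_by_tbl, `p_cfg->fcr_present = TRUE` is still set unconditionally two lines above the new `if (p_opt != NULL) memcpy(...)`, so when p_opt is NULL the config advertises FCR options that were never filled in and p_cfg->fcr carries whatever the caller's struct held. Tie the flag to the data, `p_cfg->fcr_present = (p_opt != NULL); if (p_opt != NULL) memcpy(&p_cfg->fcr, p_opt, sizeof(tL2CAP_FCR_OPTS));`, or treat a NULL p_opt as an error and return early, since a data channel without a channel config is not something this function can configure. The function continues outside the hunk.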
@@ -415,7 +421,10 @@ void mca_tc_cong_ind(tMCA_TC_TBL *p_tbl, BOOLEAN is_congested) if (p_tbl->tcid == MCA_CTRL_TCID) { p_ccb = mca_ccb_by_hdl((tMCA_CL)p_tbl->cb_idx); - mca_ccb_event(p_ccb, MCA_CCB_LL_CONG_EVT, (tMCA_CCB_EVT *) &is_congested); + if (p_ccb != NULL) + { + mca_ccb_event(p_ccb, MCA_CCB_LL_CONG_EVT, (tMCA_CCB_EVT *) &is_congested); + } } /* notify dcb that channel open */ else diff --git a/stack/rfcomm/rfc_mx_fsm.c b/stack/rfcomm/rfc_mx_fsm.c index a12ae96d8..e99be11b2 100644 --- a/stack/rfcomm/rfc_mx_fsm.c +++ b/stack/rfcomm/rfc_mx_fsm.c @@ -603,7 +603,7 @@ static void rfc_mx_conf_cnf (tRFC_MCB *p_mcb, tL2CAP_CFG_INFO *p_cfg) { RFCOMM_TRACE_EVENT ("rfc_mx_conf_cnf p_cfg:%08x res:%d ", p_cfg, (p_cfg) ? p_cfg->result : 0); - if (p_cfg->result != L2CAP_CFG_OK) + if (p_cfg && p_cfg->result != L2CAP_CFG_OK) { if (p_mcb->is_initiator) { diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c index a610e2202..b54f4fcf1 100644 --- a/stack/sdp/sdp_discovery.c +++ b/stack/sdp/sdp_discovery.c @@ -94,11 +94,15 @@ static UINT8 *sdpu_build_uuid_seq (UINT8 *p_out, UINT16 num_uuids, tSDP_UUID *p_ UINT8_TO_BE_STREAM (p_out, (UUID_DESC_TYPE << 3) | SIZE_FOUR_BYTES); UINT32_TO_BE_STREAM (p_out, p_uuid_list->uu.uuid32); } - else + else if (p_uuid_list->len == 16) { UINT8_TO_BE_STREAM (p_out, (UUID_DESC_TYPE << 3) | SIZE_SIXTEEN_BYTES); ARRAY_TO_BE_STREAM (p_out, p_uuid_list->uu.uuid128, p_uuid_list->len); } + else + { + SDP_TRACE_ERROR("SDP: Passed Uuid is of Invalid length: %x",p_uuid_list->len); + } } /* Now, put in the length */ diff --git a/stack/sdp/sdp_server.c b/stack/sdp/sdp_server.c index 2c30d087d..374be9b06 100644 --- a/stack/sdp/sdp_server.c +++ b/stack/sdp/sdp_server.c @@ -30,6 +30,7 @@ #include "bt_common.h" #include "bt_types.h" #include "bt_utils.h" +#include "bt_trace.h" #include "btu.h" #include "l2cdefs.h" 
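Review bot: With `if (p_cfg && p_cfg->result != L2CAP_CFG_OK)` in rfc_mx_conf_cnf, a NULL p_cfg now skips the failure branch and falls through to the success handling below (outside the hunk), i.e. a missing configuration confirmation is treated as a successful one; the trace on the line above already anticipates NULL, which suggests the case is considered reachable. A NULL here should take the failure path or bail out, e.g. `if (p_cfg == NULL) { RFCOMM_TRACE_ERROR("%s: NULL p_cfg", __func__); return; }` before the result test.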
@@ -919,7 +920,7 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, BOOLEAN is_avrcp_browse_bit_reset = FALSE; BOOLEAN is_hfp_fallback = FALSE; BOOLEAN is_avrcp_ca_bit_reset = FALSE; - UINT8 *p_seq_start; + UINT8 *p_seq_start = NULL; UINT16 seq_len, attr_len; UNUSED(p_req_end); @@ -1170,8 +1171,15 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, seq_len = sdpu_get_attrib_seq_len(p_rec, &attr_seq_sav); if (seq_len != 0) { - UINT8_TO_BE_STREAM (p_seq_start, (DATA_ELE_SEQ_DESC_TYPE << 3) | SIZE_IN_NEXT_WORD); - UINT16_TO_BE_STREAM (p_seq_start, seq_len); + if (p_seq_start) + { + UINT8_TO_BE_STREAM (p_seq_start, (DATA_ELE_SEQ_DESC_TYPE << 3) | SIZE_IN_NEXT_WORD); + UINT16_TO_BE_STREAM (p_seq_start, seq_len); + } + else + { + SDP_TRACE_DEBUG("SDP service and attribute rsp: Attribute sequence p_seq_start is NULL"); + } if (maxxed_out) p_ccb->cont_info.last_attr_seq_desc_sent = TRUE; diff --git a/stack/sdp/sdp_utils.c b/stack/sdp/sdp_utils.c index a6f0ba6a9..7ca7585fc 100644 --- a/stack/sdp/sdp_utils.c +++ b/stack/sdp/sdp_utils.c @@ -226,6 +226,8 @@ UINT8 *sdpu_build_attrib_seq (UINT8 *p_out, UINT16 *p_attr, UINT16 num_attrs) *******************************************************************************/ UINT8 *sdpu_build_attrib_entry (UINT8 *p_out, tSDP_ATTRIBUTE *p_attr) { + if(!p_out) + return p_out; /* First, store the attribute ID. Goes as a UINT */ UINT8_TO_BE_STREAM (p_out, (UINT_DESC_TYPE << 3) | SIZE_TWO_BYTES); UINT16_TO_BE_STREAM (p_out, p_attr->id); 
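Review bot: In process_service_search_attr_req the new else branch only emits a DEBUG trace when p_seq_start is NULL, yet that is the case where no placeholder was reserved for the attribute-sequence header while `seq_len != 0` says attribute data was written after it, so the response leaves without its enclosing sequence element and the peer will fail to parse it. If the path is reachable it deserves SDP_TRACE_ERROR and probably aborting the response with an SDP error rather than sending a malformed one; if it is not reachable, an assert documents that better than a debug message. The assignments to p_seq_start are outside the hunk, so this needs confirming against the full function.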
@@ -1011,10 +1013,13 @@ UINT8 *sdpu_build_partial_attrib_entry (UINT8 *p_out, tSDP_ATTRIBUTE *p_attr, UI } size_t len_to_copy = ((attr_len - *offset) < len) ? (attr_len - *offset) : len; - memcpy(p_out, &p_attr_buff[*offset], len_to_copy); + if(p_out) + { + memcpy(p_out, &p_attr_buff[*offset], len_to_copy); - p_out = &p_out[len_to_copy]; - *offset += len_to_copy; + p_out = &p_out[len_to_copy]; + *offset += len_to_copy; + } osi_free(p_attr_buff); return p_out; diff --git a/stack/smp/smp_cmac.c b/stack/smp/smp_cmac.c index b16466948..1989292e8 100644 --- a/stack/smp/smp_cmac.c +++ b/stack/smp/smp_cmac.c @@ -134,7 +134,7 @@ static BOOLEAN cmac_aes_k_calculate(BT_OCTET16 key, UINT8 *p_signature, UINT16 t tSMP_ENC output; UINT8 i = 1, err = 0; UINT8 x[16] = {0}; - UINT8 *p_mac; + UINT8 *p_mac = NULL; SMP_TRACE_EVENT ("cmac_aes_k_calculate "); @@ -154,6 +154,8 @@ static BOOLEAN cmac_aes_k_calculate(BT_OCTET16 key, UINT8 *p_signature, UINT16 t if (!err) { + if (tlen > BT_OCTET16_LEN) + tlen = BT_OCTET16_LEN; p_mac = output.param_buf + (BT_OCTET16_LEN - tlen); memcpy(p_signature, p_mac, tlen); diff --git a/stack/smp/smp_main.c b/stack/smp/smp_main.c index 2d80343a6..e05f934e1 100644 --- a/stack/smp/smp_main.c +++ b/stack/smp/smp_main.c @@ -816,7 +816,7 @@ void smp_sm_event(tSMP_CB *p_cb, tSMP_EVENT event, void *p_data) /* execute action functions */ for (i = 0; i < SMP_NUM_ACTIONS; i++) { - if ((action = state_table[entry-1][i]) != SMP_SM_NO_ACTION) + if ((action = state_table[entry-1][i]) < SMP_SM_NO_ACTION) { (*smp_sm_action[action])(p_cb, (tSMP_INT_DATA *)p_data); } @@ -851,7 +851,7 @@ const char * smp_get_event_name(tSMP_EVENT event) { const char *p_str = smp_event_name[SMP_MAX_EVT]; - if (event <= SMP_MAX_EVT) + if (event && event <= SMP_MAX_EVT) { p_str = smp_event_name[event- 1]; } diff --git a/stack/srvc/srvc_battery.c b/stack/srvc/srvc_battery.c index 90632dfad..a3ce3aeac 100644 --- a/stack/srvc/srvc_battery.c +++ b/stack/srvc/srvc_battery.c 
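Review bot: Clamping `tlen` to BT_OCTET16_LEN in cmac_aes_k_calculate silently changes the output of a cryptographic primitive: a caller that asked for a longer tag still believes p_signature holds `tlen` bytes, but only 16 are written and the remainder is left uninitialized, so a later comparison reads indeterminate memory. An out-of-range tag length is a caller bug and should be rejected, e.g. `if (tlen > BT_OCTET16_LEN) { SMP_TRACE_ERROR("%s: invalid tlen %d", __func__, tlen); return FALSE; }` at the top of the function, which the signature in the hunk header shows returns BOOLEAN. The function continues outside the hunk.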
@@ -203,7 +203,7 @@ UINT16 Battery_Instantiate (UINT8 app_id, tBA_REG_INFO *p_reg_info) tBA_INST *p_inst; tGATT_CHAR_PROP prop = GATT_CHAR_PROP_BIT_READ; - if (battery_cb.inst_id == BA_MAX_INT_NUM) + if (battery_cb.inst_id >= BA_MAX_INT_NUM) { GATT_TRACE_ERROR("MAX battery service has been reached"); return 0; diff --git a/stack/srvc/srvc_eng.c b/stack/srvc/srvc_eng.c index 92d1d6e1b..fd7eaf0e7 100644 --- a/stack/srvc/srvc_eng.c +++ b/stack/srvc/srvc_eng.c @@ -270,6 +270,11 @@ static void srvc_eng_s_request_cback (UINT16 conn_id, UINT32 trans_id, tGATTS_RE tGATTS_RSP rsp_msg ; UINT8 act = SRVC_ACT_IGNORE; UINT8 clcb_idx = srvc_eng_find_clcb_idx_by_conn_id(conn_id); + if( clcb_idx == SRVC_MAX_APPS) + { + GATT_TRACE_ERROR("srvc_eng_s_request_cback received for unknown connection"); + return; + } GATT_TRACE_EVENT("srvc_eng_s_request_cback : recv type (0x%02x)", type); diff --git a/utils/src/bt_utils.c b/utils/src/bt_utils.c index b5ac4d67f..fac892fa8 100644 --- a/utils/src/bt_utils.c +++ b/utils/src/bt_utils.c @@ -161,7 +161,7 @@ void raise_priority_a2dp(tHIGH_PRIORITY_TASK high_task) { rc = -1; #else // !defined(OS_GENERIC) pthread_once(&g_DoSchedulingGroupOnce[g_TaskIdx], check_do_scheduling_group); - if (g_DoSchedulingGroup[g_TaskIdx]) { + if (g_TaskIdx < TASK_HIGH_MAX && g_DoSchedulingGroup[g_TaskIdx]) { // set_sched_policy does not support tid == 0 rc = set_sched_policy(tid, SP_AUDIO_SYS); } -- 2.11.0
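Review bot: The new `g_TaskIdx < TASK_HIGH_MAX` in raise_priority_a2dp comes one line after `pthread_once(&g_DoSchedulingGroupOnce[g_TaskIdx], check_do_scheduling_group);`, which already indexes with the same value unchecked, so an out-of-range g_TaskIdx is dereferenced before the guard is reached. Move the bound check ahead of the pthread_once call — `if (g_TaskIdx >= TASK_HIGH_MAX) { rc = -1; } else { ... }` around both lines — or drop it if g_TaskIdx is established in range earlier in the function, which is outside the hunk.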