From 23de612ce214779db5cfc46b169f2170c4cdd89d Mon Sep 17 00:00:00 2001
From: Pavlin Radoslavov
Date: Thu, 6 Jul 2017 13:39:02 -0700
Subject: [PATCH] Allocate buffers of the right size when BT_HDR is included

Bug: 63146105
Test: External script
Change-Id: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
Merged-In: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
(cherry picked from commit d88838a7237cd672d87b6b9cc8d56fff625fd1d5)
(cherry picked from commit b648c7dfe45c57842d58576f558fdf8edff10bec)
(cherry picked from commit 338e0485940ab278e6a2dc12285ba0798b79cfa4)
(cherry picked from commit 510697a0d79ac9816c0e2717c357c3330d89645a)
---
stack/avdt/avdt_api.c | 2 +-
stack/bnep/bnep_main.c | 2 +-
stack/l2cap/l2cap_client.c | 6 ++++--
stack/mcap/mca_cact.c | 4 ++--
4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/stack/avdt/avdt_api.c b/stack/avdt/avdt_api.c
index 98ef5f755..52010541d 100644
--- a/stack/avdt/avdt_api.c
+++ b/stack/avdt/avdt_api.c
@@ -1208,7 +1208,7 @@ UINT16 AVDT_SendReport(UINT8 handle, AVDT_REPORT_TYPE type,
 /* build SR - assume fit in one packet */
 p_tbl = avdt_ad_tc_tbl_by_type(AVDT_CHAN_REPORT, p_scb->p_ccb, p_scb);
 if (p_tbl->state == AVDT_AD_ST_OPEN) {
- BT_HDR *p_pkt = (BT_HDR *)osi_malloc(p_tbl->peer_mtu);
+ BT_HDR *p_pkt = (BT_HDR *)osi_malloc(p_tbl->peer_mtu + sizeof(BT_HDR));
 p_pkt->offset = L2CAP_MIN_OFFSET;
 p = (UINT8 *)(p_pkt + 1) + p_pkt->offset;
diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c
index 078a72ebd..6d3684e48 100644
--- a/stack/bnep/bnep_main.c
+++ b/stack/bnep/bnep_main.c
@@ -575,7 +575,7 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
 p_bcb->con_state != BNEP_STATE_CONNECTED &&
 extension_present && p && rem_len)
 {
- p_bcb->p_pending_data = (BT_HDR *)osi_malloc(rem_len);
+ p_bcb->p_pending_data = (BT_HDR *)osi_malloc(rem_len + sizeof(BT_HDR));
 memcpy((UINT8 *)(p_bcb->p_pending_data + 1), p, rem_len);
 p_bcb->p_pending_data->len = rem_len;
 p_bcb->p_pending_data->offset = 0;
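Review bot: The new size `p_tbl->peer_mtu + sizeof(BT_HDR)` still leaves the `L2CAP_MIN_OFFSET` bytes of headroom unaccounted for: the next two lines set `p_pkt->offset = L2CAP_MIN_OFFSET` and start writing at `(p_pkt + 1) + p_pkt->offset`, so only `peer_mtu - L2CAP_MIN_OFFSET` bytes of report fit before a write runs past the allocation. The l2cap_client.c hunks in this same patch size their buffers as `length + L2CAP_MIN_OFFSET + sizeof(BT_HDR)`, and this one should match: `BT_HDR *p_pkt = (BT_HDR *)osi_malloc(p_tbl->peer_mtu + L2CAP_MIN_OFFSET + sizeof(BT_HDR));`. The "assume fit in one packet" comment above is not backed by any check in the visible lines; how much the SR builder actually writes is outside the hunk, as is the rest of AVDT_SendReport, which starts before and ends after it.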
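Review bot: `p_bcb->p_pending_data` is overwritten without any visible check that it is not already holding an earlier buffer; if this branch can be entered a second time before the pending data is consumed (any cleanup would be outside the hunk), the previous allocation is leaked. If that can happen, release the old buffer first, e.g. `osi_free(p_bcb->p_pending_data);` ahead of the assignment (assuming osi_free tolerates NULL), or document why it cannot. A one-line comment on the layout would also help the next reader, e.g. `/* BT_HDR followed by rem_len payload bytes at offset 0 */`. bnep_data_ind starts before and ends after this hunk.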
diff --git a/stack/l2cap/l2cap_client.c b/stack/l2cap/l2cap_client.c
index 7e8b3cb6f..cd7edfe1f 100644
--- a/stack/l2cap/l2cap_client.c
+++ b/stack/l2cap/l2cap_client.c
@@ -370,7 +370,8 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet) {
 assert(packet != NULL);
 // TODO(sharvil): eliminate copy into BT_HDR.
- BT_HDR *bt_packet = osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET);
+ BT_HDR *bt_packet = osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET +
+ sizeof(BT_HDR));
 bt_packet->offset = L2CAP_MIN_OFFSET;
 bt_packet->len = buffer_length(packet);
 memcpy(bt_packet->data + bt_packet->offset, buffer_ptr(packet), buffer_length(packet));
@@ -384,7 +385,8 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet) {
 break;
 }
- BT_HDR *fragment = osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET);
+ BT_HDR *fragment = osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET +
+ sizeof(BT_HDR));
 fragment->offset = L2CAP_MIN_OFFSET;
 fragment->len = client->remote_mtu;
 memcpy(fragment->data + fragment->offset, bt_packet->data + bt_packet->offset, client->remote_mtu);
diff --git a/stack/mcap/mca_cact.c b/stack/mcap/mca_cact.c
index 583a34215..483169ad6 100644
--- a/stack/mcap/mca_cact.c
+++ b/stack/mcap/mca_cact.c
@@ -122,7 +122,7 @@ void mca_ccb_snd_req(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data)
 p_ccb->p_tx_req = p_msg;
 if (!p_ccb->cong)
 {
- BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU);
+ BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
 p_pkt->offset = L2CAP_MIN_OFFSET;
 p = p_start = (UINT8*)(p_pkt + 1) + L2CAP_MIN_OFFSET;
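Review bot: `bt_packet->len = buffer_length(packet);` narrows a size_t into the BT_HDR len field, which I believe is a 16-bit field in this stack (the header is not visible here); a packet longer than 65535 bytes would then carry a truncated len while the full payload was still copied on the next line, and the fragmentation loop below would under-send it. Pinning the assumption next to the existing `assert(packet != NULL);` with `assert(buffer_length(packet) <= UINT16_MAX);` would make the failure loud rather than silent. fragment_packet continues past the end of this hunk.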
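Review bot: The fragment copy takes exactly `client->remote_mtu` bytes from `bt_packet->data + bt_packet->offset` without consulting `bt_packet->len`, so the guarantee that at least that many bytes remain has to come from the `break` condition just above, which is cut off at the top of the hunk; please confirm it compares the remaining length against `remote_mtu`. A `remote_mtu` of 0 would also make every iteration copy nothing and, if the loop advances by `remote_mtu`, never terminate; `assert(client->remote_mtu > 0);` before the loop would state that precondition explicitly. fragment_packet starts before and ends after this hunk.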
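Review bot: The allocation `MCA_CTRL_MTU + sizeof(BT_HDR)` does not include the `L2CAP_MIN_OFFSET` bytes that the next two lines skip before writing (`p = p_start = (UINT8*)(p_pkt + 1) + L2CAP_MIN_OFFSET;`), so the request builder has only `MCA_CTRL_MTU - L2CAP_MIN_OFFSET` bytes before the end of the buffer. Unless the MCAP control PDUs built below are known to stay well under that (the builder is outside the hunk), size it the way the l2cap_client.c hunks in this patch do: `BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU + L2CAP_MIN_OFFSET + sizeof(BT_HDR));`. mca_ccb_snd_req continues past the end of this hunk.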
@@ -164,7 +164,7 @@ void mca_ccb_snd_rsp(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data)
 tMCA_CCB_MSG *p_msg = (tMCA_CCB_MSG *)p_data;
 UINT8 *p, *p_start;
 BOOLEAN chk_mdl = FALSE;
- BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU);
+ BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
 MCA_TRACE_DEBUG("%s cong=%d req=%d", __func__, p_ccb->cong, p_msg->op_code);
 /* assume that API functions verified the parameters */
-- 
2.11.0
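Review bot: `p_pkt` is allocated unconditionally at the top of mca_ccb_snd_rsp, before the congestion state that the trace line prints is consulted; if the function can return early on `p_ccb->cong` or on a parameter check (the rest of the body is outside the hunk), the buffer leaks on that path, so allocate at the point of use or free on every early return. The size also omits the `L2CAP_MIN_OFFSET` headroom that the sibling hunk in mca_ccb_snd_req skips before writing; if this function writes at the same offset it should be `osi_malloc(MCA_CTRL_MTU + L2CAP_MIN_OFFSET + sizeof(BT_HDR))`, matching l2cap_client.c. mca_ccb_snd_rsp continues past the end of this hunk.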