From 5ff866c6cf008ed5361c8a37256cb9656adc3cfc Mon Sep 17 00:00:00 2001
From: Hemant Gupta
Date: Fri, 12 Jul 2013 20:05:54 +0530
Subject: [PATCH] Bluetooth: Getbuf returning invalid buffer pointer

Getbuff is checking for the pool which can accommodate requested size, but is changing the pool with a restricted check and not checking for the free memory size in that pool. Added a check to avoid returng the wrong pool free buf pointer. Without this patch, SDP Codenomicon TestSuite crash is observed on Bluedroid stack.

Change-Id: Id66d460c5a40d8c3208438d7cfaf729e9b355184
---
 gki/common/gki_buffer.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gki/common/gki_buffer.c b/gki/common/gki_buffer.c
index 582f3aaa0..1958d0e6f 100644
--- a/gki/common/gki_buffer.c
+++ b/gki/common/gki_buffer.c
@@ -401,8 +401,11 @@ void *GKI_getbuf (UINT16 size)
 /* Only look at PUBLIC buffer pools (bypass RESTRICTED pools) */
 if (((UINT16)1 << p_cb->pool_list[i]) & p_cb->pool_access_mask)
 continue;
+ if ( size <= p_cb->freeq[p_cb->pool_list[i]].size )
+ Q = &p_cb->freeq[p_cb->pool_list[i]];
+ else
+ continue;
- Q = &p_cb->freeq[p_cb->pool_list[i]];
 if(Q->cur_cnt < Q->total)
 {
 // btla-specific ++
-- 
2.11.0
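Review bot: The added guard evaluates `p_cb->freeq[p_cb->pool_list[i]]` twice and places the assignment in the if-branch with the skip in the else, which reads backwards next to the restricted-pool filter directly above it; the same check in the same filter shape is `Q = &p_cb->freeq[p_cb->pool_list[i]];` then `if (size > Q->size)` / `continue;`. A short comment would also help the next reader see that this is a memory-safety check rather than an optimisation, e.g. `/* never return a buffer from a pool smaller than size; the caller will write size bytes into it */`, since the commit message ties the missing check to a crash under fuzzed SDP input. The start of `GKI_getbuf` and the loop over `pool_list` lie outside the hunk, so whether an earlier size-based pool selection already rules out undersized pools on some paths cannot be confirmed from here.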