From bced7f0c0b1155e3619644b1d2db1f7fe9a12703 Mon Sep 17 00:00:00 2001
From: Andre Eisenbach
Date: Tue, 27 Dec 2016 14:48:34 -0800
Subject: [PATCH] Fix pointer arithmetic in BTA_DmBleCfgFilterCondition

Using the pointer to the beginning of a union in a member of the union, which will then be over-written, is a bad idea(TM).

Bug: 33910711
Test: manual
Change-Id: I0b979e493688bf8c02119a2ef6707d6c8e730dcb
---
 bta/dm/bta_dm_api.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/bta/dm/bta_dm_api.cc b/bta/dm/bta_dm_api.cc
index f4e9dfd16..3bb378b8d 100644
--- a/bta/dm/bta_dm_api.cc
+++ b/bta/dm/bta_dm_api.cc
@@ -1203,6 +1203,7 @@ void BTA_DmBleCfgFilterCondition(tBTA_DM_BLE_SCAN_COND_OP action,
 if (cond_type == BTA_DM_BLE_PF_SRVC_DATA_PATTERN ||
 cond_type == BTA_DM_BLE_PF_MANU_DATA) {
+ p += sizeof(tBTA_DM_BLE_PF_MANU_COND);
 p_cond_param->manu_data.p_pattern = p;
 p_cond_param->manu_data.data_len = p_cond->manu_data.data_len;
 memcpy(p_cond_param->manu_data.p_pattern, p_cond->manu_data.p_pattern,
@@ -1219,12 +1220,14 @@ void BTA_DmBleCfgFilterCondition(tBTA_DM_BLE_SCAN_COND_OP action,
 }
 }
 } else if (cond_type == BTA_DM_BLE_PF_LOCAL_NAME) {
+ p += sizeof(tBTA_DM_BLE_PF_LOCAL_NAME_COND);
 p_cond_param->local_name.p_data = p;
 p_cond_param->local_name.data_len = p_cond->local_name.data_len;
 memcpy(p_cond_param->local_name.p_data, p_cond->local_name.p_data,
 p_cond->local_name.data_len);
 } else if (cond_type == BTM_BLE_PF_SRVC_UUID ||
 cond_type == BTM_BLE_PF_SRVC_SOL_UUID) {
+ p += sizeof(tBTA_DM_BLE_PF_SRVC_PATTERN_COND);
 if (p_cond->srvc_uuid.p_target_addr != NULL) {
 p_cond_param->srvc_uuid.p_target_addr = (tBLE_BD_ADDR*)(p);
 p_cond_param->srvc_uuid.p_target_addr->type =
-- 
2.11.0
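Review bot: The added `p += sizeof(tBTA_DM_BLE_PF_MANU_COND);` advances `p` by the size of the selected union member rather than by `sizeof(*p_cond_param)`, so whether `p` ends up past the whole `tBTA_DM_BLE_PF_COND_PARAM` object, and whether the trailing buffer still has room for the unchecked `p_cond->manu_data.data_len` bytes that memcpy copies, depends on how `p` and the allocation length are set up above the hunk, which the commit does not show. If the allocation was sized with the whole union, a single `p += sizeof(*p_cond_param);` ahead of the if-chain (provided no other branch relies on `p` still pointing at the union) would cover every condition type without tying correctness to the per-member sizes; if it was sized per member, the current lines are right but should say why, e.g. `// Skip past the condition struct so the pattern copied below cannot overwrite p_pattern itself.`. The same point applies to the `tBTA_DM_BLE_PF_LOCAL_NAME_COND` and `tBTA_DM_BLE_PF_SRVC_PATTERN_COND` advances in the second hunk. Because the pattern storage now starts at a member boundary inside a union, it may still overlap the unused tail of larger members, which is harmless only as long as nothing else in the function reads those members afterwards; this is inferred from the description, not visible here. BTA_DmBleCfgFilterCondition begins and ends outside both hunks.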