From c1ccb0d9854cea4b2cd09bbd57fc1e1081eb96b9 Mon Sep 17 00:00:00 2001
From: Maggie_Lee
Date: Tue, 23 Sep 2014 17:17:02 -0700
Subject: [PATCH] anthias:17614185:Bluetooth: Getbuf returning invalid buffer pointer

b/17623865
Getbuff is checking for the pool which can accommodate requested size, but it changing the pool with a restricted check and not checking for the free memory size in that pool. Added a check to avoid return the wrong pool free buf pointer and avoid gki get_buffer overflow.

Change-Id: I142870c989fc37f49c2d9b411d5eddbfba59bd9d
---
 gki/common/gki_buffer.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/gki/common/gki_buffer.c b/gki/common/gki_buffer.c
index bcf6f06b3..3a96614d5 100644
--- a/gki/common/gki_buffer.c
+++ b/gki/common/gki_buffer.c
@@ -402,7 +402,11 @@ void *GKI_getbuf (UINT16 size)
 if (((UINT16)1 << p_cb->pool_list[i]) & p_cb->pool_access_mask)
 continue;
 
- Q = &p_cb->freeq[p_cb->pool_list[i]];
+ if ( size <= p_cb->freeq[p_cb->pool_list[i]].size )
+ Q = &p_cb->freeq[p_cb->pool_list[i]];
+ else
+ continue;
+
 if(Q->cur_cnt < Q->total)
 {
 // btla-specific ++
-- 
2.11.0
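Review bot: The new size guard in GKI_getbuf is written as an if/else whose else branch is the `continue`, which reads less clearly than the access-mask check two lines above that already uses the early-continue shape; the same logic is `if (size > p_cb->freeq[p_cb->pool_list[i]].size) continue;` followed by the original `Q = &p_cb->freeq[p_cb->pool_list[i]];`. Since this check is what stops a caller from receiving a buffer smaller than it asked for (and then writing past it), it deserves a why-comment such as `/* pool_list order alone does not guarantee this pool's buffers fit 'size'; skip pools that are too small */`, with the ordering claim hedged because the list's construction is not visible here. The comparison also assumes `freeq[].size` is the usable payload size rather than a size that includes the buffer header; the hunk does not show the field's definition, so that is worth confirming. The pool-selection loop and GKI_getbuf's behaviour when no pool qualifies both lie outside the hunk.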