
DO NOT MERGE: Add missing AVRCP message length checks inside avrc_msg_cback
authorPavlin Radoslavov <pavlin@google.com>
Thu, 9 Aug 2018 20:40:54 +0000 (13:40 -0700)
committerRyan Longair <rlongair@google.com>
Wed, 15 Aug 2018 20:24:05 +0000 (13:24 -0700)
Explicitly check the length of each received AVRCP message against the
number of bytes the parser will read before accessing the data.

Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I50d1d1f7dd7038ffcd5f0d5975ab1db43178067f
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit b78d265f362dab7df559883617dd766bcc60ad43)

stack/avrc/avrc_api.c

index e612031..17c8597 100644 (file)
@@ -24,6 +24,8 @@
 #include <assert.h>
 #include <string.h>
 
+#include <log/log.h>
+
 #include "bt_common.h"
 #include "avrc_api.h"
 #include "avrc_int.h"
@@ -565,6 +567,13 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
     p_data  = (UINT8 *)(p_pkt+1) + p_pkt->offset;
     memset(&msg, 0, sizeof(tAVRC_MSG) );
     {
+        if (p_pkt->len < AVRC_AVC_HDR_SIZE) {
+            android_errorWriteLog(0x534e4554, "111803925");
+            AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
+                               __func__, p_pkt->len, AVRC_AVC_HDR_SIZE);
+            osi_free(p_pkt);
+            return;
+        }
         msg.hdr.ctype           = p_data[0] & AVRC_CTYPE_MASK;
         AVRC_TRACE_DEBUG("avrc_msg_cback handle:%d, ctype:%d, offset:%d, len: %d",
                 handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
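Review bot: The new guard at the top of this block only establishes that the fixed AV/C header is present (AVRC_AVC_HDR_SIZE, three bytes according to the comment in the later SUB_UNIT_INFO hunk), so every opcode branch that reads past `p_data[2]` still needs its own minimum-length check; this commit adds two such checks for the UNIT_INFO and SUB_UNIT_INFO responses, but the remaining branches of avrc_msg_cback are outside this hunk and I cannot confirm they are covered. A comment next to the check would make that contract explicit for the next maintainer: `/* Only the 3-byte AV/C header (ctype, subunit, opcode) is guaranteed here; each opcode parser must bound-check its own payload against p_pkt->len. */`. Minor: this path frees and returns directly while the two later checks go through `drop`/`p_drop_msg`, and here `android_errorWriteLog` precedes the warning trace whereas it follows it elsewhere; if the function has a common drop-reporting path, routing this case through it would keep the tracing uniform. avrc_msg_cback begins before this hunk and continues after it.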
@@ -603,6 +612,15 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
             else
             {
                 /* parse response */
+                if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) {
+                    AVRC_TRACE_WARNING(
+                        "%s: message length %d too short: must be at least %d",
+                        __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
+                    android_errorWriteLog(0x534e4554, "79883824");
+                    drop = TRUE;
+                    p_drop_msg = "UNIT_INFO_RSP too short";
+                    break;
+                }
                 p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
                 msg.unit.unit_type  = (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
                 msg.unit.unit       = *p_data & AVRC_SUBID_MASK;
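Review bot: The guard compares `p_pkt->len` with `AVRC_OP_UNIT_INFO_RSP_LEN`, whose value is not visible here; for the check to be sufficient it must cover not just the octet read right after `p_data += 4` but every octet the rest of this branch reads, and the parse continues past the hunk, so the constant and the parse can silently drift apart. I would pin that relation next to the check: `/* AVRC_OP_UNIT_INFO_RSP_LEN must cover every octet read below (offset 4 onward); keep in sync with the parse. */`. The command-side branch (the `if` counterpart of this `else`) is outside the hunk, so I cannot tell whether it reads past the header and would need the same treatment. The enclosing switch and avrc_msg_cback continue beyond this hunk.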
@@ -634,6 +652,15 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
             else
             {
                 /* parse response */
+                if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) {
+                    AVRC_TRACE_WARNING(
+                        "%s: message length %d too short: must be at least %d",
+                        __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
+                    android_errorWriteLog(0x534e4554, "79883824");
+                    drop = TRUE;
+                    p_drop_msg = "SUB_UNIT_INFO_RSP too short";
+                    break;
+                }
                 p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
                 msg.sub.page    = (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;
                 xx      = 0;
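Review bot: The check against `AVRC_OP_SUB_UNIT_INFO_RSP_LEN` protects the page octet read via `*p_data++` at offset AVRC_AVC_HDR_SIZE, but the loop that `xx = 0` sets up continues past the hunk and reads further octets; the constant must be at least the header plus the page octet plus whatever that loop consumes, and if the loop bound is a fixed constant rather than derived from `p_pkt->len`, the two values must be kept in step by hand. I would say so next to the guard: `/* Must cover the AV/C header, the page octet and every subunit-type octet the loop below reads. */`. As in the UNIT_INFO hunk, `android_errorWriteLog` is called after the trace here but before it in the header check — harmless, but worth making consistent. avrc_msg_cback continues after this hunk.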