OSDN > Desarrollador > keagan_johansen > Chamber > system-bt > Commit

system-bt
Fork

R/O
HTTP
SSH
HTTPS

Commit

Commit MetaInfo

Revisión	1c90ccea1068a7081a1268621f4c527a2f181606 (tree)
Tiempo	2018-10-20 01:33:43
Autor	android-build-team Robot <android-build-team-robot@goog...>
Commiter	android-build-team Robot

Log Message

Merge cherrypicks of [5313290, 5313323, 5313343, 5313415, 5313291, 5313441, 5313557, 5313344, 5313383, 5313384, 5313324, 5313325, 5313326, 5313294, 5313295, 5313296, 5313498] into oc-m8-release

Change-Id: If387e42363401bc4f4c362de2b66e910b38d7239

Cambiar Resumen

modified: stack/l2cap/l2c_fcr.cc (diff)
modified: stack/sdp/sdp_discovery.cc (diff)

Diferencia incremental

--- a/stack/l2cap/l2c_fcr.cc

+++ b/stack/l2cap/l2c_fcr.cc

		@@ -842,6 +842,14 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
842	842	return;
843	843	}
844	844
	845	+ if (sdu_length < p_buf->len) {
	846	+ L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
	847	+ android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
	848	+ /* Discard the buffer */
	849	+ osi_free(p_buf);
	850	+ return;
	851	+ }
	852	+
845	853	p_data = (BT_HDR*)osi_malloc(L2CAP_MAX_BUF_SIZE);
846	854	if (p_data == NULL) {
847	855	osi_free(p_buf);

--- a/stack/sdp/sdp_discovery.cc

+++ b/stack/sdp/sdp_discovery.cc

		@@ -277,6 +277,11 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
277	277	uint16_t total, cur_handles, orig;
278	278	uint8_t cont_len;
279	279
	280	+ if (p_reply + 8 > p_reply_end) {
	281	+ android_errorWriteLog(0x534e4554, "74249842");
	282	+ sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
	283	+ return;
	284	+ }
280	285	/* Skip transaction, and param len */
281	286	p_reply += 4;
282	287	BE_STREAM_TO_UINT16(total, p_reply);

		@@ -295,6 +300,12 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
295	300	if (p_ccb->num_handles > sdp_cb.max_recs_per_search)
296	301	p_ccb->num_handles = sdp_cb.max_recs_per_search;
297	302
	303	+ if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end) {
	304	+ android_errorWriteLog(0x534e4554, "74249842");
	305	+ sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
	306	+ return;
	307	+ }
	308	+
298	309	for (xx = orig; xx < p_ccb->num_handles; xx++)
299	310	BE_STREAM_TO_UINT32(p_ccb->handles[xx], p_reply);
300	311

system-bt Fork