OSDN > Entwickler > natedogg > Kammer > system-bt > Commit

system-bt
Fork

R/O
HTTP
SSH
HTTPS

Commit

Commit MetaInfo

Revision	72270d976bbc02e2408c57f416bf589c8bd14a88 (tree)
Zeit	2017-04-12 07:33:09
Autor	Jack He <siyuanh@goog...>
Commiter	android-build-merger

Log Message

Check LE advertising data length before caching advertising records am: 1bef3546a6 am: e6620d18cf am: 585e0c08f5 am: 005eb1d305 am: 7752061901 am: 0ddb124e6e
am: 2feb43b5b1

Change-Id: I3d16a2939976a326ca20056b29818e2df550ee67

Ändern Zusammenfassung

modified: stack/btm/btm_ble_gap.c (diff)

Diff

--- a/stack/btm/btm_ble_gap.c

+++ b/stack/btm/btm_ble_gap.c

		@@ -28,6 +28,8 @@
28	28	#include <stdio.h>
29	29	#include <stddef.h>
30	30
	31	+#include <log/log.h>
	32	+
31	33	#include "bt_types.h"
32	34	#include "bt_utils.h"
33	35	#include "btm_ble_api.h"

		@@ -2285,7 +2287,7 @@ static void btm_ble_parse_adv_data(tBTM_INQ_INFO p_info, UINT8 p_data,
2285	2287	** Returns void
2286	2288	**
2287	2289	*******************************************************************************/
2288		-void btm_ble_cache_adv_data(tBTM_INQ_RESULTS p_cur, UINT8 data_len, UINT8 p, UINT8 evt_type)
	2290	+BOOLEAN btm_ble_cache_adv_data(tBTM_INQ_RESULTS p_cur, UINT8 data_len, UINT8 p, UINT8 evt_type)
2289	2291	{
2290	2292	tBTM_BLE_INQ_CB *p_le_inq_cb = &btm_cb.ble_ctr_cb.inq_var;
2291	2293	UINT8 *p_cache;

		@@ -2305,8 +2307,16 @@ void btm_ble_cache_adv_data(tBTM_INQ_RESULTS p_cur, UINT8 data_len, UINT8 p, U
2305	2307	STREAM_TO_UINT8(length, p);
2306	2308	while ( length && ((p_le_inq_cb->adv_len + length + 1) <= BTM_BLE_CACHE_ADV_DATA_MAX))
2307	2309	{
	2310	+ /* adv record size must be smaller than the total adv data size */
	2311	+ if ((length + 1) > data_len) {
	2312	+ BTM_TRACE_ERROR("BTM - got incorrect LE advertising data");
	2313	+ android_errorWriteLog(0x534e4554, "33899337");
	2314	+ return FALSE;
	2315	+ }
2308	2316	/* copy from the length byte & data into cache */
2309	2317	memcpy(p_cache, p-1, length+1);
	2318	+ /* reduce the total data size by size of data copied */
	2319	+ data_len -= length + 1;
2310	2320	/* advance the cache pointer past data */
2311	2321	p_cache += length+1;
2312	2322	/* increment cache length */

		@@ -2316,6 +2326,7 @@ void btm_ble_cache_adv_data(tBTM_INQ_RESULTS p_cur, UINT8 data_len, UINT8 p, U
2316	2326	STREAM_TO_UINT8(length, p);
2317	2327	}
2318	2328	}
	2329	+ return TRUE;
2319	2330
2320	2331	/* parse service UUID from adv packet and save it in inq db eir_uuid */
2321	2332	/* TODO */

		@@ -2540,7 +2551,9 @@ BOOLEAN btm_ble_update_inq_result(tINQ_DB_ENT *p_i, UINT8 addr_type, UINT8 evt_t
2540	2551	BTM_TRACE_WARNING("EIR data too long %d. discard", data_len);
2541	2552	return FALSE;
2542	2553	}
2543		- btm_ble_cache_adv_data(p_cur, data_len, p, evt_type);
	2554	+ if (!btm_ble_cache_adv_data(p_cur, data_len, p, evt_type)) {
	2555	+ return FALSE;
	2556	+ }
2544	2557
2545	2558	p1 = (p + data_len);
2546	2559	STREAM_TO_UINT8 (rssi, p1);

system-bt Fork