• R/O
  • HTTP
  • SSH
  • HTTPS

Commit

Tags
Keine Tags

Frequently used words (click to add to your profile)

javaandroidc++linuxc#objective-ccocoa誰得qtrubypythongamewindowsbathyscaphephpguic翻訳omegattwitterframeworktestbtronarduinovb.net計画中(planning stage)directxpreviewerゲームエンジンdom

system/bt


Commit MetaInfo

Revisionc513a8ff5cfdcc62cc14da354beb1dd22e56be0e (tree)
Zeit2017-08-09 03:44:30
AutorPavlin Radoslavov <pavlin@goog...>
Commiterandroid-build-team Robot

Log Message

Allocate buffers of the right size when BT_HDR is included

Bug: 63146105
Test: External script
Change-Id: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
Merged-In: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
(cherry picked from commit 8810ffba990f8f53172c445ebde8707525bb7813)

Ändern Zusammenfassung

Diff

--- a/stack/avdt/avdt_api.cc
+++ b/stack/avdt/avdt_api.cc
@@ -1042,7 +1042,7 @@ uint16_t AVDT_SendReport(uint8_t handle, AVDT_REPORT_TYPE type,
10421042 /* build SR - assume fit in one packet */
10431043 p_tbl = avdt_ad_tc_tbl_by_type(AVDT_CHAN_REPORT, p_scb->p_ccb, p_scb);
10441044 if (p_tbl->state == AVDT_AD_ST_OPEN) {
1045- BT_HDR* p_pkt = (BT_HDR*)osi_malloc(p_tbl->peer_mtu);
1045+ BT_HDR* p_pkt = (BT_HDR*)osi_malloc(p_tbl->peer_mtu + sizeof(BT_HDR));
10461046
10471047 p_pkt->offset = L2CAP_MIN_OFFSET;
10481048 p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
--- a/stack/bnep/bnep_main.cc
+++ b/stack/bnep/bnep_main.cc
@@ -525,7 +525,7 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
525525 if (ctrl_type == BNEP_SETUP_CONNECTION_REQUEST_MSG &&
526526 p_bcb->con_state != BNEP_STATE_CONNECTED && extension_present && p &&
527527 rem_len) {
528- p_bcb->p_pending_data = (BT_HDR*)osi_malloc(rem_len);
528+ p_bcb->p_pending_data = (BT_HDR*)osi_malloc(rem_len + sizeof(BT_HDR));
529529 memcpy((uint8_t*)(p_bcb->p_pending_data + 1), p, rem_len);
530530 p_bcb->p_pending_data->len = rem_len;
531531 p_bcb->p_pending_data->offset = 0;
--- a/stack/l2cap/l2cap_client.cc
+++ b/stack/l2cap/l2cap_client.cc
@@ -393,7 +393,7 @@ static void fragment_packet(l2cap_client_t* client, buffer_t* packet) {
393393
394394 // TODO(sharvil): eliminate copy into BT_HDR.
395395 BT_HDR* bt_packet = static_cast<BT_HDR*>(
396- osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET));
396+ osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET + sizeof(BT_HDR)));
397397 bt_packet->offset = L2CAP_MIN_OFFSET;
398398 bt_packet->len = buffer_length(packet);
399399 memcpy(bt_packet->data + bt_packet->offset, buffer_ptr(packet),
@@ -408,8 +408,8 @@ static void fragment_packet(l2cap_client_t* client, buffer_t* packet) {
408408 break;
409409 }
410410
411- BT_HDR* fragment =
412- static_cast<BT_HDR*>(osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET));
411+ BT_HDR* fragment = static_cast<BT_HDR*>(
412+ osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET + sizeof(BT_HDR)));
413413 fragment->offset = L2CAP_MIN_OFFSET;
414414 fragment->len = client->remote_mtu;
415415 memcpy(fragment->data + fragment->offset,
--- a/stack/mcap/mca_cact.cc
+++ b/stack/mcap/mca_cact.cc
@@ -117,7 +117,7 @@ void mca_ccb_snd_req(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
117117 if ((!p_ccb->p_tx_req) || is_abort) {
118118 p_ccb->p_tx_req = p_msg;
119119 if (!p_ccb->cong) {
120- BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU);
120+ BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
121121
122122 p_pkt->offset = L2CAP_MIN_OFFSET;
123123 p = p_start = (uint8_t*)(p_pkt + 1) + L2CAP_MIN_OFFSET;
@@ -154,7 +154,7 @@ void mca_ccb_snd_req(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
154154 void mca_ccb_snd_rsp(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
155155 tMCA_CCB_MSG* p_msg = (tMCA_CCB_MSG*)p_data;
156156 uint8_t *p, *p_start;
157- BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU);
157+ BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
158158
159159 MCA_TRACE_DEBUG("%s cong=%d req=%d", __func__, p_ccb->cong, p_msg->op_code);
160160 /* assume that API functions verified the parameters */
@@ -367,7 +367,7 @@ void mca_ccb_hdl_req(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
367367 if (((reject_code != MCA_RSP_SUCCESS) &&
368368 (evt_data.hdr.op_code != MCA_OP_SYNC_INFO_IND)) ||
369369 send_rsp) {
370- BT_HDR* p_buf = (BT_HDR*)osi_malloc(MCA_CTRL_MTU);
370+ BT_HDR* p_buf = (BT_HDR*)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
371371 p_buf->offset = L2CAP_MIN_OFFSET;
372372 p = p_start = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
373373 *p++ = reject_opcode;