DO NOT MERGE - Add proper checks for PAN & BNEP in BD stack

This patch fixes issues in PAN & BNEP in the BD stack that were
identified by a static analysis tool.

Bug: 24595992

Change-Id: I29417dae982abb5cef11379f8d03baad11ffde8b
diff --git a/btif/co/bta_pan_co.c b/btif/co/bta_pan_co.c
index ad0c796..3884abb 100644
--- a/btif/co/bta_pan_co.c
+++ b/btif/co/bta_pan_co.c
@@ -166,31 +166,37 @@
     BOOLEAN            ext;
     BOOLEAN         forward;
 
-    BTIF_TRACE_API("bta_pan_co_tx_path, handle:%d, app_id:%d", handle, app_id);
+    BTIF_TRACE_API("%s, handle:%d, app_id:%d", __func__, handle, app_id);
 
     btpan_conn_t* conn = btpan_find_conn_handle(handle);
-    if(!conn || conn->state != PAN_STATE_OPEN)
+    if (!conn)
     {
-        BTIF_TRACE_ERROR("bta_pan_co_tx_path: cannot find pan connction or conn"
-            "is not opened, conn:%p, conn->state:%d", conn, conn->state);
+        BTIF_TRACE_ERROR("%s: cannot find pan connection", __func__);
         return;
     }
+    else if(conn->state != PAN_STATE_OPEN)
+    {
+        BTIF_TRACE_ERROR("%s: conn is not opened, conn:%p, conn->state:%d",
+            __func__, conn, conn->state);
+        return;
+    }
+
     do
     {
         /* read next data buffer from pan */
         if ((p_buf = bta_pan_ci_readbuf(handle, src, dst, &protocol,
                                  &ext, &forward)))
         {
-            BTIF_TRACE_DEBUG("bta_pan_co_tx_path, calling btapp_tap_send, "
-                "p_buf->len:%d, offset:%d", p_buf->len, p_buf->offset);
+            bdstr_t bdstr;
+            BTIF_TRACE_DEBUG("%s, calling btapp_tap_send, "
+                "p_buf->len:%d, offset:%d", __func__, p_buf->len, p_buf->offset);
             if(is_empty_eth_addr(conn->eth_addr) && is_valid_bt_eth_addr(src))
             {
-                BTIF_TRACE_DEBUG("pan bt peer addr: %02x:%02x:%02x:%02x:%02x:%02x",
-                    conn->peer[0], conn->peer[1], conn->peer[2],
-                    conn->peer[3],conn->peer[4], conn->peer[5]);
-                BTIF_TRACE_DEBUG("     update its ethernet addr: "
-                    "%02x:%02x:%02x:%02x:%02x:%02x", src[0], src[1], src[2],
-                    src[3],src[4], src[5]);
+                BTIF_TRACE_DEBUG("%s pan bt peer addr: %s", __func__,
+                    bd2str((bt_bdaddr_t *)conn->peer, &bdstr));
+                bd2str((bt_bdaddr_t *)src, &bdstr);
+                BTIF_TRACE_DEBUG("%s:     update its ethernet addr: %s", __func__,
+                    bd2str((bt_bdaddr_t *)src, &bdstr));
                 memcpy(conn->eth_addr, src, sizeof(conn->eth_addr));
 
             }
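Review bot: The standalone `bd2str((bt_bdaddr_t *)src, &bdstr);` just before the second BTIF_TRACE_DEBUG is dead code, because the trace call's own argument repeats the same conversion into the same buffer; drop that line. The new `else if(conn->state != PAN_STATE_OPEN)` follows a branch that always returns, so a plain `if (conn->state != PAN_STATE_OPEN)` reads more clearly and matches the spacing of `if (!conn)`. Both casts assume `bt_bdaddr_t` is laid out as the six raw address bytes; its definition is not in this hunk, so that is worth confirming. The function body starts and ends outside the hunk.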
diff --git a/btif/include/btif_pan_internal.h b/btif/include/btif_pan_internal.h
index 64bab99..fad5577 100644
--- a/btif/include/btif_pan_internal.h
+++ b/btif/include/btif_pan_internal.h
@@ -38,6 +38,7 @@
 #define PANU_SERVICE_NAME "Android Network User"
 #define TAP_IF_NAME "bt-pan"
 #define ETH_ADDR_LEN        6
+#define TAP_MAX_PKT_WRITE_LEN 2000
 #ifndef PAN_SECURITY
 #define PAN_SECURITY (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_OUT_ENCRYPT)
 #endif
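Review bot: `TAP_MAX_PKT_WRITE_LEN` has no comment saying whether the limit includes the Ethernet header. The btif_pan.c hunk in this commit is only correct because it does not: the buffer there is sized `TAP_MAX_PKT_WRITE_LEN + sizeof(tETH_HDR)`. A one-line comment above the define, such as `/* Max payload bytes per TAP write, excluding tETH_HDR */`, would keep a later caller from sizing a buffer with the bare constant and reintroducing the overflow.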
diff --git a/btif/src/btif_pan.c b/btif/src/btif_pan.c
index 3d31bf5..fd1d4aa 100644
--- a/btif/src/btif_pan.c
+++ b/btif/src/btif_pan.c
@@ -451,9 +451,9 @@
         memcpy(&eth_hdr.h_dest, dst, ETH_ADDR_LEN);
         memcpy(&eth_hdr.h_src, src, ETH_ADDR_LEN);
         eth_hdr.h_proto = htons(proto);
-        char packet[2000];
+        char packet[TAP_MAX_PKT_WRITE_LEN + sizeof(tETH_HDR)];
         memcpy(packet, &eth_hdr, sizeof(tETH_HDR));
-        if(len > 2000)
+        if (len > TAP_MAX_PKT_WRITE_LEN)
         {
             ALOGE("btpan_tap_send eth packet size:%d is exceeded limit!", len);
             return -1;
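Review bot: The `len > TAP_MAX_PKT_WRITE_LEN` check is a complete bound only if `len` is unsigned. Its declaration is outside the hunk and it is printed with `%d`, so if it is a signed type, a negative value would pass the check and reach the payload copy that presumably follows. Confirm the parameter type, or record it next to the check, e.g. `/* len is unsigned (TODO confirm); payload must fit after the header in packet[] */`. The length check would also read better before `packet` is declared and the header copied, so the rejection path touches no buffer. The function continues outside the hunk.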
diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c
index 62fa316..56ab945 100644
--- a/stack/bnep/bnep_main.c
+++ b/stack/bnep/bnep_main.c
@@ -370,8 +370,8 @@
     }
     else
     {
-        if (((p_bcb->con_flags & BNEP_FLAGS_IS_ORIG) && (bnep_cb.p_conn_state_cb)) ||
-            p_bcb->con_flags & BNEP_FLAGS_CONN_COMPLETED)
+        if ((bnep_cb.p_conn_state_cb) && ((p_bcb->con_flags & BNEP_FLAGS_IS_ORIG) ||
+            (p_bcb->con_flags & BNEP_FLAGS_CONN_COMPLETED)))
             (*bnep_cb.p_conn_state_cb) (p_bcb->handle, p_bcb->rem_bda, BNEP_CONN_FAILED, FALSE);
     }
 
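Review bot: The callback invocation hangs off an unbraced `if` whose condition now wraps over two lines, which makes it easy for a later edit to add a second statement that runs unconditionally; put the call in braces. The regrouped condition does place the `bnep_cb.p_conn_state_cb` null test in front of both flag cases, which the old `||` form did not do for BNEP_FLAGS_CONN_COMPLETED. The surrounding `else` block starts outside the hunk.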
diff --git a/stack/bnep/bnep_utils.c b/stack/bnep/bnep_utils.c
index 92061d0..116d80f 100644
--- a/stack/bnep/bnep_utils.c
+++ b/stack/bnep/bnep_utils.c
@@ -173,10 +173,11 @@
     BT_HDR  *p_buf;
     UINT8   *p, *p_start;
 
-    BNEP_TRACE_DEBUG ("BNEP sending setup req with dst uuid %x", p_bcb->dst_uuid.uu.uuid16);
+    BNEP_TRACE_DEBUG ("%s: sending setup req with dst uuid %x",
+        __func__, p_bcb->dst_uuid.uu.uuid16);
     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (BNEP_POOL_ID)) == NULL)
     {
-        BNEP_TRACE_ERROR ("BNEP - not able to send connection request");
+        BNEP_TRACE_ERROR ("%s: not able to send connection request", __func__);
         return;
     }
 
@@ -202,7 +203,7 @@
         UINT32_TO_BE_STREAM (p, p_bcb->dst_uuid.uu.uuid32);
         UINT32_TO_BE_STREAM (p, p_bcb->src_uuid.uu.uuid32);
     }
-    else
+    else if (p_bcb->dst_uuid.len == 16)
     {
         memcpy (p, p_bcb->dst_uuid.uu.uuid128, p_bcb->dst_uuid.len);
         p += p_bcb->dst_uuid.len;
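Review bot: Restricting this branch to `p_bcb->dst_uuid.len == 16` leaves every other length to the fallback `else` added in the next hunk, and that branch only logs. Execution then continues to `p_buf->len = (UINT16)(p - p_start);`, so a setup request carrying no UUIDs appears to be built and handed on. The fallback should release the buffer and stop, e.g. `GKI_freebuf (p_buf);` followed by `return;` after the trace line, assuming the function returns void as the earlier `return;` suggests. The new `else` also sits after `#endif`, so which `if` it pairs with depends on a preprocessor condition that is not visible here. The function body starts and ends outside the hunk.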
@@ -210,6 +211,11 @@
         p += p_bcb->dst_uuid.len;
     }
 #endif
+    else
+    {
+        BNEP_TRACE_ERROR ("%s: uuid: %x, invalid length: %x",
+            __func__, p_bcb->dst_uuid.uu.uuid16, p_bcb->dst_uuid.len);
+    }
 
     p_buf->len = (UINT16)(p - p_start);