Merge cherrypicks of [2780928, 2780896, 2781450, 2781451, 2781452, 2781453, 2781454, 2781169, 2781470, 2781471, 2781472, 2781473, 2781474, 2780929, 2781185, 2781490, 2781491, 2781492, 2781493, 2781494, 2781495, 2781496, 2781497, 2781437, 2781498, 2781499, 2781500, 2781501, 2781502, 2781503, 2781504, 2781505, 2781506, 2781507, 2780897, 2780898, 2780899, 2780900, 2780901, 2781475, 2781476, 2781477, 2781478, 2781186, 2781511, 2781512, 2781630] into nyc-bugfix-release

Change-Id: I0c8087fe605056201d28d83e755052f32a37999a
diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
index 286787e..7fe3c99 100644
--- a/stack/btm/btm_ble_gap.c
+++ b/stack/btm/btm_ble_gap.c
@@ -28,6 +28,8 @@
 #include <stdio.h>
 #include <stddef.h>
 
+#include <log/log.h>
+
 #include "bt_types.h"
 #include "bt_utils.h"
 #include "btm_ble_api.h"
@@ -2285,7 +2287,7 @@
 ** Returns          void
 **
 *******************************************************************************/
-void btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, UINT8 evt_type)
+BOOLEAN btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, UINT8 evt_type)
 {
     tBTM_BLE_INQ_CB     *p_le_inq_cb = &btm_cb.ble_ctr_cb.inq_var;
     UINT8 *p_cache;
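Review bot: The function header comment above the signature still says `** Returns          void`, although the function now returns BOOLEAN and the caller acts on the result. I would update it to `** Returns          TRUE if the advertising data was cached, FALSE if a record length exceeds the remaining data length`. The function body continues outside this hunk.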
@@ -2305,8 +2307,16 @@
         STREAM_TO_UINT8(length, p);
         while ( length && ((p_le_inq_cb->adv_len + length + 1) <= BTM_BLE_CACHE_ADV_DATA_MAX))
         {
+            /* adv record size must be smaller than the total adv data size */
+            if ((length + 1) > data_len) {
+                BTM_TRACE_ERROR("BTM - got incorrect LE advertising data");
+                android_errorWriteLog(0x534e4554, "33899337");
+                return FALSE;
+            }
             /* copy from the length byte & data into cache */
             memcpy(p_cache, p-1, length+1);
+            /* reduce the total data size by size of data copied */
+            data_len -= length + 1;
             /* advance the cache pointer past data */
             p_cache += length+1;
             /* increment cache length */
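Review bot: The `while` condition still does not test `data_len`, so after the last record is consumed the `STREAM_TO_UINT8(length, p)` at the bottom of the loop (visible in the next hunk) fetches a byte that lies outside the `data_len` bytes of advertising data. Judging by the caller's `p1 = (p + data_len)` followed by the rssi read, that byte appears to be the RSSI. If it is non-zero and small enough to pass the cache-size test, the new `(length + 1) > data_len` check fires with `data_len == 0` and a well-formed report is discarded. Stopping the loop once the data is exhausted avoids this: `while (data_len && length && ((p_le_inq_cb->adv_len + length + 1) <= BTM_BLE_CACHE_ADV_DATA_MAX))`. The loop body starts and ends outside this hunk.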
@@ -2316,6 +2326,7 @@
             STREAM_TO_UINT8(length, p);
         }
     }
+    return TRUE;
 
     /* parse service UUID from adv packet and save it in inq db eir_uuid */
     /* TODO */
@@ -2540,7 +2551,9 @@
         BTM_TRACE_WARNING("EIR data too long %d. discard", data_len);
         return FALSE;
     }
-    btm_ble_cache_adv_data(p_cur, data_len, p, evt_type);
+    if (!btm_ble_cache_adv_data(p_cur, data_len, p, evt_type)) {
+        return FALSE;
+    }
 
     p1 = (p + data_len);
     STREAM_TO_UINT8 (rssi, p1);
diff --git a/stack/l2cap/l2c_main.c b/stack/l2cap/l2c_main.c
index dab56a2..3c48d69 100644
--- a/stack/l2cap/l2c_main.c
+++ b/stack/l2cap/l2c_main.c
@@ -28,6 +28,8 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include <log/log.h>
+
 #include "bt_target.h"
 #include "btm_int.h"
 #include "btu.h"
@@ -132,6 +134,14 @@
     STREAM_TO_UINT16 (hci_len, p);
     p_msg->offset += 4;
 
+    if (hci_len < L2CAP_PKT_OVERHEAD) {
+        /* Must receive at least the L2CAP length and CID */
+        L2CAP_TRACE_WARNING ("L2CAP - got incorrect hci header");
+        android_errorWriteLog(0x534e4554, "34946955");
+        osi_free(p_msg);
+        return;
+    }
+
     /* Extract the length and CID */
     STREAM_TO_UINT16 (l2cap_len, p);
     STREAM_TO_UINT16 (rcv_cid, p);
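Review bot: The new guard compares `hci_len` only with `L2CAP_PKT_OVERHEAD`; nothing in this hunk compares it with the number of bytes actually held in `p_msg`. `hci_len` is a value read from the packet header, so the two `STREAM_TO_UINT16` reads that follow are safe only if the buffer really is that long. Whether the HCI layer already guarantees this is not visible here. If it does, a comment such as `/* hci_len was validated against the received buffer size by the HCI layer */` would record the assumption; if it does not, the buffer length should be checked in this same `if`. The enclosing function starts and ends outside the hunk.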
@@ -154,17 +164,8 @@
         }
     }
 
-    if (hci_len >= L2CAP_PKT_OVERHEAD)  /* Must receive at least the L2CAP length and CID.*/
-    {
-        p_msg->len    = hci_len - L2CAP_PKT_OVERHEAD;
-        p_msg->offset += L2CAP_PKT_OVERHEAD;
-    }
-    else
-    {
-        L2CAP_TRACE_WARNING ("L2CAP - got incorrect hci header" );
-        osi_free(p_msg);
-        return;
-    }
+    p_msg->len    = hci_len - L2CAP_PKT_OVERHEAD;
+    p_msg->offset += L2CAP_PKT_OVERHEAD;
 
     if (l2cap_len != p_msg->len)
     {
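Review bot: The subtraction `hci_len - L2CAP_PKT_OVERHEAD` is now unconditional and depends on a guard that sits some thirty lines earlier, in the previous hunk. With the `if`/`else` removed, a reader no longer sees locally why it cannot underflow. I would add a one-line comment above the assignment, for example `/* hci_len >= L2CAP_PKT_OVERHEAD was verified right after the HCI header was parsed */`, so a later edit that moves or drops the early check does not silently reintroduce the wrap. The enclosing function starts and ends outside the hunk.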