resolve merge conflicts of ec78d74706c3e81f91eee53e3d9f959f66e5d77f to pi-dev
Bug: None
Test: I solemnly swear I tested this conflict resolution.
Change-Id: Id658b3485fdc0025bc44850be9f23bb2d2146d9b
(cherry picked from commit 6c0f22f324ed0bdf9dea3e803e5ee6176d03fdb4)
diff --git a/stack/l2cap/l2c_main.cc b/stack/l2cap/l2c_main.cc
index eae77a6..74e7135 100644
--- a/stack/l2cap/l2c_main.cc
+++ b/stack/l2cap/l2c_main.cc
@@ -455,19 +455,40 @@
switch (cfg_code & 0x7F) {
case L2CAP_CFG_TYPE_MTU:
cfg_info.mtu_present = true;
- if (p + 2 > p_next_cmd) return;
+ if (cfg_len != 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(cfg_info.mtu, p);
break;
case L2CAP_CFG_TYPE_FLUSH_TOUT:
cfg_info.flush_to_present = true;
- if (p + 2 > p_next_cmd) return;
+ if (cfg_len != 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(cfg_info.flush_to, p);
break;
case L2CAP_CFG_TYPE_QOS:
cfg_info.qos_present = true;
- if (p + 2 + 5 * 4 > p_next_cmd) return;
+ if (cfg_len != 2 + 5 * 4) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.qos.qos_flags, p);
STREAM_TO_UINT8(cfg_info.qos.service_type, p);
STREAM_TO_UINT32(cfg_info.qos.token_rate, p);
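Review bot: The same two-step guard (exact `cfg_len` match, then `p + cfg_len > p_next_cmd`) is pasted into every option case here and again in the FCR, FCS and EXT_FLOW cases of the next two hunks. Each copy carries the bare literal `0x534e4554` and two bug-id strings, so a future option type can easily end up with only one of the checks. A small file-local helper that takes the expected length would keep both checks and their event-log tags in one place. The pointer and length types in the sketch are assumed, because the declarations of `p`, `p_next_cmd` and `cfg_len` are outside the hunk, as are the start and end of the enclosing function.

```cpp
// Returns true when a configuration option carries exactly |expected| bytes
// and those bytes lie inside the current command.
static bool l2c_cfg_option_fits(const uint8_t* p, const uint8_t* p_next_cmd,
                                uint8_t cfg_len, uint8_t expected) {
  if (cfg_len != expected) {
    android_errorWriteLog(0x534e4554, "119870451");
    return false;
  }
  if (p + cfg_len > p_next_cmd) {
    android_errorWriteLog(0x534e4554, "74202041");
    return false;
  }
  return true;
}

// … unchanged: switch header …
case L2CAP_CFG_TYPE_MTU:
  cfg_info.mtu_present = true;
  if (!l2c_cfg_option_fits(p, p_next_cmd, cfg_len, 2)) return;
  // … unchanged: STREAM_TO_UINT16 read and break; the other cases use the same one-line guard …
```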
@@ -479,7 +500,14 @@
case L2CAP_CFG_TYPE_FCR:
cfg_info.fcr_present = true;
- if (p + 3 + 3 * 2 > p_next_cmd) return;
+ if (cfg_len != 3 + 3 * 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.fcr.mode, p);
STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p);
STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p);
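Review bot: The early `return` on a bad FCR option length stops processing of the whole packet, and as far as the hunk shows nothing is sent back to the peer; no comment says this is intended. If it is, state it next to the check, e.g. `// Malformed option: stop parsing this signalling packet without replying.` If a reject is expected instead, that path is not visible here and should be confirmed. The same applies to the returns in the MTU, flush timeout, QoS, FCS and EXT_FLOW cases; the enclosing function begins and ends outside the hunk.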
@@ -490,13 +518,27 @@
case L2CAP_CFG_TYPE_FCS:
cfg_info.fcs_present = true;
- if (p + 1 > p_next_cmd) return;
+ if (cfg_len != 1) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.fcs, p);
break;
case L2CAP_CFG_TYPE_EXT_FLOW:
cfg_info.ext_flow_spec_present = true;
- if (p + 2 + 2 + 3 * 4 > p_next_cmd) return;
+ if (cfg_len != 2 + 2 + 3 * 4) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p);
STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p);
STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p);
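Review bot: The expected lengths are written as unexplained arithmetic (`2 + 2 + 3 * 4` here, `2 + 5 * 4` and `3 + 3 * 2` in the earlier hunks), and each must stay equal to the bytes consumed by the `STREAM_TO_*` reads that follow. A comment tying each term to its fields would let a reviewer verify that, e.g. `// id(1) + stype(1) + max_sdu_size(2) + three 32-bit fields`. The three 32-bit reads fall after the end of this hunk, so that part of the comment is inferred and should be checked against the full case body. A named constant per option would be better still if the L2CAP headers already define one.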
diff --git a/stack/l2cap/l2c_utils.cc b/stack/l2cap/l2c_utils.cc
index 337e076..ced48a2 100644
--- a/stack/l2cap/l2c_utils.cc
+++ b/stack/l2cap/l2c_utils.cc
@@ -796,6 +796,9 @@
case L2CAP_CFG_TYPE_MTU:
case L2CAP_CFG_TYPE_FLUSH_TOUT:
case L2CAP_CFG_TYPE_QOS:
+ case L2CAP_CFG_TYPE_FCR:
+ case L2CAP_CFG_TYPE_FCS:
+ case L2CAP_CFG_TYPE_EXT_FLOW:
p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
break;
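Review bot: This list of recognised option types now has to mirror the `switch` in `l2c_main.cc` by hand, and nothing in the hunk says so. A one-line comment above the labels would help the two stay together, e.g. `// Known option types; keep in sync with the config-option switch in l2c_main.cc.` The shared statement also advances `p_data` by the peer-supplied `cfg_len` with no bound visible in this hunk. It is worth confirming that the surrounding loop, which is outside the hunk, limits `p_data` to the received data length.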