Fix payload size for GATT Read by type request
Payload size for GATT Read by type request for UUID32 and UUID128
are incorrectly allocated. This leads to memory overflow when
Read by type request is sent for them and eventually results
in crash during free. This change makes sure that the payload
can accomodate upto 128 bit UUID.
This crash is observed while running TC_GAR_CL_BV_03_C Qual test
case.
Bug: 29011042
Change-Id: Ib2b41b769b394670099f4549f204e2972f7df876
diff --git a/stack/gatt/att_protocol.c b/stack/gatt/att_protocol.c
index 8b99089..e096362 100644
--- a/stack/gatt/att_protocol.c
+++ b/stack/gatt/att_protocol.c
@@ -31,6 +31,8 @@
#define GATT_HDR_FIND_TYPE_VALUE_LEN 21
#define GATT_OP_CODE_SIZE 1
+#define GATT_START_END_HANDLE_SIZE 4
+
/**********************************************************************
** ATT protocl message building utility *
***********************************************************************/
@@ -125,10 +127,10 @@
*******************************************************************************/
BT_HDR *attp_build_browse_cmd(UINT8 op_code, UINT16 s_hdl, UINT16 e_hdl, tBT_UUID uuid)
{
- UINT8 *p;
- BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 8 + L2CAP_MIN_OFFSET);
+ const size_t payload_size = (GATT_OP_CODE_SIZE) + (GATT_START_END_HANDLE_SIZE) + (LEN_UUID_128);
+ BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
- p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
+ UINT8 *p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
/* Describe the built message location and size */
p_buf->offset = L2CAP_MIN_OFFSET;
p_buf->len = GATT_OP_CODE_SIZE + 4;
