Revert "Fix buffer overflow in GAP_ConnWriteData"

This reverts commit 9f9c47683e28a0cf99b308deeac04073a9528c59.

Reason for revert: Bluetooth OPP crashing.

Bug: 72049058
Change-Id: Ic9ee9f28ce480453a9e01d3273595bff2264cd2b
(cherry picked from commit 3114ecdaa118837ebd2fe0432d8edb663284aca8)
diff --git a/stack/gap/gap_conn.cc b/stack/gap/gap_conn.cc
index 0fd70a0..f7186b3 100644
--- a/stack/gap/gap_conn.cc
+++ b/stack/gap/gap_conn.cc
@@ -502,12 +502,14 @@
   if (p_ccb->con_state != GAP_CCB_STATE_CONNECTED) return (GAP_ERR_BAD_STATE);
 
   while (max_len) {
-    uint16_t data_len = std::min(p_ccb->rem_mtu_size, max_len);
-    size_t bufsize = BT_HDR_SIZE + L2CAP_MIN_OFFSET + data_len;
+    if (p_ccb->cfg.fcr.mode == L2CAP_FCR_ERTM_MODE)
+      p_buf = (BT_HDR*)osi_malloc(L2CAP_FCR_ERTM_BUF_SIZE);
+    else
+      p_buf = (BT_HDR*)osi_malloc(GAP_DATA_BUF_SIZE);
 
-    p_buf = (BT_HDR*)osi_malloc(bufsize);
     p_buf->offset = L2CAP_MIN_OFFSET;
-    p_buf->len = data_len;
+    p_buf->len =
+        (p_ccb->rem_mtu_size < max_len) ? p_ccb->rem_mtu_size : max_len;
     p_buf->event = BT_EVT_TO_BTU_SP_DATA;
 
     memcpy((uint8_t*)(p_buf + 1) + p_buf->offset, p_data, p_buf->len);
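Review bot: With the revert applied, the `memcpy` at the end of this hunk copies `p_buf->len` bytes into a fixed-size allocation (`L2CAP_FCR_ERTM_BUF_SIZE` or `GAP_DATA_BUF_SIZE`), and nothing visible here bounds that length against the space left after the `BT_HDR` header and `L2CAP_MIN_OFFSET`. `p_buf->len` is the smaller of `p_ccb->rem_mtu_size` and `max_len`, and `rem_mtu_size` is presumably taken from the peer's L2CAP configuration, so a large remote MTU combined with a large write would run past the heap buffer, which is the condition the reverted commit addressed. If the OPP crash came from the smaller per-packet allocation (not determinable from this hunk), the fixed sizes can stay while the length is still clamped: record the chosen size as `size_t buf_size = (p_ccb->cfg.fcr.mode == L2CAP_FCR_ERTM_MODE) ? L2CAP_FCR_ERTM_BUF_SIZE : GAP_DATA_BUF_SIZE;` and set `p_buf->len = std::min<size_t>({p_ccb->rem_mtu_size, max_len, buf_size - BT_HDR_SIZE - L2CAP_MIN_OFFSET});`. The enclosing function and the rest of the `while (max_len)` loop lie outside the hunk, so confirm the loop still advances `p_data` and `max_len` by the clamped length.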