btm_ble_multi_adv: Check data length in HCI interface
For BleAdvertiserVscHciInterfaceImpl and
BleAdvertiserLegacyHciInterfaceImpl, the advertising data and scan
response data lengths must not exceed BTM_BLE_AD_DATA_LEN (31 bytes);
clamp them before they are copied into the fixed-size HCI command buffer.
Bug: 121145627
Test: POC
Change-Id: I7653a6c186b7313ef2b1547bca120b9d41c90140
(cherry picked from commit a99fe8a175a6d209e741871544ae3f857c8a7cbb)
diff --git a/stack/btm/ble_advertiser_hci_interface.cc b/stack/btm/ble_advertiser_hci_interface.cc
index 93b517d..574ef71 100644
--- a/stack/btm/ble_advertiser_hci_interface.cc
+++ b/stack/btm/ble_advertiser_hci_interface.cc
@@ -27,6 +27,7 @@
#include "btm_int_types.h"
#include "device/include/controller.h"
#include "hcidefs.h"
+#include "log/log.h"
#define BTM_BLE_MULTI_ADV_SET_RANDOM_ADDR_LEN 8
#define BTM_BLE_MULTI_ADV_ENB_LEN 3
@@ -162,6 +163,14 @@
uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN];
memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN);
+ if (data_length > BTM_BLE_AD_DATA_LEN) {
+ android_errorWriteLog(0x534e4554, "121145627");
+ LOG(ERROR) << __func__
+ << ": data_length=" << static_cast<int>(data_length)
+ << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN;
+ data_length = BTM_BLE_AD_DATA_LEN;
+ }
+
uint8_t* pp = param;
UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_ADV_DATA);
UINT8_TO_STREAM(pp, data_length);
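Review bot: Clamping `data_length` to BTM_BLE_AD_DATA_LEN and continuing (the block added just before `uint8_t* pp = param;`) silently truncates the caller's payload, so an AD stream longer than 31 bytes is sent cut mid-structure rather than rejected. The controller may then refuse the command or scanners may misparse the last AD element, and the only signal is a log line. Consider failing the request instead — reporting an error through whatever completion path this command carries — or, if truncation is the intended behaviour, state it at the clamp: `// Oversized payload: truncate to the spec limit rather than overrun param[].` The function's signature and the copy that consumes `data_length` lie outside this hunk.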
@@ -181,6 +190,14 @@
uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN];
memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN);
+ if (scan_response_data_length > BTM_BLE_AD_DATA_LEN) {
+ android_errorWriteLog(0x534e4554, "121145627");
+ LOG(ERROR) << __func__ << ": scan_response_data_length="
+ << static_cast<int>(scan_response_data_length)
+ << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN;
+ scan_response_data_length = BTM_BLE_AD_DATA_LEN;
+ }
+
uint8_t* pp = param;
UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_SCAN_RSP_DATA);
UINT8_TO_STREAM(pp, scan_response_data_length);
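Review bot: The clamp bound `BTM_BLE_AD_DATA_LEN` is not tied at compile time to the `param` buffer size `BTM_BLE_MULTI_ADV_WRITE_DATA_LEN`, so the overflow this fixes could return if either define is changed independently. The hunk shows two header bytes written before the payload (subcode and length), so a `static_assert(BTM_BLE_AD_DATA_LEN + 2 <= BTM_BLE_MULTI_ADV_WRITE_DATA_LEN, "scan response payload must fit param");` next to the array would pin that relationship, with the constant adjusted for any trailing bytes written after the hunk ends. The rest of the function, including the copy of the payload, is outside this hunk.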
@@ -372,6 +389,15 @@
uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1];
+ if (data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) {
+ android_errorWriteLog(0x534e4554, "121145627");
+ LOG(ERROR) << __func__
+ << ": data_length=" << static_cast<int>(data_length)
+ << ", is longer than size limit "
+ << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+ data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+ }
+
uint8_t* pp = param;
memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1);
UINT8_TO_STREAM(pp, data_length);
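Review bot: The legacy interface clamps to `HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA` while the VSC interface above clamps to `BTM_BLE_AD_DATA_LEN`, although the commit message says both limits are 31. If the two defines ever diverge the legacy path would accept a different maximum than the VSC one with no warning. A single `static_assert(HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA == BTM_BLE_AD_DATA_LEN, "BLE AD length limits must agree");` near the top of the file would document and enforce the equality. Here the bound fits `param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1]` only if the sole write after the length byte is a copy of `data_length` bytes; that copy and the function's end are outside the hunk.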
@@ -389,6 +415,15 @@
VLOG(1) << __func__;
uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1];
+ if (scan_response_data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) {
+ android_errorWriteLog(0x534e4554, "121145627");
+ LOG(ERROR) << __func__ << ": scan_response_data_length="
+ << static_cast<int>(scan_response_data_length)
+ << ", is longer than size limit "
+ << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+ scan_response_data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+ }
+
uint8_t* pp = param;
memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1);
UINT8_TO_STREAM(pp, scan_response_data_length);
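Review bot: This is the fourth verbatim copy of the clamp-and-log block in the commit (only the variable and the limit differ), and the SafetyNet tag `"121145627"` is now repeated at four sites. A small file-scope helper would keep each call site to one line and make a future limit change a single edit. The call here would become `scan_response_data_length = ClampAdDataLength(__func__, scan_response_data_length, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA);`. The helper must be defined before its first use; the surrounding function begins and ends outside this hunk.
```cpp
// Clamp an AD payload length to |limit|, logging a SafetyNet event on truncation.
static uint8_t ClampAdDataLength(const char* func, uint8_t len, uint8_t limit) {
  if (len > limit) {
    android_errorWriteLog(0x534e4554, "121145627");
    LOG(ERROR) << func << ": data_length=" << static_cast<int>(len)
               << ", is longer than size limit " << static_cast<int>(limit);
    return limit;
  }
  return len;
}
```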