HIDD: Check descriptor length and increase buffer
Since maximum descriptor length is 2048, we need to assign 2054 bytes of
buffer for another 6 bytes of data. Also added a const for maximum
descriptor length.
Bug: 113572366
Test: manual
Change-Id: Ie2b25c9e1a9f2019cbc7e6fbecbb08b643c87946
Merged-In: Ie2b25c9e1a9f2019cbc7e6fbecbb08b643c87946
diff --git a/bta/hd/bta_hd_int.h b/bta/hd/bta_hd_int.h
index 4a48254..0748b67 100644
--- a/bta/hd/bta_hd_int.h
+++ b/bta/hd/bta_hd_int.h
@@ -66,7 +66,7 @@
#define BTA_HD_APP_NAME_LEN 50
#define BTA_HD_APP_DESCRIPTION_LEN 50
#define BTA_HD_APP_PROVIDER_LEN 50
-#define BTA_HD_APP_DESCRIPTOR_LEN 2048
+#define BTA_HD_APP_DESCRIPTOR_LEN HIDD_APP_DESCRIPTOR_LEN
#define BTA_HD_STATE_DISABLED 0x00
#define BTA_HD_STATE_ENABLED 0x01
diff --git a/stack/hid/hidd_api.cc b/stack/hid/hidd_api.cc
index 414cf74..f93511e 100644
--- a/stack/hid/hidd_api.cc
+++ b/stack/hid/hidd_api.cc
@@ -33,6 +33,7 @@
#include "hidd_api.h"
#include "hidd_int.h"
#include "hiddefs.h"
+#include "log/log.h"
tHID_DEV_CTB hd_cb;
@@ -293,7 +294,13 @@
uint8_t* p_buf;
uint8_t seq_len = 4 + desc_len;
- p_buf = (uint8_t*)osi_malloc(2048);
+ if (desc_len > HIDD_APP_DESCRIPTOR_LEN) {
+ HIDD_TRACE_ERROR("%s: descriptor length = %d, larger than max %d",
+ __func__, desc_len, HIDD_APP_DESCRIPTOR_LEN);
+ return HID_ERR_NOT_REGISTERED;
+ };
+
+ p_buf = (uint8_t*)osi_malloc(HIDD_APP_DESCRIPTOR_LEN + 6);
if (p_buf == NULL) {
HIDD_TRACE_ERROR("%s: Buffer allocation failure for size = 2048 ",
@@ -314,6 +321,10 @@
UINT8_TO_BE_STREAM(p, desc_len);
ARRAY_TO_BE_STREAM(p, p_desc_data, (int)desc_len);
+ if (desc_len > HIDD_APP_DESCRIPTOR_LEN - 6) {
+ android_errorWriteLog(0x534e4554, "113572366");
+ }
+
result &= SDP_AddAttribute(handle, ATTR_ID_HID_DESCRIPTOR_LIST,
DATA_ELE_SEQ_DESC_TYPE, p - p_buf, p_buf);
diff --git a/stack/include/hiddefs.h b/stack/include/hiddefs.h
index 8df616c..df01e7d 100644
--- a/stack/include/hiddefs.h
+++ b/stack/include/hiddefs.h
@@ -131,6 +131,8 @@
#define HID_SSR_PARAM_INVALID 0xffff
+#define HIDD_APP_DESCRIPTOR_LEN 2048
+
typedef struct sdp_info {
char svc_name[HID_MAX_SVC_NAME_LEN]; /*Service Name */
char svc_descr[HID_MAX_SVC_DESCR_LEN]; /*Service Description*/