author | venkata Jagadeesh <vjagad@codeaurora.org> | 2015-06-16 15:29:04 +0530 |
---|---|---|
committer | Linux Build Service Account <lnxbuild@localhost> | 2015-10-06 03:21:52 -0600 |
commit | 2626f0a4260c37742db898539b91f04cb758cc66 (patch) | |
tree | c3eafcdcd4c0153e31022dd73190e7c90bddb830 | |
parent | 257929ac3b056223e9bbf057363ed8b1a43bbd79 (diff) | |
SDP: Restricted invalid attr len in sdp delete
Restricted invalid attr len in SDP_DeleteAttribute as
pointer is trying to access invalid memory when attr_len
is invalid
Registering PNP record before PAN profile, as the PNP record
should be registered before profiles. In some cases PAN and
PNP SDP registration collide, leading to memory
corruption in the SDP DB.
Change-Id: Ib6d2120c7ef1d10633fa905d6b853281efaf0ecd
Bluetooth: Cleanup ACL link during restarting pending ACL connection
This fix removes the previously held ACL link with the BR_EDR
device before trying to create a new pending connection with the
same device.
Change-Id: Iac941794e2fc86c48781edc86492146ab5c21eae
Bluetooth: Cleanup the lcb variables properly on reuse
- Cleanup all relevant link control block variables
like send_not_acked, partial_segment_being_sent
and stop the info response timer to reuse the same
LCB.
- L2cap layer will reuse the same lcb if the link is
disconnected and wants to re-establish the link.
Change-Id: I822b0ee350574bbeb5b3c86a349d1471fa45761a
CRs-Fixed: 885782
Change-Id: I15f83b5c1a88d248d29080123ebbf4652f2cb340
-rw-r--r-- | btif/src/btif_core.c | 6 | ||||
-rw-r--r-- | stack/l2cap/l2c_link.c | 22 | ||||
-rw-r--r-- | stack/sdp/sdp_db.c | 9 |
3 files changed, 33 insertions, 4 deletions
diff --git a/btif/src/btif_core.c b/btif/src/btif_core.c
index 9a7de4cd5..5695017b2 100644
--- a/btif/src/btif_core.c
+++ b/btif/src/btif_core.c
@@ -513,12 +513,12 @@ void btif_enable_bluetooth_evt(tBTA_STATUS status)
     /* init rfcomm & l2cap api */
     btif_sock_init();
 
-    /* init pan */
-    btif_pan_init();
-
     /* load did configuration */
     bte_load_did_conf(BTE_DID_CONF_FILE);
 
+    /* init pan */
+    btif_pan_init();
+
 #ifdef BTIF_DM_OOB_TEST
     btif_dm_load_local_oob();
 #endif
diff --git a/stack/l2cap/l2c_link.c b/stack/l2cap/l2c_link.c
index 6cda75d3a..749ce4dea 100644
--- a/stack/l2cap/l2c_link.c
+++ b/stack/l2cap/l2c_link.c
@@ -541,6 +541,28 @@ BOOLEAN l2c_link_hci_disc_comp (UINT16 handle, UINT8 reason)
                 transport = BT_TRANSPORT_LE;
             }
 #endif
+            if (p_lcb->transport == BT_TRANSPORT_BR_EDR)
+            {
+                if (p_lcb->sent_not_acked > 0)
+                {
+                    l2cb.controller_xmit_window += p_lcb->sent_not_acked;
+                    if (l2cb.controller_xmit_window > l2cb.num_lm_acl_bufs)
+                    {
+                        l2cb.controller_xmit_window = l2cb.num_lm_acl_bufs;
+                    }
+                    p_lcb->sent_not_acked = 0;
+                }
+                p_lcb->partial_segment_being_sent = FALSE;
+
+                /* Stop the link connect timer if sent */
+                if (p_lcb->w4_info_rsp)
+                {
+                    btu_stop_timer (&p_lcb->info_timer_entry);
+                    p_lcb->w4_info_rsp = FALSE;
+                }
+
+                btm_acl_removed(p_lcb->remote_bd_addr, BT_TRANSPORT_BR_EDR);
+            }
             if (l2cu_create_conn(p_lcb, transport))
                 lcb_is_free = FALSE; /* still using this lcb */
         }
diff --git a/stack/sdp/sdp_db.c b/stack/sdp/sdp_db.c
index ea8fa8756..dd7e785a6 100644
--- a/stack/sdp/sdp_db.c
+++ b/stack/sdp/sdp_db.c
@@ -907,7 +907,14 @@ BOOLEAN SDP_DeleteAttribute (UINT32 handle, UINT16 attr_id)
         {
             pad_ptr = p_attr->value_ptr;
             len = p_attr->len;
-
+            if (p_rec->free_pad_ptr + p_attr->len >= SDP_MAX_PAD_LEN)
+            {
+                SDP_TRACE_ERROR("Deleting attr_id 0x%04x len %d exceeds 600", attr_id, len);
+                if (p_attr->type == TEXT_STR_DESC_TYPE)
+                    len = SDP_MAX_PAD_LEN - p_rec->free_pad_ptr;
+                else
+                    len = 0;
+            }
             if (len)
             {
                 for (yy = 0; yy < p_rec->num_attributes; yy++)
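Review bot: The ordering constraint that this reorder enforces is not recorded in the code, so the moved `/* init pan */` comment gives a future maintainer no reason not to move `btif_pan_init()` back above `bte_load_did_conf()`. The commit message is the only place that says the DID/PNP SDP record must be registered before profile records and that the old order could collide in the SDP DB. Suggest replacing the comment on the new side with `/* init pan: must run after bte_load_did_conf() so the DID (PNP) SDP record is registered before any profile record; the reverse order can corrupt the SDP DB */`. btif_enable_bluetooth_evt begins and ends outside this hunk.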
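Review bot: The comment `/* Stop the link connect timer if sent */` in the new BR_EDR block describes the wrong timer: the guarded call is `btu_stop_timer (&p_lcb->info_timer_entry)` under `w4_info_rsp`, i.e. the information-response timer the commit message refers to, not a connect timer. Suggest `/* Stop the pending info-response timer so it cannot fire against this lcb once it is reused for the new connection */`. The restore of `controller_xmit_window` from `sent_not_acked`, clamped to `num_lm_acl_bufs`, looks like the same reset that lcb release performs elsewhere in the L2CAP code; if so, a shared static helper would keep the two copies from drifting apart, which is worth confirming against l2c_utils. l2c_link_hci_disc_comp begins and ends outside this hunk.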
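Review bot: The new error message hardcodes `exceeds 600` while the guard compares against `SDP_MAX_PAD_LEN`, so the log will misreport the limit if the macro changes; use `SDP_TRACE_ERROR("Deleting attr_id 0x%04x len %d exceeds %d", attr_id, len, SDP_MAX_PAD_LEN);`. The guard itself tests `free_pad_ptr + p_attr->len`, the current fill level plus the attribute length, rather than the attribute's own offset within the pad (`pad_ptr - p_rec->pad`) plus `len`; a corrupted `len` that is too large for the attribute but still below `SDP_MAX_PAD_LEN - free_pad_ptr` would pass and reach the shifting loop that follows, which is outside this hunk and worth checking. The TEXT_STR_DESC_TYPE branch clamps `len` to the remaining pad room instead of rejecting the record, and a one-line comment explaining why a truncated delete is preferred there would help the next reader. SDP_DeleteAttribute begins and ends outside this hunk.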