diff options
| author | Matadeen Mishra <matade@codeaurora.org> | 2015-09-04 16:52:26 +0530 |
|---|---|---|
| committer | Linux Build Service Account <lnxbuild@localhost> | 2015-10-06 03:22:15 -0600 |
| commit | c6d466c548ac3ba18d3cac5c3903c3ad93317685 (patch) | |
| tree | 2d141d024fae1e5072ed231942c1ad3c1edef215 | |
| parent | 2e14d2f4e2c287842865b50e19242ca69daa4a6c (diff) | |
| download | android_system_bt-c6d466c548ac3ba18d3cac5c3903c3ad93317685.tar.gz android_system_bt-c6d466c548ac3ba18d3cac5c3903c3ad93317685.tar.bz2 android_system_bt-c6d466c548ac3ba18d3cac5c3903c3ad93317685.zip | |
Bluedroid BT: Fixed Static Analysis Issues
- This fix avoids NULL pointer dereferences
and Array Index Out of Bounds Exceptions
in the bluedroid stack code space of Bluetooth.
Change-Id: I5a6fcfe6943918b324f5b36f72b1e0e338db5a3d
CRs-Fixed: 890309
| -rw-r--r-- | stack/smp/smp_br_main.c | 2 | ||||
| -rw-r--r-- | stack/smp/smp_main.c | 2 | ||||
| -rw-r--r-- | test/suite/cases/adapter.c | 22 |
3 files changed, 18 insertions, 8 deletions
diff --git a/stack/smp/smp_br_main.c b/stack/smp/smp_br_main.c index 11039ec20..ff12d0366 100644 --- a/stack/smp/smp_br_main.c +++ b/stack/smp/smp_br_main.c @@ -384,7 +384,7 @@ void smp_br_state_machine_event(tSMP_CB *p_cb, tSMP_BR_EVENT event, void *p_data /* execute action functions */ for (UINT8 i = 0; i < SMP_BR_NUM_ACTIONS; i++) { - if ((action = state_table[entry - 1][i]) != SMP_BR_SM_NO_ACTION) + if ((action = state_table[entry - 1][i]) < SMP_BR_SM_NO_ACTION) { (*smp_br_sm_action[action])(p_cb, (tSMP_INT_DATA *)p_data); } diff --git a/stack/smp/smp_main.c b/stack/smp/smp_main.c index 98d3e50fd..e05f934e1 100644 --- a/stack/smp/smp_main.c +++ b/stack/smp/smp_main.c @@ -816,7 +816,7 @@ void smp_sm_event(tSMP_CB *p_cb, tSMP_EVENT event, void *p_data) /* execute action functions */ for (i = 0; i < SMP_NUM_ACTIONS; i++) { - if ((action = state_table[entry-1][i]) != SMP_SM_NO_ACTION) + if ((action = state_table[entry-1][i]) < SMP_SM_NO_ACTION) { (*smp_sm_action[action])(p_cb, (tSMP_INT_DATA *)p_data); } diff --git a/test/suite/cases/adapter.c b/test/suite/cases/adapter.c index 280cfc676..651e0fcbb 100644 --- a/test/suite/cases/adapter.c +++ b/test/suite/cases/adapter.c @@ -52,9 +52,14 @@ bool adapter_set_name() { TASSERT(error == BT_STATUS_SUCCESS, "Error setting device name."); TASSERT(adapter_get_property_count() == 1, "Expected 1 adapter property change, found %d instead.", adapter_get_property_count()); TASSERT(adapter_get_property(BT_PROPERTY_BDNAME), "The Bluetooth name property did not change."); - TASSERT(property_equals(adapter_get_property(BT_PROPERTY_BDNAME), name), "Bluetooth name '%s' does not match test value", property_as_name(adapter_get_property(BT_PROPERTY_BDNAME))->name); - - property_free(name); + const bt_bdname_t *name_prop = property_as_name(adapter_get_property(BT_PROPERTY_BDNAME)); + if (name_prop) { + TASSERT(property_equals(adapter_get_property(BT_PROPERTY_BDNAME), name), "Bluetooth name '%s' does not match test value", name_prop->name); + } else { + TASSERT(name_prop != NULL, "Extracting Bluetooth Name property failed."); + } + if(name) + property_free(name); return true; } @@ -68,9 +73,14 @@ bool adapter_get_name() { TASSERT(error == BT_STATUS_SUCCESS, "Error getting device name."); TASSERT(adapter_get_property_count() == 1, "Expected 1 adapter property change, found %d instead.", adapter_get_property_count()); TASSERT(adapter_get_property(BT_PROPERTY_BDNAME), "The Bluetooth name property did not change."); - TASSERT(property_equals(adapter_get_property(BT_PROPERTY_BDNAME), name), "Bluetooth name '%s' does not match test value", property_as_name(adapter_get_property(BT_PROPERTY_BDNAME))->name); - - property_free(name); + const bt_bdname_t *name_prop = property_as_name(adapter_get_property(BT_PROPERTY_BDNAME)); + if (name_prop) { + TASSERT(property_equals(adapter_get_property(BT_PROPERTY_BDNAME), name), "Bluetooth name '%s' does not match test value", name_prop->name); + } else { + TASSERT(name_prop != NULL, "Extracting Bluetooth Name property failed."); + } + if(name) + property_free(name); return true; } |