diff options
author | Hansong Zhang <hsz@google.com> | 2019-02-01 17:45:30 -0800 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2019-07-07 14:49:22 +0200 |
commit | ad7555c9d783be7e360de0edf114f3da8da70b5f (patch) | |
tree | 30b1de1681c94d68c594b8f6bb8f1c2ea8ec71f1 /stack/l2cap/l2c_main.c | |
parent | 3d34ee18a6b5e16ddf77157103a1c3cc5a777d3b (diff) | |
download | android_system_bt-cm-13.0.tar.gz android_system_bt-cm-13.0.tar.bz2 android_system_bt-cm-13.0.zip |
resolve merge conflicts of ec78d74706c3e81f91eee53e3d9f959f66e5d77f to pi-devHEADreplicant-6.0-0004-transitionreplicant-6.0-0004-rc6replicant-6.0-0004-rc5-transitionreplicant-6.0-0004-rc5replicant-6.0-0004-rc4replicant-6.0-0004-rc3replicant-6.0-0004-rc2replicant-6.0-0004cm-13.0
Bug: None
Test: I solemnly swear I tested this conflict resolution.
Change-Id: Id658b3485fdc0025bc44850be9f23bb2d2146d9b
(cherry picked from commit 6c0f22f324ed0bdf9dea3e803e5ee6176d03fdb4)
Diffstat (limited to 'stack/l2cap/l2c_main.c')
-rw-r--r-- | stack/l2cap/l2c_main.c | 44 |
1 files changed, 34 insertions, 10 deletions
diff --git a/stack/l2cap/l2c_main.c b/stack/l2cap/l2c_main.c index 0ef1fbb6e..379d7608e 100644 --- a/stack/l2cap/l2c_main.c +++ b/stack/l2cap/l2c_main.c @@ -573,7 +573,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len) { case L2CAP_CFG_TYPE_MTU: cfg_info.mtu_present = TRUE; - if (p + 2 > p_next_cmd) { + if (cfg_len != 2) { + android_errorWriteLog(0x534e4554, "119870451"); + return; + } + if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } @@ -582,7 +586,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len) case L2CAP_CFG_TYPE_FLUSH_TOUT: cfg_info.flush_to_present = TRUE; - if (p + 2 > p_next_cmd) { + if (cfg_len != 2) { + android_errorWriteLog(0x534e4554, "119870451"); + return; + } + if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } @@ -591,9 +599,13 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len) case L2CAP_CFG_TYPE_QOS: cfg_info.qos_present = TRUE; - if (p + 2 + 5 * 4 > p_next_cmd) { - android_errorWriteLog(0x534e4554, "74202041"); - return; + if (cfg_len != 2 + 5 * 4) { + android_errorWriteLog(0x534e4554, "119870451"); + return; + } + if (p + cfg_len > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; } STREAM_TO_UINT8 (cfg_info.qos.qos_flags, p); STREAM_TO_UINT8 (cfg_info.qos.service_type, p); @@ -606,9 +618,13 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len) case L2CAP_CFG_TYPE_FCR: cfg_info.fcr_present = TRUE; - if (p + 3 + 3 * 2 > p_next_cmd) { - android_errorWriteLog(0x534e4554, "74202041"); - return; + if (cfg_len != 3 + 3 * 2) { + android_errorWriteLog(0x534e4554, "119870451"); + return; + } + if (p + cfg_len > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; } STREAM_TO_UINT8 (cfg_info.fcr.mode, p); STREAM_TO_UINT8 (cfg_info.fcr.tx_win_sz, p); @@ -620,7 +636,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len) case L2CAP_CFG_TYPE_FCS: cfg_info.fcs_present = TRUE; - if (p + 1 > p_next_cmd) { + if (cfg_len != 1) { + android_errorWriteLog(0x534e4554, "119870451"); + return; + } + if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } @@ -629,7 +649,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len) case L2CAP_CFG_TYPE_EXT_FLOW: cfg_info.ext_flow_spec_present = TRUE; - if (p + 2 + 2 + 3 * 4 > p_next_cmd) { + if (cfg_len != 2 + 2 + 3 * 4) { + android_errorWriteLog(0x534e4554, "119870451"); + return; + } + if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } |