author | Matadeen Mishra <matade@codeaurora.org> | 2015-08-21 09:47:05 +0530 |
---|---|---|
committer | Linux Build Service Account <lnxbuild@localhost> | 2015-10-06 03:22:00 -0600 |
commit | fada44256f77be2e7cdf1b6089c15c4b08a76046 (patch) | |
tree | 3a19278722436dd7dfc10c723f1feacb1632754b /stack/mcap/mca_dsm.c | |
parent | c50610c030fc7b0bd547750a9851b772d836391a (diff) | |
BT: Fixed Static Analysis Issues
- This fix avoids NULL pointer dereferences,
Array Index Out of Bounds Exceptions
and Banned function in the bluedroid code
space of Bluetooth.
CRs-Fixed: 890309, 890321
Change-Id: I24ae794ee01b65b5ab15c73cd82677b0481910ad
Diffstat (limited to 'stack/mcap/mca_dsm.c')
-rw-r--r-- | stack/mcap/mca_dsm.c | 38 |
1 files changed, 31 insertions, 7 deletions
diff --git a/stack/mcap/mca_dsm.c b/stack/mcap/mca_dsm.c index 8b57a695f..39daa336d 100644 --- a/stack/mcap/mca_dsm.c +++ b/stack/mcap/mca_dsm.c @@ -154,7 +154,7 @@ void mca_dcb_event(tMCA_DCB *p_dcb, UINT8 event, tMCA_DCB_EVT *p_data) p_dcb->state = state_table[event][MCA_DCB_NEXT_STATE]; /* execute action functions */ - if ((action = state_table[event][MCA_DCB_ACT_COL]) != MCA_DCB_IGNORE) + if ((action = state_table[event][MCA_DCB_ACT_COL]) < MCA_DCB_IGNORE) { (*mca_dcb_action[action])(p_dcb, p_data); } @@ -175,13 +175,21 @@ tMCA_DCB *mca_dcb_alloc(tMCA_CCB*p_ccb, tMCA_DEP dep) tMCA_DCB *p_dcb = NULL, *p_dcb_tmp; tMCA_RCB *p_rcb = p_ccb->p_rcb; tMCA_CS *p_cs; - int i, max; + unsigned int i, max; if (dep < MCA_NUM_DEPS) { p_cs = &p_rcb->dep[dep]; i = mca_ccb_to_hdl(p_ccb)-1; - p_dcb_tmp = &mca_cb.dcb[i*MCA_NUM_MDLS]; + if( i*MCA_NUM_MDLS < MCA_NUM_DCBS) + { + p_dcb_tmp = &mca_cb.dcb[i*MCA_NUM_MDLS]; + } + else + { + MCA_TRACE_WARNING("dcb index out of range"); + return 0; + } /* make sure p_cs->max_mdl is smaller than MCA_NUM_MDLS at MCA_CreateDep */ max = p_cs->max_mdl; for (i=0; i<max; i++, p_dcb_tmp++) @@ -215,7 +223,7 @@ UINT8 mca_dep_free_mdl(tMCA_CCB *p_ccb, tMCA_DEP dep) tMCA_DCB *p_dcb; tMCA_RCB *p_rcb = p_ccb->p_rcb; tMCA_CS *p_cs; - int i, max; + unsigned int i, max; UINT8 count = 0; UINT8 left; @@ -223,7 +231,15 @@ UINT8 mca_dep_free_mdl(tMCA_CCB *p_ccb, tMCA_DEP dep) { p_cs = &p_rcb->dep[dep]; i = mca_ccb_to_hdl(p_ccb)-1; - p_dcb = &mca_cb.dcb[i * MCA_NUM_MDLS]; + if( i*MCA_NUM_MDLS < MCA_NUM_DCBS) + { + p_dcb = &mca_cb.dcb[i * MCA_NUM_MDLS]; + } + else + { + MCA_TRACE_WARNING("dcb index out of range"); + return 0; + } /* make sure p_cs->max_mdl is smaller than MCA_NUM_MDLS at MCA_CreateDep */ max = p_cs->max_mdl; for (i=0; i<max; i++, p_dcb++) 
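Review bot: In mca_dcb_event the new `action < MCA_DCB_IGNORE` test bounds the `mca_dcb_action[action]` call only if MCA_DCB_IGNORE equals the number of entries in that table, and nothing in the hunk ties the two together. I would state the invariant next to the test, for example `/* MCA_DCB_IGNORE is the first value past the last mca_dcb_action[] entry */`, or compare against the array's element count directly. `event` also indexes `state_table` twice on these lines without a visible range check; the function body starts outside the hunk, so that check may exist earlier.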
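Review bot: The added guard in mca_dcb_alloc checks only the first slot, `i*MCA_NUM_MDLS < MCA_NUM_DCBS`, while the loop after it walks `p_cs->max_mdl` entries from that slot and relies on the comment about MCA_CreateDep to stay inside `mca_cb.dcb`. Because `i` is now unsigned, a handle of 0 wraps in `mca_ccb_to_hdl(p_ccb)-1` and the product can in principle wrap as well, so the test is safer written without the multiplication and with the span included: `if (i < MCA_NUM_DCBS / MCA_NUM_MDLS && p_cs->max_mdl <= MCA_NUM_MDLS)`. The failure path should be `return NULL;` rather than `return 0;` in this pointer-returning function. The same guard is repeated in mca_dep_free_mdl and mca_dcb_close_by_mdl_id, and `p_ccb->p_rcb` is still dereferenced in the declarations before any NULL check is visible.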
@@ -323,11 +339,19 @@ tMCA_DCB *mca_dcb_by_hdl(tMCA_DL hdl) void mca_dcb_close_by_mdl_id(tMCA_CCB*p_ccb, UINT16 mdl_id) { tMCA_DCB *p_dcb; - int i; + unsigned int i; MCA_TRACE_DEBUG("mca_dcb_close_by_mdl_id mdl_id=%d", mdl_id); i = mca_ccb_to_hdl(p_ccb)-1; - p_dcb = &mca_cb.dcb[i*MCA_NUM_MDLS]; + if(i*MCA_NUM_MDLS < MCA_NUM_DCBS) + { + p_dcb = &mca_cb.dcb[i*MCA_NUM_MDLS]; + } + else + { + MCA_TRACE_WARNING("dcb index out of range"); + return 0; + } for (i=0; i<MCA_NUM_MDLS; i++, p_dcb++) { if (p_dcb->state) |
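Review bot: mca_dcb_close_by_mdl_id is declared `void`, but the added out-of-range branch ends with `return 0;`, which C does not permit in a function returning void and which compilers flag; it should be `return;`. The early return gives the caller no indication that nothing was closed, so the warning is the only trace of the rejected handle. If MCA_TRACE_WARNING accepts format arguments the way MCA_TRACE_DEBUG does above, logging the value, e.g. `MCA_TRACE_WARNING("dcb index out of range: %u", i);`, would make that trace usable. The function body continues past the end of the hunk.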