34 files changed, 179 insertions, 73 deletions
diff --git a/bta/dm/bta_dm_main.c b/bta/dm/bta_dm_main.c index b12a11ed1..4645760e3 100644 --- a/bta/dm/bta_dm_main.c +++ b/bta/dm/bta_dm_main.c @@ -360,7 +360,7 @@ BOOLEAN bta_dm_search_sm_execute(BT_HDR *p_msg) /* execute action functions */ for (i = 0; i < BTA_DM_SEARCH_ACTIONS; i++) { - if ((action = state_table[p_msg->event & 0x00ff][i]) != BTA_DM_SEARCH_IGNORE) + if ((action = state_table[p_msg->event & 0x00ff][i]) < BTA_DM_SEARCH_IGNORE) { (*bta_dm_search_action[action])( (tBTA_DM_MSG*) p_msg); } diff --git a/bta/hf_client/bta_hf_client_main.c b/bta/hf_client/bta_hf_client_main.c index 0286284f4..f5244b78c 100644 --- a/bta/hf_client/bta_hf_client_main.c +++ b/bta/hf_client/bta_hf_client_main.c @@ -505,7 +505,7 @@ void bta_hf_client_sm_execute(UINT16 event, tBTA_HF_CLIENT_DATA *p_data) /* execute action functions */ for (i = 0; i < BTA_HF_CLIENT_ACTIONS; i++) { - if ((action = state_table[event][i]) != BTA_HF_CLIENT_IGNORE) + if ((action = state_table[event][i]) < BTA_HF_CLIENT_IGNORE) { (*bta_hf_client_action[action])(p_data); } diff --git a/bta/hl/bta_hl_main.c b/bta/hl/bta_hl_main.c index 86fdd17e3..abb43a9f6 100644 --- a/bta/hl/bta_hl_main.c +++ b/bta/hl/bta_hl_main.c @@ -440,7 +440,7 @@ void bta_hl_cch_sm_execute(UINT8 app_idx, UINT8 mcl_idx, for (i = 0; i < BTA_HL_CCH_ACTIONS; i++) { - if ((action = state_table[event][i]) != BTA_HL_CCH_IGNORE) + if ((action = state_table[event][i]) < BTA_HL_CCH_IGNORE) { (*bta_hl_cch_action[action])(app_idx, mcl_idx, p_data); } @@ -497,7 +497,7 @@ void bta_hl_dch_sm_execute(UINT8 app_idx, UINT8 mcl_idx, UINT8 mdl_idx, for (i = 0; i < BTA_HL_DCH_ACTIONS; i++) { - if ((action = state_table[event][i]) != BTA_HL_DCH_IGNORE) + if ((action = state_table[event][i]) < BTA_HL_DCH_IGNORE) { (*bta_hl_dch_action[action])(app_idx, mcl_idx, mdl_idx, p_data); } diff --git a/bta/jv/bta_jv_act.c b/bta/jv/bta_jv_act.c index 2ad86a132..063e676e0 100644 --- a/bta/jv/bta_jv_act.c +++ b/bta/jv/bta_jv_act.c 
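Review bot: The new `< BTA_DM_SEARCH_IGNORE` test in bta_dm_search_sm_execute only bounds the action index if BTA_DM_SEARCH_IGNORE is exactly the number of entries in bta_dm_search_action[], and nothing in this hunk records that invariant. A comment on the line, `/* IGNORE doubles as the action-table size: any index >= it is dropped */`, plus a compile-time size check where the table is defined, would keep a later table edit from silently re-opening the out-of-range call. The row index `p_msg->event & 0x00ff` into state_table is still taken on trust here; if the caller does not guarantee it is below the table's row count, the same class of problem remains one level up. The same change is made in bta_hf_client_main.c, both bta_hl_main.c hunks, bta_sys_main.c, mca_csm.c (@@ -202) and mca_dsm.c (@@ -154), and the same comment applies there.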
@@ -1493,8 +1493,12 @@ static void bta_jv_port_mgmt_cl_cback(UINT32 code, UINT16 port_handle) tBTA_JV_RFCOMM_CBACK *p_cback; /* the callback function */ APPL_TRACE_DEBUG( "bta_jv_port_mgmt_cl_cback:code:%d, port_handle%d", code, port_handle); - if(NULL == p_cb || NULL == p_cb->p_cback) + if(NULL == p_cb || NULL == p_cb->p_cback || NULL == p_pcb) + { + APPL_TRACE_ERROR( "bta_jv_port_mgmt_cl_cback, p_cb:%p, p_cb->p_cback:%p, p_pcb", + p_cb, p_cb ? p_cb->p_cback : NULL, p_pcb); return; + } APPL_TRACE_DEBUG( "bta_jv_port_mgmt_cl_cback code=%d port_handle:%d handle:%d", code, port_handle, p_cb->handle); @@ -1544,8 +1548,12 @@ static void bta_jv_port_event_cl_cback(UINT32 code, UINT16 port_handle) tBTA_JV evt_data; APPL_TRACE_DEBUG( "bta_jv_port_event_cl_cback:%d", port_handle); - if (NULL == p_cb || NULL == p_cb->p_cback) + if (NULL == p_cb || NULL == p_cb->p_cback || NULL == p_pcb) + { + APPL_TRACE_ERROR( "bta_jv_port_event_cl_cback, p_cb:%p, p_cb->p_cback:%p, p_pcb", + p_cb, p_cb ? p_cb->p_cback : NULL, p_pcb); return; + } APPL_TRACE_DEBUG( "bta_jv_port_event_cl_cback code=x%x port_handle:%d handle:%d", code, port_handle, p_cb->handle); @@ -1756,7 +1764,7 @@ static void bta_jv_port_mgmt_sr_cback(UINT32 code, UINT16 port_handle) BD_ADDR rem_bda; UINT16 lcid; APPL_TRACE_DEBUG("bta_jv_port_mgmt_sr_cback, code:%d, port_handle:%d", code, port_handle); - if (NULL == p_cb || NULL == p_cb->p_cback) + if (NULL == p_cb || NULL == p_cb->p_cback || NULL == p_pcb) { APPL_TRACE_ERROR("bta_jv_port_mgmt_sr_cback, p_cb:%p, p_cb->p_cback%p", p_cb, p_cb ? p_cb->p_cback : NULL); diff --git a/bta/sys/bta_sys_main.c b/bta/sys/bta_sys_main.c index 62362f40c..d85f37c4a 100644 --- a/bta/sys/bta_sys_main.c +++ b/bta/sys/bta_sys_main.c 
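Review bot: The new APPL_TRACE_ERROR in bta_jv_port_mgmt_cl_cback passes three arguments to a format string with only two `%p` conversions, so `p_pcb` is never printed and the literal text `, p_pcb` is logged instead; the identical line is added in bta_jv_port_event_cl_cback, and the third hunk (bta_jv_port_mgmt_sr_cback) extends its condition with `NULL == p_pcb` but leaves the existing trace without the value. Change the format to `"bta_jv_port_mgmt_cl_cback, p_cb:%p, p_cb->p_cback:%p, p_pcb:%p"` (and likewise in the event callback) so the logged message matches the values that failed the check. All three functions start before their hunks, so where `p_pcb` is looked up is not visible here.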
@@ -235,7 +235,7 @@ BOOLEAN bta_sys_sm_execute(BT_HDR *p_msg) /* execute action functions */ for (i = 0; i < BTA_SYS_ACTIONS; i++) { - if ((action = state_table[p_msg->event & 0x00ff][i]) != BTA_SYS_IGNORE) + if ((action = state_table[p_msg->event & 0x00ff][i]) < BTA_SYS_IGNORE) { (*bta_sys_action[action])( (tBTA_SYS_HW_MSG*) p_msg); } diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c index 0236baf27..6bbfbe386 100644 --- a/btif/src/btif_dm.c +++ b/btif/src/btif_dm.c @@ -2208,14 +2208,14 @@ static void bte_search_devices_evt(tBTA_DM_SEARCH_EVT event, tBTA_DM_SEARCH *p_d { case BTA_DM_INQ_RES_EVT: { - if (p_data->inq_res.p_eir) + if ( p_data && p_data->inq_res.p_eir) param_len += HCI_EXT_INQ_RESPONSE_LEN; } break; case BTA_DM_DISC_RES_EVT: { - if (p_data->disc_res.raw_data_size && p_data->disc_res.p_raw_data) + if (p_data && p_data->disc_res.raw_data_size && p_data->disc_res.p_raw_data) param_len += p_data->disc_res.raw_data_size; } break; @@ -2223,7 +2223,7 @@ static void bte_search_devices_evt(tBTA_DM_SEARCH_EVT event, tBTA_DM_SEARCH *p_d BTIF_TRACE_DEBUG("%s event=%s param_len=%d", __FUNCTION__, dump_dm_search_event(event), param_len); /* if remote name is available in EIR, set teh flag so that stack doesnt trigger RNR */ - if (event == BTA_DM_INQ_RES_EVT) + if (p_data && event == BTA_DM_INQ_RES_EVT) p_data->inq_res.remt_name_not_required = check_eir_remote_name(p_data, NULL, NULL); btif_transfer_context (btif_dm_search_devices_evt , (UINT16) event, (void *)p_data, param_len, @@ -2249,7 +2249,7 @@ static void bte_dm_search_services_evt(tBTA_DM_SEARCH_EVT event, tBTA_DM_SEARCH { case BTA_DM_DISC_RES_EVT: { - if ((p_data->disc_res.result == BTA_SUCCESS) && (p_data->disc_res.num_uuids > 0)) { + if (( p_data && p_data->disc_res.result == BTA_SUCCESS) && (p_data->disc_res.num_uuids > 0)) { param_len += (p_data->disc_res.num_uuids * MAX_UUID_SIZE); } } break; diff --git a/btif/src/btif_sock_thread.c b/btif/src/btif_sock_thread.c index 5a0ba45b7..5dc0e3038 100644 
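Review bot: In bte_search_devices_evt the added `p_data &&` guards protect the trace and the `param_len` computation, but the very next statement still hands the same possibly-NULL `p_data` to btif_transfer_context with `param_len` unchanged, so if `param_len` starts at the size of the structure (initialised outside this hunk) the copy would still dereference NULL. If a NULL `p_data` is a real case worth defending, return early once at the top of the function, e.g. `if (!p_data) { BTIF_TRACE_ERROR("%s: p_data is NULL", __FUNCTION__); return; }`, instead of guarding each use; if it is not a real case, the scattered guards only hide the assumption. The bte_dm_search_services_evt hunk has the same shape. The inconsistent spacing in `if ( p_data &&` and `(( p_data &&` is worth tidying while the lines are touched.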
--- a/btif/src/btif_sock_thread.c +++ b/btif/src/btif_sock_thread.c @@ -591,7 +591,7 @@ static void prepare_poll_fds(int h, struct pollfd* pfds) ps_i, MAX_POLL, count, ts[h].poll_count); return; } - if(ts[h].ps[ps_i].pfd.fd >= 0) + if(ts[h].ps[ps_i].pfd.fd >= 0 && pfd_i < MAX_POLL) { pfds[pfd_i] = ts[h].ps[ps_i].pfd; ts[h].psi[pfd_i] = ps_i; diff --git a/btif/src/btif_storage.c b/btif/src/btif_storage.c index 9603e1190..aaab5d6cc 100644 --- a/btif/src/btif_storage.c +++ b/btif/src/btif_storage.c @@ -288,14 +288,15 @@ static int prop2cfg(bt_bdaddr_t *remote_bd_addr, bt_property_t *prop) uint32_t i; char buf[64]; value[0] = 0; + int size = sizeof(value); for (i=0; i < (prop->len)/sizeof(bt_uuid_t); i++) { bt_uuid_t *p_uuid = (bt_uuid_t*)prop->val + i; memset(buf, 0, sizeof(buf)); uuid_to_string_legacy(p_uuid, buf); - strcat(value, buf); + strlcat(value, buf, size); //strcat(value, ";"); - strcat(value, " "); + strlcat(value, " ", size); } btif_config_set_str(bdstr, BTIF_STORAGE_PATH_REMOTE_SERVICE, value); /* save UUIDs immediately */ diff --git a/gki/common/gki_buffer.c b/gki/common/gki_buffer.c index 633b2223a..9f7e329fe 100644 --- a/gki/common/gki_buffer.c +++ b/gki/common/gki_buffer.c @@ -88,6 +88,7 @@ static void gki_init_free_queue (UINT8 id, UINT16 size, UINT16 total, void *p_me hdr = (BUFFER_HDR_T *)((UINT8 *)hdr + act_size); hdr1->p_next = hdr; } + if(hdr1) hdr1->p_next = NULL; p_cb->freeq[id]._p_last = hdr1; } diff --git a/osi/src/config.c b/osi/src/config.c index 11a5baf72..cf5dfc8c3 100644 --- a/osi/src/config.c +++ b/osi/src/config.c 
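Review bot: The new `pfd_i < MAX_POLL` condition in prepare_poll_fds silently skips every remaining descriptor once the output array is full, whereas the `ps_i` overflow check just above it logs the counts and returns. For consistency and diagnosability, stop with the same trace once the limit is reached, e.g. `if (pfd_i >= MAX_POLL) { /* same trace as the ps_i check above */ return; }` placed before the `fd >= 0` test, rather than folding the bound into that condition. The function starts before this hunk, so how `pfd_i` is advanced is not visible here.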
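Review bot: The strlcat calls in prop2cfg now truncate safely, but neither return value is checked, so a UUID list that does not fit in `value` is silently stored with its tail cut off, possibly in the middle of a UUID. Compare the return value with `size` and log once on truncation, e.g. `if (strlcat(value, buf, size) >= (size_t)size) { BTIF_TRACE_WARNING("%s: UUID list truncated", __FUNCTION__); break; }`. `size` should be declared `size_t` rather than `int` to match strlcat's parameter, and the dead `//strcat(value, ";");` line could go now that the adjacent lines are rewritten.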
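Review bot: `if(hdr1) hdr1->p_next = NULL;` in gki_init_free_queue puts a conditional and its statement on one line without braces, unlike the surrounding code. Write it as a braced two-line `if` and add a one-line comment saying why the tail is terminated here (the loop above only links each header forward). When `hdr1` is NULL the following `_p_last = hdr1` still records a NULL tail, which is presumably the intended empty-queue state but is worth stating in that comment.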
@@ -184,8 +184,14 @@ void config_set_string(config_t *config, const char *section, const char *key, c section_t *sec = section_find(config, section); if (!sec) { sec = section_new(section); + if (sec) list_append(config->sections, sec); + else + { + ALOGE("%s: Unable to allocate memory for section", __func__); + return; } + } for (const list_node_t *node = list_begin(sec->entries); node != list_end(sec->entries); node = list_next(node)) { entry_t *entry = list_node(node); diff --git a/stack/btm/btm_acl.c b/stack/btm/btm_acl.c index c05a39ec9..8e1872b0e 100644 --- a/stack/btm/btm_acl.c +++ b/stack/btm/btm_acl.c @@ -1618,7 +1618,7 @@ BOOLEAN BTM_TryAllocateSCN(UINT8 scn) /* Make sure we don't exceed max port range. * Stack reserves scn 1 for HFP, HSP we still do the correct way. */ - if ( (scn>=BTM_MAX_SCN) || (scn == 1) ) + if ( (scn>=BTM_MAX_SCN) || (scn <= 1) ) return FALSE; /* check if this port is available */ @@ -1643,7 +1643,7 @@ BOOLEAN BTM_TryAllocateSCN(UINT8 scn) BOOLEAN BTM_FreeSCN(UINT8 scn) { BTM_TRACE_DEBUG ("BTM_FreeSCN "); - if (scn <= BTM_MAX_SCN) + if (scn <= BTM_MAX_SCN && scn > 0) { btm_cb.btm_scn[scn-1] = FALSE; return(TRUE); diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c index f841148a4..a75745fb2 100644 --- a/stack/btm/btm_ble_gap.c +++ b/stack/btm/btm_ble_gap.c @@ -1364,11 +1364,11 @@ UINT8 *btm_ble_build_adv_data(tBTM_BLE_AD_MASK *p_data_mask, UINT8 **p_dst, data_mask &= ~BTM_BLE_AD_BIT_FLAGS; } /* appearance data */ - if (len > 3 && data_mask & BTM_BLE_AD_BIT_APPEARANCE) + if (len > 3 && data_mask & BTM_BLE_AD_BIT_APPEARANCE && p_data) { *p++ = 3; /* length */ *p++ = BTM_BLE_AD_TYPE_APPEARANCE; - UINT16_TO_STREAM(p, p_data->appearance); + UINT16_TO_STREAM(p, p_data->appearance ); len -= 4; data_mask &= ~BTM_BLE_AD_BIT_APPEARANCE; 
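Review bot: The error path added to config_set_string is correct but hard to read: the unbraced `if (sec)` and the new `else` block reuse the pre-existing closing brace of the `if (!sec)` block, so the indentation no longer shows which `}` closes what. An early-return form keeps the braces conventional: `sec = section_new(section); if (!sec) { ALOGE("%s: Unable to allocate memory for section", __func__); return; } list_append(config->sections, sec);`. Since config_set_string is void the caller cannot learn that the key was dropped; if callers depend on the write, that limitation deserves a comment at the `return`.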
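Review bot: The two bounds in btm_acl.c now disagree: BTM_TryAllocateSCN rejects `scn >= BTM_MAX_SCN` while BTM_FreeSCN accepts `scn <= BTM_MAX_SCN`, and both index `btm_scn[scn-1]`. If btm_scn has BTM_MAX_SCN entries, FreeSCN's bound is the right one and TryAllocateSCN refuses the last valid channel; if it has fewer, FreeSCN writes one past the end. Pick one bound, ideally expressed against the array size, and state it next to the check, e.g. `/* valid scn: 2..BTM_MAX_SCN, stored at btm_scn[scn-1] */`.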
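Review bot: The `&& p_data` guard is added only to the appearance block of btm_ble_build_adv_data here and to the TX-power block in @@ -1412, while the other blocks that read `p_data` (the manufacturer-data block whose tail is visible in @@ -1412) appear to keep dereferencing it unguarded; a single check at the top of the function, or a comment stating that `p_data` may legitimately be NULL when no data-bearing bits are set, would make the contract explicit. The edit to `UINT16_TO_STREAM(p, p_data->appearance );` only adds a stray space and should be dropped from the diff. Mixing `&` and `&&` without parentheses in `len > 3 && data_mask & BTM_BLE_AD_BIT_APPEARANCE && p_data` is correct by precedence but easy to misread; `(data_mask & BTM_BLE_AD_BIT_APPEARANCE)` helps. The function begins before the hunk.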
@@ -1412,7 +1412,7 @@ UINT8 *btm_ble_build_adv_data(tBTM_BLE_AD_MASK *p_data_mask, UINT8 **p_dst, data_mask &= ~BTM_BLE_AD_BIT_MANU; } /* TX power */ - if (len > MIN_ADV_LENGTH && data_mask & BTM_BLE_AD_BIT_TX_PWR) + if (len > MIN_ADV_LENGTH && data_mask & BTM_BLE_AD_BIT_TX_PWR && p_data) { *p++ = MIN_ADV_LENGTH; *p++ = BTM_BLE_AD_TYPE_TX_PWR; diff --git a/stack/btm/btm_pm.c b/stack/btm/btm_pm.c index a3ee1f36e..d6f13c453 100644 --- a/stack/btm/btm_pm.c +++ b/stack/btm/btm_pm.c @@ -208,7 +208,7 @@ tBTM_STATUS BTM_SetPowerMode (UINT8 pm_id, BD_ADDR remote_bda, tBTM_PM_PWR_MD *p /* check if the requested mode is supported */ ind = mode - BTM_PM_MD_HOLD; /* make it base 0 */ p_features = BTM_ReadLocalFeatures(); - if( !(p_features[ btm_pm_mode_off[ind] ] & btm_pm_mode_msk[ind] ) ) + if( ind < BTM_PM_NUM_SET_MODES && !(p_features[ btm_pm_mode_off[ind] ] & btm_pm_mode_msk[ind] ) ) return BTM_MODE_UNSUPPORTED; } diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c index f6e7b8f6a..487c175cd 100644 --- a/stack/btm/btm_sec.c +++ b/stack/btm/btm_sec.c @@ -224,10 +224,12 @@ static BOOLEAN btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC *p_dev_rec) *******************************************************************************/ static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec) { - if(BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id)) + if( p_serv_rec->service_id <= BTM_SEC_MAX_SERVICES && BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id)) { return(TRUE); } + else + BTM_TRACE_ERROR("BTM_Sec: Service Id: %d not found", p_serv_rec->service_id); return(FALSE); } 
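Review bot: The new `ind < BTM_PM_NUM_SET_MODES &&` in BTM_SetPowerMode inverts the intent of the range check: when `ind` is out of range the whole condition is false, the function does not return BTM_MODE_UNSUPPORTED, and the out-of-range mode proceeds instead of being rejected (only the table read is avoided). It should be `if (ind >= BTM_PM_NUM_SET_MODES || !(p_features[btm_pm_mode_off[ind]] & btm_pm_mode_msk[ind])) return BTM_MODE_UNSUPPORTED;`. Since `ind = mode - BTM_PM_MD_HOLD` is computed just above, a mode below BTM_PM_MD_HOLD would wrap or go negative depending on the type of `ind`, which this check should also cover. The function starts before the hunk.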
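Review bot: btm_serv_trusted now bounds `service_id` with `<= BTM_SEC_MAX_SERVICES`, but the caller context in the @@ -5820 hunk of the same file uses `service_id < BTM_SEC_MAX_SERVICES`; if BTM_SEC_MAX_SERVICES is the number of bits in trusted_mask, `<=` lets one out-of-range id through to the macro. Use `<` here to match. The new `else` also logs "not found" at ERROR level for every service that is merely not trusted, which is the normal path, so it will be noisy and misleading; log only when the id is actually out of range, or lower the message to debug level.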
@@ -5820,8 +5822,7 @@ static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec) { BTM_TRACE_EVENT ("service id:%d, is trusted:%d", p_dev_rec->p_cur_service->service_id, - (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, - p_dev_rec->p_cur_service->service_id))); + btm_serv_trusted(p_dev_rec,p_dev_rec->p_cur_service)); if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) && (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) && (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, diff --git a/stack/gatt/gatt_main.c b/stack/gatt/gatt_main.c index df1f939b7..a6c4b1628 100644 --- a/stack/gatt/gatt_main.c +++ b/stack/gatt/gatt_main.c @@ -507,7 +507,7 @@ static void gatt_channel_congestion(tGATT_TCB *p_tcb, BOOLEAN congested) { if (p_reg->in_use) { - if (p_reg->app_cb.p_congestion_cb) + if (p_reg->app_cb.p_congestion_cb && p_tcb) { conn_id = GATT_CREATE_CONN_ID(p_tcb->tcb_idx, p_reg->gatt_if); (*p_reg->app_cb.p_congestion_cb)(conn_id, congested); diff --git a/stack/l2cap/l2c_ble.c b/stack/l2cap/l2c_ble.c index 34fa4defd..e2990c6e8 100644 --- a/stack/l2cap/l2c_ble.c +++ b/stack/l2cap/l2c_ble.c @@ -877,7 +877,7 @@ static void l2cble_start_conn_update (tL2C_LCB *p_lcb) if (p_lcb->link_role == HCI_ROLE_MASTER #if (defined BLE_LLT_INCLUDED) && (BLE_LLT_INCLUDED == TRUE) || (HCI_LE_CONN_PARAM_REQ_SUPPORTED(controller_get_interface()->get_features_ble()->as_array) && - HCI_LE_CONN_PARAM_REQ_SUPPORTED(p_acl_cb->peer_le_features)) + (p_acl_cb && HCI_LE_CONN_PARAM_REQ_SUPPORTED(p_acl_cb->peer_le_features))) #endif ) { @@ -902,7 +902,7 @@ static void l2cble_start_conn_update (tL2C_LCB *p_lcb) if (p_lcb->link_role == HCI_ROLE_MASTER #if (defined BLE_LLT_INCLUDED) && (BLE_LLT_INCLUDED == TRUE) || (HCI_LE_CONN_PARAM_REQ_SUPPORTED(controller_get_interface()->get_features_ble()->as_array) && - HCI_LE_CONN_PARAM_REQ_SUPPORTED(p_acl_cb->peer_le_features)) + (p_acl_cb && HCI_LE_CONN_PARAM_REQ_SUPPORTED(p_acl_cb->peer_le_features))) #endif ) { 
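Review bot: In gatt_channel_congestion the new `&& p_tcb` is evaluated on every iteration of the loop although `p_tcb` is loop-invariant; checking it once before the loop (the loop header is outside this hunk) states the precondition in one place and avoids dispatching into a loop that can do nothing. The two l2c_ble.c hunks in l2cble_start_conn_update have the same shape, adding `p_acl_cb &&` separately inside each `#if BLE_LLT_INCLUDED` condition rather than once where `p_acl_cb` is obtained; if a NULL `p_acl_cb` is a genuine state there, a short comment on why the update is still attempted without it would help the next reader.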
diff --git a/stack/l2cap/l2c_fcr.c b/stack/l2cap/l2c_fcr.c index 3290cd796..1bac4fad6 100644 --- a/stack/l2cap/l2c_fcr.c +++ b/stack/l2cap/l2c_fcr.c @@ -1796,7 +1796,11 @@ BT_HDR *l2c_fcr_get_next_xmit_sdu_seg (tL2C_CCB *p_ccb, UINT16 max_packet_length if (GKI_getfirst(&p_ccb->fcrb.retrans_q)) { p_buf = (BT_HDR *)GKI_dequeue (&p_ccb->fcrb.retrans_q); - + if(!p_buf) + { + L2CAP_TRACE_ERROR ("L2CAP - GKI_dequeue returned queue as empty"); + return NULL; + } /* Update Rx Seq and FCS if we acked some packets while this one was queued */ prepare_I_frame (p_ccb, p_buf, TRUE); @@ -1856,6 +1860,11 @@ BT_HDR *l2c_fcr_get_next_xmit_sdu_seg (tL2C_CCB *p_ccb, UINT16 max_packet_length else /* Use the original buffer if no segmentation, or the last segment */ { p_xmit = (BT_HDR *)GKI_dequeue (&p_ccb->xmit_hold_q); + if (!p_xmit) + { + L2CAP_TRACE_ERROR ("L2CAP - GKI_dequeue returned queue as empty"); + return NULL; + } if (p_xmit->event != 0) last_seg = TRUE; diff --git a/stack/l2cap/l2c_utils.c b/stack/l2cap/l2c_utils.c index 4a1926850..dd572e3e1 100644 --- a/stack/l2cap/l2c_utils.c +++ b/stack/l2cap/l2c_utils.c @@ -980,8 +980,15 @@ void l2cu_send_peer_disc_req (tL2C_CCB *p_ccb) while (GKI_getfirst(&p_ccb->xmit_hold_q)) { p_buf2 = (BT_HDR *)GKI_dequeue (&p_ccb->xmit_hold_q); - l2cu_set_acl_hci_header (p_buf2, p_ccb); - l2c_link_check_send_pkts (p_ccb->p_lcb, p_ccb, p_buf2); + if (p_buf2 != NULL) + { + l2cu_set_acl_hci_header (p_buf2, p_ccb); + l2c_link_check_send_pkts (p_ccb->p_lcb, p_ccb, p_buf2); + } + else + { + L2CAP_TRACE_ERROR ("L2CAP - GKI_dequeue returned NULL"); + } } } diff --git a/stack/mcap/mca_cact.c b/stack/mcap/mca_cact.c index 7ac0efb0d..fd1779e06 100644 --- a/stack/mcap/mca_cact.c +++ b/stack/mcap/mca_cact.c 
@@ -108,8 +108,11 @@ void mca_ccb_snd_req(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data) p_dcb = mca_dcb_by_hdl(p_ccb->p_tx_req->dcb_idx); /* the Abort API does not have the associated mdl_id. * Get the mdl_id in dcb to compose the request */ - p_msg->mdl_id = p_dcb->mdl_id; - mca_dcb_event(p_dcb, MCA_DCB_API_CLOSE_EVT, NULL); + if(p_dcb) + { + p_msg->mdl_id = p_dcb->mdl_id; + mca_dcb_event(p_dcb, MCA_DCB_API_CLOSE_EVT, NULL); + } mca_free_buf ((void **)&p_ccb->p_tx_req); p_ccb->status = MCA_CCB_STAT_NORM; is_abort = TRUE; @@ -489,7 +492,7 @@ void mca_ccb_hdl_rsp(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data) if (chk_mdl) { p_dcb = mca_dcb_by_hdl(p_ccb->p_tx_req->dcb_idx); - if (evt_data.rsp.rsp_code == MCA_RSP_SUCCESS) + if (p_dcb && evt_data.rsp.rsp_code == MCA_RSP_SUCCESS) { if (evt_data.hdr.mdl_id != p_dcb->mdl_id) { diff --git a/stack/mcap/mca_csm.c b/stack/mcap/mca_csm.c index 0077f350d..e5ce9b3a8 100644 --- a/stack/mcap/mca_csm.c +++ b/stack/mcap/mca_csm.c @@ -202,7 +202,7 @@ void mca_ccb_event(tMCA_CCB *p_ccb, UINT8 event, tMCA_CCB_EVT *p_data) p_ccb->state = state_table[event][MCA_CCB_NEXT_STATE]; /* execute action functions */ - if ((action = state_table[event][MCA_CCB_ACT_COL]) != MCA_CCB_IGNORE) + if ((action = state_table[event][MCA_CCB_ACT_COL]) < MCA_CCB_IGNORE) { (*mca_ccb_action[action])(p_ccb, p_data); } @@ -368,10 +368,18 @@ BOOLEAN mca_ccb_uses_mdl_id(tMCA_CCB *p_ccb, UINT16 mdl_id) { BOOLEAN uses = FALSE; tMCA_DCB *p_dcb; - int i; + unsigned int i; i = mca_ccb_to_hdl(p_ccb)-1; - p_dcb = &mca_cb.dcb[i*MCA_NUM_MDLS]; + if (i*MCA_NUM_MDLS < MCA_NUM_DCBS) + { + p_dcb = &mca_cb.dcb[i*MCA_NUM_MDLS]; + } + else + { + MCA_TRACE_WARNING("dcb index out of range"); + return uses; + } for (i=0; i<MCA_NUM_MDLS; i++, p_dcb++) { if (p_dcb->state != MCA_DCB_NULL_ST && p_dcb->mdl_id == mdl_id) diff --git a/stack/mcap/mca_dsm.c b/stack/mcap/mca_dsm.c index 8b57a695f..39daa336d 100644 --- a/stack/mcap/mca_dsm.c +++ b/stack/mcap/mca_dsm.c 
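Review bot: When `p_dcb` is NULL in mca_ccb_snd_req, `p_msg->mdl_id` is now left at whatever the buffer already held and the request still appears to be composed and sent after the `if`; unless `p_msg` is zero-initialised elsewhere, the peer receives an abort for an arbitrary mdl_id. Either assign a defined value in an `else` branch, or treat a missing dcb as an error for the abort request with a trace such as `MCA_TRACE_WARNING("mca_ccb_snd_req: no dcb for abort");` and skip sending. The function starts before this hunk.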
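Review bot: The new bound `i*MCA_NUM_MDLS < MCA_NUM_DCBS` in mca_ccb_uses_mdl_id is evaluated on an `unsigned int` product, so a sufficiently large `i` (note `mca_ccb_to_hdl(p_ccb)-1` wraps when the handle is 0) can in principle overflow back below MCA_NUM_DCBS and pass the check. Compare the index itself, `if (i < MCA_NUM_DCBS / MCA_NUM_MDLS)`, which cannot wrap, and give it a comment such as `/* each ccb owns MCA_NUM_MDLS consecutive dcbs */`. The identical block is added in mca_dsm.c in mca_dcb_alloc (@@ -175), mca_dep_free_mdl (@@ -231) and mca_dcb_close_by_mdl_id (@@ -323); a small static helper returning the base dcb pointer or NULL would remove the four copies, and mca_dcb_alloc's new error path should return `NULL` rather than `0` for a pointer.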
@@ -154,7 +154,7 @@ void mca_dcb_event(tMCA_DCB *p_dcb, UINT8 event, tMCA_DCB_EVT *p_data) p_dcb->state = state_table[event][MCA_DCB_NEXT_STATE]; /* execute action functions */ - if ((action = state_table[event][MCA_DCB_ACT_COL]) != MCA_DCB_IGNORE) + if ((action = state_table[event][MCA_DCB_ACT_COL]) < MCA_DCB_IGNORE) { (*mca_dcb_action[action])(p_dcb, p_data); } @@ -175,13 +175,21 @@ tMCA_DCB *mca_dcb_alloc(tMCA_CCB*p_ccb, tMCA_DEP dep) tMCA_DCB *p_dcb = NULL, *p_dcb_tmp; tMCA_RCB *p_rcb = p_ccb->p_rcb; tMCA_CS *p_cs; - int i, max; + unsigned int i, max; if (dep < MCA_NUM_DEPS) { p_cs = &p_rcb->dep[dep]; i = mca_ccb_to_hdl(p_ccb)-1; - p_dcb_tmp = &mca_cb.dcb[i*MCA_NUM_MDLS]; + if( i*MCA_NUM_MDLS < MCA_NUM_DCBS) + { + p_dcb_tmp = &mca_cb.dcb[i*MCA_NUM_MDLS]; + } + else + { + MCA_TRACE_WARNING("dcb index out of range"); + return 0; + } /* make sure p_cs->max_mdl is smaller than MCA_NUM_MDLS at MCA_CreateDep */ max = p_cs->max_mdl; for (i=0; i<max; i++, p_dcb_tmp++) @@ -215,7 +223,7 @@ UINT8 mca_dep_free_mdl(tMCA_CCB *p_ccb, tMCA_DEP dep) tMCA_DCB *p_dcb; tMCA_RCB *p_rcb = p_ccb->p_rcb; tMCA_CS *p_cs; - int i, max; + unsigned int i, max; UINT8 count = 0; UINT8 left; @@ -223,7 +231,15 @@ UINT8 mca_dep_free_mdl(tMCA_CCB *p_ccb, tMCA_DEP dep) { p_cs = &p_rcb->dep[dep]; i = mca_ccb_to_hdl(p_ccb)-1; - p_dcb = &mca_cb.dcb[i * MCA_NUM_MDLS]; + if( i*MCA_NUM_MDLS < MCA_NUM_DCBS) + { + p_dcb = &mca_cb.dcb[i * MCA_NUM_MDLS]; + } + else + { + MCA_TRACE_WARNING("dcb index out of range"); + return 0; + } /* make sure p_cs->max_mdl is smaller than MCA_NUM_MDLS at MCA_CreateDep */ max = p_cs->max_mdl; for (i=0; i<max; i++, p_dcb++) 
@@ -323,11 +339,19 @@ tMCA_DCB *mca_dcb_by_hdl(tMCA_DL hdl) void mca_dcb_close_by_mdl_id(tMCA_CCB*p_ccb, UINT16 mdl_id) { tMCA_DCB *p_dcb; - int i; + unsigned int i; MCA_TRACE_DEBUG("mca_dcb_close_by_mdl_id mdl_id=%d", mdl_id); i = mca_ccb_to_hdl(p_ccb)-1; - p_dcb = &mca_cb.dcb[i*MCA_NUM_MDLS]; + if(i*MCA_NUM_MDLS < MCA_NUM_DCBS) + { + p_dcb = &mca_cb.dcb[i*MCA_NUM_MDLS]; + } + else + { + MCA_TRACE_WARNING("dcb index out of range"); + return 0; + } for (i=0; i<MCA_NUM_MDLS; i++, p_dcb++) { if (p_dcb->state) diff --git a/stack/mcap/mca_l2c.c b/stack/mcap/mca_l2c.c index fe3b20dc3..42d3a6a37 100644 --- a/stack/mcap/mca_l2c.c +++ b/stack/mcap/mca_l2c.c @@ -209,7 +209,7 @@ void mca_l2c_cconn_ind_cback(BD_ADDR bd_addr, UINT16 lcid, UINT16 psm, UINT8 id) /* if result ok, proceed with connection and send L2CAP config req */ - if (result == L2CAP_CONN_OK) + if (result == L2CAP_CONN_OK && p_tbl) { /* set channel state */ p_tbl->state = MCA_TC_ST_CFG; diff --git a/stack/mcap/mca_main.c b/stack/mcap/mca_main.c index b99c71206..1bf16dd0d 100644 --- a/stack/mcap/mca_main.c +++ b/stack/mcap/mca_main.c @@ -265,7 +265,7 @@ void mca_set_cfg_by_tbl(tL2CAP_CFG_INFO *p_cfg, tMCA_TC_TBL *p_tbl) else { p_dcb = mca_dcb_by_hdl(p_tbl->cb_idx); - if (p_dcb) + if (p_dcb !=NULL) { p_opt = &p_dcb->p_chnl_cfg->fcr_opt; fcs = p_dcb->p_chnl_cfg->fcs; @@ -323,7 +323,10 @@ void mca_tc_close_ind(tMCA_TC_TBL *p_tbl, UINT16 reason) if (p_tbl->tcid == MCA_CTRL_TCID) { p_ccb = mca_ccb_by_hdl((tMCA_CL)p_tbl->cb_idx); - mca_ccb_event(p_ccb, MCA_CCB_LL_CLOSE_EVT, (tMCA_CCB_EVT *)&close); + if(p_ccb != NULL) + { + mca_ccb_event(p_ccb, MCA_CCB_LL_CLOSE_EVT, (tMCA_CCB_EVT *)&close); + } } /* notify dcb that channel close */ else 
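Review bot: `return 0;` is added to mca_dcb_close_by_mdl_id, which the hunk header shows is declared `void`, so this is a constraint violation that compilers reject or warn about; it looks like a paste of the mca_dep_free_mdl version of the block. Change it to `return;`.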
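Review bot: Rewriting `if (p_dcb)` as `if (p_dcb !=NULL)` in mca_set_cfg_by_tbl changes nothing and adds an inconsistently spaced comparison to the diff; drop it, or at least write `!= NULL`. The event-dispatch hunks in this file (mca_tc_close_ind here, mca_tc_open_ind and mca_tc_cong_ind at @@ -372 and @@ -415) now silently skip the event when the ccb lookup fails, whereas the mca_dsm.c hunks in the same commit log a warning in the equivalent situation; an `else` with `MCA_TRACE_WARNING` naming the dropped event would make a lost close/open/congestion notification diagnosable.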
@@ -372,8 +375,10 @@ void mca_tc_open_ind(tMCA_TC_TBL *p_tbl) if (p_tbl->tcid == MCA_CTRL_TCID) { p_ccb = mca_ccb_by_hdl((tMCA_CL)p_tbl->cb_idx); - - mca_ccb_event(p_ccb, MCA_CCB_LL_OPEN_EVT, (tMCA_CCB_EVT *)&open); + if(p_ccb !=NULL) + { + mca_ccb_event(p_ccb, MCA_CCB_LL_OPEN_EVT, (tMCA_CCB_EVT *)&open); + } } /* must be data channel, notify dcb that channel open */ else @@ -415,7 +420,10 @@ void mca_tc_cong_ind(tMCA_TC_TBL *p_tbl, BOOLEAN is_congested) if (p_tbl->tcid == MCA_CTRL_TCID) { p_ccb = mca_ccb_by_hdl((tMCA_CL)p_tbl->cb_idx); - mca_ccb_event(p_ccb, MCA_CCB_LL_CONG_EVT, (tMCA_CCB_EVT *) &is_congested); + if(p_ccb != NULL) + { + mca_ccb_event(p_ccb, MCA_CCB_LL_CONG_EVT, (tMCA_CCB_EVT *) &is_congested); + } } /* notify dcb that channel open */ else diff --git a/stack/rfcomm/rfc_mx_fsm.c b/stack/rfcomm/rfc_mx_fsm.c index a7ffca57f..5c1c1a698 100644 --- a/stack/rfcomm/rfc_mx_fsm.c +++ b/stack/rfcomm/rfc_mx_fsm.c @@ -596,7 +596,7 @@ static void rfc_mx_conf_cnf (tRFC_MCB *p_mcb, tL2CAP_CFG_INFO *p_cfg) { RFCOMM_TRACE_EVENT ("rfc_mx_conf_cnf p_cfg:%08x res:%d ", p_cfg, (p_cfg) ? p_cfg->result : 0); - if (p_cfg->result != L2CAP_CFG_OK) + if (p_cfg && p_cfg->result != L2CAP_CFG_OK) { if (p_mcb->is_initiator) { diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c index 646a62dd3..6aee7af54 100644 --- a/stack/sdp/sdp_discovery.c +++ b/stack/sdp/sdp_discovery.c @@ -93,11 +93,16 @@ static UINT8 *sdpu_build_uuid_seq (UINT8 *p_out, UINT16 num_uuids, tSDP_UUID *p_ UINT8_TO_BE_STREAM (p_out, (UUID_DESC_TYPE << 3) | SIZE_FOUR_BYTES); UINT32_TO_BE_STREAM (p_out, p_uuid_list->uu.uuid32); } - else + else if (p_uuid_list->len == 16) { UINT8_TO_BE_STREAM (p_out, (UUID_DESC_TYPE << 3) | SIZE_SIXTEEN_BYTES); ARRAY_TO_BE_STREAM (p_out, p_uuid_list->uu.uuid128, p_uuid_list->len); } + else + { + SDP_TRACE_ERROR("SDP: Passed Uuid is of Invalid length: %x",p_uuid_list->len); + } + } /* Now, put in the length */ 
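Review bot: With `if (p_cfg && p_cfg->result != L2CAP_CFG_OK)` in rfc_mx_conf_cnf, a NULL `p_cfg` now skips the failure branch and falls through to the success handling, i.e. a missing configuration is treated as a successful one. If `p_cfg` can be NULL (the trace just above already allows for it), it should take the failure path: `if (p_cfg == NULL || p_cfg->result != L2CAP_CFG_OK)`. The rest of the function, including whatever the success path reads from `p_cfg`, is outside this hunk and should be checked for the same assumption.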
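Review bot: The new `else` in sdpu_build_uuid_seq logs an invalid UUID length and then continues building the sequence, so a malformed entry is silently omitted from the request while the caller (not visible here) gets no indication; any element count it assumed no longer matches what was encoded. Consider returning an error indication to the caller, or at least state in a comment that invalid entries are skipped. The `16` literal would read better as the length constant the file uses for 128-bit UUIDs if one exists, and the message prints a byte count with `%x` where `%d` is the natural choice.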
diff --git a/stack/sdp/sdp_server.c b/stack/sdp/sdp_server.c index 73715fc8f..b93ea7863 100644 --- a/stack/sdp/sdp_server.c +++ b/stack/sdp/sdp_server.c @@ -30,6 +30,7 @@ #include "gki.h" #include "bt_types.h" #include "bt_utils.h" +#include "bt_trace.h" #include "btu.h" #include "l2cdefs.h" @@ -963,8 +964,15 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, seq_len = sdpu_get_attrib_seq_len(p_rec, &attr_seq_sav); if (seq_len != 0) { - UINT8_TO_BE_STREAM (p_seq_start, (DATA_ELE_SEQ_DESC_TYPE << 3) | SIZE_IN_NEXT_WORD); - UINT16_TO_BE_STREAM (p_seq_start, seq_len); + if (p_seq_start) + { + UINT8_TO_BE_STREAM (p_seq_start, (DATA_ELE_SEQ_DESC_TYPE << 3) | SIZE_IN_NEXT_WORD); + UINT16_TO_BE_STREAM (p_seq_start, seq_len); + } + else + { + SDP_TRACE_DEBUG("SDP service and attribute rsp: Attribute sequence p_seq_start is NULL"); + } if (maxxed_out) p_ccb->cont_info.last_attr_seq_desc_sent = TRUE; diff --git a/stack/sdp/sdp_utils.c b/stack/sdp/sdp_utils.c index 3cf439706..5c8d73312 100644 --- a/stack/sdp/sdp_utils.c +++ b/stack/sdp/sdp_utils.c @@ -231,6 +231,8 @@ UINT8 *sdpu_build_attrib_seq (UINT8 *p_out, UINT16 *p_attr, UINT16 num_attrs) *******************************************************************************/ UINT8 *sdpu_build_attrib_entry (UINT8 *p_out, tSDP_ATTRIBUTE *p_attr) { + if(!p_out) + return p_out; /* First, store the attribute ID. Goes as a UINT */ UINT8_TO_BE_STREAM (p_out, (UINT_DESC_TYPE << 3) | SIZE_TWO_BYTES); UINT16_TO_BE_STREAM (p_out, p_attr->id); 
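Review bot: In process_service_search_attr_req a NULL `p_seq_start` is now reported only at debug level and the response continues to be assembled, including setting `last_attr_seq_desc_sent`, even though the sequence header was never written, so the peer would receive a malformed attribute list. A NULL here indicates an internal inconsistency in the response buffer; log it with `SDP_TRACE_ERROR` and abort the response instead of continuing. The function begins before this hunk, so where `p_seq_start` is set is not visible.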
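Review bot: The early `if(!p_out) return p_out;` in sdpu_build_attrib_entry returns NULL without any trace and without documenting the contract, so a caller cannot tell "nothing written" from a real pointer unless it knows to compare with NULL. Write it as `return NULL;` for clarity and add to the function header something like `/* Returns NULL, writing nothing, if p_out is NULL */`. The callers that compute offsets from the returned pointer are outside this hunk.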
@@ -1026,11 +1028,12 @@ UINT8 *sdpu_build_partial_attrib_entry (UINT8 *p_out, tSDP_ATTRIBUTE *p_attr, UI attr_len = sdpu_get_attrib_entry_len(p_attr); len_to_copy = ((attr_len - *offset) < len) ? (attr_len - *offset): len; - - memcpy(p_out, &p_attr_buff[*offset], len_to_copy); - - p_out = &p_out[len_to_copy]; - *offset += len_to_copy; + if(p_out) + { + memcpy(p_out, &p_attr_buff[*offset], len_to_copy); + p_out = &p_out[len_to_copy]; + *offset += len_to_copy; + } GKI_freebuf(p_attr_buff); return p_out; diff --git a/stack/smp/smp_cmac.c b/stack/smp/smp_cmac.c index 9ed295735..b0fdc0f1a 100644 --- a/stack/smp/smp_cmac.c +++ b/stack/smp/smp_cmac.c @@ -137,7 +137,7 @@ static BOOLEAN cmac_aes_k_calculate(BT_OCTET16 key, UINT8 *p_signature, UINT16 t tSMP_ENC output; UINT8 i = 1, err = 0; UINT8 x[16] = {0}; - UINT8 *p_mac; + UINT8 *p_mac = NULL; SMP_TRACE_EVENT ("cmac_aes_k_calculate "); @@ -157,6 +157,8 @@ static BOOLEAN cmac_aes_k_calculate(BT_OCTET16 key, UINT8 *p_signature, UINT16 t if (!err) { + if (tlen > BT_OCTET16_LEN) + tlen = BT_OCTET16_LEN; p_mac = output.param_buf + (BT_OCTET16_LEN - tlen); memcpy(p_signature, p_mac, tlen); diff --git a/stack/smp/smp_main.c b/stack/smp/smp_main.c index 2d80343a6..98d3e50fd 100644 --- a/stack/smp/smp_main.c +++ b/stack/smp/smp_main.c @@ -851,7 +851,7 @@ const char * smp_get_event_name(tSMP_EVENT event) { const char *p_str = smp_event_name[SMP_MAX_EVT]; - if (event <= SMP_MAX_EVT) + if (event && event <= SMP_MAX_EVT) { p_str = smp_event_name[event- 1]; } diff --git a/stack/srvc/srvc_battery.c b/stack/srvc/srvc_battery.c index 90632dfad..a3ce3aeac 100644 --- a/stack/srvc/srvc_battery.c +++ b/stack/srvc/srvc_battery.c @@ -203,7 +203,7 @@ UINT16 Battery_Instantiate (UINT8 app_id, tBA_REG_INFO *p_reg_info) tBA_INST *p_inst; tGATT_CHAR_PROP prop = GATT_CHAR_PROP_BIT_READ; - if (battery_cb.inst_id == BA_MAX_INT_NUM) + if (battery_cb.inst_id >= BA_MAX_INT_NUM) { GATT_TRACE_ERROR("MAX battery service has been reached"); return 0; 
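Review bot: In sdpu_build_partial_attrib_entry a NULL `p_out` now skips the copy but also leaves `*offset` unchanged while still freeing `p_attr_buff`; a caller that loops until `*offset` reaches the attribute length (not visible here) would then never make progress. Either return NULL before the buffer work so the continuation state is clearly "nothing consumed", or advance `*offset` regardless, and say which in a comment on the `if`. `attr_len - *offset` is also computed before any check that `*offset <= attr_len`, which the surrounding code may already guarantee.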
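Review bot: Clamping `tlen` to BT_OCTET16_LEN in cmac_aes_k_calculate silently shortens the MAC the caller asked for instead of refusing the request; a caller that requested, and will later compare, more than 16 bytes then reads bytes of `p_signature` beyond `tlen` that were never written. Treat an oversize `tlen` as an error, e.g. `if (tlen > BT_OCTET16_LEN) { SMP_TRACE_ERROR("cmac_aes_k_calculate: tlen %d > %d", tlen, BT_OCTET16_LEN); return FALSE; }`, and check it before the AES work rather than inside `if (!err)`. The `p_mac = NULL` initialisation is fine on its own.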
diff --git a/stack/srvc/srvc_eng.c b/stack/srvc/srvc_eng.c index 2fcc6d921..daa599bd5 100644 --- a/stack/srvc/srvc_eng.c +++ b/stack/srvc/srvc_eng.c @@ -272,6 +272,11 @@ static void srvc_eng_s_request_cback (UINT16 conn_id, UINT32 trans_id, tGATTS_RE tGATTS_RSP rsp_msg ; UINT8 act = SRVC_ACT_IGNORE; UINT8 clcb_idx = srvc_eng_find_clcb_idx_by_conn_id(conn_id); + if( clcb_idx == SRVC_MAX_APPS) + { + GATT_TRACE_ERROR("srvc_eng_s_request_cback received for unknown connection"); + return; + } GATT_TRACE_EVENT("srvc_eng_s_request_cback : recv type (0x%02x)", type); diff --git a/test/bluedroidtest/bluedroidtest.c b/test/bluedroidtest/bluedroidtest.c index 21c840320..391c85eae 100644 --- a/test/bluedroidtest/bluedroidtest.c +++ b/test/bluedroidtest/bluedroidtest.c @@ -211,11 +211,11 @@ static void hex_dump(char *msg, void *data, int size, int trunc) /* store hex str (for left side) */ snprintf(bytestr, sizeof(bytestr), "%02X ", *p); - strncat(hexstr, bytestr, sizeof(hexstr)-strlen(hexstr)-1); + strlcat(hexstr, bytestr, sizeof(hexstr)-strlen(hexstr)-1); /* store char str (for right side) */ snprintf(bytestr, sizeof(bytestr), "%c", c); - strncat(charstr, bytestr, sizeof(charstr)-strlen(charstr)-1); + strlcat(charstr, bytestr, sizeof(charstr)-strlen(charstr)-1); if(n%16 == 0) { /* line completed */ @@ -224,8 +224,8 @@ static void hex_dump(char *msg, void *data, int size, int trunc) charstr[0] = 0; } else if(n%8 == 0) { /* half line: add whitespaces */ - strncat(hexstr, " ", sizeof(hexstr)-strlen(hexstr)-1); - strncat(charstr, " ", sizeof(charstr)-strlen(charstr)-1); + strlcat(hexstr, " ", sizeof(hexstr)-strlen(hexstr)-1); + strlcat(charstr, " ", sizeof(charstr)-strlen(charstr)-1); } p++; /* next byte */ } 
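Review bot: The new guard in srvc_eng_s_request_cback tests `clcb_idx == SRVC_MAX_APPS`, relying on the lookup returning exactly that sentinel; `>=` costs nothing more and also catches any other out-of-range value, matching the `>=` chosen for srvc_battery.c in this commit. A comment stating the lookup's contract, `/* srvc_eng_find_clcb_idx_by_conn_id returns SRVC_MAX_APPS when not found */`, would make the sentinel explicit. The function starts before the hunk.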
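Review bot: The strncat-to-strlcat replacement in hex_dump keeps the strncat-style size argument `sizeof(hexstr)-strlen(hexstr)-1`, but strlcat's third parameter is the total destination size, not the remaining space; strlcat then limits itself to `size - strlen(dst) - 1`, so the usable room shrinks by twice the current length and, once the string reaches half the buffer, nothing more is appended and the dump is silently cut short. All four calls in this hunk should read `strlcat(hexstr, bytestr, sizeof(hexstr));` and `strlcat(charstr, bytestr, sizeof(charstr));` (and likewise for the `" "` separators). The same four calls are changed identically in rfcommtest.c (@@ -257 and @@ -270) and need the same fix.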
@@ -384,11 +384,18 @@ static int create_cmdjob(char *cmd) char *job_cmd; job_cmd = malloc(strlen(cmd)+1); /* freed in job handler */ - strcpy(job_cmd, cmd); + if (job_cmd) + { + strlcpy(job_cmd, cmd, strlen(cmd)+1); - if (pthread_create(&thread_id, NULL, + if (pthread_create(&thread_id, NULL, (void*)cmdjob_handler, (void*)job_cmd)!=0) - perror("pthread_create"); + perror("pthread_create"); + } + else + { + perror("create_cmdjob(): Failed to allocate memory"); + } return 0; } diff --git a/test/rfcommtest/rfcommtest.c b/test/rfcommtest/rfcommtest.c index 8453dcfed..73b15cd13 100644 --- a/test/rfcommtest/rfcommtest.c +++ b/test/rfcommtest/rfcommtest.c @@ -257,11 +257,11 @@ static void hex_dump(char *msg, void *data, int size, int trunc) /* store hex str (for left side) */ snprintf(bytestr, sizeof(bytestr), "%02X ", *p); - strncat(hexstr, bytestr, sizeof(hexstr)-strlen(hexstr)-1); + strlcat(hexstr, bytestr, sizeof(hexstr)-strlen(hexstr)-1); /* store char str (for right side) */ snprintf(bytestr, sizeof(bytestr), "%c", c); - strncat(charstr, bytestr, sizeof(charstr)-strlen(charstr)-1); + strlcat(charstr, bytestr, sizeof(charstr)-strlen(charstr)-1); if(n%16 == 0) { /* line completed */ @@ -270,8 +270,8 @@ static void hex_dump(char *msg, void *data, int size, int trunc) charstr[0] = 0; } else if(n%8 == 0) { /* half line: add whitespaces */ - strncat(hexstr, " ", sizeof(hexstr)-strlen(hexstr)-1); - strncat(charstr, " ", sizeof(charstr)-strlen(charstr)-1); + strlcat(hexstr, " ", sizeof(hexstr)-strlen(hexstr)-1); + strlcat(charstr, " ", sizeof(charstr)-strlen(charstr)-1); } p++; /* next byte */ } diff --git a/utils/src/bt_utils.c b/utils/src/bt_utils.c index 53a53de20..4a73c8057 100644 --- a/utils/src/bt_utils.c +++ b/utils/src/bt_utils.c 
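Review bot: In create_cmdjob, when pthread_create fails the freshly allocated `job_cmd` is never released — the comment says it is freed in the job handler, which never runs — so the restructured block still leaks on that path. Add `free(job_cmd);` after `perror("pthread_create");`. Both failure branches also still `return 0`, so the caller cannot tell the job was not started; returning -1 there would be the usual convention if callers check the result.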
@@ -123,7 +123,7 @@ void raise_priority_a2dp(tHIGH_PRIORITY_TASK high_task) { g_TaskIdx = high_task; pthread_once(&g_DoSchedulingGroupOnce[g_TaskIdx], check_do_scheduling_group); - if (g_DoSchedulingGroup[g_TaskIdx]) { + if (g_TaskIdx < TASK_HIGH_MAX && g_DoSchedulingGroup[g_TaskIdx]) { // set_sched_policy does not support tid == 0 rc = set_sched_policy(tid, SP_AUDIO_SYS); } |
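Review bot: The `g_TaskIdx < TASK_HIGH_MAX` guard in raise_priority_a2dp comes one statement too late: the line above it, `pthread_once(&g_DoSchedulingGroupOnce[g_TaskIdx], check_do_scheduling_group);`, already indexes with the unchecked `g_TaskIdx`. Move the range check before the pthread_once call, e.g. `if (g_TaskIdx >= TASK_HIGH_MAX) return;` right after the assignment, and leave the existing `if` as it was. The function's earlier lines are outside the hunk.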