Check LE advertising data length before caching advertising records
Bug: 33899337
Test: make, receive LE advertising
Change-Id: I06b249ac5cabdef64528deda07b8bae749e1d2fd
(cherry picked from commit d57adbc350fdee4f27b82c9e39a14bd745d92320)
(cherry picked from commit 1bef3546a6cb6f05739c10825dab9eb3362892f6)
Jack He authored and andi34 committed Jun 16, 2017
1 parent 905a778 commit 52a228d
Showing 1 changed file with 15 additions and 2 deletions.
17 changes: 15 additions & 2 deletions stack/btm/btm_ble_gap.c
Expand Up @@ -26,6 +26,8 @@
#include <stdio.h> #include <stdio.h>
#include <stddef.h> #include <stddef.h>


#include <log/log.h>

#include "bt_types.h" #include "bt_types.h"
#include "btu.h" #include "btu.h"
#include "btm_int.h" #include "btm_int.h"
Expand Down Expand Up @@ -1407,7 +1409,7 @@ static void btm_ble_parse_adv_data(tBTM_INQ_INFO *p_info, UINT8 *p_data,
** Returns void ** Returns void
** **
*******************************************************************************/ *******************************************************************************/
void btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, UINT8 evt_type) BOOLEAN btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, UINT8 evt_type)
{ {
tBTM_BLE_INQ_CB *p_le_inq_cb = &btm_cb.ble_ctr_cb.inq_var; tBTM_BLE_INQ_CB *p_le_inq_cb = &btm_cb.ble_ctr_cb.inq_var;
UINT8 *p_cache; UINT8 *p_cache;
Expand All @@ -1426,8 +1428,16 @@ void btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, U
STREAM_TO_UINT8(length, p); STREAM_TO_UINT8(length, p);
while ( length && ((p_le_inq_cb->adv_len + length + 1) <= BTM_BLE_CACHE_ADV_DATA_MAX)) while ( length && ((p_le_inq_cb->adv_len + length + 1) <= BTM_BLE_CACHE_ADV_DATA_MAX))
{ {
/* adv record size must be smaller than the total adv data size */
if ((length + 1) > data_len) {
BTM_TRACE_ERROR0("BTM - got incorrect LE advertising data");
android_errorWriteLog(0x534e4554, "33899337");
return FALSE;
}
/* copy from the length byte & data into cache */ /* copy from the length byte & data into cache */
memcpy(p_cache, p-1, length+1); memcpy(p_cache, p-1, length+1);
/* reduce the total data size by size of data copied */
data_len -= length + 1;
/* advance the cache pointer past data */ /* advance the cache pointer past data */
p_cache += length+1; p_cache += length+1;
/* increment cache length */ /* increment cache length */
Expand All @@ -1437,6 +1447,7 @@ void btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, U
STREAM_TO_UINT8(length, p); STREAM_TO_UINT8(length, p);
} }
} }
return TRUE;


/* parse service UUID from adv packet and save it in inq db eir_uuid */ /* parse service UUID from adv packet and save it in inq db eir_uuid */
/* TODO */ /* TODO */
Expand Down Expand Up @@ -1547,7 +1558,9 @@ BOOLEAN btm_ble_update_inq_result(tINQ_DB_ENT *p_i, UINT8 addr_type, UINT8 evt_t
BTM_TRACE_WARNING1("EIR data too long %d. discard", data_len); BTM_TRACE_WARNING1("EIR data too long %d. discard", data_len);
return FALSE; return FALSE;
} }
btm_ble_cache_adv_data(p_cur, data_len, p, evt_type); if (!btm_ble_cache_adv_data(p_cur, data_len, p, evt_type)) {
return FALSE;
}


p1 = (p + data_len); p1 = (p + data_len);
STREAM_TO_UINT8 (rssi, p1); STREAM_TO_UINT8 (rssi, p1);
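Review bot: The new `(length + 1) > data_len` check runs only after the next length byte has already been consumed: once `data_len -= length + 1;` reaches 0, the `STREAM_TO_UINT8(length, p);` at the bottom of the loop reads the byte just past the advertising data (the one the caller interprets as RSSI via `p1 = (p + data_len)`), and if that byte is non-zero the loop re-enters and the check rejects a report whose records exactly fill data_len. Stopping as soon as the data is consumed, `if (data_len == 0) break;` placed directly after the subtraction, removes both the one-byte over-read and the false rejection. The same concern applies to the `STREAM_TO_UINT8(length, p);` before the loop if data_len can be 0 on entry; the caller is only partly visible here (it rejects data_len above the cache size), so whether 0 ever arrives cannot be confirmed from this diff. On the FALSE path the records already copied stay in the cache and, per the `/* increment cache length */` comment, adv_len has presumably been advanced; if the caller's FALSE return does not reset that state, it should be cleared before returning.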
