diff --git a/components/bt/host/bluedroid/api/esp_hf_ag_api.c b/components/bt/host/bluedroid/api/esp_hf_ag_api.c index 34de9398c2..3c89b1be76 100644 --- a/components/bt/host/bluedroid/api/esp_hf_ag_api.c +++ b/components/bt/host/bluedroid/api/esp_hf_ag_api.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -77,6 +77,9 @@ esp_err_t esp_hf_ag_slc_connect(esp_bd_addr_t remote_addr) if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -96,6 +99,9 @@ esp_err_t esp_hf_ag_slc_disconnect(esp_bd_addr_t remote_addr) if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -115,6 +121,9 @@ esp_err_t esp_hf_ag_audio_connect(esp_bd_addr_t remote_addr) if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -134,6 +143,9 @@ esp_err_t esp_hf_ag_audio_disconnect(esp_bd_addr_t remote_addr) if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -153,6 +165,9 @@ esp_err_t esp_hf_ag_vra_control(esp_bd_addr_t remote_addr, esp_hf_vr_state_t val if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -161,7 +176,7 @@ esp_err_t esp_hf_ag_vra_control(esp_bd_addr_t remote_addr, esp_hf_vr_state_t val btc_hf_args_t arg; memset(&arg, 0, sizeof(btc_hf_args_t)); arg.vra_rep.value = value; - memcpy(&(arg.volcon.remote_addr), remote_addr, sizeof(esp_bd_addr_t)); + memcpy(&(arg.vra_rep.remote_addr), remote_addr, sizeof(esp_bd_addr_t)); /* Switch to BTC context */ bt_status_t status = btc_transfer_context(&msg, &arg, sizeof(btc_hf_args_t), NULL, NULL); @@ -173,6 +188,9 @@ esp_err_t esp_hf_ag_volume_control(esp_bd_addr_t remote_addr, esp_hf_volume_cont if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } if (volume < 0 || volume > 15) { return ESP_ERR_INVALID_ARG; } @@ -197,6 +215,9 @@ esp_err_t esp_hf_ag_unknown_at_send(esp_bd_addr_t remote_addr, char *unat) if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL || unat == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -218,6 +239,9 @@ esp_err_t esp_hf_ag_cmee_send(esp_bd_addr_t remote_addr, esp_hf_at_response_code if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -239,6 +263,9 @@ esp_err_t esp_hf_ag_ciev_report(esp_bd_addr_t remote_addr, esp_hf_ciev_report_ty if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -264,6 +291,9 @@ esp_err_t esp_hf_ag_cind_response(esp_bd_addr_t remote_addr, if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } if (signal < 0 || signal > 5 || batt_lev < 0 || batt_lev > 5) { return ESP_ERR_INVALID_ARG; } @@ -294,6 +324,9 @@ esp_err_t esp_hf_ag_cops_response(esp_bd_addr_t remote_addr, char *name) if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL || name == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -317,6 +350,9 @@ esp_err_t esp_hf_ag_clcc_response(esp_bd_addr_t remote_addr, int index, esp_hf_c if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -346,6 +382,9 @@ esp_err_t esp_hf_ag_cnum_response(esp_bd_addr_t remote_addr, char *number, int n if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } if (number == NULL || number_type < 128 || number_type > 175) { return ESP_ERR_INVALID_ARG; } @@ -356,7 +395,7 @@ esp_err_t esp_hf_ag_cnum_response(esp_bd_addr_t remote_addr, char *number, int n btc_hf_args_t arg; memset(&arg, 0, sizeof(btc_hf_args_t)); - memcpy(&(arg.cnum_rep), remote_addr, sizeof(esp_bd_addr_t)); + memcpy(&(arg.cnum_rep.remote_addr), remote_addr, sizeof(esp_bd_addr_t)); arg.cnum_rep.number = number; //deep_copy arg.cnum_rep.number_type = number_type; arg.cnum_rep.service_type = service_type; @@ -372,6 +411,9 @@ esp_err_t esp_hf_ag_bsir(esp_bd_addr_t remote_addr, esp_hf_in_band_ring_state_t if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -394,6 +436,9 @@ esp_err_t esp_hf_ag_answer_call(esp_bd_addr_t remote_addr, int num_active, int n if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -422,6 +467,9 @@ esp_err_t esp_hf_ag_reject_call(esp_bd_addr_t remote_addr, int num_active, int n if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -450,6 +498,9 @@ esp_err_t esp_hf_ag_end_call(esp_bd_addr_t remote_addr, int num_active, int num_ if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; @@ -478,6 +529,9 @@ esp_err_t esp_hf_ag_out_call(esp_bd_addr_t remote_addr, int num_active, int num_ if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_HF; diff --git a/components/bt/host/bluedroid/api/esp_hf_client_api.c b/components/bt/host/bluedroid/api/esp_hf_client_api.c index 78347fc97f..64ef18eb32 100644 --- a/components/bt/host/bluedroid/api/esp_hf_client_api.c +++ b/components/bt/host/bluedroid/api/esp_hf_client_api.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -68,6 +68,9 @@ esp_err_t esp_hf_client_connect(esp_bd_addr_t remote_bda) if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_bda == NULL) { + return ESP_ERR_INVALID_ARG; + } bt_status_t stat; btc_hf_client_args_t arg; @@ -90,6 +93,9 @@ esp_err_t esp_hf_client_disconnect(esp_bd_addr_t remote_bda) if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_bda == NULL) { + return ESP_ERR_INVALID_ARG; + } bt_status_t stat; btc_hf_client_args_t arg; @@ -112,6 +118,9 @@ esp_err_t esp_hf_client_connect_audio(esp_bd_addr_t remote_bda) if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_bda == NULL) { + return ESP_ERR_INVALID_ARG; + } bt_status_t stat; btc_hf_client_args_t arg; @@ -134,6 +143,9 @@ esp_err_t esp_hf_client_disconnect_audio(esp_bd_addr_t remote_bda) if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (remote_bda == NULL) { + return ESP_ERR_INVALID_ARG; + } bt_status_t stat; btc_hf_client_args_t arg; @@ -191,6 +203,9 @@ esp_err_t esp_hf_client_volume_update(esp_hf_volume_control_target_t type, int v if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (volume < 0 || volume > 15) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; btc_hf_client_args_t arg; @@ -391,6 +406,10 @@ esp_err_t esp_hf_client_send_dtmf(char code) if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (!((code >= '0' && code <= '9') || code == '*' || code == '#' || + (code >= 'A' && code <= 'D'))) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; btc_hf_client_args_t arg; @@ -499,6 +518,9 @@ esp_err_t esp_hf_client_register_data_callback(esp_hf_client_incoming_data_cb_t if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (recv == NULL || send == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; @@ -553,6 +575,9 @@ esp_err_t esp_hf_client_pkt_stat_nums_get(uint16_t sync_conn_handle) void esp_hf_client_outgoing_data_ready(void) { + if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { + return; + } BTA_HfClientCiData(); } @@ -561,6 +586,9 @@ esp_err_t esp_hf_client_register_audio_data_callback(esp_hf_client_audio_data_cb if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (callback == NULL) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; @@ -616,6 +644,9 @@ esp_err_t esp_hf_client_audio_data_send(esp_hf_sync_conn_hdl_t sync_conn_hdl, es if (audio_buf == NULL || audio_buf->data_len == 0) { return ESP_ERR_INVALID_ARG; } + if (audio_buf->data_len > audio_buf->buff_size) { + return ESP_ERR_INVALID_ARG; + } BTA_HfClientAudioDataSend(sync_conn_hdl, (uint8_t *)audio_buf, audio_buf->data, audio_buf->data_len); return ESP_OK; diff --git a/components/bt/host/bluedroid/api/esp_pbac_api.c b/components/bt/host/bluedroid/api/esp_pbac_api.c index 3799038f94..3d6273c2d6 100644 --- a/components/bt/host/bluedroid/api/esp_pbac_api.c +++ b/components/bt/host/bluedroid/api/esp_pbac_api.c @@ -171,6 +171,9 @@ esp_err_t esp_pbac_set_phone_book2(esp_pbac_conn_hdl_t handle, const char *path) if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (handle == ESP_PBAC_INVALID_HANDLE) { + return ESP_ERR_INVALID_ARG; + } btc_msg_t msg; msg.sig = BTC_SIG_API_CALL; diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_act.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_act.c index c2e2773792..fc385d7c3f 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_act.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_act.c @@ -91,6 +91,9 @@ const tBTA_AG_ATCMD_CBACK bta_ag_at_cback_tbl[BTA_AG_NUM_IDX] = static void bta_ag_cback_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data, tBTA_AG_STATUS status) { tBTA_AG_OPEN open; + if (p_scb->conn_service >= BTA_AG_NUM_IDX) { + return; + } /* call app callback with open event */ open.hdr.handle = bta_ag_scb_to_idx(p_scb); open.hdr.app_id = p_scb->app_id; @@ -102,7 +105,9 @@ static void bta_ag_cback_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data, tBTA_AG_ } else { bdcpy(open.bd_addr, p_scb->peer_addr); } - (*bta_ag_cb.p_cback)(BTA_AG_OPEN_EVT, (tBTA_AG *) &open); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_OPEN_EVT, (tBTA_AG *) &open); + } } /******************************************************************************* @@ -132,7 +137,9 @@ void bta_ag_register(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) reg.hdr.handle = bta_ag_scb_to_idx(p_scb); reg.hdr.app_id = p_scb->app_id; reg.hdr.status = BTA_AG_SUCCESS; - (*bta_ag_cb.p_cback)(BTA_AG_REGISTER_EVT, (tBTA_AG *) ®); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_REGISTER_EVT, (tBTA_AG *) ®); + } } /******************************************************************************* @@ -188,7 +195,7 @@ void bta_ag_start_dereg(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) *******************************************************************************/ void bta_ag_start_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) { - BD_ADDR pending_bd_addr; + BD_ADDR pending_bd_addr = {0}; /* store parameters */ if (p_data) { bdcpy(p_scb->peer_addr, p_data->api_open.bd_addr); @@ -199,7 +206,7 @@ void bta_ag_start_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) if (PORT_IsOpening (pending_bd_addr)) { /* Let the incoming connection goes through. */ /* Issue collision for this scb for now. */ - /* We will decide what to do when we find incoming connetion later. */ + /* We will decide what to do when we find incoming connection later. */ bta_ag_collision_cback (0, BTA_ID_AG, 0, p_scb->peer_addr); return; } @@ -398,7 +405,9 @@ void bta_ag_rfc_close(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) bta_sys_conn_close(BTA_ID_AG, p_scb->app_id, p_scb->peer_addr); /* call close cback */ - (*bta_ag_cb.p_cback)(BTA_AG_CLOSE_EVT, (tBTA_AG *) &close); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_CLOSE_EVT, (tBTA_AG *) &close); + } /* if not deregistering (deallocating) reopen registered servers */ if (p_scb->dealloc == FALSE) { @@ -444,6 +453,9 @@ void bta_ag_rfc_close(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) *******************************************************************************/ void bta_ag_rfc_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) { + if (p_scb->conn_service >= BTA_AG_NUM_IDX) { + return; + } /* initialize AT feature variables */ p_scb->clip_enabled = FALSE; p_scb->ccwa_enabled = FALSE; @@ -670,7 +682,7 @@ void bta_ag_post_sco_close(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) case BTA_AG_POST_SCO_CALL_END_INCALL: { bta_ag_send_call_inds(p_scb, BTA_AG_END_CALL_RES); - /* Sending callsetup IND and Ring were defered to after SCO close. */ + /* Sending callsetup IND and Ring were deferred to after SCO close. */ bta_ag_send_call_inds(p_scb, BTA_AG_IN_CALL_RES); if (bta_ag_inband_enabled(p_scb) && !(p_scb->features & BTA_AG_FEAT_NOSCO)) { @@ -722,7 +734,9 @@ void bta_ag_svc_conn_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) (p_scb->callsetup_ind != BTA_AG_CALLSETUP_NONE)) { bta_sys_sco_use(BTA_ID_AG, p_scb->app_id, p_scb->peer_addr); } - (*bta_ag_cb.p_cback)(BTA_AG_CONN_EVT, (tBTA_AG *) &evt); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_CONN_EVT, (tBTA_AG *) &evt); + } } } @@ -794,7 +808,9 @@ void bta_ag_setcodec(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) (codec_type != BTA_AG_CODEC_MSBC)) { val.hdr.status = BTA_AG_FAIL_RESOURCES; APPL_TRACE_ERROR("%s error: unsupported codec type %d", __func__, codec_type); - (*bta_ag_cb.p_cback)(BTA_AG_WBS_EVT, (tBTA_AG *) &val); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_WBS_EVT, (tBTA_AG *) &val); + } return; } @@ -809,7 +825,9 @@ void bta_ag_setcodec(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) val.hdr.status = BTA_AG_FAIL_RESOURCES; APPL_TRACE_ERROR("%s error: unsupported codec type %d",__func__, codec_type); } - (*bta_ag_cb.p_cback)(BTA_AG_WBS_EVT, (tBTA_AG *) &val); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_WBS_EVT, (tBTA_AG *) &val); + } #endif } diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_api.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_api.c index 331f6595e6..d1b9cc80e5 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_api.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_api.c @@ -67,14 +67,17 @@ tBTA_STATUS BTA_AgEnable(tBTA_AG_PARSE_MODE parse_mode, tBTA_AG_CBACK *p_cback) return BTA_FAILURE; } } - /* register with BTA system manager */ - bta_sys_register(BTA_ID_AG, &bta_ag_reg); if ((p_buf = (tBTA_AG_API_ENABLE *) osi_malloc(sizeof(tBTA_AG_API_ENABLE))) != NULL) { + /* register with BTA system manager */ + bta_sys_register(BTA_ID_AG, &bta_ag_reg); + p_buf->hdr.event = BTA_AG_API_ENABLE_EVT; p_buf->parse_mode = parse_mode; p_buf->p_cback = p_cback; bta_sys_sendmsg(p_buf); + } else { + return BTA_NO_RESOURCES; } return BTA_SUCCESS; } @@ -121,7 +124,7 @@ void BTA_AgRegister(tBTA_SERVICE_MASK services, tBTA_SEC sec_mask,tBTA_AG_FEAT f p_buf->services = services; p_buf->app_id = app_id; for (i = 0; i < BTA_AG_NUM_IDX; i++) { - if(p_service_names[i]) { + if (p_service_names != NULL && p_service_names[i]) { BCM_STRNCPY_S(p_buf->p_name[i], p_service_names[i], BTA_SERVICE_NAME_LEN); p_buf->p_name[i][BTA_SERVICE_NAME_LEN] = '\0'; } else { diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_at.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_at.c index 82066d8f79..bebd282a44 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_at.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_at.c @@ -122,20 +122,30 @@ void bta_ag_process_at(tBTA_AG_AT_CB *p_cb) if (int_arg < (INT16) p_cb->p_at_tbl[idx].min || int_arg > (INT16) p_cb->p_at_tbl[idx].max) { /* arg out of range; error */ - (*p_cb->p_err_cback)(p_cb->p_user, FALSE, NULL); + if (p_cb->p_err_cback) { + (*p_cb->p_err_cback)(p_cb->p_user, FALSE, NULL); + } } else { - (*p_cb->p_cmd_cback)(p_cb->p_user, idx, arg_type, p_arg, int_arg); + if (p_cb->p_cmd_cback) { + (*p_cb->p_cmd_cback)(p_cb->p_user, idx, arg_type, p_arg, int_arg); + } } } else { - (*p_cb->p_cmd_cback)(p_cb->p_user, idx, arg_type, p_arg, int_arg); + if (p_cb->p_cmd_cback) { + (*p_cb->p_cmd_cback)(p_cb->p_user, idx, arg_type, p_arg, int_arg); + } } } else { /* else error */ - (*p_cb->p_err_cback)(p_cb->p_user, FALSE, NULL); + if (p_cb->p_err_cback) { + (*p_cb->p_err_cback)(p_cb->p_user, FALSE, NULL); + } } } else { /* else no match call error callback */ - (*p_cb->p_err_cback)(p_cb->p_user, TRUE, p_cb->p_cmd_buf); + if (p_cb->p_err_cback) { + (*p_cb->p_err_cback)(p_cb->p_user, TRUE, p_cb->p_cmd_buf); + } } } @@ -185,7 +195,9 @@ void bta_ag_at_parse(tBTA_AG_AT_CB *p_cb, char *p_buf, UINT16 len) p_cb->cmd_pos = 0; } else if( p_cb->p_cmd_buf[p_cb->cmd_pos] == 0x1A || p_cb->p_cmd_buf[p_cb->cmd_pos] == 0x1B) { p_cb->p_cmd_buf[++p_cb->cmd_pos] = 0; - (*p_cb->p_err_cback)(p_cb->p_user, TRUE, p_cb->p_cmd_buf); + if (p_cb->p_err_cback) { + (*p_cb->p_err_cback)(p_cb->p_user, TRUE, p_cb->p_cmd_buf); + } p_cb->cmd_pos = 0; } else { ++p_cb->cmd_pos; diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cfg.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cfg.c index 3c059cea72..fd15b2e39b 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cfg.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cfg.c @@ -31,7 +31,7 @@ #if (BTA_AG_INCLUDED == TRUE) #ifndef BTA_AG_CIND_INFO -#define BTA_AG_CIND_INFO "(\"call\",(0,1)),(\"callsetup\",(0-3)),(\"service\",(0-3)),(\"signal\",(0-6)),(\"roam\",(0,1)),(\"battchg\",(0-5)),(\"callheld\",(0-2))" +#define BTA_AG_CIND_INFO "(\"call\",(0,1)),(\"callsetup\",(0-3)),(\"service\",(0-1)),(\"signal\",(0-5)),(\"roam\",(0,1)),(\"battchg\",(0-5)),(\"callheld\",(0-2))" #endif #ifndef BTA_AG_CONN_TIMEOUT diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cmd.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cmd.c index 2cf985c703..499b1435e6 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cmd.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cmd.c @@ -376,7 +376,7 @@ static void bta_ag_send_result(tBTA_AG_SCB *p_scb, UINT8 code, char *p_arg, INT1 char *p = buf; UINT16 len; #if (BTIF_TRACE_DEBUG == TRUE) - memset(buf, NULL, sizeof(buf)); + memset(buf, 0, sizeof(buf)); #endif /* init with \r\n */ *p++ = '\r'; @@ -444,7 +444,7 @@ static void bta_ag_send_multi_result(tBTA_AG_SCB *p_scb, tBTA_AG_MULTI_RESULT_CB } #if defined(BTA_AG_RESULT_DEBUG) && (BTA_AG_RESULT_DEBUG == TRUE) - memset(buf, NULL, sizeof(buf)); + memset(buf, 0, sizeof(buf)); #endif while(res_idx < m_res_cb->num_result) { @@ -604,13 +604,14 @@ static BOOLEAN bta_ag_parse_cmer(char *p_s, BOOLEAN *p_enabled) for (i = 0; i < 4; i++) { /* skip to comma delimiter */ for (p = p_s; *p != ',' && *p != 0; p++); + if (*p == 0) { + n[i] = utl_str2int(p_s); + break; + } /* get integer value */ *p = 0; n[i] = utl_str2int(p_s); p_s = p + 1; - if (p_s == 0) { - break; - } } /* process values */ if (n[0] < 0 || n[3] < 0) { @@ -721,9 +722,9 @@ static tBTA_AG_PEER_CODEC bta_ag_parse_bac(tBTA_AG_SCB *p_scb, char *p_s) *******************************************************************************/ static void bta_ag_process_unat_res(char *unat_result) { - UINT8 str_leng; - UINT8 i = 0; - UINT8 j = 0; + size_t str_leng; + size_t i = 0; + size_t j = 0; UINT8 pairs_of_nl_cr; char trim_data[BTA_AG_AT_MAX_LEN]; @@ -737,16 +738,18 @@ static void bta_ag_process_unat_res(char *unat_result) while(unat_result[0] =='\r' && unat_result[1] =='\n' && unat_result[str_leng-2] =='\r' && unat_result[str_leng-1] =='\n') { pairs_of_nl_cr = 1; - for (i=0;i<(str_leng-4*pairs_of_nl_cr);i++) { - trim_data[j++] = unat_result[i+pairs_of_nl_cr*2]; + for (i = 0; i < (str_leng - 4 * pairs_of_nl_cr); i++) { + trim_data[j++] = unat_result[i + pairs_of_nl_cr * 2]; } /* Add EOF */ - trim_data[j] = '\0'; + if (j < BTA_AG_AT_MAX_LEN) { + trim_data[j] = '\0'; + } str_leng = str_leng - 4; BCM_STRNCPY_S(unat_result, trim_data, BTA_AG_AT_MAX_LEN); - i=0; - j=0; - if(str_leng <4) { + i = 0; + j = 0; + if (str_leng < 4) { return; } } @@ -827,7 +830,9 @@ void bta_ag_at_hsp_cback(tBTA_AG_SCB *p_scb, UINT16 cmd, UINT8 arg_type, BCM_STRNCPY_S(val.str, p_arg, BTA_AG_AT_MAX_LEN); val.str[BTA_AG_AT_MAX_LEN] = '\0'; /* call callback with event */ - (*bta_ag_cb.p_cback)(bta_ag_hsp_cb_evt[cmd], (tBTA_AG *) &val); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(bta_ag_hsp_cb_evt[cmd], (tBTA_AG *) &val); + } } /******************************************************************************* @@ -1233,7 +1238,9 @@ void bta_ag_at_hfp_cback(tBTA_AG_SCB *p_scb, UINT16 cmd, UINT8 arg_type, } /* call callback */ if (event != 0) { - (*bta_ag_cb.p_cback)(event, (tBTA_AG *) &val); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(event, (tBTA_AG *) &val); + } } } @@ -1264,7 +1271,9 @@ void bta_ag_at_err_cback(tBTA_AG_SCB *p_scb, BOOLEAN unknown, char *p_arg) val.num = 0; BCM_STRNCPY_S(val.str, p_arg, BTA_AG_AT_MAX_LEN); val.str[BTA_AG_AT_MAX_LEN] = '\0'; - (*bta_ag_cb.p_cback)(BTA_AG_AT_UNAT_EVT, (tBTA_AG *) &val); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_AT_UNAT_EVT, (tBTA_AG *) &val); + } } else { bta_ag_send_error(p_scb, BTA_AG_ERR_OP_NOT_SUPPORTED); } diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_main.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_main.c index 39daa0de6b..b52ab14ea6 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_main.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_main.c @@ -517,8 +517,15 @@ void bta_ag_scb_dealloc(tBTA_AG_SCB *p_scb) *******************************************************************************/ UINT16 bta_ag_scb_to_idx(tBTA_AG_SCB *p_scb) { + if (p_scb == NULL) { + return 0; + } /* use array arithmetic to determine index */ - return ((UINT16) (p_scb - bta_ag_cb.scb)) + 1; + UINT16 idx = ((UINT16) (p_scb - bta_ag_cb.scb)) + 1; + if (idx < 1 || idx > BTA_AG_NUM_SCB) { + return 0; + } + return idx; } /******************************************************************************* @@ -731,7 +738,7 @@ void bta_ag_collision_cback (tBTA_SYS_CONN_STATUS status, UINT8 id, UINT8 app_id } /* Start timer to han */ p_scb->colli_timer.p_cback = (TIMER_CBACK*)&bta_ag_colli_timer_cback; - p_scb->colli_timer.param = (INT32)p_scb; + p_scb->colli_timer.param = (UINT32)p_scb; bta_sys_start_timer(&p_scb->colli_timer, 0, BTA_AG_COLLISION_TIMER); p_scb->colli_tmr_on = TRUE; } @@ -905,12 +912,16 @@ void bta_ag_sm_execute(tBTA_AG_SCB *p_scb, UINT16 event, tBTA_AG_DATA *p_data) #if BTA_AG_DEBUG == TRUE UINT16 in_event = event; UINT8 in_state = p_scb->state; + tBTA_AG_RES dbg_api_result = (tBTA_AG_RES)0; + if (p_data != NULL && in_event == BTA_AG_API_RESULT_EVT) { + dbg_api_result = p_data->api_result.result; + } /* Ignore displaying of AT results when not connected (Ignored in state machine) */ if (in_event != BTA_AG_API_RESULT_EVT || p_scb->state == BTA_AG_OPEN_ST) { APPL_TRACE_EVENT("AG evt (hdl 0x%04x): State %d (%s), Event 0x%04x (%s)", bta_ag_scb_to_idx(p_scb), p_scb->state, bta_ag_state_str(p_scb->state), - event, bta_ag_evt_str(event, p_data->api_result.result)); + event, bta_ag_evt_str(event, dbg_api_result)); } #else APPL_TRACE_EVENT("AG evt (hdl 0x%04x): State %d, Event 0x%04x", @@ -938,7 +949,7 @@ void bta_ag_sm_execute(tBTA_AG_SCB *p_scb, UINT16 event, tBTA_AG_DATA *p_data) APPL_TRACE_EVENT("BTA AG State Change: [%s] -> [%s] after Event [%s]", bta_ag_state_str(in_state), bta_ag_state_str(p_scb->state), - bta_ag_evt_str(in_event, p_data->api_result.result)); + bta_ag_evt_str(in_event, dbg_api_result)); } #endif } diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_rfc.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_rfc.c index 49ca54af0e..2bfdd430ea 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_rfc.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_rfc.c @@ -252,6 +252,10 @@ void bta_ag_setup_port(tBTA_AG_SCB *p_scb, UINT16 handle) { UINT16 i = bta_ag_scb_to_idx(p_scb) - 1; + if (i >= BTA_AG_NUM_SCB) { + return; + } + /* set up data callback if using pass through mode */ if (bta_ag_cb.parse_mode == BTA_AG_PASS_THROUGH) { PORT_SetDataCallback(handle, bta_ag_data_cback_tbl[i]); @@ -274,6 +278,10 @@ void bta_ag_start_servers(tBTA_AG_SCB *p_scb, tBTA_SERVICE_MASK services) { int bta_ag_port_status; + if (bta_ag_scb_to_idx(p_scb) < 1 || bta_ag_scb_to_idx(p_scb) > BTA_AG_NUM_SCB) { + return; + } + services >>= BTA_HSP_SERVICE_ID; for (int i = 0; i < BTA_AG_NUM_IDX && services != 0; i++, services >>= 1) { /* if service is set in mask */ @@ -353,6 +361,12 @@ BOOLEAN bta_ag_is_server_closed (tBTA_AG_SCB *p_scb) *******************************************************************************/ void bta_ag_rfc_do_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) { + if (bta_ag_scb_to_idx(p_scb) < 1 || bta_ag_scb_to_idx(p_scb) > BTA_AG_NUM_SCB) { + APPL_TRACE_ERROR("bta_ag_rfc_do_open: EINVAL idx %u", bta_ag_scb_to_idx(p_scb)); + bta_ag_sm_execute(p_scb, BTA_AG_RFC_CLOSE_EVT, p_data); + return; + } + BTM_SetSecurityLevel(TRUE, "", bta_ag_sec_id[p_scb->conn_service], p_scb->cli_sec_mask, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, p_scb->peer_scn); diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sco.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sco.c index f3bf70e80c..b77b002e14 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sco.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sco.c @@ -199,7 +199,7 @@ static void bta_ag_sco_conn_cback(UINT16 sco_idx) handle = 0; } - if (handle != 0) + if (handle != 0 && p_scb) { BTM_ReadEScoLinkParms(sco_idx, &sco_data); @@ -672,10 +672,13 @@ static void bta_ag_create_sco(tBTA_AG_SCB *p_scb, BOOLEAN is_orig) #if (BTM_SCO_HCI_INCLUDED == TRUE) #if (BTM_WBS_INCLUDED == TRUE) - if (esco_codec == BTA_AG_CODEC_MSBC) - pcm_sample_rate = BTA_HFP_SCO_SAMP_RATE_16K; + if (esco_codec == BTA_AG_CODEC_MSBC) { + pcm_sample_rate = BTA_HFP_SCO_SAMP_RATE_16K; + } else #endif - pcm_sample_rate = BTA_HFP_SCO_SAMP_RATE_8K; + { + pcm_sample_rate = BTA_HFP_SCO_SAMP_RATE_8K; + } sco_route = bta_ag_sco_co_init(pcm_sample_rate, pcm_sample_rate, &codec_info, p_scb->app_id); #endif @@ -786,7 +789,7 @@ void bta_ag_codec_negotiate(tBTA_AG_SCB *p_scb) /* Start timer to handle timeout */ p_scb->cn_timer.p_cback = (TIMER_CBACK*)&bta_ag_cn_timer_cback; - p_scb->cn_timer.param = (INT32)p_scb; + p_scb->cn_timer.param = (UINT32)p_scb; bta_sys_start_timer(&p_scb->cn_timer, 0, BTA_AG_CODEC_NEGO_TIMEOUT); } else @@ -1688,7 +1691,7 @@ void bta_ag_sco_conn_close(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) *******************************************************************************/ void bta_ag_sco_conn_rsp(tBTA_AG_SCB *p_scb, tBTM_ESCO_CONN_REQ_EVT_DATA *p_data) { - tBTM_ESCO_PARAMS resp; + tBTM_ESCO_PARAMS resp = {0}; UINT8 hci_status = HCI_SUCCESS; #if (BTM_SCO_HCI_INCLUDED == TRUE) tBTA_HFP_CODEC_INFO codec_info = {BTA_HFP_SCO_CODEC_PCM}; diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sdp.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sdp.c index 0b02557b08..9864f66390 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sdp.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sdp.c @@ -92,6 +92,10 @@ static void bta_ag_sdp_cback(UINT16 status, UINT8 idx) p_buf->hdr.layer_specific = idx; p_buf->status = status; bta_sys_sendmsg(p_buf); + } else { + APPL_TRACE_ERROR("bta_ag_sdp_cback: ENOMEM"); + bta_ag_free_db(p_scb, NULL); + bta_ag_sm_execute(p_scb, BTA_AG_DISC_FAIL_EVT, NULL); } } } @@ -243,16 +247,13 @@ void bta_ag_del_records(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) UNUSED(p_data); /* get services of all other registered servers */ - for (i = 0; i < BTA_AG_NUM_IDX; i++) { + for (i = 0; i < BTA_AG_NUM_SCB; i++, p++) { if (p_scb == p) { continue; } if (p->in_use && p->dealloc == FALSE) { others |= p->reg_services; } - if (i < BTA_AG_NUM_SCB) { - p++; - } } others >>= BTA_HSP_SERVICE_ID; services = p_scb->reg_services >> BTA_HSP_SERVICE_ID; @@ -414,7 +415,9 @@ void bta_ag_do_disc(tBTA_AG_SCB *p_scb, tBTA_SERVICE_MASK service) if(p_scb->p_disc_db) { /* set up service discovery database; attr happens to be attr_list len */ uuid_list[0].len = LEN_UUID_16; - uuid_list[1].len = LEN_UUID_16; + if (num_uuid >= 2) { + uuid_list[1].len = LEN_UUID_16; + } db_inited = SDP_InitDiscoveryDb(p_scb->p_disc_db, BTA_AG_DISC_BUF_SIZE, num_uuid, uuid_list, num_attr, attr_list); } diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_act.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_act.c index 930f30a57d..680eee6e78 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_act.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_act.c @@ -84,7 +84,9 @@ void bta_hf_client_register(tBTA_HF_CLIENT_DATA *p_data) /* call app callback with register event */ evt.status = BTA_HF_CLIENT_SUCCESS; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_REGISTER_EVT, &evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_REGISTER_EVT, &evt); + } } /******************************************************************************* @@ -177,7 +179,7 @@ void bta_hf_client_start_close(tBTA_HF_CLIENT_DATA *p_data) *******************************************************************************/ void bta_hf_client_start_open(tBTA_HF_CLIENT_DATA *p_data) { - BD_ADDR pending_bd_addr; + BD_ADDR pending_bd_addr = {0}; /* store parameters */ if (p_data) { @@ -229,7 +231,9 @@ static void bta_hf_client_cback_open(tBTA_HF_CLIENT_DATA *p_data, tBTA_HF_CLIENT bdcpy(evt.bd_addr, bta_hf_client_cb.scb.peer_addr); } - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_OPEN_EVT, &evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_OPEN_EVT, &evt); + } } /******************************************************************************* @@ -352,11 +356,19 @@ void bta_hf_client_disc_fail(tBTA_HF_CLIENT_DATA *p_data) { UNUSED(p_data); + bta_hf_client_cb.scb.conn_handle = 0; + bta_hf_client_cb.scb.peer_features = 0; + bta_hf_client_cb.scb.chld_features = 0; + bta_hf_client_cb.scb.role = BTA_HF_CLIENT_ACP; + bta_hf_client_cb.scb.svc_conn = FALSE; + bta_hf_client_cb.scb.send_at_reply = FALSE; + bta_hf_client_cb.scb.negotiated_codec = BTM_SCO_CODEC_CVSD; + + bta_hf_client_at_reset(); + /* reopen server */ bta_hf_client_start_server(); - /* reinitialize stuff */ - /* call open cback w. failure */ bta_hf_client_cback_open(NULL, BTA_HF_CLIENT_FAIL_SDP); } @@ -404,10 +416,13 @@ void bta_hf_client_rfc_close(tBTA_HF_CLIENT_DATA *p_data) bta_sys_conn_close(BTA_ID_HS, 1, bta_hf_client_cb.scb.peer_addr); /* call close cback */ - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CLOSE_EVT, NULL); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CLOSE_EVT, NULL); + } /* if not deregistering reopen server */ if (bta_hf_client_cb.scb.deregister == FALSE) { + bta_sys_sco_unuse(BTA_ID_HS, 1, bta_hf_client_cb.scb.peer_addr); /* Clear peer bd_addr so instance can be reused */ bdcpy(bta_hf_client_cb.scb.peer_addr, bd_addr_null); @@ -418,8 +433,6 @@ void bta_hf_client_rfc_close(tBTA_HF_CLIENT_DATA *p_data) /* Make sure SCO is shutdown */ bta_hf_client_sco_shutdown(NULL); - - bta_sys_sco_unuse(BTA_ID_HS, 1, bta_hf_client_cb.scb.peer_addr); } /* else close port and deallocate scb */ else { @@ -548,7 +561,9 @@ void bta_hf_client_svc_conn_open(tBTA_HF_CLIENT_DATA *p_data) evt.peer_feat = bta_hf_client_cb.scb.peer_features; evt.chld_feat = bta_hf_client_cb.scb.chld_features; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CONN_EVT, &evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CONN_EVT, &evt); + } } } @@ -570,7 +585,9 @@ void bta_hf_client_ind(tBTA_HF_CLIENT_IND_TYPE type, UINT16 value) evt.type = type; evt.value = value; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_IND_EVT, &evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_IND_EVT, &evt); + } } /******************************************************************************* @@ -592,7 +609,9 @@ void bta_hf_client_evt_val(tBTA_HF_CLIENT_EVT type, UINT16 value) evt.value = value; - (*bta_hf_client_cb.p_cback)(type, &evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(type, &evt); + } } /******************************************************************************* @@ -613,7 +632,9 @@ void bta_hf_client_operator_name(char *name) strlcpy(evt->name, name, BTA_HF_CLIENT_OPERATOR_NAME_LEN + 1); evt->name[BTA_HF_CLIENT_OPERATOR_NAME_LEN] = '\0'; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_OPERATOR_NAME_EVT, evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_OPERATOR_NAME_EVT, evt); + } osi_free(evt); } else { APPL_TRACE_ERROR("No mem: %s", __func__); @@ -639,7 +660,9 @@ void bta_hf_client_clip(char *number) strlcpy(evt->number, number, BTA_HF_CLIENT_NUMBER_LEN + 1); evt->number[BTA_HF_CLIENT_NUMBER_LEN] = '\0'; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CLIP_EVT, evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CLIP_EVT, evt); + } osi_free(evt); } else { APPL_TRACE_ERROR("No mem: %s", __func__); @@ -664,8 +687,9 @@ void bta_hf_client_ccwa(char *number) strlcpy(evt->number, number, BTA_HF_CLIENT_NUMBER_LEN + 1); evt->number[BTA_HF_CLIENT_NUMBER_LEN] = '\0'; - - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CCWA_EVT, evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CCWA_EVT, evt); + } osi_free(evt); } else { APPL_TRACE_ERROR("No mem: %s", __func__); @@ -691,7 +715,9 @@ void bta_hf_client_at_result(tBTA_HF_CLIENT_AT_RESULT_TYPE type, UINT16 cme) evt.type = type; evt.cme = cme; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_AT_RESULT_EVT, &evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_AT_RESULT_EVT, &evt); + } } /******************************************************************************* @@ -720,7 +746,9 @@ void bta_hf_client_clcc(UINT32 idx, BOOLEAN incoming, UINT8 status, BOOLEAN mpty evt->number[BTA_HF_CLIENT_NUMBER_LEN] = '\0'; } - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CLCC_EVT, evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CLCC_EVT, evt); + } osi_free(evt); } else { APPL_TRACE_ERROR("No mem, %s\n", __func__); @@ -747,7 +775,9 @@ void bta_hf_client_cnum(char *number, UINT16 service) strlcpy(evt->number, number, BTA_HF_CLIENT_NUMBER_LEN + 1); evt->number[BTA_HF_CLIENT_NUMBER_LEN] = '\0'; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CNUM_EVT, evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CNUM_EVT, evt); + } osi_free(evt); } else { APPL_TRACE_ERROR("No mem, %s", __func__); @@ -772,7 +802,9 @@ void bta_hf_client_binp(char *number) strlcpy(evt->number, number, BTA_HF_CLIENT_NUMBER_LEN + 1); evt->number[BTA_HF_CLIENT_NUMBER_LEN] = '\0'; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_BINP_EVT, evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_BINP_EVT, evt); + } osi_free(evt); } else { APPL_TRACE_ERROR("No mem: %s", __func__); diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_api.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_api.c index 748d62db0f..934ec1be2e 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_api.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_api.c @@ -90,13 +90,16 @@ tBTA_STATUS BTA_HfClientEnable(tBTA_HF_CLIENT_CBACK *p_cback) return BTA_FAILURE; } - /* register with BTA system manager */ - bta_sys_register(BTA_ID_HS, &bta_hf_client_reg); - if ((p_buf = (tBTA_HF_CLIENT_API_ENABLE *) osi_malloc(sizeof(tBTA_HF_CLIENT_API_ENABLE))) != NULL) { + /* register with BTA system manager */ + bta_sys_register(BTA_ID_HS, &bta_hf_client_reg); + p_buf->hdr.event = BTA_HF_CLIENT_API_ENABLE_EVT; p_buf->p_cback = p_cback; bta_sys_sendmsg(p_buf); + } else { + APPL_TRACE_ERROR("BTA_HfClientEnable ENOMEM"); + return BTA_NO_RESOURCES; } return BTA_SUCCESS; @@ -354,8 +357,20 @@ void BTA_HfClientCiData(void) *******************************************************************************/ void BTA_HfClientAudioBuffAlloc(UINT16 size, UINT8 **pp_buff, UINT8 **pp_data) { + BT_HDR *p_buf; + + if (pp_buff != NULL) { + *pp_buff = NULL; + } + if (pp_data != NULL) { + *pp_data = NULL; + } + if (pp_buff == NULL || pp_data == NULL) { + return; + } + /* reserve 1 byte at last, when the size is mSBC frame size (57), then we got a buffer that can hold 60 bytes data */ - BT_HDR *p_buf= (BT_HDR *)osi_calloc(sizeof(BT_HDR) + BTA_HF_CLIENT_BUFF_OFFSET_MIN + BTA_HF_CLIENT_H2_HEADER_LEN + size + 1); + p_buf = (BT_HDR *)osi_calloc(sizeof(BT_HDR) + BTA_HF_CLIENT_BUFF_OFFSET_MIN + BTA_HF_CLIENT_H2_HEADER_LEN + size + 1); if (p_buf != NULL) { /* mSBC offset is large than CVSD, so this is work in CVSD air mode */ p_buf->offset = BTA_HF_CLIENT_BUFF_OFFSET_MIN + BTA_HF_CLIENT_H2_HEADER_LEN; diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_at.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_at.c index bd5bca8658..4b89796e25 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_at.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_at.c @@ -174,6 +174,11 @@ static void bta_hf_client_start_at_resp_timer(void) static void bta_hf_client_send_at(tBTA_HF_CLIENT_AT_CMD cmd, char *buf, UINT16 buf_len) { + if (buf_len > BTA_HF_CLIENT_AT_MAX_LEN) { + APPL_TRACE_ERROR("hf_client_send_at EINVAL buf_len %u", buf_len); + buf_len = BTA_HF_CLIENT_AT_MAX_LEN; + } + if ((bta_hf_client_cb.scb.at_cb.current_cmd == BTA_HF_CLIENT_AT_NONE || bta_hf_client_cb.scb.svc_conn == FALSE) && bta_hf_client_cb.scb.at_cb.hold_timer_on == FALSE) { @@ -202,6 +207,16 @@ static void bta_hf_client_send_at(tBTA_HF_CLIENT_AT_CMD cmd, char *buf, UINT16 b bta_hf_client_queue_at(cmd, buf, buf_len); } +static void bta_hf_client_send_at_nomem_err_print(char *cmd) +{ + APPL_TRACE_ERROR("AT command '%s' no mem", cmd ? cmd : "NULL"); +} + +static void bta_hf_client_send_at_len_err_print(char *cmd, int at_len) +{ + APPL_TRACE_ERROR("AT command '%s' len err: length=%d", cmd ? cmd : "NULL", at_len); +} + static void bta_hf_client_send_queued_at(void) { tBTA_HF_CLIENT_AT_QCMD *cur = bta_hf_client_cb.scb.at_cb.queued_cmd; @@ -406,7 +421,13 @@ static void bta_hf_client_handle_cind_value(UINT32 index, UINT32 value) } /* get the real array index from lookup table */ - index = bta_hf_client_cb.scb.at_cb.indicator_lookup[index]; + { + int lk = bta_hf_client_cb.scb.at_cb.indicator_lookup[index]; + if (lk < 0 || lk >= (int)BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT) { + return; + } + index = (UINT32)lk; + } /* Ignore out of range values */ if (value > bta_hf_client_indicators[index].max || @@ -715,7 +736,7 @@ static char *bta_hf_client_parse_cind_list(char *buffer) osi_free(name); - if (res > 2) { + if (res > 2 && offset > 0) { AT_CHECK_RN(buffer); return buffer; } @@ -1396,7 +1417,7 @@ void bta_hf_client_send_at_brsf(void) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("brsf"); return; } @@ -1404,6 +1425,13 @@ void bta_hf_client_send_at_brsf(void) at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+BRSF=%u\r", bta_hf_client_cb.scb.features); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("brsf", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_BRSF , buf, at_len); osi_free(buf); } @@ -1429,12 +1457,19 @@ void bta_hf_client_send_at_bcs(UINT32 codec) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("bcs"); return; } at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+BCS=%u\r", codec); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("bcs", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_BCS, buf, at_len); osi_free(buf); } @@ -1478,7 +1513,7 @@ void bta_hf_client_send_at_chld(char cmd, UINT32 idx) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("chld"); return; } @@ -1488,6 +1523,13 @@ void bta_hf_client_send_at_chld(char cmd, UINT32 idx) at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+CHLD=%c\r", cmd); } + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("chld", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_CHLD, buf, at_len); osi_free(buf); } @@ -1567,9 +1609,16 @@ void bta_hf_client_send_at_clcc(void) void bta_hf_client_send_at_xapl(char *information, UINT32 features) { - APPL_TRACE_DEBUG("%s(%s, %u)", __FUNCTION__, information, features); + char *buf; + const char *inf = (information != NULL) ? information : ""; - char *buf = osi_malloc(BTA_HF_CLIENT_AT_MAX_LEN); + APPL_TRACE_DEBUG("%s(%s, %u)", __FUNCTION__, inf, features); + + buf = osi_malloc(BTA_HF_CLIENT_AT_MAX_LEN); + if (buf == NULL) { + bta_hf_client_send_at_nomem_err_print("xapl"); + return; + } /* Format: AT+XAPL=vendorID-productID-version,features @@ -1586,7 +1635,8 @@ void bta_hf_client_send_at_xapl(char *information, UINT32 features) *All other values are reserved. */ - snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+XAPL=%s,%u\r", information, features); + snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+XAPL=%.*s,%u\r", + BTA_HF_CLIENT_AT_MAX_LEN - 48, inf, features); bta_hf_client_send_at(BTA_HF_CLIENT_AT_XAPL, buf, strlen(buf)); osi_free(buf); @@ -1597,6 +1647,10 @@ void bta_hf_client_send_at_iphoneaccev(UINT32 bat_level, BOOLEAN docked) APPL_TRACE_DEBUG("%s(%u, %s)", __FUNCTION__, bat_level, docked ? "docked" : "undocked"); char *buf = osi_malloc(BTA_HF_CLIENT_AT_MAX_LEN); + if (buf == NULL) { + bta_hf_client_send_at_nomem_err_print("iphoneaccev"); + return; + } /* Format: AT+IPHONEACCEV=Number of key/value pairs,key1,val1,key2,val2,... @@ -1636,13 +1690,20 @@ void bta_hf_client_send_at_vgs(UINT32 volume) char *buf = osi_malloc(BTA_HF_CLIENT_AT_MAX_LEN); int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("vgs"); return; } APPL_TRACE_DEBUG("%s", __FUNCTION__); at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+VGS=%u\r", volume); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("vgs", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_VGS, buf, at_len); osi_free(buf); } @@ -1653,13 +1714,20 @@ void bta_hf_client_send_at_vgm(UINT32 volume) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("vgm"); return; } APPL_TRACE_DEBUG("%s", __FUNCTION__); at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+VGM=%u\r", volume); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("vgm", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_VGM, buf, at_len); osi_free(buf); } @@ -1670,18 +1738,24 @@ void bta_hf_client_send_at_atd(char *number, UINT32 memory) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("atd"); return; } APPL_TRACE_DEBUG("%s", __FUNCTION__); - if (number[0] != '\0') { - at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "ATD%s;\r", number); + if (number && number[0] != '\0') { + at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "ATD%.*s;\r", + (int)(BTA_HF_CLIENT_AT_MAX_LEN - 8), number); } else { at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "ATD>%u;\r", memory); } - at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("atd", at_len); + osi_free(buf); + return; + } bta_hf_client_send_at(BTA_HF_CLIENT_AT_ATD, buf, at_len); osi_free(buf); @@ -1726,7 +1800,7 @@ void bta_hf_client_send_at_btrh(BOOLEAN query, UINT32 val) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("btrh"); return; } APPL_TRACE_DEBUG("%s", __FUNCTION__); @@ -1737,6 +1811,13 @@ void bta_hf_client_send_at_btrh(BOOLEAN query, UINT32 val) at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+BTRH=%u\r", val); } + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("btrh", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_BTRH, buf, at_len); osi_free(buf); } @@ -1746,13 +1827,20 @@ void bta_hf_client_send_at_vts(char code) char *buf = osi_malloc(BTA_HF_CLIENT_AT_MAX_LEN); int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("vts"); return; } APPL_TRACE_DEBUG("%s", __FUNCTION__); at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+VTS=%c\r", code); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("vts", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_VTS, buf, at_len); osi_free(buf); } @@ -1801,12 +1889,19 @@ void bta_hf_client_send_at_binp(UINT32 action) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("binp"); return; } at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+BINP=%u\r", action); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("binp", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_BINP, buf, at_len); osi_free(buf); } @@ -1825,7 +1920,7 @@ void bta_hf_client_send_at_bia(void) buf = osi_malloc(BTA_HF_CLIENT_AT_MAX_LEN); if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("bia"); return; } at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+BIA="); @@ -1836,9 +1931,15 @@ void bta_hf_client_send_at_bia(void) at_len += snprintf(buf + at_len, BTA_HF_CLIENT_AT_MAX_LEN - at_len, "%d,", sup); } + at_len = (int)strnlen(buf, BTA_HF_CLIENT_AT_MAX_LEN); + if (at_len < 1) { + bta_hf_client_send_at_len_err_print("bia", at_len); + osi_free(buf); + return; + } buf[at_len - 1] = '\r'; - bta_hf_client_send_at(BTA_HF_CLIENT_AT_BIA, buf, at_len); + bta_hf_client_send_at(BTA_HF_CLIENT_AT_BIA, buf, (UINT16)at_len); osi_free(buf); } diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_cmd.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_cmd.c index 08e321d351..b225e738df 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_cmd.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_cmd.c @@ -37,10 +37,14 @@ void bta_hf_client_send_at_cmd(tBTA_HF_CLIENT_DATA *p_data) case BTA_HF_CLIENT_AT_CMD_CHUP: bta_hf_client_send_at_chup(); break; - case BTA_HF_CLIENT_AT_CMD_CHLD: - /* expects ascii code for command */ - bta_hf_client_send_at_chld('0' + p_val->uint32_val1, p_val->uint32_val2); + case BTA_HF_CLIENT_AT_CMD_CHLD: { + UINT32 chld_n = p_val->uint32_val1; + if (chld_n > 9) { + break; + } + bta_hf_client_send_at_chld((char)('0' + chld_n), p_val->uint32_val2); break; + } case BTA_HF_CLIENT_AT_CMD_BCC: bta_hf_client_send_at_bcc(); break; @@ -81,7 +85,7 @@ void bta_hf_client_send_at_cmd(tBTA_HF_CLIENT_DATA *p_data) bta_hf_client_send_at_xapl(p_val->str, p_val->uint32_val1); break; case BTA_HF_CLIENT_AT_CMD_IPHONEACCEV: - bta_hf_client_send_at_iphoneaccev(p_val->uint32_val1, p_val->uint32_val1 == 0 ? FALSE : TRUE); + bta_hf_client_send_at_iphoneaccev(p_val->uint32_val1, p_val->uint32_val2 == 0 ? FALSE : TRUE); break; default: APPL_TRACE_ERROR("Default case, %s", __FUNCTION__); diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_main.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_main.c index b87c4869c3..e72bd2b945 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_main.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_main.c @@ -316,7 +316,9 @@ void bta_hf_client_scb_disable(void) bta_hf_client_scb_init(); - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_DISABLE_EVT, NULL); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_DISABLE_EVT, NULL); + } } /******************************************************************************* @@ -419,6 +421,19 @@ void bta_hf_client_collision_cback (tBTA_SYS_CONN_STATUS status, UINT8 id, *******************************************************************************/ static void bta_hf_client_api_enable(tBTA_HF_CLIENT_DATA *p_data) { + if (bta_hf_client_cb.scb.p_disc_db != NULL) { + (void)SDP_CancelServiceSearch(bta_hf_client_cb.scb.p_disc_db); + bta_hf_client_free_db(NULL); + } + if (bta_hf_client_cb.scb.p_sco_data != NULL) { + osi_free(bta_hf_client_cb.scb.p_sco_data); + bta_hf_client_cb.scb.p_sco_data = NULL; + } + if (bta_hf_client_cb.scb.colli_tmr_on) { + bta_sys_stop_timer(&bta_hf_client_cb.scb.colli_timer); + bta_hf_client_cb.scb.colli_tmr_on = FALSE; + } + /* initialize control block */ memset(&bta_hf_client_cb, 0, sizeof(tBTA_HF_CLIENT_CB)); @@ -501,7 +516,7 @@ BOOLEAN bta_hf_client_hdl_event(BT_HDR *p_msg) break; #if (BTM_SCO_HCI_INCLUDED == TRUE) && (BTA_HFP_EXT_CODEC == TRUE) case BTA_HF_CLIENT_SCO_DATA_SEND_EVT: - free_msg = false; + free_msg = FALSE; /* fall through */ #endif default: diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_rfc.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_rfc.c index b64b623702..2df87de4c5 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_rfc.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_rfc.c @@ -79,7 +79,9 @@ static void bta_hf_client_mgmt_cback(UINT32 code, UINT16 port_handle, void* data code, port_handle, bta_hf_client_cb.scb.conn_handle, bta_hf_client_cb.scb.serv_handle); /* ignore close event for port handles other than connected handle */ - if ((code != PORT_SUCCESS) && (port_handle != bta_hf_client_cb.scb.conn_handle)) { + if ((code != PORT_SUCCESS) && + (port_handle != bta_hf_client_cb.scb.conn_handle) && + (port_handle != bta_hf_client_cb.scb.serv_handle)) { APPL_TRACE_DEBUG("bta_hf_client_mgmt_cback ignoring handle:%d", port_handle); return; } @@ -206,6 +208,7 @@ void bta_hf_client_rfc_do_open(tBTA_HF_CLIENT_DATA *p_data) } /* RFCOMM create connection failed; send ourselves RFCOMM close event */ else { + bta_hf_client_cb.scb.conn_handle = 0; bta_hf_client_sm_execute(BTA_HF_CLIENT_RFC_CLOSE_EVT, p_data); } } diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_sco.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_sco.c index 11437fb92a..e8b40aa15e 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_sco.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_sco.c @@ -229,7 +229,9 @@ void bta_hf_client_cback_sco(UINT8 event) } #endif /* call app cback */ - (*bta_hf_client_cb.p_cback)(event, &audio_stat); + if (bta_hf_client_cb.p_cback != NULL) { + (*bta_hf_client_cb.p_cback)(event, &audio_stat); + } } #if (BTM_SCO_HCI_INCLUDED == TRUE ) @@ -266,7 +268,7 @@ static void bta_hf_client_sco_read_cback (UINT16 sco_idx, BT_HDR *p_data, tBTM_S *******************************************************************************/ static void bta_hf_client_sco_conn_rsp(tBTM_ESCO_CONN_REQ_EVT_DATA *p_data) { - tBTM_ESCO_PARAMS resp; + tBTM_ESCO_PARAMS resp = {0}; UINT8 hci_status = HCI_SUCCESS; UINT8 index = BTA_HF_CLIENT_ESCO_PARAM_IDX_CVSD_S3; #if (BTM_SCO_HCI_INCLUDED == TRUE ) @@ -281,8 +283,8 @@ static void bta_hf_client_sco_conn_rsp(tBTM_ESCO_CONN_REQ_EVT_DATA *p_data) index = BTA_HF_CLIENT_SCO_PARAM_IDX_CVSD; } else { if ((bta_hf_client_cb.scb.negotiated_codec == BTM_SCO_CODEC_CVSD) && - (bta_hf_client_cb.scb.features && BTA_HF_CLIENT_FEAT_ESCO_S4) && - (bta_hf_client_cb.scb.peer_features && BTA_HF_CLIENT_PEER_ESCO_S4)) { + (bta_hf_client_cb.scb.features & BTA_HF_CLIENT_FEAT_ESCO_S4) && + (bta_hf_client_cb.scb.peer_features & BTA_HF_CLIENT_PEER_ESCO_S4)) { index = BTA_HF_CLIENT_ESCO_PARAM_IDX_CVSD_S4; #if BT_HF_CLIENT_BQB_INCLUDED if (s_bta_hf_client_bqb_esco_s1_flag == true) { @@ -380,7 +382,7 @@ static void bta_hf_client_write_sco_data(BT_HDR *p_buf1, BT_HDR *p_buf2) ** Returns void ** *******************************************************************************/ -static void bta_hf_client_sco_data_send_cvsd(BT_HDR *p_buf, UINT8 out_pkt_len) +static void bta_hf_client_sco_data_send_cvsd(BT_HDR *p_buf, UINT16 out_pkt_len) { if (bta_hf_client_cb.scb.p_sco_data != NULL) { /* the remaining data of last sending operation */ @@ -468,7 +470,7 @@ static void bta_hf_client_sco_data_send_cvsd(BT_HDR *p_buf, UINT8 out_pkt_len) ** Returns void ** *******************************************************************************/ -static void bta_hf_client_sco_data_send_msbc(BT_HDR *p_buf, UINT8 out_pkt_len) +static void bta_hf_client_sco_data_send_msbc(BT_HDR *p_buf, UINT16 out_pkt_len) { if (p_buf->len == BTA_HF_CLIENT_MSBC_FRAME_SIZE && p_buf->offset >= BTA_HF_CLIENT_BUFF_OFFSET_MIN + BTA_HF_CLIENT_H2_HEADER_LEN) { /* add H2 header */ @@ -592,7 +594,7 @@ void bta_hf_client_sco_data_send(tBTA_HF_CLIENT_DATA *p_data) return; } - UINT8 out_pkt_len = bta_hf_client_cb.scb.out_pkt_len; + UINT16 out_pkt_len = bta_hf_client_cb.scb.out_pkt_len; UINT8 air_mode = bta_hf_client_cb.scb.air_mode; switch (air_mode) @@ -768,8 +770,8 @@ static void bta_hf_client_sco_create(BOOLEAN is_orig) } if (bta_hf_client_cb.scb.negotiated_codec == BTM_SCO_CODEC_CVSD) { - if ((bta_hf_client_cb.scb.features && BTA_HF_CLIENT_FEAT_ESCO_S4) && - (bta_hf_client_cb.scb.peer_features && BTA_HF_CLIENT_PEER_ESCO_S4)) { + if ((bta_hf_client_cb.scb.features & BTA_HF_CLIENT_FEAT_ESCO_S4) && + (bta_hf_client_cb.scb.peer_features & BTA_HF_CLIENT_PEER_ESCO_S4)) { index = BTA_HF_CLIENT_ESCO_PARAM_IDX_CVSD_S4; } } else if (bta_hf_client_cb.scb.negotiated_codec == BTM_SCO_CODEC_MSBC) { diff --git a/components/bt/host/bluedroid/bta/pba/bta_pba_client_act.c b/components/bt/host/bluedroid/bta/pba/bta_pba_client_act.c index 7ed5aaa8fc..7786a610e4 100644 --- a/components/bt/host/bluedroid/bta/pba/bta_pba_client_act.c +++ b/components/bt/host/bluedroid/bta/pba/bta_pba_client_act.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -47,10 +47,11 @@ static void close_goepc_and_report(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_E conn.handle = p_ccb->allocated; conn.error = reason; bdcpy(conn.bd_addr, p_ccb->bd_addr); - bta_pba_client_cb.p_cback(BTA_PBA_CLIENT_CONN_CLOSE_EVT, (tBTA_PBA_CLIENT *)&conn); /* free ccb */ free_ccb(p_ccb); + + bta_pba_client_cb.p_cback(BTA_PBA_CLIENT_CONN_CLOSE_EVT, (tBTA_PBA_CLIENT *)&conn); } static void build_and_send_empty_get_req(tBTA_PBA_CLIENT_CCB *p_ccb) @@ -280,8 +281,10 @@ void bta_pba_client_api_req(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA *p_ ret |= GOEPC_RequestAddHeader(p_ccb->goep_handle, OBEX_HEADER_ID_NAME, NULL, 0); } else { - UINT8 *utf16_name = osi_malloc(2 * name_len); - assert(utf16_name != NULL); + UINT8 *utf16_name = (UINT8 *)osi_malloc(2 * name_len); + if (utf16_name == NULL) { + goto error; + } ascii_to_utf16((UINT8 *)p_data->api_req.name, name_len, utf16_name); ret |= GOEPC_RequestAddHeader(p_ccb->goep_handle, OBEX_HEADER_ID_NAME, utf16_name, 2 * name_len); osi_free(utf16_name); @@ -308,6 +311,7 @@ void bta_pba_client_api_req(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA *p_ if (p_data->api_req.app_param) { ret |= GOEPC_RequestAddHeader(p_ccb->goep_handle, OBEX_HEADER_ID_APP_PARAM, p_data->api_req.app_param, p_data->api_req.app_param_len); osi_free(p_data->api_req.app_param); + p_data->api_req.app_param = NULL; } ret |= GOEPC_SendRequest(p_ccb->goep_handle); @@ -320,9 +324,11 @@ void bta_pba_client_api_req(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA *p_ error: if (p_data->api_req.name) { osi_free(p_data->api_req.name); + p_data->api_req.name = NULL; } if (p_data->api_req.app_param) { osi_free(p_data->api_req.app_param); + p_data->api_req.app_param = NULL; } close_goepc_and_report(p_ccb, BTA_PBA_CLIENT_GOEP_ERROR); } @@ -335,32 +341,35 @@ static void goep_event_callback(UINT16 handle, UINT8 event, tGOEPC_MSG *p_msg) { case GOEPC_OPENED_EVT: p_data = (tBTA_PBA_CLIENT_DATA *)osi_malloc(sizeof(tBTA_PBA_CLIENT_DATA)); - assert(p_data != NULL); - p_data->goep_connect.hdr.event = BTA_PBA_CLIENT_GOEP_CONNECT_EVT; - p_data->goep_connect.hdr.layer_specific = handle; - p_data->goep_connect.our_mtu = p_msg->opened.our_mtu; - p_data->goep_connect.peer_mtu = p_msg->opened.peer_mtu; + if (p_data) { + p_data->goep_connect.hdr.event = BTA_PBA_CLIENT_GOEP_CONNECT_EVT; + p_data->goep_connect.hdr.layer_specific = handle; + p_data->goep_connect.our_mtu = p_msg->opened.our_mtu; + p_data->goep_connect.peer_mtu = p_msg->opened.peer_mtu; + } break; case GOEPC_CLOSED_EVT: p_data = (tBTA_PBA_CLIENT_DATA *)osi_malloc(sizeof(tBTA_PBA_CLIENT_DATA)); - assert(p_data != NULL); - p_data->goep_disconnect.hdr.event = BTA_PBA_CLIENT_GOEP_DISCONNECT_EVT; - p_data->goep_disconnect.hdr.layer_specific = handle; - p_data->goep_disconnect.reason = p_msg->closed.reason; + if (p_data) { + p_data->goep_disconnect.hdr.event = BTA_PBA_CLIENT_GOEP_DISCONNECT_EVT; + p_data->goep_disconnect.hdr.layer_specific = handle; + p_data->goep_disconnect.reason = p_msg->closed.reason; + } break; case GOEPC_RESPONSE_EVT: p_data = (tBTA_PBA_CLIENT_DATA *)osi_malloc(sizeof(tBTA_PBA_CLIENT_DATA)); - assert(p_data != NULL); - p_data->goep_response.hdr.layer_specific = handle; - p_data->goep_response.pkt = p_msg->response.pkt; - p_data->goep_response.opcode = p_msg->response.opcode; - p_data->goep_response.srm_en = p_msg->response.srm_en; - p_data->goep_response.srm_wait = p_msg->response.srm_wait; - if (p_msg->response.final) { - p_data->goep_response.hdr.event = BTA_PBA_CLIENT_RESPONSE_FINAL_EVT; - } - else { - p_data->hdr.event = BTA_PBA_CLIENT_RESPONSE_EVT; + if (p_data) { + p_data->goep_response.hdr.layer_specific = handle; + p_data->goep_response.pkt = p_msg->response.pkt; + p_data->goep_response.opcode = p_msg->response.opcode; + p_data->goep_response.srm_en = p_msg->response.srm_en; + p_data->goep_response.srm_wait = p_msg->response.srm_wait; + if (p_msg->response.final) { + p_data->goep_response.hdr.event = BTA_PBA_CLIENT_RESPONSE_FINAL_EVT; + } + else { + p_data->goep_response.hdr.event = BTA_PBA_CLIENT_RESPONSE_EVT; + } } break; case GOEPC_MTU_CHANGED_EVT: @@ -419,10 +428,10 @@ void bta_pba_client_do_connect(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA conn.handle = 0; conn.error = reason; bdcpy(conn.bd_addr, p_ccb->bd_addr); - bta_pba_client_cb.p_cback(BTA_PBA_CLIENT_CONN_CLOSE_EVT, (tBTA_PBA_CLIENT *)&conn); - /* free ccb */ free_ccb(p_ccb); + + bta_pba_client_cb.p_cback(BTA_PBA_CLIENT_CONN_CLOSE_EVT, (tBTA_PBA_CLIENT *)&conn); } void bta_pba_client_authenticate(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA *p_data) @@ -467,22 +476,36 @@ void bta_pba_client_response(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA *p { case OBEX_HEADER_ID_BODY: case OBEX_HEADER_ID_END_OF_BODY: + { + UINT16 hi_len = OBEX_GetHeaderLength(header); + if (hi_len < 3) { + reason = BTA_PBA_CLIENT_BAD_REQUEST; + goto error; + } if (body_data == NULL) { /* first body header */ body_data = header + 3; /* skip opcode, length */ - body_data_len = OBEX_GetHeaderLength(header) - 3; + body_data_len = hi_len - 3; } else { /* another body header found */ report_data_event(p_ccb, body_data, body_data_len, NULL, 0, FALSE, NULL); body_data = header + 3; /* skip opcode, length */ - body_data_len = OBEX_GetHeaderLength(header) - 3; + body_data_len = hi_len - 3; } break; + } case OBEX_HEADER_ID_APP_PARAM: + { + UINT16 hi_len = OBEX_GetHeaderLength(header); + if (hi_len < 3) { + reason = BTA_PBA_CLIENT_BAD_REQUEST; + goto error; + } app_param = header + 3; - app_param_len = OBEX_GetHeaderLength(header) - 3; + app_param_len = hi_len - 3; break; + } default: break; } @@ -544,7 +567,10 @@ void bta_pba_client_response_final(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_D } BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR)); - assert(p_buf != NULL); + if (p_buf == NULL) { + APPL_TRACE_ERROR("pba_client_response_final: ENOMEM"); + goto error; + } p_buf->event = BTA_PBA_CLIENT_CONNECT_EVT; p_buf->layer_specific = p_ccb->allocated; bta_sys_sendmsg(p_buf); @@ -580,22 +606,36 @@ void bta_pba_client_response_final(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_D /* actually, BODY should not in this final response */ case OBEX_HEADER_ID_BODY: case OBEX_HEADER_ID_END_OF_BODY: + { + UINT16 hi_len = OBEX_GetHeaderLength(header); + if (hi_len < 3) { + reason = BTA_PBA_CLIENT_BAD_REQUEST; + goto error; + } if (body_data == NULL) { /* first body header */ body_data = header + 3; /* skip opcode, length */ - body_data_len = OBEX_GetHeaderLength(header) - 3; + body_data_len = hi_len - 3; } else { /* another body header found */ report_data_event(p_ccb, body_data, body_data_len, NULL, 0, FALSE, NULL); body_data = header + 3; /* skip opcode, length */ - body_data_len = OBEX_GetHeaderLength(header) - 3; + body_data_len = hi_len - 3; } break; + } case OBEX_HEADER_ID_APP_PARAM: + { + UINT16 hi_len = OBEX_GetHeaderLength(header); + if (hi_len < 3) { + reason = BTA_PBA_CLIENT_BAD_REQUEST; + goto error; + } app_param = header + 3; - app_param_len = OBEX_GetHeaderLength(header) - 3; + app_param_len = hi_len - 3; break; + } default: break; } @@ -606,6 +646,8 @@ void bta_pba_client_response_final(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_D /* done, return */ return; } + report_data_event(p_ccb, NULL, 0, NULL, 0, TRUE, p_data->goep_response.pkt); + return; } /* unexpected response code or body data not found */ reason = calculate_response_error(info.response_code); @@ -687,8 +729,8 @@ void bta_pba_client_goep_disconnect(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_ conn.handle = p_ccb->allocated; bdcpy(conn.bd_addr, p_ccb->bd_addr); conn.error = BTA_PBA_CLIENT_GOEP_ERROR; - bta_pba_client_cb.p_cback(BTA_PBA_CLIENT_CONN_CLOSE_EVT, (tBTA_PBA_CLIENT *)&conn); free_ccb(p_ccb); + bta_pba_client_cb.p_cback(BTA_PBA_CLIENT_CONN_CLOSE_EVT, (tBTA_PBA_CLIENT *)&conn); } void bta_pba_client_free_response(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA *p_data) diff --git a/components/bt/host/bluedroid/bta/pba/bta_pba_client_main.c b/components/bt/host/bluedroid/bta/pba/bta_pba_client_main.c index 81c389bb3e..e6e7ba1de4 100644 --- a/components/bt/host/bluedroid/bta/pba/bta_pba_client_main.c +++ b/components/bt/host/bluedroid/bta/pba/bta_pba_client_main.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -176,6 +176,7 @@ static tBTA_PBA_CLIENT_CCB *find_ccb_by_handle(UINT16 handle) for (int i = 0; i < PBA_CLIENT_MAX_CONNECTION; ++i) { if (bta_pba_client_cb.ccb[i].allocated != 0 && bta_pba_client_cb.ccb[i].allocated == handle) { p_ccb = &bta_pba_client_cb.ccb[i]; + break; } } return p_ccb; @@ -187,6 +188,7 @@ static tBTA_PBA_CLIENT_CCB *find_ccb_by_goep_handle(UINT16 goep_handle) for (int i = 0; i < PBA_CLIENT_MAX_CONNECTION; ++i) { if (bta_pba_client_cb.ccb[i].allocated != 0 && bta_pba_client_cb.ccb[i].goep_handle == goep_handle) { p_ccb = &bta_pba_client_cb.ccb[i]; + break; } } return p_ccb; @@ -198,6 +200,7 @@ static tBTA_PBA_CLIENT_CCB *find_ccb_by_bd_addr(BD_ADDR bd_addr) for (int i = 0; i < PBA_CLIENT_MAX_CONNECTION; ++i) { if (bta_pba_client_cb.ccb[i].allocated != 0 && bdcmp(bta_pba_client_cb.ccb[i].bd_addr, bd_addr) == 0) { p_ccb = &bta_pba_client_cb.ccb[i]; + break; } } return p_ccb; diff --git a/components/bt/host/bluedroid/bta/pba/bta_pba_client_sdp.c b/components/bt/host/bluedroid/bta/pba/bta_pba_client_sdp.c index 030ddad66c..a65dc9a8ac 100644 --- a/components/bt/host/bluedroid/bta/pba/bta_pba_client_sdp.c +++ b/components/bt/host/bluedroid/bta/pba/bta_pba_client_sdp.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -35,6 +35,11 @@ static void bta_pba_client_sdp_cback(UINT16 status, void *user_data) APPL_TRACE_DEBUG("bta_pba_client_sdp_cback status:0x%x", status); + if (p_ccb == NULL || p_ccb->allocated == 0) { + APPL_TRACE_ERROR("bta_pba_client_sdp_cback EINVAL CCB"); + return; + } + if ((p_buf = (tBTA_PBA_CLIENT_DISC_RESULT *) osi_malloc(sizeof(tBTA_PBA_CLIENT_DISC_RESULT))) != NULL) { p_buf->hdr.event = BTA_PBA_CLIENT_DISC_RES_EVT; p_buf->hdr.layer_specific = p_ccb->allocated; @@ -141,6 +146,8 @@ BOOLEAN bta_pba_client_sdp_find_attr(tBTA_PBA_CLIENT_CCB *p_ccb) tSDP_PROTOCOL_ELEM pe; BOOLEAN result = FALSE; + p_ccb->peer_version = 0; + /* loop through all records we found */ while (TRUE) { /* get next record; if none found, we're done */ @@ -260,7 +267,7 @@ BOOLEAN bta_pba_client_do_disc(tBTA_PBA_CLIENT_CCB *p_ccb) /******************************************************************************* ** -** Function bta_hf_client_free_db +** Function bta_pba_client_free_db ** ** Description Free discovery database. ** diff --git a/components/bt/host/bluedroid/btc/profile/std/hf_ag/bta_ag_co.c b/components/bt/host/bluedroid/btc/profile/std/hf_ag/bta_ag_co.c index a604136dc6..3a0d8f465a 100644 --- a/components/bt/host/bluedroid/btc/profile/std/hf_ag/bta_ag_co.c +++ b/components/bt/host/bluedroid/btc/profile/std/hf_ag/bta_ag_co.c @@ -70,7 +70,10 @@ static bta_hf_ct_plc_t *bta_hf_ct_plc_ptr; #define BTA_HF_H2_HEADER_SN1_BIT_OFFSET1 14 #define BTA_HF_H2_HEADER_SN1_BIT_OFFSET2 15 -#define BTA_HF_H2_HEADER_SYNC_WORD_CHECK(p) ((*((uint16_t *)p) & BTA_HF_H2_HEADER_SYNC_WORD_MASK) == BTA_HF_H2_HEADER_SYNC_WORD) +#define BTA_HF_H2_HEADER_SYNC_WORD_CHECK(p) \ + ((((UINT16)(((UINT8 *)(p))[0])) | (((UINT16)(((UINT8 *)(p))[1])) << 8)) & \ + BTA_HF_H2_HEADER_SYNC_WORD_MASK) == \ + BTA_HF_H2_HEADER_SYNC_WORD) /* BTA-AG-CO control block to map bdaddr to BTA handle */ typedef struct @@ -154,7 +157,7 @@ void bta_ag_ci_rx_write(UINT16 handle, char *p_data, UINT16 len) p_buf->hdr.event = BTA_AG_CI_RX_WRITE_EVT; p_buf->hdr.layer_specific = handle; p_data_area = (char *)(p_buf+1); /* Point to data area after header */ - strncpy(p_data_area, p_data, len); + memcpy(p_data_area, p_data, len); p_data_area[len] = 0; bta_sys_sendmsg(p_buf); } else { @@ -309,6 +312,7 @@ static void bta_ag_decode_msbc_frame(UINT8 **data, UINT8 *length, BOOLEAN is_bad { bta_hf_ct_plc.first_good_frame_found = TRUE; sbc_plc_good_frame(&(bta_hf_ct_plc.plc_state), (int16_t *)bta_ag_co_cb.decode_raw_data, bta_hf_ct_plc.sbc_plc_out); + break; } case OI_CODEC_SBC_NOT_ENOUGH_HEADER_DATA: @@ -581,10 +585,16 @@ uint32_t bta_ag_sco_co_out_data(UINT8 *p_buf) void bta_ag_sco_co_in_data(BT_HDR *p_buf, tBTM_SCO_DATA_FLAG status) { UINT8 *p = (UINT8 *)(p_buf + 1) + p_buf->offset; + UINT8 * const data_end = p + p_buf->len; UINT8 pkt_size = 0; STREAM_SKIP_UINT16(p); STREAM_TO_UINT8(pkt_size, p); + UINT16 rem = (data_end > p) ? (UINT16)(data_end - p) : 0; + if (pkt_size > rem) { + pkt_size = (UINT8)rem; + } + #if (BTC_HFP_EXT_CODEC == TRUE) if (hf_air_mode == BTM_SCO_AIR_MODE_CVSD) { btc_hf_audio_data_cb_to_app((uint8_t *)p_buf, (uint8_t *)p, pkt_size, status != BTM_SCO_DATA_CORRECT); @@ -605,21 +615,29 @@ void bta_ag_sco_co_in_data(BT_HDR *p_buf, tBTM_SCO_DATA_FLAG status) osi_free(p_buf); } else { BT_HDR *p_new_buf = osi_calloc(sizeof(BT_HDR) + BTM_MSBC_FRAME_SIZE); - p_new_buf->offset = 0; - UINT8 *p_data = (UINT8 *)(p_new_buf + 1) + p_new_buf->offset; - memcpy(p_data, bta_ag_co_cb.rx_half_msbc_data, BTM_MSBC_FRAME_SIZE / 2); - memcpy(p_data + BTM_MSBC_FRAME_SIZE / 2, p, pkt_size); - osi_free(p_buf); - if (BTA_HF_H2_HEADER_SYNC_WORD_CHECK(p_data)) { - /* H2 header sync word found, skip */ - p_data += 2; + if (p_new_buf == NULL) { + APPL_TRACE_ERROR("bta_ag_sco_co_in_data ENOMEM"); + osi_free(p_buf); + } else { + p_new_buf->offset = 0; + UINT8 *p_data = (UINT8 *)(p_new_buf + 1) + p_new_buf->offset; + UINT16 data_len = BTM_MSBC_FRAME_SIZE; + memcpy(p_data, bta_ag_co_cb.rx_half_msbc_data, BTM_MSBC_FRAME_SIZE / 2); + memcpy(p_data + BTM_MSBC_FRAME_SIZE / 2, p, pkt_size); + osi_free(p_buf); + if (BTA_HF_H2_HEADER_SYNC_WORD_CHECK(p_data)) { + /* H2 header sync word found, skip */ + p_data += 2; + data_len -= 2; + } else if (!bta_ag_co_cb.is_bad_frame) { + /* not a bad frame, assume as H1 header */ + p_data += 1; + data_len -= 1; + } + btc_hf_audio_data_cb_to_app((uint8_t *)p_new_buf, (uint8_t *)p_data, data_len, + bta_ag_co_cb.is_bad_frame); + bta_ag_co_cb.is_bad_frame = FALSE; } - else if (!bta_ag_co_cb.is_bad_frame){ - /* not a bad frame, assume as H1 header */ - p_data += 1; - } - btc_hf_audio_data_cb_to_app((uint8_t *)p_new_buf, (uint8_t *)p_data, BTM_MSBC_FRAME_SIZE, bta_ag_co_cb.is_bad_frame); - bta_ag_co_cb.is_bad_frame = false; } bta_ag_co_cb.rx_first_pkt = !bta_ag_co_cb.rx_first_pkt; } @@ -627,21 +645,28 @@ void bta_ag_sco_co_in_data(BT_HDR *p_buf, tBTM_SCO_DATA_FLAG status) if (pkt_size > BTM_MSBC_FRAME_SIZE) { pkt_size = BTM_MSBC_FRAME_SIZE; } + UINT16 data_len = pkt_size; if (BTA_HF_H2_HEADER_SYNC_WORD_CHECK(p)) { /* H2 header sync word found, skip */ p += 2; + data_len -= 2; } else if (!bta_ag_co_cb.is_bad_frame){ /* not a bad frame, assume as H1 header */ p += 1; + data_len -= 1; } - btc_hf_audio_data_cb_to_app((uint8_t *)p_buf, (uint8_t *)p, pkt_size, bta_ag_co_cb.is_bad_frame); + btc_hf_audio_data_cb_to_app((uint8_t *)p_buf, (uint8_t *)p, data_len, bta_ag_co_cb.is_bad_frame); bta_ag_co_cb.is_bad_frame = false; } else { osi_free(p_buf); } } + else { + APPL_TRACE_ERROR("bta_ag_sco_co_in_data EINVAL air mode: %d", hf_air_mode); + osi_free(p_buf); + } #else if (hf_air_mode == BTM_SCO_AIR_MODE_CVSD) { // CVSD diff --git a/components/bt/host/bluedroid/btc/profile/std/hf_ag/btc_hf_ag.c b/components/bt/host/bluedroid/btc/profile/std/hf_ag/btc_hf_ag.c index b0482b2f07..1bea764c4b 100644 --- a/components/bt/host/bluedroid/btc/profile/std/hf_ag/btc_hf_ag.c +++ b/components/bt/host/bluedroid/btc/profile/std/hf_ag/btc_hf_ag.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -598,7 +598,7 @@ static bt_status_t btc_hf_cind_response(bt_bdaddr_t *bd_addr, if (is_connected(idx, bd_addr)) { tBTA_AG_RES_DATA ag_res; memset(&ag_res, 0, sizeof (ag_res)); - sprintf(ag_res.str, "%d,%d,%d,%d,%d,%d,%d", + snprintf(ag_res.str, sizeof(ag_res.str), "%d,%d,%d,%d,%d,%d,%d", call_status, /* Call state*/ call_setup_status, /* Callsetup state */ ntk_state, /* network service */ @@ -623,7 +623,7 @@ static bt_status_t btc_hf_cops_response(bt_bdaddr_t *bd_addr, const char *name) tBTA_AG_RES_DATA ag_res; memset (&ag_res, 0, sizeof (ag_res)); /* Format the response */ - sprintf(ag_res.str, "0,0,\"%s\"", name); + snprintf(ag_res.str, sizeof(ag_res.str), "0,0,\"%s\"", name); ag_res.ok_flag = BTA_AG_OK_DONE; BTA_AgResult(hf_local_param.btc_hf_cb[idx].handle, BTA_AG_COPS_RES, &ag_res); return BT_STATUS_SUCCESS; @@ -648,12 +648,12 @@ static bt_status_t btc_hf_clcc_response(bt_bdaddr_t *bd_addr, int index, esp_hf_ } else { BTC_TRACE_EVENT("clcc_response: [%d] dir: %d current_call_state: %d mode: %d number: %s type: %d", index, dir, current_call_state, mode, number, type); - int loc = sprintf (ag_res.str, "%d,%d,%d,%d,%d", index, dir, current_call_state, mode, mpty); - if (number) { + int loc = snprintf(ag_res.str, sizeof(ag_res.str), "%d,%d,%d,%d,%d", index, dir, current_call_state, mode, mpty); + if (number && loc >= 0 && (size_t)loc < sizeof(ag_res.str)) { if ((type == ESP_HF_CALL_ADDR_TYPE_INTERNATIONAL) && (*number != '+')) { - sprintf(&ag_res.str[loc], ",\"+%s\",%d", number, type); + snprintf(ag_res.str + loc, sizeof(ag_res.str) - (size_t)loc, ",\"+%s\",%d", number, type); } else { - sprintf(&ag_res.str[loc], ",\"%s\",%d", number, type); + snprintf(ag_res.str + loc, sizeof(ag_res.str) - (size_t)loc, ",\"%s\",%d", number, type); } } } @@ -674,9 +674,9 @@ static bt_status_t btc_hf_cnum_response(bt_bdaddr_t *bd_addr, const char *number memset(&ag_res, 0, sizeof (ag_res)); BTC_TRACE_EVENT("cnum_response: number = %s, number type = %d, service type = %d", number, number_type, service_type); if (service_type) { - sprintf(ag_res.str, ",\"%s\",%d,,%d",number, number_type, service_type); + snprintf(ag_res.str, sizeof(ag_res.str), ",\"%s\",%d,,%d", number, number_type, service_type); } else { - sprintf(ag_res.str, ",\"%s\",%d,,",number, number_type); + snprintf(ag_res.str, sizeof(ag_res.str), ",\"%s\",%d,,", number, number_type); } ag_res.ok_flag = BTA_AG_OK_DONE; BTA_AgResult(hf_local_param.btc_hf_cb[idx].handle, BTA_AG_CNUM_RES, &ag_res); @@ -835,13 +835,13 @@ static bt_status_t btc_hf_phone_state_update(bt_bdaddr_t *bd_addr,int num_active if (number) { int loc = 0; if ((type == ESP_HF_CALL_ADDR_TYPE_INTERNATIONAL) && (*number != '+')) { - loc = sprintf (ag_res.str, "\"+%s\"", number); + loc = snprintf(ag_res.str, sizeof(ag_res.str), "\"+%s\"", number); } else { - loc = sprintf (ag_res.str, "\"%s\"", number); + loc = snprintf(ag_res.str, sizeof(ag_res.str), "\"%s\"", number); } ag_res.num = type; - if (res == BTA_AG_CALL_WAIT_RES) { - sprintf(&ag_res.str[loc], ",%d", type); + if (res == BTA_AG_CALL_WAIT_RES && loc >= 0 && (size_t)loc < sizeof(ag_res.str)) { + snprintf(ag_res.str + loc, sizeof(ag_res.str) - (size_t)loc, ",%d", type); } } break; @@ -1585,9 +1585,11 @@ void btc_hf_cb_handler(btc_msg_t *msg) memcpy(param.out_call.remote_addr, &hf_local_param.btc_hf_cb[idx].connected_bda,sizeof(esp_bd_addr_t)); param.out_call.type = p_data->val.value; param.out_call.num_or_loc = osi_malloc((strlen(p_data->val.str) + 1) * sizeof(char)); - sprintf(param.out_call.num_or_loc, "%s", p_data->val.str); - btc_hf_cb_to_app(ESP_HF_DIAL_EVT, ¶m); - osi_free(param.out_call.num_or_loc); + if (param.out_call.num_or_loc) { + snprintf(param.out_call.num_or_loc, strlen(p_data->val.str) + 1, "%s", p_data->val.str); + btc_hf_cb_to_app(ESP_HF_DIAL_EVT, ¶m); + osi_free(param.out_call.num_or_loc); + } } else if (event == BTA_AG_AT_BLDN_EVT) { //dial_last memcpy(param.out_call.remote_addr, &hf_local_param.btc_hf_cb[idx].connected_bda,sizeof(esp_bd_addr_t)); param.out_call.num_or_loc = NULL; diff --git a/components/bt/host/bluedroid/btc/profile/std/hf_client/bta_hf_client_co.c b/components/bt/host/bluedroid/btc/profile/std/hf_client/bta_hf_client_co.c index c785c73907..3f37a3ae07 100644 --- a/components/bt/host/bluedroid/btc/profile/std/hf_client/bta_hf_client_co.c +++ b/components/bt/host/bluedroid/btc/profile/std/hf_client/bta_hf_client_co.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -30,7 +30,10 @@ #define BTA_HF_H2_HEADER_SN1_BIT_OFFSET1 14 #define BTA_HF_H2_HEADER_SN1_BIT_OFFSET2 15 -#define BTA_HF_H2_HEADER_SYNC_WORD_CHECK(p) ((*((uint16_t *)p) & BTA_HF_H2_HEADER_SYNC_WORD_MASK) == BTA_HF_H2_HEADER_SYNC_WORD) +#define BTA_HF_H2_HEADER_SYNC_WORD_CHECK(p) \ + ((((UINT16)(((UINT8 *)(p))[0])) | (((UINT16)(((UINT8 *)(p))[1])) << 8)) & \ + BTA_HF_H2_HEADER_SYNC_WORD_MASK) == \ + BTA_HF_H2_HEADER_SYNC_WORD) #if (PLC_INCLUDED == TRUE) #include "sbc_plc.h" @@ -230,7 +233,7 @@ void bta_hf_client_sco_co_open(UINT16 handle, UINT8 air_mode, UINT8 inout_pkt_si #if (PLC_INCLUDED == TRUE) bta_hf_ct_plc_ptr = (bta_hf_ct_plc_t *)osi_calloc(sizeof(bta_hf_ct_plc_t)); - if (!bta_hf_ct_plc_ptr) { + if (!bta_hf_ct_plc_ptr) { APPL_TRACE_ERROR("%s malloc fail.", __FUNCTION__); goto error_exit; } @@ -287,12 +290,16 @@ void bta_hf_client_sco_co_close(void) if (hf_air_mode == BTM_SCO_AIR_MODE_TRANSPNT) { #if (PLC_INCLUDED == TRUE) +#if (HFP_DYNAMIC_MEMORY == TRUE) + if (bta_hf_ct_plc_ptr != NULL) { + sbc_plc_deinit(&(bta_hf_ct_plc.plc_state)); + bta_hf_ct_plc.first_good_frame_found = FALSE; + osi_free(bta_hf_ct_plc_ptr); + bta_hf_ct_plc_ptr = NULL; + } +#else sbc_plc_deinit(&(bta_hf_ct_plc.plc_state)); bta_hf_ct_plc.first_good_frame_found = FALSE; - -#if (HFP_DYNAMIC_MEMORY == TRUE) - osi_free(bta_hf_ct_plc_ptr); - bta_hf_ct_plc_ptr = NULL; #endif /// (HFP_DYNAMIC_MEMORY == TRUE) #endif ///(PLC_INCLUDED == TRUE) @@ -430,6 +437,7 @@ static void bta_hf_client_decode_msbc_frame(UINT8 **data, UINT8 *length, BOOLEAN case OI_OK: bta_hf_ct_plc.first_good_frame_found = TRUE; sbc_plc_good_frame(&(bta_hf_ct_plc.plc_state), (int16_t *)bta_hf_client_co_cb.decode_raw_data, bta_hf_ct_plc.sbc_plc_out); + break; case OI_CODEC_SBC_NOT_ENOUGH_HEADER_DATA: case OI_CODEC_SBC_NOT_ENOUGH_BODY_DATA: case OI_CODEC_SBC_NOT_ENOUGH_AUDIO_DATA: @@ -463,11 +471,11 @@ static void bta_hf_client_decode_msbc_frame(UINT8 **data, UINT8 *length, BOOLEAN APPL_TRACE_ERROR("Frame decode error: %d", status); break; } -#endif ///(PLC_INCLUDED == TRUE) - if (OI_SUCCESS(status)){ + if (OI_SUCCESS(status)) { btc_hf_client_incoming_data_cb_to_app((const uint8_t *)(bta_hf_ct_plc.sbc_plc_out), sbc_raw_data_size); } +#endif ///(PLC_INCLUDED == TRUE) } #endif diff --git a/components/bt/host/bluedroid/btc/profile/std/hf_client/btc_hf_client.c b/components/bt/host/bluedroid/btc/profile/std/hf_client/btc_hf_client.c index cac3afb5e0..b4813c1633 100644 --- a/components/bt/host/bluedroid/btc/profile/std/hf_client/btc_hf_client.c +++ b/components/bt/host/bluedroid/btc/profile/std/hf_client/btc_hf_client.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -14,7 +14,6 @@ #include #include #include -#include #include "common/bt_defs.h" #include "device/bdaddr.h" #include "btc/btc_dm.h" @@ -537,6 +536,8 @@ static bt_status_t btc_hf_client_send_chld_cmd(esp_hf_chld_type_t type, int idx) } return BT_STATUS_UNSUPPORTED; + default: + return BT_STATUS_FAIL; } return BT_STATUS_SUCCESS; } @@ -1069,7 +1070,6 @@ void btc_hf_client_cb_handler(btc_msg_t *msg) param.cnum.type = ESP_HF_SUBSCRIBER_SERVICE_TYPE_UNKNOWN; } btc_hf_client_cb_to_app(ESP_HF_CLIENT_CNUM_EVT, ¶m); - break; } while (0); break; case BTA_HF_CLIENT_BTRH_EVT: diff --git a/components/bt/host/bluedroid/btc/profile/std/pba/btc_pba_client.c b/components/bt/host/bluedroid/btc/profile/std/pba/btc_pba_client.c index 6bc1819872..8f3e2a7fa1 100644 --- a/components/bt/host/bluedroid/btc/profile/std/pba/btc_pba_client.c +++ b/components/bt/host/bluedroid/btc/profile/std/pba/btc_pba_client.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -14,6 +14,8 @@ #include "btc/btc_task.h" #include "btc_pba_client.h" #include "esp_pbac_api.h" +#include +#include #if BTC_PBA_CLIENT_INCLUDED @@ -227,7 +229,12 @@ static bool btc_pba_client_pull_phone_book(uint16_t handle, char *name, bool inc UINT8_TO_BE_STREAM(p, app_param->vcard_selector_operator); } app_param_len = p - app_param_buff; - assert(app_param_len <= BTA_PBAP_PULL_PHONE_BOOK_APP_PARAM_BUFF_SIZE_MIN); + if (app_param_len > BTA_PBAP_PULL_PHONE_BOOK_APP_PARAM_BUFF_SIZE_MIN) { + osi_free(app_param_buff); + app_param_buff = NULL; + err = BT_STATUS_FAIL; + break; + } if (app_param_len == 0) { /* user give us an empty app param, allow but not recommend */ osi_free(app_param_buff); @@ -391,9 +398,18 @@ static bool btc_pba_client_pull_vcard_listing(uint16_t handle, char *name, bool } if (include_app_param) { - uint8_t search_value_len = 0; - if (app_param->include_search_value && app_param->search_value) { - search_value_len = strlen(app_param->search_value) + 1; + size_t search_value_len = 0; + if (app_param->include_search_value) { + if (app_param->search_value == NULL) { + err = BT_STATUS_PARM_INVALID; + break; + } + size_t sl = strlen(app_param->search_value); + if (sl >= UINT8_MAX) { + err = BT_STATUS_PARM_INVALID; + break; + } + search_value_len = sl + 1; } app_param_buff = osi_malloc(BTA_PBAP_PULL_VCARD_LISTING_APP_PARAM_BUFF_SIZE_MIN + search_value_len); if (app_param_buff == NULL) { @@ -409,7 +425,7 @@ static bool btc_pba_client_pull_vcard_listing(uint16_t handle, char *name, bool } if (app_param->include_search_value) { UINT8_TO_BE_STREAM(p, BTA_PBAP_APP_PARAM_SEARCH_VALUE); - UINT8_TO_BE_STREAM(p, search_value_len); + UINT8_TO_BE_STREAM(p, (uint8_t)search_value_len); memcpy(p, app_param->search_value, search_value_len); p += search_value_len; } @@ -444,7 +460,12 @@ static bool btc_pba_client_pull_vcard_listing(uint16_t handle, char *name, bool UINT8_TO_BE_STREAM(p, app_param->vcard_selector_operator); } app_param_len = p - app_param_buff; - assert(app_param_len <= BTA_PBAP_PULL_VCARD_LISTING_APP_PARAM_BUFF_SIZE_MIN + search_value_len); + if (app_param_len > BTA_PBAP_PULL_VCARD_LISTING_APP_PARAM_BUFF_SIZE_MIN + search_value_len) { + osi_free(app_param_buff); + app_param_buff = NULL; + err = BT_STATUS_FAIL; + break; + } if (app_param_len == 0) { /* user give us an empty app param, allow but not recommend */ osi_free(app_param_buff); @@ -520,7 +541,12 @@ static bool btc_pba_client_pull_vcard_entry(uint16_t handle, char *name, bool in UINT8_TO_BE_STREAM(p, app_param->format); } app_param_len = p - app_param_buff; - assert(app_param_len <= BTA_PBAP_PULL_VCARD_ENTRY_APP_PARAM_BUFF_SIZE_MIN); + if (app_param_len > BTA_PBAP_PULL_VCARD_ENTRY_APP_PARAM_BUFF_SIZE_MIN) { + osi_free(app_param_buff); + app_param_buff = NULL; + err = BT_STATUS_FAIL; + break; + } if (app_param_len == 0) { /* user give us an empty app param, allow but not recommend */ osi_free(app_param_buff); @@ -564,6 +590,7 @@ void btc_pba_client_args_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) memcpy(dst->pull_vcard_listing.name, src->pull_vcard_listing.name, len); } else { BTC_TRACE_ERROR("%s %d no mem\n", __FUNCTION__, msg->act); + break; } if (src->pull_vcard_listing.include_app_param && src->pull_vcard_listing.app_param.include_search_value) { len = strlen(src->pull_vcard_listing.app_param.search_value) + 1; @@ -572,6 +599,8 @@ void btc_pba_client_args_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) memcpy(dst->pull_vcard_listing.app_param.search_value, src->pull_vcard_listing.app_param.search_value, len); } else { BTC_TRACE_ERROR("%s %d no mem\n", __FUNCTION__, msg->act); + osi_free(dst->pull_vcard_listing.name); + dst->pull_vcard_listing.name = NULL; } } break; @@ -834,15 +863,20 @@ void btc_pba_client_cb_handler(btc_msg_t *msg) switch (event) { case BTA_PBA_CLIENT_CONN_OPEN_EVT: if (p_data->conn.error == BTA_PBA_CLIENT_NO_ERROR) { - /* allocate ccb */ - p_ccb = &btc_pba_client_cb.ccb[p_data->conn.handle - 1]; - p_ccb->handle = p_data->conn.handle; - bdcpy(p_ccb->bd_addr.address, p_data->conn.bd_addr); - p_ccb->busy = false; - param.conn_stat.connected = true; - param.conn_stat.peer_supported_repo = p_data->conn.peer_supported_repo; - param.conn_stat.peer_supported_feat = p_data->conn.peer_supported_feat; - param.conn_stat.reason = BTA_PBA_CLIENT_NO_ERROR; + if (p_data->conn.handle >= 1 && p_data->conn.handle <= BTC_PBA_CLIENT_MAX_CONN_NUM) { + p_ccb = &btc_pba_client_cb.ccb[p_data->conn.handle - 1]; + p_ccb->handle = p_data->conn.handle; + bdcpy(p_ccb->bd_addr.address, p_data->conn.bd_addr); + p_ccb->busy = false; + param.conn_stat.connected = true; + param.conn_stat.peer_supported_repo = p_data->conn.peer_supported_repo; + param.conn_stat.peer_supported_feat = p_data->conn.peer_supported_feat; + param.conn_stat.reason = BTA_PBA_CLIENT_NO_ERROR; + } else { + BTC_TRACE_ERROR("CONN_OPEN EINVAL handle:%u", p_data->conn.handle); + param.conn_stat.connected = false; + param.conn_stat.reason = BTA_PBA_CLIENT_FAIL; + } } else { param.conn_stat.connected = false; @@ -855,8 +889,7 @@ void btc_pba_client_cb_handler(btc_msg_t *msg) btc_queue_advance(); break; case BTA_PBA_CLIENT_CONN_CLOSE_EVT: - if (p_data->conn.handle != 0) { - /* clear ccb */ + if (p_data->conn.handle >= 1 && p_data->conn.handle <= BTC_PBA_CLIENT_MAX_CONN_NUM) { p_ccb = &btc_pba_client_cb.ccb[p_data->conn.handle - 1]; if (p_ccb->path) { osi_free(p_ccb->path); @@ -873,8 +906,16 @@ void btc_pba_client_cb_handler(btc_msg_t *msg) break; case BTA_PBA_CLIENT_PULL_PHONE_BOOK_RSP_EVT: if (p_data->response.final) { - p_ccb = &btc_pba_client_cb.ccb[p_data->response.handle - 1]; - p_ccb->busy = false; + if (p_data->response.handle >= 1 && p_data->response.handle <= BTC_PBA_CLIENT_MAX_CONN_NUM) { + p_ccb = &btc_pba_client_cb.ccb[p_data->response.handle - 1]; + p_ccb->busy = false; + } else { + BTC_TRACE_ERROR("PULL_PHONE_BOOK_RSP EINVAL handle:%u", p_data->response.handle); + if (p_data->response.pkt != NULL) { + osi_free(p_data->response.pkt); + } + break; + } } param.pull_phone_book_rsp.handle = p_data->response.handle; param.pull_phone_book_rsp.final = p_data->response.final; @@ -888,6 +929,13 @@ void btc_pba_client_cb_handler(btc_msg_t *msg) } break; case BTA_PBA_CLIENT_SET_PHONE_BOOK_RSP_EVT: + if (!(p_data->response.handle >= 1 && p_data->response.handle <= BTC_PBA_CLIENT_MAX_CONN_NUM)) { + BTC_TRACE_ERROR("SET_PHONE_BOOK_RSP EINVAL handle:%u", p_data->response.handle); + if (p_data->response.pkt != NULL) { + osi_free(p_data->response.pkt); + } + break; + } p_ccb = &btc_pba_client_cb.ccb[p_data->response.handle - 1]; if (p_data->response.status == BTA_PBA_CLIENT_NO_ERROR && p_ccb->path_pos < p_ccb->path_len) { /* since path_len is not zero, path should not be NULL, use asset to check */ @@ -920,7 +968,7 @@ void btc_pba_client_cb_handler(btc_msg_t *msg) } break; case BTA_PBA_CLIENT_PULL_VCARD_LISTING_RSP_EVT: - if (p_data->response.final) { + if (p_data->response.final && p_data->response.handle >= 1 && p_data->response.handle <= BTC_PBA_CLIENT_MAX_CONN_NUM) { p_ccb = &btc_pba_client_cb.ccb[p_data->response.handle - 1]; p_ccb->busy = false; } @@ -936,7 +984,7 @@ void btc_pba_client_cb_handler(btc_msg_t *msg) } break; case BTA_PBA_CLIENT_PULL_VCARD_ENTRY_RSP_EVT: - if (p_data->response.final) { + if (p_data->response.final && p_data->response.handle >= 1 && p_data->response.handle <= BTC_PBA_CLIENT_MAX_CONN_NUM) { p_ccb = &btc_pba_client_cb.ccb[p_data->response.handle - 1]; p_ccb->busy = false; }