diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_act.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_act.c index c2e2773792..fc385d7c3f 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_act.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_act.c @@ -91,6 +91,9 @@ const tBTA_AG_ATCMD_CBACK bta_ag_at_cback_tbl[BTA_AG_NUM_IDX] = static void bta_ag_cback_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data, tBTA_AG_STATUS status) { tBTA_AG_OPEN open; + if (p_scb->conn_service >= BTA_AG_NUM_IDX) { + return; + } /* call app callback with open event */ open.hdr.handle = bta_ag_scb_to_idx(p_scb); open.hdr.app_id = p_scb->app_id; @@ -102,7 +105,9 @@ static void bta_ag_cback_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data, tBTA_AG_ } else { bdcpy(open.bd_addr, p_scb->peer_addr); } - (*bta_ag_cb.p_cback)(BTA_AG_OPEN_EVT, (tBTA_AG *) &open); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_OPEN_EVT, (tBTA_AG *) &open); + } } /******************************************************************************* @@ -132,7 +137,9 @@ void bta_ag_register(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) reg.hdr.handle = bta_ag_scb_to_idx(p_scb); reg.hdr.app_id = p_scb->app_id; reg.hdr.status = BTA_AG_SUCCESS; - (*bta_ag_cb.p_cback)(BTA_AG_REGISTER_EVT, (tBTA_AG *) ®); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_REGISTER_EVT, (tBTA_AG *) ®); + } } /******************************************************************************* @@ -188,7 +195,7 @@ void bta_ag_start_dereg(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) *******************************************************************************/ void bta_ag_start_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) { - BD_ADDR pending_bd_addr; + BD_ADDR pending_bd_addr = {0}; /* store parameters */ if (p_data) { bdcpy(p_scb->peer_addr, p_data->api_open.bd_addr); @@ -199,7 +206,7 @@ void bta_ag_start_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) if (PORT_IsOpening (pending_bd_addr)) { /* Let the incoming connection goes through. */ /* Issue collision for this scb for now. */ - /* We will decide what to do when we find incoming connetion later. */ + /* We will decide what to do when we find incoming connection later. */ bta_ag_collision_cback (0, BTA_ID_AG, 0, p_scb->peer_addr); return; } @@ -398,7 +405,9 @@ void bta_ag_rfc_close(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) bta_sys_conn_close(BTA_ID_AG, p_scb->app_id, p_scb->peer_addr); /* call close cback */ - (*bta_ag_cb.p_cback)(BTA_AG_CLOSE_EVT, (tBTA_AG *) &close); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_CLOSE_EVT, (tBTA_AG *) &close); + } /* if not deregistering (deallocating) reopen registered servers */ if (p_scb->dealloc == FALSE) { @@ -444,6 +453,9 @@ void bta_ag_rfc_close(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) *******************************************************************************/ void bta_ag_rfc_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) { + if (p_scb->conn_service >= BTA_AG_NUM_IDX) { + return; + } /* initialize AT feature variables */ p_scb->clip_enabled = FALSE; p_scb->ccwa_enabled = FALSE; @@ -670,7 +682,7 @@ void bta_ag_post_sco_close(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) case BTA_AG_POST_SCO_CALL_END_INCALL: { bta_ag_send_call_inds(p_scb, BTA_AG_END_CALL_RES); - /* Sending callsetup IND and Ring were defered to after SCO close. */ + /* Sending callsetup IND and Ring were deferred to after SCO close. */ bta_ag_send_call_inds(p_scb, BTA_AG_IN_CALL_RES); if (bta_ag_inband_enabled(p_scb) && !(p_scb->features & BTA_AG_FEAT_NOSCO)) { @@ -722,7 +734,9 @@ void bta_ag_svc_conn_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) (p_scb->callsetup_ind != BTA_AG_CALLSETUP_NONE)) { bta_sys_sco_use(BTA_ID_AG, p_scb->app_id, p_scb->peer_addr); } - (*bta_ag_cb.p_cback)(BTA_AG_CONN_EVT, (tBTA_AG *) &evt); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_CONN_EVT, (tBTA_AG *) &evt); + } } } @@ -794,7 +808,9 @@ void bta_ag_setcodec(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) (codec_type != BTA_AG_CODEC_MSBC)) { val.hdr.status = BTA_AG_FAIL_RESOURCES; APPL_TRACE_ERROR("%s error: unsupported codec type %d", __func__, codec_type); - (*bta_ag_cb.p_cback)(BTA_AG_WBS_EVT, (tBTA_AG *) &val); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_WBS_EVT, (tBTA_AG *) &val); + } return; } @@ -809,7 +825,9 @@ void bta_ag_setcodec(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) val.hdr.status = BTA_AG_FAIL_RESOURCES; APPL_TRACE_ERROR("%s error: unsupported codec type %d",__func__, codec_type); } - (*bta_ag_cb.p_cback)(BTA_AG_WBS_EVT, (tBTA_AG *) &val); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_WBS_EVT, (tBTA_AG *) &val); + } #endif } diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_api.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_api.c index 331f6595e6..d1b9cc80e5 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_api.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_api.c @@ -67,14 +67,17 @@ tBTA_STATUS BTA_AgEnable(tBTA_AG_PARSE_MODE parse_mode, tBTA_AG_CBACK *p_cback) return BTA_FAILURE; } } - /* register with BTA system manager */ - bta_sys_register(BTA_ID_AG, &bta_ag_reg); if ((p_buf = (tBTA_AG_API_ENABLE *) osi_malloc(sizeof(tBTA_AG_API_ENABLE))) != NULL) { + /* register with BTA system manager */ + bta_sys_register(BTA_ID_AG, &bta_ag_reg); + p_buf->hdr.event = BTA_AG_API_ENABLE_EVT; p_buf->parse_mode = parse_mode; p_buf->p_cback = p_cback; bta_sys_sendmsg(p_buf); + } else { + return BTA_NO_RESOURCES; } return BTA_SUCCESS; } @@ -121,7 +124,7 @@ void BTA_AgRegister(tBTA_SERVICE_MASK services, tBTA_SEC sec_mask,tBTA_AG_FEAT f p_buf->services = services; p_buf->app_id = app_id; for (i = 0; i < BTA_AG_NUM_IDX; i++) { - if(p_service_names[i]) { + if (p_service_names != NULL && p_service_names[i]) { BCM_STRNCPY_S(p_buf->p_name[i], p_service_names[i], BTA_SERVICE_NAME_LEN); p_buf->p_name[i][BTA_SERVICE_NAME_LEN] = '\0'; } else { diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_at.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_at.c index 82066d8f79..bebd282a44 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_at.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_at.c @@ -122,20 +122,30 @@ void bta_ag_process_at(tBTA_AG_AT_CB *p_cb) if (int_arg < (INT16) p_cb->p_at_tbl[idx].min || int_arg > (INT16) p_cb->p_at_tbl[idx].max) { /* arg out of range; error */ - (*p_cb->p_err_cback)(p_cb->p_user, FALSE, NULL); + if (p_cb->p_err_cback) { + (*p_cb->p_err_cback)(p_cb->p_user, FALSE, NULL); + } } else { - (*p_cb->p_cmd_cback)(p_cb->p_user, idx, arg_type, p_arg, int_arg); + if (p_cb->p_cmd_cback) { + (*p_cb->p_cmd_cback)(p_cb->p_user, idx, arg_type, p_arg, int_arg); + } } } else { - (*p_cb->p_cmd_cback)(p_cb->p_user, idx, arg_type, p_arg, int_arg); + if (p_cb->p_cmd_cback) { + (*p_cb->p_cmd_cback)(p_cb->p_user, idx, arg_type, p_arg, int_arg); + } } } else { /* else error */ - (*p_cb->p_err_cback)(p_cb->p_user, FALSE, NULL); + if (p_cb->p_err_cback) { + (*p_cb->p_err_cback)(p_cb->p_user, FALSE, NULL); + } } } else { /* else no match call error callback */ - (*p_cb->p_err_cback)(p_cb->p_user, TRUE, p_cb->p_cmd_buf); + if (p_cb->p_err_cback) { + (*p_cb->p_err_cback)(p_cb->p_user, TRUE, p_cb->p_cmd_buf); + } } } @@ -185,7 +195,9 @@ void bta_ag_at_parse(tBTA_AG_AT_CB *p_cb, char *p_buf, UINT16 len) p_cb->cmd_pos = 0; } else if( p_cb->p_cmd_buf[p_cb->cmd_pos] == 0x1A || p_cb->p_cmd_buf[p_cb->cmd_pos] == 0x1B) { p_cb->p_cmd_buf[++p_cb->cmd_pos] = 0; - (*p_cb->p_err_cback)(p_cb->p_user, TRUE, p_cb->p_cmd_buf); + if (p_cb->p_err_cback) { + (*p_cb->p_err_cback)(p_cb->p_user, TRUE, p_cb->p_cmd_buf); + } p_cb->cmd_pos = 0; } else { ++p_cb->cmd_pos; diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cfg.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cfg.c index 3c059cea72..fd15b2e39b 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cfg.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cfg.c @@ -31,7 +31,7 @@ #if (BTA_AG_INCLUDED == TRUE) #ifndef BTA_AG_CIND_INFO -#define BTA_AG_CIND_INFO "(\"call\",(0,1)),(\"callsetup\",(0-3)),(\"service\",(0-3)),(\"signal\",(0-6)),(\"roam\",(0,1)),(\"battchg\",(0-5)),(\"callheld\",(0-2))" +#define BTA_AG_CIND_INFO "(\"call\",(0,1)),(\"callsetup\",(0-3)),(\"service\",(0-1)),(\"signal\",(0-5)),(\"roam\",(0,1)),(\"battchg\",(0-5)),(\"callheld\",(0-2))" #endif #ifndef BTA_AG_CONN_TIMEOUT diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cmd.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cmd.c index 2cf985c703..499b1435e6 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cmd.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_cmd.c @@ -376,7 +376,7 @@ static void bta_ag_send_result(tBTA_AG_SCB *p_scb, UINT8 code, char *p_arg, INT1 char *p = buf; UINT16 len; #if (BTIF_TRACE_DEBUG == TRUE) - memset(buf, NULL, sizeof(buf)); + memset(buf, 0, sizeof(buf)); #endif /* init with \r\n */ *p++ = '\r'; @@ -444,7 +444,7 @@ static void bta_ag_send_multi_result(tBTA_AG_SCB *p_scb, tBTA_AG_MULTI_RESULT_CB } #if defined(BTA_AG_RESULT_DEBUG) && (BTA_AG_RESULT_DEBUG == TRUE) - memset(buf, NULL, sizeof(buf)); + memset(buf, 0, sizeof(buf)); #endif while(res_idx < m_res_cb->num_result) { @@ -604,13 +604,14 @@ static BOOLEAN bta_ag_parse_cmer(char *p_s, BOOLEAN *p_enabled) for (i = 0; i < 4; i++) { /* skip to comma delimiter */ for (p = p_s; *p != ',' && *p != 0; p++); + if (*p == 0) { + n[i] = utl_str2int(p_s); + break; + } /* get integer value */ *p = 0; n[i] = utl_str2int(p_s); p_s = p + 1; - if (p_s == 0) { - break; - } } /* process values */ if (n[0] < 0 || n[3] < 0) { @@ -721,9 +722,9 @@ static tBTA_AG_PEER_CODEC bta_ag_parse_bac(tBTA_AG_SCB *p_scb, char *p_s) *******************************************************************************/ static void bta_ag_process_unat_res(char *unat_result) { - UINT8 str_leng; - UINT8 i = 0; - UINT8 j = 0; + size_t str_leng; + size_t i = 0; + size_t j = 0; UINT8 pairs_of_nl_cr; char trim_data[BTA_AG_AT_MAX_LEN]; @@ -737,16 +738,18 @@ static void bta_ag_process_unat_res(char *unat_result) while(unat_result[0] =='\r' && unat_result[1] =='\n' && unat_result[str_leng-2] =='\r' && unat_result[str_leng-1] =='\n') { pairs_of_nl_cr = 1; - for (i=0;i<(str_leng-4*pairs_of_nl_cr);i++) { - trim_data[j++] = unat_result[i+pairs_of_nl_cr*2]; + for (i = 0; i < (str_leng - 4 * pairs_of_nl_cr); i++) { + trim_data[j++] = unat_result[i + pairs_of_nl_cr * 2]; } /* Add EOF */ - trim_data[j] = '\0'; + if (j < BTA_AG_AT_MAX_LEN) { + trim_data[j] = '\0'; + } str_leng = str_leng - 4; BCM_STRNCPY_S(unat_result, trim_data, BTA_AG_AT_MAX_LEN); - i=0; - j=0; - if(str_leng <4) { + i = 0; + j = 0; + if (str_leng < 4) { return; } } @@ -827,7 +830,9 @@ void bta_ag_at_hsp_cback(tBTA_AG_SCB *p_scb, UINT16 cmd, UINT8 arg_type, BCM_STRNCPY_S(val.str, p_arg, BTA_AG_AT_MAX_LEN); val.str[BTA_AG_AT_MAX_LEN] = '\0'; /* call callback with event */ - (*bta_ag_cb.p_cback)(bta_ag_hsp_cb_evt[cmd], (tBTA_AG *) &val); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(bta_ag_hsp_cb_evt[cmd], (tBTA_AG *) &val); + } } /******************************************************************************* @@ -1233,7 +1238,9 @@ void bta_ag_at_hfp_cback(tBTA_AG_SCB *p_scb, UINT16 cmd, UINT8 arg_type, } /* call callback */ if (event != 0) { - (*bta_ag_cb.p_cback)(event, (tBTA_AG *) &val); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(event, (tBTA_AG *) &val); + } } } @@ -1264,7 +1271,9 @@ void bta_ag_at_err_cback(tBTA_AG_SCB *p_scb, BOOLEAN unknown, char *p_arg) val.num = 0; BCM_STRNCPY_S(val.str, p_arg, BTA_AG_AT_MAX_LEN); val.str[BTA_AG_AT_MAX_LEN] = '\0'; - (*bta_ag_cb.p_cback)(BTA_AG_AT_UNAT_EVT, (tBTA_AG *) &val); + if (bta_ag_cb.p_cback) { + (*bta_ag_cb.p_cback)(BTA_AG_AT_UNAT_EVT, (tBTA_AG *) &val); + } } else { bta_ag_send_error(p_scb, BTA_AG_ERR_OP_NOT_SUPPORTED); } diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_main.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_main.c index 39daa0de6b..b52ab14ea6 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_main.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_main.c @@ -517,8 +517,15 @@ void bta_ag_scb_dealloc(tBTA_AG_SCB *p_scb) *******************************************************************************/ UINT16 bta_ag_scb_to_idx(tBTA_AG_SCB *p_scb) { + if (p_scb == NULL) { + return 0; + } /* use array arithmetic to determine index */ - return ((UINT16) (p_scb - bta_ag_cb.scb)) + 1; + UINT16 idx = ((UINT16) (p_scb - bta_ag_cb.scb)) + 1; + if (idx < 1 || idx > BTA_AG_NUM_SCB) { + return 0; + } + return idx; } /******************************************************************************* @@ -731,7 +738,7 @@ void bta_ag_collision_cback (tBTA_SYS_CONN_STATUS status, UINT8 id, UINT8 app_id } /* Start timer to han */ p_scb->colli_timer.p_cback = (TIMER_CBACK*)&bta_ag_colli_timer_cback; - p_scb->colli_timer.param = (INT32)p_scb; + p_scb->colli_timer.param = (UINT32)p_scb; bta_sys_start_timer(&p_scb->colli_timer, 0, BTA_AG_COLLISION_TIMER); p_scb->colli_tmr_on = TRUE; } @@ -905,12 +912,16 @@ void bta_ag_sm_execute(tBTA_AG_SCB *p_scb, UINT16 event, tBTA_AG_DATA *p_data) #if BTA_AG_DEBUG == TRUE UINT16 in_event = event; UINT8 in_state = p_scb->state; + tBTA_AG_RES dbg_api_result = (tBTA_AG_RES)0; + if (p_data != NULL && in_event == BTA_AG_API_RESULT_EVT) { + dbg_api_result = p_data->api_result.result; + } /* Ignore displaying of AT results when not connected (Ignored in state machine) */ if (in_event != BTA_AG_API_RESULT_EVT || p_scb->state == BTA_AG_OPEN_ST) { APPL_TRACE_EVENT("AG evt (hdl 0x%04x): State %d (%s), Event 0x%04x (%s)", bta_ag_scb_to_idx(p_scb), p_scb->state, bta_ag_state_str(p_scb->state), - event, bta_ag_evt_str(event, p_data->api_result.result)); + event, bta_ag_evt_str(event, dbg_api_result)); } #else APPL_TRACE_EVENT("AG evt (hdl 0x%04x): State %d, Event 0x%04x", @@ -938,7 +949,7 @@ void bta_ag_sm_execute(tBTA_AG_SCB *p_scb, UINT16 event, tBTA_AG_DATA *p_data) APPL_TRACE_EVENT("BTA AG State Change: [%s] -> [%s] after Event [%s]", bta_ag_state_str(in_state), bta_ag_state_str(p_scb->state), - bta_ag_evt_str(in_event, p_data->api_result.result)); + bta_ag_evt_str(in_event, dbg_api_result)); } #endif } diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_rfc.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_rfc.c index 49ca54af0e..2bfdd430ea 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_rfc.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_rfc.c @@ -252,6 +252,10 @@ void bta_ag_setup_port(tBTA_AG_SCB *p_scb, UINT16 handle) { UINT16 i = bta_ag_scb_to_idx(p_scb) - 1; + if (i >= BTA_AG_NUM_SCB) { + return; + } + /* set up data callback if using pass through mode */ if (bta_ag_cb.parse_mode == BTA_AG_PASS_THROUGH) { PORT_SetDataCallback(handle, bta_ag_data_cback_tbl[i]); @@ -274,6 +278,10 @@ void bta_ag_start_servers(tBTA_AG_SCB *p_scb, tBTA_SERVICE_MASK services) { int bta_ag_port_status; + if (bta_ag_scb_to_idx(p_scb) < 1 || bta_ag_scb_to_idx(p_scb) > BTA_AG_NUM_SCB) { + return; + } + services >>= BTA_HSP_SERVICE_ID; for (int i = 0; i < BTA_AG_NUM_IDX && services != 0; i++, services >>= 1) { /* if service is set in mask */ @@ -353,6 +361,12 @@ BOOLEAN bta_ag_is_server_closed (tBTA_AG_SCB *p_scb) *******************************************************************************/ void bta_ag_rfc_do_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) { + if (bta_ag_scb_to_idx(p_scb) < 1 || bta_ag_scb_to_idx(p_scb) > BTA_AG_NUM_SCB) { + APPL_TRACE_ERROR("bta_ag_rfc_do_open: EINVAL idx %u", bta_ag_scb_to_idx(p_scb)); + bta_ag_sm_execute(p_scb, BTA_AG_RFC_CLOSE_EVT, p_data); + return; + } + BTM_SetSecurityLevel(TRUE, "", bta_ag_sec_id[p_scb->conn_service], p_scb->cli_sec_mask, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, p_scb->peer_scn); diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sco.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sco.c index f3bf70e80c..b77b002e14 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sco.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sco.c @@ -199,7 +199,7 @@ static void bta_ag_sco_conn_cback(UINT16 sco_idx) handle = 0; } - if (handle != 0) + if (handle != 0 && p_scb) { BTM_ReadEScoLinkParms(sco_idx, &sco_data); @@ -672,10 +672,13 @@ static void bta_ag_create_sco(tBTA_AG_SCB *p_scb, BOOLEAN is_orig) #if (BTM_SCO_HCI_INCLUDED == TRUE) #if (BTM_WBS_INCLUDED == TRUE) - if (esco_codec == BTA_AG_CODEC_MSBC) - pcm_sample_rate = BTA_HFP_SCO_SAMP_RATE_16K; + if (esco_codec == BTA_AG_CODEC_MSBC) { + pcm_sample_rate = BTA_HFP_SCO_SAMP_RATE_16K; + } else #endif - pcm_sample_rate = BTA_HFP_SCO_SAMP_RATE_8K; + { + pcm_sample_rate = BTA_HFP_SCO_SAMP_RATE_8K; + } sco_route = bta_ag_sco_co_init(pcm_sample_rate, pcm_sample_rate, &codec_info, p_scb->app_id); #endif @@ -786,7 +789,7 @@ void bta_ag_codec_negotiate(tBTA_AG_SCB *p_scb) /* Start timer to handle timeout */ p_scb->cn_timer.p_cback = (TIMER_CBACK*)&bta_ag_cn_timer_cback; - p_scb->cn_timer.param = (INT32)p_scb; + p_scb->cn_timer.param = (UINT32)p_scb; bta_sys_start_timer(&p_scb->cn_timer, 0, BTA_AG_CODEC_NEGO_TIMEOUT); } else @@ -1688,7 +1691,7 @@ void bta_ag_sco_conn_close(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) *******************************************************************************/ void bta_ag_sco_conn_rsp(tBTA_AG_SCB *p_scb, tBTM_ESCO_CONN_REQ_EVT_DATA *p_data) { - tBTM_ESCO_PARAMS resp; + tBTM_ESCO_PARAMS resp = {0}; UINT8 hci_status = HCI_SUCCESS; #if (BTM_SCO_HCI_INCLUDED == TRUE) tBTA_HFP_CODEC_INFO codec_info = {BTA_HFP_SCO_CODEC_PCM}; diff --git a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sdp.c b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sdp.c index 0b02557b08..9864f66390 100644 --- a/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sdp.c +++ b/components/bt/host/bluedroid/bta/hf_ag/bta_ag_sdp.c @@ -92,6 +92,10 @@ static void bta_ag_sdp_cback(UINT16 status, UINT8 idx) p_buf->hdr.layer_specific = idx; p_buf->status = status; bta_sys_sendmsg(p_buf); + } else { + APPL_TRACE_ERROR("bta_ag_sdp_cback: ENOMEM"); + bta_ag_free_db(p_scb, NULL); + bta_ag_sm_execute(p_scb, BTA_AG_DISC_FAIL_EVT, NULL); } } } @@ -243,16 +247,13 @@ void bta_ag_del_records(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data) UNUSED(p_data); /* get services of all other registered servers */ - for (i = 0; i < BTA_AG_NUM_IDX; i++) { + for (i = 0; i < BTA_AG_NUM_SCB; i++, p++) { if (p_scb == p) { continue; } if (p->in_use && p->dealloc == FALSE) { others |= p->reg_services; } - if (i < BTA_AG_NUM_SCB) { - p++; - } } others >>= BTA_HSP_SERVICE_ID; services = p_scb->reg_services >> BTA_HSP_SERVICE_ID; @@ -414,7 +415,9 @@ void bta_ag_do_disc(tBTA_AG_SCB *p_scb, tBTA_SERVICE_MASK service) if(p_scb->p_disc_db) { /* set up service discovery database; attr happens to be attr_list len */ uuid_list[0].len = LEN_UUID_16; - uuid_list[1].len = LEN_UUID_16; + if (num_uuid >= 2) { + uuid_list[1].len = LEN_UUID_16; + } db_inited = SDP_InitDiscoveryDb(p_scb->p_disc_db, BTA_AG_DISC_BUF_SIZE, num_uuid, uuid_list, num_attr, attr_list); } diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_act.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_act.c index 930f30a57d..680eee6e78 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_act.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_act.c @@ -84,7 +84,9 @@ void bta_hf_client_register(tBTA_HF_CLIENT_DATA *p_data) /* call app callback with register event */ evt.status = BTA_HF_CLIENT_SUCCESS; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_REGISTER_EVT, &evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_REGISTER_EVT, &evt); + } } /******************************************************************************* @@ -177,7 +179,7 @@ void bta_hf_client_start_close(tBTA_HF_CLIENT_DATA *p_data) *******************************************************************************/ void bta_hf_client_start_open(tBTA_HF_CLIENT_DATA *p_data) { - BD_ADDR pending_bd_addr; + BD_ADDR pending_bd_addr = {0}; /* store parameters */ if (p_data) { @@ -229,7 +231,9 @@ static void bta_hf_client_cback_open(tBTA_HF_CLIENT_DATA *p_data, tBTA_HF_CLIENT bdcpy(evt.bd_addr, bta_hf_client_cb.scb.peer_addr); } - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_OPEN_EVT, &evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_OPEN_EVT, &evt); + } } /******************************************************************************* @@ -352,11 +356,19 @@ void bta_hf_client_disc_fail(tBTA_HF_CLIENT_DATA *p_data) { UNUSED(p_data); + bta_hf_client_cb.scb.conn_handle = 0; + bta_hf_client_cb.scb.peer_features = 0; + bta_hf_client_cb.scb.chld_features = 0; + bta_hf_client_cb.scb.role = BTA_HF_CLIENT_ACP; + bta_hf_client_cb.scb.svc_conn = FALSE; + bta_hf_client_cb.scb.send_at_reply = FALSE; + bta_hf_client_cb.scb.negotiated_codec = BTM_SCO_CODEC_CVSD; + + bta_hf_client_at_reset(); + /* reopen server */ bta_hf_client_start_server(); - /* reinitialize stuff */ - /* call open cback w. failure */ bta_hf_client_cback_open(NULL, BTA_HF_CLIENT_FAIL_SDP); } @@ -404,10 +416,13 @@ void bta_hf_client_rfc_close(tBTA_HF_CLIENT_DATA *p_data) bta_sys_conn_close(BTA_ID_HS, 1, bta_hf_client_cb.scb.peer_addr); /* call close cback */ - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CLOSE_EVT, NULL); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CLOSE_EVT, NULL); + } /* if not deregistering reopen server */ if (bta_hf_client_cb.scb.deregister == FALSE) { + bta_sys_sco_unuse(BTA_ID_HS, 1, bta_hf_client_cb.scb.peer_addr); /* Clear peer bd_addr so instance can be reused */ bdcpy(bta_hf_client_cb.scb.peer_addr, bd_addr_null); @@ -418,8 +433,6 @@ void bta_hf_client_rfc_close(tBTA_HF_CLIENT_DATA *p_data) /* Make sure SCO is shutdown */ bta_hf_client_sco_shutdown(NULL); - - bta_sys_sco_unuse(BTA_ID_HS, 1, bta_hf_client_cb.scb.peer_addr); } /* else close port and deallocate scb */ else { @@ -548,7 +561,9 @@ void bta_hf_client_svc_conn_open(tBTA_HF_CLIENT_DATA *p_data) evt.peer_feat = bta_hf_client_cb.scb.peer_features; evt.chld_feat = bta_hf_client_cb.scb.chld_features; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CONN_EVT, &evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CONN_EVT, &evt); + } } } @@ -570,7 +585,9 @@ void bta_hf_client_ind(tBTA_HF_CLIENT_IND_TYPE type, UINT16 value) evt.type = type; evt.value = value; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_IND_EVT, &evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_IND_EVT, &evt); + } } /******************************************************************************* @@ -592,7 +609,9 @@ void bta_hf_client_evt_val(tBTA_HF_CLIENT_EVT type, UINT16 value) evt.value = value; - (*bta_hf_client_cb.p_cback)(type, &evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(type, &evt); + } } /******************************************************************************* @@ -613,7 +632,9 @@ void bta_hf_client_operator_name(char *name) strlcpy(evt->name, name, BTA_HF_CLIENT_OPERATOR_NAME_LEN + 1); evt->name[BTA_HF_CLIENT_OPERATOR_NAME_LEN] = '\0'; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_OPERATOR_NAME_EVT, evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_OPERATOR_NAME_EVT, evt); + } osi_free(evt); } else { APPL_TRACE_ERROR("No mem: %s", __func__); @@ -639,7 +660,9 @@ void bta_hf_client_clip(char *number) strlcpy(evt->number, number, BTA_HF_CLIENT_NUMBER_LEN + 1); evt->number[BTA_HF_CLIENT_NUMBER_LEN] = '\0'; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CLIP_EVT, evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CLIP_EVT, evt); + } osi_free(evt); } else { APPL_TRACE_ERROR("No mem: %s", __func__); @@ -664,8 +687,9 @@ void bta_hf_client_ccwa(char *number) strlcpy(evt->number, number, BTA_HF_CLIENT_NUMBER_LEN + 1); evt->number[BTA_HF_CLIENT_NUMBER_LEN] = '\0'; - - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CCWA_EVT, evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CCWA_EVT, evt); + } osi_free(evt); } else { APPL_TRACE_ERROR("No mem: %s", __func__); @@ -691,7 +715,9 @@ void bta_hf_client_at_result(tBTA_HF_CLIENT_AT_RESULT_TYPE type, UINT16 cme) evt.type = type; evt.cme = cme; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_AT_RESULT_EVT, &evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_AT_RESULT_EVT, &evt); + } } /******************************************************************************* @@ -720,7 +746,9 @@ void bta_hf_client_clcc(UINT32 idx, BOOLEAN incoming, UINT8 status, BOOLEAN mpty evt->number[BTA_HF_CLIENT_NUMBER_LEN] = '\0'; } - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CLCC_EVT, evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CLCC_EVT, evt); + } osi_free(evt); } else { APPL_TRACE_ERROR("No mem, %s\n", __func__); @@ -747,7 +775,9 @@ void bta_hf_client_cnum(char *number, UINT16 service) strlcpy(evt->number, number, BTA_HF_CLIENT_NUMBER_LEN + 1); evt->number[BTA_HF_CLIENT_NUMBER_LEN] = '\0'; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CNUM_EVT, evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_CNUM_EVT, evt); + } osi_free(evt); } else { APPL_TRACE_ERROR("No mem, %s", __func__); @@ -772,7 +802,9 @@ void bta_hf_client_binp(char *number) strlcpy(evt->number, number, BTA_HF_CLIENT_NUMBER_LEN + 1); evt->number[BTA_HF_CLIENT_NUMBER_LEN] = '\0'; - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_BINP_EVT, evt); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_BINP_EVT, evt); + } osi_free(evt); } else { APPL_TRACE_ERROR("No mem: %s", __func__); diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_api.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_api.c index 748d62db0f..934ec1be2e 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_api.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_api.c @@ -90,13 +90,16 @@ tBTA_STATUS BTA_HfClientEnable(tBTA_HF_CLIENT_CBACK *p_cback) return BTA_FAILURE; } - /* register with BTA system manager */ - bta_sys_register(BTA_ID_HS, &bta_hf_client_reg); - if ((p_buf = (tBTA_HF_CLIENT_API_ENABLE *) osi_malloc(sizeof(tBTA_HF_CLIENT_API_ENABLE))) != NULL) { + /* register with BTA system manager */ + bta_sys_register(BTA_ID_HS, &bta_hf_client_reg); + p_buf->hdr.event = BTA_HF_CLIENT_API_ENABLE_EVT; p_buf->p_cback = p_cback; bta_sys_sendmsg(p_buf); + } else { + APPL_TRACE_ERROR("BTA_HfClientEnable ENOMEM"); + return BTA_NO_RESOURCES; } return BTA_SUCCESS; @@ -354,8 +357,20 @@ void BTA_HfClientCiData(void) *******************************************************************************/ void BTA_HfClientAudioBuffAlloc(UINT16 size, UINT8 **pp_buff, UINT8 **pp_data) { + BT_HDR *p_buf; + + if (pp_buff != NULL) { + *pp_buff = NULL; + } + if (pp_data != NULL) { + *pp_data = NULL; + } + if (pp_buff == NULL || pp_data == NULL) { + return; + } + /* reserve 1 byte at last, when the size is mSBC frame size (57), then we got a buffer that can hold 60 bytes data */ - BT_HDR *p_buf= (BT_HDR *)osi_calloc(sizeof(BT_HDR) + BTA_HF_CLIENT_BUFF_OFFSET_MIN + BTA_HF_CLIENT_H2_HEADER_LEN + size + 1); + p_buf = (BT_HDR *)osi_calloc(sizeof(BT_HDR) + BTA_HF_CLIENT_BUFF_OFFSET_MIN + BTA_HF_CLIENT_H2_HEADER_LEN + size + 1); if (p_buf != NULL) { /* mSBC offset is large than CVSD, so this is work in CVSD air mode */ p_buf->offset = BTA_HF_CLIENT_BUFF_OFFSET_MIN + BTA_HF_CLIENT_H2_HEADER_LEN; diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_at.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_at.c index bd5bca8658..4b89796e25 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_at.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_at.c @@ -174,6 +174,11 @@ static void bta_hf_client_start_at_resp_timer(void) static void bta_hf_client_send_at(tBTA_HF_CLIENT_AT_CMD cmd, char *buf, UINT16 buf_len) { + if (buf_len > BTA_HF_CLIENT_AT_MAX_LEN) { + APPL_TRACE_ERROR("hf_client_send_at EINVAL buf_len %u", buf_len); + buf_len = BTA_HF_CLIENT_AT_MAX_LEN; + } + if ((bta_hf_client_cb.scb.at_cb.current_cmd == BTA_HF_CLIENT_AT_NONE || bta_hf_client_cb.scb.svc_conn == FALSE) && bta_hf_client_cb.scb.at_cb.hold_timer_on == FALSE) { @@ -202,6 +207,16 @@ static void bta_hf_client_send_at(tBTA_HF_CLIENT_AT_CMD cmd, char *buf, UINT16 b bta_hf_client_queue_at(cmd, buf, buf_len); } +static void bta_hf_client_send_at_nomem_err_print(char *cmd) +{ + APPL_TRACE_ERROR("AT command '%s' no mem", cmd ? cmd : "NULL"); +} + +static void bta_hf_client_send_at_len_err_print(char *cmd, int at_len) +{ + APPL_TRACE_ERROR("AT command '%s' len err: length=%d", cmd ? cmd : "NULL", at_len); +} + static void bta_hf_client_send_queued_at(void) { tBTA_HF_CLIENT_AT_QCMD *cur = bta_hf_client_cb.scb.at_cb.queued_cmd; @@ -406,7 +421,13 @@ static void bta_hf_client_handle_cind_value(UINT32 index, UINT32 value) } /* get the real array index from lookup table */ - index = bta_hf_client_cb.scb.at_cb.indicator_lookup[index]; + { + int lk = bta_hf_client_cb.scb.at_cb.indicator_lookup[index]; + if (lk < 0 || lk >= (int)BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT) { + return; + } + index = (UINT32)lk; + } /* Ignore out of range values */ if (value > bta_hf_client_indicators[index].max || @@ -715,7 +736,7 @@ static char *bta_hf_client_parse_cind_list(char *buffer) osi_free(name); - if (res > 2) { + if (res > 2 && offset > 0) { AT_CHECK_RN(buffer); return buffer; } @@ -1396,7 +1417,7 @@ void bta_hf_client_send_at_brsf(void) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("brsf"); return; } @@ -1404,6 +1425,13 @@ void bta_hf_client_send_at_brsf(void) at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+BRSF=%u\r", bta_hf_client_cb.scb.features); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("brsf", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_BRSF , buf, at_len); osi_free(buf); } @@ -1429,12 +1457,19 @@ void bta_hf_client_send_at_bcs(UINT32 codec) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("bcs"); return; } at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+BCS=%u\r", codec); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("bcs", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_BCS, buf, at_len); osi_free(buf); } @@ -1478,7 +1513,7 @@ void bta_hf_client_send_at_chld(char cmd, UINT32 idx) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("chld"); return; } @@ -1488,6 +1523,13 @@ void bta_hf_client_send_at_chld(char cmd, UINT32 idx) at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+CHLD=%c\r", cmd); } + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("chld", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_CHLD, buf, at_len); osi_free(buf); } @@ -1567,9 +1609,16 @@ void bta_hf_client_send_at_clcc(void) void bta_hf_client_send_at_xapl(char *information, UINT32 features) { - APPL_TRACE_DEBUG("%s(%s, %u)", __FUNCTION__, information, features); + char *buf; + const char *inf = (information != NULL) ? information : ""; - char *buf = osi_malloc(BTA_HF_CLIENT_AT_MAX_LEN); + APPL_TRACE_DEBUG("%s(%s, %u)", __FUNCTION__, inf, features); + + buf = osi_malloc(BTA_HF_CLIENT_AT_MAX_LEN); + if (buf == NULL) { + bta_hf_client_send_at_nomem_err_print("xapl"); + return; + } /* Format: AT+XAPL=vendorID-productID-version,features @@ -1586,7 +1635,8 @@ void bta_hf_client_send_at_xapl(char *information, UINT32 features) *All other values are reserved. */ - snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+XAPL=%s,%u\r", information, features); + snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+XAPL=%.*s,%u\r", + BTA_HF_CLIENT_AT_MAX_LEN - 48, inf, features); bta_hf_client_send_at(BTA_HF_CLIENT_AT_XAPL, buf, strlen(buf)); osi_free(buf); @@ -1597,6 +1647,10 @@ void bta_hf_client_send_at_iphoneaccev(UINT32 bat_level, BOOLEAN docked) APPL_TRACE_DEBUG("%s(%u, %s)", __FUNCTION__, bat_level, docked ? "docked" : "undocked"); char *buf = osi_malloc(BTA_HF_CLIENT_AT_MAX_LEN); + if (buf == NULL) { + bta_hf_client_send_at_nomem_err_print("iphoneaccev"); + return; + } /* Format: AT+IPHONEACCEV=Number of key/value pairs,key1,val1,key2,val2,... @@ -1636,13 +1690,20 @@ void bta_hf_client_send_at_vgs(UINT32 volume) char *buf = osi_malloc(BTA_HF_CLIENT_AT_MAX_LEN); int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("vgs"); return; } APPL_TRACE_DEBUG("%s", __FUNCTION__); at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+VGS=%u\r", volume); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("vgs", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_VGS, buf, at_len); osi_free(buf); } @@ -1653,13 +1714,20 @@ void bta_hf_client_send_at_vgm(UINT32 volume) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("vgm"); return; } APPL_TRACE_DEBUG("%s", __FUNCTION__); at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+VGM=%u\r", volume); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("vgm", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_VGM, buf, at_len); osi_free(buf); } @@ -1670,18 +1738,24 @@ void bta_hf_client_send_at_atd(char *number, UINT32 memory) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("atd"); return; } APPL_TRACE_DEBUG("%s", __FUNCTION__); - if (number[0] != '\0') { - at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "ATD%s;\r", number); + if (number && number[0] != '\0') { + at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "ATD%.*s;\r", + (int)(BTA_HF_CLIENT_AT_MAX_LEN - 8), number); } else { at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "ATD>%u;\r", memory); } - at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("atd", at_len); + osi_free(buf); + return; + } bta_hf_client_send_at(BTA_HF_CLIENT_AT_ATD, buf, at_len); osi_free(buf); @@ -1726,7 +1800,7 @@ void bta_hf_client_send_at_btrh(BOOLEAN query, UINT32 val) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("btrh"); return; } APPL_TRACE_DEBUG("%s", __FUNCTION__); @@ -1737,6 +1811,13 @@ void bta_hf_client_send_at_btrh(BOOLEAN query, UINT32 val) at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+BTRH=%u\r", val); } + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("btrh", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_BTRH, buf, at_len); osi_free(buf); } @@ -1746,13 +1827,20 @@ void bta_hf_client_send_at_vts(char code) char *buf = osi_malloc(BTA_HF_CLIENT_AT_MAX_LEN); int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("vts"); return; } APPL_TRACE_DEBUG("%s", __FUNCTION__); at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+VTS=%c\r", code); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("vts", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_VTS, buf, at_len); osi_free(buf); } @@ -1801,12 +1889,19 @@ void bta_hf_client_send_at_binp(UINT32 action) int at_len; if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("binp"); return; } at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+BINP=%u\r", action); + at_len = MIN(at_len, BTA_HF_CLIENT_AT_MAX_LEN - 1); + if (at_len < 0) { + bta_hf_client_send_at_len_err_print("binp", at_len); + osi_free(buf); + return; + } + bta_hf_client_send_at(BTA_HF_CLIENT_AT_BINP, buf, at_len); osi_free(buf); } @@ -1825,7 +1920,7 @@ void bta_hf_client_send_at_bia(void) buf = osi_malloc(BTA_HF_CLIENT_AT_MAX_LEN); if (buf == NULL) { - APPL_TRACE_ERROR("No mem %s", __FUNCTION__); + bta_hf_client_send_at_nomem_err_print("bia"); return; } at_len = snprintf(buf, BTA_HF_CLIENT_AT_MAX_LEN, "AT+BIA="); @@ -1836,9 +1931,15 @@ void bta_hf_client_send_at_bia(void) at_len += snprintf(buf + at_len, BTA_HF_CLIENT_AT_MAX_LEN - at_len, "%d,", sup); } + at_len = (int)strnlen(buf, BTA_HF_CLIENT_AT_MAX_LEN); + if (at_len < 1) { + bta_hf_client_send_at_len_err_print("bia", at_len); + osi_free(buf); + return; + } buf[at_len - 1] = '\r'; - bta_hf_client_send_at(BTA_HF_CLIENT_AT_BIA, buf, at_len); + bta_hf_client_send_at(BTA_HF_CLIENT_AT_BIA, buf, (UINT16)at_len); osi_free(buf); } diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_cmd.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_cmd.c index 08e321d351..b225e738df 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_cmd.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_cmd.c @@ -37,10 +37,14 @@ void bta_hf_client_send_at_cmd(tBTA_HF_CLIENT_DATA *p_data) case BTA_HF_CLIENT_AT_CMD_CHUP: bta_hf_client_send_at_chup(); break; - case BTA_HF_CLIENT_AT_CMD_CHLD: - /* expects ascii code for command */ - bta_hf_client_send_at_chld('0' + p_val->uint32_val1, p_val->uint32_val2); + case BTA_HF_CLIENT_AT_CMD_CHLD: { + UINT32 chld_n = p_val->uint32_val1; + if (chld_n > 9) { + break; + } + bta_hf_client_send_at_chld((char)('0' + chld_n), p_val->uint32_val2); break; + } case BTA_HF_CLIENT_AT_CMD_BCC: bta_hf_client_send_at_bcc(); break; @@ -81,7 +85,7 @@ void bta_hf_client_send_at_cmd(tBTA_HF_CLIENT_DATA *p_data) bta_hf_client_send_at_xapl(p_val->str, p_val->uint32_val1); break; case BTA_HF_CLIENT_AT_CMD_IPHONEACCEV: - bta_hf_client_send_at_iphoneaccev(p_val->uint32_val1, p_val->uint32_val1 == 0 ? FALSE : TRUE); + bta_hf_client_send_at_iphoneaccev(p_val->uint32_val1, p_val->uint32_val2 == 0 ? FALSE : TRUE); break; default: APPL_TRACE_ERROR("Default case, %s", __FUNCTION__); diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_main.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_main.c index b87c4869c3..e72bd2b945 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_main.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_main.c @@ -316,7 +316,9 @@ void bta_hf_client_scb_disable(void) bta_hf_client_scb_init(); - (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_DISABLE_EVT, NULL); + if (bta_hf_client_cb.p_cback) { + (*bta_hf_client_cb.p_cback)(BTA_HF_CLIENT_DISABLE_EVT, NULL); + } } /******************************************************************************* @@ -419,6 +421,19 @@ void bta_hf_client_collision_cback (tBTA_SYS_CONN_STATUS status, UINT8 id, *******************************************************************************/ static void bta_hf_client_api_enable(tBTA_HF_CLIENT_DATA *p_data) { + if (bta_hf_client_cb.scb.p_disc_db != NULL) { + (void)SDP_CancelServiceSearch(bta_hf_client_cb.scb.p_disc_db); + bta_hf_client_free_db(NULL); + } + if (bta_hf_client_cb.scb.p_sco_data != NULL) { + osi_free(bta_hf_client_cb.scb.p_sco_data); + bta_hf_client_cb.scb.p_sco_data = NULL; + } + if (bta_hf_client_cb.scb.colli_tmr_on) { + bta_sys_stop_timer(&bta_hf_client_cb.scb.colli_timer); + bta_hf_client_cb.scb.colli_tmr_on = FALSE; + } + /* initialize control block */ memset(&bta_hf_client_cb, 0, sizeof(tBTA_HF_CLIENT_CB)); @@ -501,7 +516,7 @@ BOOLEAN bta_hf_client_hdl_event(BT_HDR *p_msg) break; #if (BTM_SCO_HCI_INCLUDED == TRUE) && (BTA_HFP_EXT_CODEC == TRUE) case BTA_HF_CLIENT_SCO_DATA_SEND_EVT: - free_msg = false; + free_msg = FALSE; /* fall through */ #endif default: diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_rfc.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_rfc.c index b64b623702..2df87de4c5 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_rfc.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_rfc.c @@ -79,7 +79,9 @@ static void bta_hf_client_mgmt_cback(UINT32 code, UINT16 port_handle, void* data code, port_handle, bta_hf_client_cb.scb.conn_handle, bta_hf_client_cb.scb.serv_handle); /* ignore close event for port handles other than connected handle */ - if ((code != PORT_SUCCESS) && (port_handle != bta_hf_client_cb.scb.conn_handle)) { + if ((code != PORT_SUCCESS) && + (port_handle != bta_hf_client_cb.scb.conn_handle) && + (port_handle != bta_hf_client_cb.scb.serv_handle)) { APPL_TRACE_DEBUG("bta_hf_client_mgmt_cback ignoring handle:%d", port_handle); return; } @@ -206,6 +208,7 @@ void bta_hf_client_rfc_do_open(tBTA_HF_CLIENT_DATA *p_data) } /* RFCOMM create connection failed; send ourselves RFCOMM close event */ else { + bta_hf_client_cb.scb.conn_handle = 0; bta_hf_client_sm_execute(BTA_HF_CLIENT_RFC_CLOSE_EVT, p_data); } } diff --git a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_sco.c b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_sco.c index 11437fb92a..e8b40aa15e 100644 --- a/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_sco.c +++ b/components/bt/host/bluedroid/bta/hf_client/bta_hf_client_sco.c @@ -229,7 +229,9 @@ void bta_hf_client_cback_sco(UINT8 event) } #endif /* call app cback */ - (*bta_hf_client_cb.p_cback)(event, &audio_stat); + if (bta_hf_client_cb.p_cback != NULL) { + (*bta_hf_client_cb.p_cback)(event, &audio_stat); + } } #if (BTM_SCO_HCI_INCLUDED == TRUE ) @@ -266,7 +268,7 @@ static void bta_hf_client_sco_read_cback (UINT16 sco_idx, BT_HDR *p_data, tBTM_S *******************************************************************************/ static void bta_hf_client_sco_conn_rsp(tBTM_ESCO_CONN_REQ_EVT_DATA *p_data) { - tBTM_ESCO_PARAMS resp; + tBTM_ESCO_PARAMS resp = {0}; UINT8 hci_status = HCI_SUCCESS; UINT8 index = BTA_HF_CLIENT_ESCO_PARAM_IDX_CVSD_S3; #if (BTM_SCO_HCI_INCLUDED == TRUE ) @@ -281,8 +283,8 @@ static void bta_hf_client_sco_conn_rsp(tBTM_ESCO_CONN_REQ_EVT_DATA *p_data) index = BTA_HF_CLIENT_SCO_PARAM_IDX_CVSD; } else { if ((bta_hf_client_cb.scb.negotiated_codec == BTM_SCO_CODEC_CVSD) && - (bta_hf_client_cb.scb.features && BTA_HF_CLIENT_FEAT_ESCO_S4) && - (bta_hf_client_cb.scb.peer_features && BTA_HF_CLIENT_PEER_ESCO_S4)) { + (bta_hf_client_cb.scb.features & BTA_HF_CLIENT_FEAT_ESCO_S4) && + (bta_hf_client_cb.scb.peer_features & BTA_HF_CLIENT_PEER_ESCO_S4)) { index = BTA_HF_CLIENT_ESCO_PARAM_IDX_CVSD_S4; #if BT_HF_CLIENT_BQB_INCLUDED if (s_bta_hf_client_bqb_esco_s1_flag == true) { @@ -380,7 +382,7 @@ static void bta_hf_client_write_sco_data(BT_HDR *p_buf1, BT_HDR *p_buf2) ** Returns void ** *******************************************************************************/ -static void bta_hf_client_sco_data_send_cvsd(BT_HDR *p_buf, UINT8 out_pkt_len) +static void bta_hf_client_sco_data_send_cvsd(BT_HDR *p_buf, UINT16 out_pkt_len) { if (bta_hf_client_cb.scb.p_sco_data != NULL) { /* the remaining data of last sending operation */ @@ -468,7 +470,7 @@ static void bta_hf_client_sco_data_send_cvsd(BT_HDR *p_buf, UINT8 out_pkt_len) ** Returns void ** *******************************************************************************/ -static void bta_hf_client_sco_data_send_msbc(BT_HDR *p_buf, UINT8 out_pkt_len) +static void bta_hf_client_sco_data_send_msbc(BT_HDR *p_buf, UINT16 out_pkt_len) { if (p_buf->len == BTA_HF_CLIENT_MSBC_FRAME_SIZE && p_buf->offset >= BTA_HF_CLIENT_BUFF_OFFSET_MIN + BTA_HF_CLIENT_H2_HEADER_LEN) { /* add H2 header */ @@ -592,7 +594,7 @@ void bta_hf_client_sco_data_send(tBTA_HF_CLIENT_DATA *p_data) return; } - UINT8 out_pkt_len = bta_hf_client_cb.scb.out_pkt_len; + UINT16 out_pkt_len = bta_hf_client_cb.scb.out_pkt_len; UINT8 air_mode = bta_hf_client_cb.scb.air_mode; switch (air_mode) @@ -768,8 +770,8 @@ static void bta_hf_client_sco_create(BOOLEAN is_orig) } if (bta_hf_client_cb.scb.negotiated_codec == BTM_SCO_CODEC_CVSD) { - if ((bta_hf_client_cb.scb.features && BTA_HF_CLIENT_FEAT_ESCO_S4) && - (bta_hf_client_cb.scb.peer_features && BTA_HF_CLIENT_PEER_ESCO_S4)) { + if ((bta_hf_client_cb.scb.features & BTA_HF_CLIENT_FEAT_ESCO_S4) && + (bta_hf_client_cb.scb.peer_features & BTA_HF_CLIENT_PEER_ESCO_S4)) { index = BTA_HF_CLIENT_ESCO_PARAM_IDX_CVSD_S4; } } else if (bta_hf_client_cb.scb.negotiated_codec == BTM_SCO_CODEC_MSBC) { diff --git a/components/bt/host/bluedroid/bta/pba/bta_pba_client_act.c b/components/bt/host/bluedroid/bta/pba/bta_pba_client_act.c index 7ed5aaa8fc..7786a610e4 100644 --- a/components/bt/host/bluedroid/bta/pba/bta_pba_client_act.c +++ b/components/bt/host/bluedroid/bta/pba/bta_pba_client_act.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -47,10 +47,11 @@ static void close_goepc_and_report(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_E conn.handle = p_ccb->allocated; conn.error = reason; bdcpy(conn.bd_addr, p_ccb->bd_addr); - bta_pba_client_cb.p_cback(BTA_PBA_CLIENT_CONN_CLOSE_EVT, (tBTA_PBA_CLIENT *)&conn); /* free ccb */ free_ccb(p_ccb); + + bta_pba_client_cb.p_cback(BTA_PBA_CLIENT_CONN_CLOSE_EVT, (tBTA_PBA_CLIENT *)&conn); } static void build_and_send_empty_get_req(tBTA_PBA_CLIENT_CCB *p_ccb) @@ -280,8 +281,10 @@ void bta_pba_client_api_req(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA *p_ ret |= GOEPC_RequestAddHeader(p_ccb->goep_handle, OBEX_HEADER_ID_NAME, NULL, 0); } else { - UINT8 *utf16_name = osi_malloc(2 * name_len); - assert(utf16_name != NULL); + UINT8 *utf16_name = (UINT8 *)osi_malloc(2 * name_len); + if (utf16_name == NULL) { + goto error; + } ascii_to_utf16((UINT8 *)p_data->api_req.name, name_len, utf16_name); ret |= GOEPC_RequestAddHeader(p_ccb->goep_handle, OBEX_HEADER_ID_NAME, utf16_name, 2 * name_len); osi_free(utf16_name); @@ -308,6 +311,7 @@ void bta_pba_client_api_req(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA *p_ if (p_data->api_req.app_param) { ret |= GOEPC_RequestAddHeader(p_ccb->goep_handle, OBEX_HEADER_ID_APP_PARAM, p_data->api_req.app_param, p_data->api_req.app_param_len); osi_free(p_data->api_req.app_param); + p_data->api_req.app_param = NULL; } ret |= GOEPC_SendRequest(p_ccb->goep_handle); @@ -320,9 +324,11 @@ void bta_pba_client_api_req(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA *p_ error: if (p_data->api_req.name) { osi_free(p_data->api_req.name); + p_data->api_req.name = NULL; } if (p_data->api_req.app_param) { osi_free(p_data->api_req.app_param); + p_data->api_req.app_param = NULL; } close_goepc_and_report(p_ccb, BTA_PBA_CLIENT_GOEP_ERROR); } @@ -335,32 +341,35 @@ static void goep_event_callback(UINT16 handle, UINT8 event, tGOEPC_MSG *p_msg) { case GOEPC_OPENED_EVT: p_data = (tBTA_PBA_CLIENT_DATA *)osi_malloc(sizeof(tBTA_PBA_CLIENT_DATA)); - assert(p_data != NULL); - p_data->goep_connect.hdr.event = BTA_PBA_CLIENT_GOEP_CONNECT_EVT; - p_data->goep_connect.hdr.layer_specific = handle; - p_data->goep_connect.our_mtu = p_msg->opened.our_mtu; - p_data->goep_connect.peer_mtu = p_msg->opened.peer_mtu; + if (p_data) { + p_data->goep_connect.hdr.event = BTA_PBA_CLIENT_GOEP_CONNECT_EVT; + p_data->goep_connect.hdr.layer_specific = handle; + p_data->goep_connect.our_mtu = p_msg->opened.our_mtu; + p_data->goep_connect.peer_mtu = p_msg->opened.peer_mtu; + } break; case GOEPC_CLOSED_EVT: p_data = (tBTA_PBA_CLIENT_DATA *)osi_malloc(sizeof(tBTA_PBA_CLIENT_DATA)); - assert(p_data != NULL); - p_data->goep_disconnect.hdr.event = BTA_PBA_CLIENT_GOEP_DISCONNECT_EVT; - p_data->goep_disconnect.hdr.layer_specific = handle; - p_data->goep_disconnect.reason = p_msg->closed.reason; + if (p_data) { + p_data->goep_disconnect.hdr.event = BTA_PBA_CLIENT_GOEP_DISCONNECT_EVT; + p_data->goep_disconnect.hdr.layer_specific = handle; + p_data->goep_disconnect.reason = p_msg->closed.reason; + } break; case GOEPC_RESPONSE_EVT: p_data = (tBTA_PBA_CLIENT_DATA *)osi_malloc(sizeof(tBTA_PBA_CLIENT_DATA)); - assert(p_data != NULL); - p_data->goep_response.hdr.layer_specific = handle; - p_data->goep_response.pkt = p_msg->response.pkt; - p_data->goep_response.opcode = p_msg->response.opcode; - p_data->goep_response.srm_en = p_msg->response.srm_en; - p_data->goep_response.srm_wait = p_msg->response.srm_wait; - if (p_msg->response.final) { - p_data->goep_response.hdr.event = BTA_PBA_CLIENT_RESPONSE_FINAL_EVT; - } - else { - p_data->hdr.event = BTA_PBA_CLIENT_RESPONSE_EVT; + if (p_data) { + p_data->goep_response.hdr.layer_specific = handle; + p_data->goep_response.pkt = p_msg->response.pkt; + p_data->goep_response.opcode = p_msg->response.opcode; + p_data->goep_response.srm_en = p_msg->response.srm_en; + p_data->goep_response.srm_wait = p_msg->response.srm_wait; + if (p_msg->response.final) { + p_data->goep_response.hdr.event = BTA_PBA_CLIENT_RESPONSE_FINAL_EVT; + } + else { + p_data->goep_response.hdr.event = BTA_PBA_CLIENT_RESPONSE_EVT; + } } break; case GOEPC_MTU_CHANGED_EVT: @@ -419,10 +428,10 @@ void bta_pba_client_do_connect(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA conn.handle = 0; conn.error = reason; bdcpy(conn.bd_addr, p_ccb->bd_addr); - bta_pba_client_cb.p_cback(BTA_PBA_CLIENT_CONN_CLOSE_EVT, (tBTA_PBA_CLIENT *)&conn); - /* free ccb */ free_ccb(p_ccb); + + bta_pba_client_cb.p_cback(BTA_PBA_CLIENT_CONN_CLOSE_EVT, (tBTA_PBA_CLIENT *)&conn); } void bta_pba_client_authenticate(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA *p_data) @@ -467,22 +476,36 @@ void bta_pba_client_response(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA *p { case OBEX_HEADER_ID_BODY: case OBEX_HEADER_ID_END_OF_BODY: + { + UINT16 hi_len = OBEX_GetHeaderLength(header); + if (hi_len < 3) { + reason = BTA_PBA_CLIENT_BAD_REQUEST; + goto error; + } if (body_data == NULL) { /* first body header */ body_data = header + 3; /* skip opcode, length */ - body_data_len = OBEX_GetHeaderLength(header) - 3; + body_data_len = hi_len - 3; } else { /* another body header found */ report_data_event(p_ccb, body_data, body_data_len, NULL, 0, FALSE, NULL); body_data = header + 3; /* skip opcode, length */ - body_data_len = OBEX_GetHeaderLength(header) - 3; + body_data_len = hi_len - 3; } break; + } case OBEX_HEADER_ID_APP_PARAM: + { + UINT16 hi_len = OBEX_GetHeaderLength(header); + if (hi_len < 3) { + reason = BTA_PBA_CLIENT_BAD_REQUEST; + goto error; + } app_param = header + 3; - app_param_len = OBEX_GetHeaderLength(header) - 3; + app_param_len = hi_len - 3; break; + } default: break; } @@ -544,7 +567,10 @@ void bta_pba_client_response_final(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_D } BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR)); - assert(p_buf != NULL); + if (p_buf == NULL) { + APPL_TRACE_ERROR("pba_client_response_final: ENOMEM"); + goto error; + } p_buf->event = BTA_PBA_CLIENT_CONNECT_EVT; p_buf->layer_specific = p_ccb->allocated; bta_sys_sendmsg(p_buf); @@ -580,22 +606,36 @@ void bta_pba_client_response_final(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_D /* actually, BODY should not in this final response */ case OBEX_HEADER_ID_BODY: case OBEX_HEADER_ID_END_OF_BODY: + { + UINT16 hi_len = OBEX_GetHeaderLength(header); + if (hi_len < 3) { + reason = BTA_PBA_CLIENT_BAD_REQUEST; + goto error; + } if (body_data == NULL) { /* first body header */ body_data = header + 3; /* skip opcode, length */ - body_data_len = OBEX_GetHeaderLength(header) - 3; + body_data_len = hi_len - 3; } else { /* another body header found */ report_data_event(p_ccb, body_data, body_data_len, NULL, 0, FALSE, NULL); body_data = header + 3; /* skip opcode, length */ - body_data_len = OBEX_GetHeaderLength(header) - 3; + body_data_len = hi_len - 3; } break; + } case OBEX_HEADER_ID_APP_PARAM: + { + UINT16 hi_len = OBEX_GetHeaderLength(header); + if (hi_len < 3) { + reason = BTA_PBA_CLIENT_BAD_REQUEST; + goto error; + } app_param = header + 3; - app_param_len = OBEX_GetHeaderLength(header) - 3; + app_param_len = hi_len - 3; break; + } default: break; } @@ -606,6 +646,8 @@ void bta_pba_client_response_final(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_D /* done, return */ return; } + report_data_event(p_ccb, NULL, 0, NULL, 0, TRUE, p_data->goep_response.pkt); + return; } /* unexpected response code or body data not found */ reason = calculate_response_error(info.response_code); @@ -687,8 +729,8 @@ void bta_pba_client_goep_disconnect(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_ conn.handle = p_ccb->allocated; bdcpy(conn.bd_addr, p_ccb->bd_addr); conn.error = BTA_PBA_CLIENT_GOEP_ERROR; - bta_pba_client_cb.p_cback(BTA_PBA_CLIENT_CONN_CLOSE_EVT, (tBTA_PBA_CLIENT *)&conn); free_ccb(p_ccb); + bta_pba_client_cb.p_cback(BTA_PBA_CLIENT_CONN_CLOSE_EVT, (tBTA_PBA_CLIENT *)&conn); } void bta_pba_client_free_response(tBTA_PBA_CLIENT_CCB *p_ccb, tBTA_PBA_CLIENT_DATA *p_data) diff --git a/components/bt/host/bluedroid/bta/pba/bta_pba_client_main.c b/components/bt/host/bluedroid/bta/pba/bta_pba_client_main.c index 81c389bb3e..e6e7ba1de4 100644 --- a/components/bt/host/bluedroid/bta/pba/bta_pba_client_main.c +++ b/components/bt/host/bluedroid/bta/pba/bta_pba_client_main.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -176,6 +176,7 @@ static tBTA_PBA_CLIENT_CCB *find_ccb_by_handle(UINT16 handle) for (int i = 0; i < PBA_CLIENT_MAX_CONNECTION; ++i) { if (bta_pba_client_cb.ccb[i].allocated != 0 && bta_pba_client_cb.ccb[i].allocated == handle) { p_ccb = &bta_pba_client_cb.ccb[i]; + break; } } return p_ccb; @@ -187,6 +188,7 @@ static tBTA_PBA_CLIENT_CCB *find_ccb_by_goep_handle(UINT16 goep_handle) for (int i = 0; i < PBA_CLIENT_MAX_CONNECTION; ++i) { if (bta_pba_client_cb.ccb[i].allocated != 0 && bta_pba_client_cb.ccb[i].goep_handle == goep_handle) { p_ccb = &bta_pba_client_cb.ccb[i]; + break; } } return p_ccb; @@ -198,6 +200,7 @@ static tBTA_PBA_CLIENT_CCB *find_ccb_by_bd_addr(BD_ADDR bd_addr) for (int i = 0; i < PBA_CLIENT_MAX_CONNECTION; ++i) { if (bta_pba_client_cb.ccb[i].allocated != 0 && bdcmp(bta_pba_client_cb.ccb[i].bd_addr, bd_addr) == 0) { p_ccb = &bta_pba_client_cb.ccb[i]; + break; } } return p_ccb; diff --git a/components/bt/host/bluedroid/bta/pba/bta_pba_client_sdp.c b/components/bt/host/bluedroid/bta/pba/bta_pba_client_sdp.c index 030ddad66c..a65dc9a8ac 100644 --- a/components/bt/host/bluedroid/bta/pba/bta_pba_client_sdp.c +++ b/components/bt/host/bluedroid/bta/pba/bta_pba_client_sdp.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -35,6 +35,11 @@ static void bta_pba_client_sdp_cback(UINT16 status, void *user_data) APPL_TRACE_DEBUG("bta_pba_client_sdp_cback status:0x%x", status); + if (p_ccb == NULL || p_ccb->allocated == 0) { + APPL_TRACE_ERROR("bta_pba_client_sdp_cback EINVAL CCB"); + return; + } + if ((p_buf = (tBTA_PBA_CLIENT_DISC_RESULT *) osi_malloc(sizeof(tBTA_PBA_CLIENT_DISC_RESULT))) != NULL) { p_buf->hdr.event = BTA_PBA_CLIENT_DISC_RES_EVT; p_buf->hdr.layer_specific = p_ccb->allocated; @@ -141,6 +146,8 @@ BOOLEAN bta_pba_client_sdp_find_attr(tBTA_PBA_CLIENT_CCB *p_ccb) tSDP_PROTOCOL_ELEM pe; BOOLEAN result = FALSE; + p_ccb->peer_version = 0; + /* loop through all records we found */ while (TRUE) { /* get next record; if none found, we're done */ @@ -260,7 +267,7 @@ BOOLEAN bta_pba_client_do_disc(tBTA_PBA_CLIENT_CCB *p_ccb) /******************************************************************************* ** -** Function bta_hf_client_free_db +** Function bta_pba_client_free_db ** ** Description Free discovery database. **