diff --git a/components/bt/host/bluedroid/api/esp_bt_main.c b/components/bt/host/bluedroid/api/esp_bt_main.c index fd5a0e2a92..55cd9e3cae 100644 --- a/components/bt/host/bluedroid/api/esp_bt_main.c +++ b/components/bt/host/bluedroid/api/esp_bt_main.c @@ -92,6 +92,7 @@ esp_err_t esp_bluedroid_disable(void) if (btc_transfer_context(&msg, NULL, 0, NULL, NULL) != BT_STATUS_SUCCESS) { LOG_ERROR("Bluedroid disable failed\n"); + future_free(*future_p); s_bt_host_state = ESP_BLUEDROID_STATUS_ENABLED; return ESP_FAIL; } @@ -260,6 +261,7 @@ esp_err_t esp_bluedroid_deinit(void) if (btc_transfer_context(&msg, NULL, 0, NULL, NULL) != BT_STATUS_SUCCESS) { LOG_ERROR("Bluedroid de-initialise failed\n"); + future_free(*future_p); return ESP_FAIL; } diff --git a/components/bt/host/bluedroid/bta/dm/bta_dm_pm.c b/components/bt/host/bluedroid/bta/dm/bta_dm_pm.c index 35727779ee..74712870bf 100644 --- a/components/bt/host/bluedroid/bta/dm/bta_dm_pm.c +++ b/components/bt/host/bluedroid/bta/dm/bta_dm_pm.c @@ -522,6 +522,10 @@ static void bta_dm_pm_set_mode(BD_ADDR peer_addr, tBTA_DM_PM_ACTION pm_request, } } + if (j > p_bta_dm_pm_cfg[0].app_id) { + continue; + } + p_pm_cfg = &p_bta_dm_pm_cfg[j]; p_pm_spec = &p_bta_dm_pm_spec[p_pm_cfg->spec_idx]; p_act0 = &p_pm_spec->actn_tbl[p_srvcs->state][0]; @@ -757,6 +761,10 @@ static void bta_dm_pm_ssr(BD_ADDR peer_addr) } } + if (j > p_bta_dm_pm_cfg[0].app_id) { + continue; + } + /* find the ssr index with the smallest max latency. */ p_spec_cur = &p_bta_dm_ssr_spec[p_bta_dm_pm_spec[p_bta_dm_pm_cfg[j].spec_idx].ssr]; p_spec = &p_bta_dm_ssr_spec[ssr]; diff --git a/components/bt/host/bluedroid/bta/sdp/bta_sdp_act.c b/components/bt/host/bluedroid/bta/sdp/bta_sdp_act.c index 045672f0dc..913eb7c45e 100644 --- a/components/bt/host/bluedroid/bta/sdp/bta_sdp_act.c +++ b/components/bt/host/bluedroid/bta/sdp/bta_sdp_act.c 
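Review bot: `future_free(*future_p)` on the failure path leaves `*future_p` pointing at freed memory; if `future_p` refers to a field that outlives this call (its declaration is above the hunk), a retried esp_bluedroid_disable() or a later future_await on the same object would be a use-after-free or double free. Null it right after the free, `future_free(*future_p); *future_p = NULL;`, so a stale pointer can never be awaited. Restoring `s_bt_host_state` to ENABLED is correct here because the disable message was never queued. The body of esp_bluedroid_disable() starts and ends outside the hunk.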
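Review bot: The deinit failure path frees the future but, unlike the esp_bluedroid_disable() hunk above it, does not restore `s_bt_host_state`; if esp_bluedroid_deinit() advances the state before calling btc_transfer_context (not visible here), a failed transfer leaves the host claiming a de-initialisation that never ran. Mirror the disable path by restoring whichever state was set before the call, and null the freed pointer with `*future_p = NULL;` for the same dangling-pointer reason. The enclosing function starts and ends outside the hunk.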
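Review bot: The new `if (j > p_bta_dm_pm_cfg[0].app_id) continue;` in bta_dm_pm_set_mode silently skips a service whose id/app_id has no entry in the pm table, and the identical lookup-and-guard is repeated in bta_dm_pm_ssr; a small static helper returning the matching index or -1, with an APPL_TRACE_WARNING on a miss, would make a misconfigured `bta_dm_pm_cfg` table visible in logs instead of quietly disabling power management for that service. At minimum add `/* entry 0's app_id holds the table length; no match means j ran past the end */` so the reason for the bound is clear to the next reader. The loop that produces `j` and the rest of both functions lie outside the hunks.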
@@ -425,7 +425,10 @@ static void bta_sdp_search_cback(UINT16 result, void *user_data) bta_sdp_cb.sdp_active = BTA_SDP_ACTIVE_NONE; - if (bta_sdp_cb.p_dm_cback == NULL) { + if ((bta_sdp_cb.p_dm_cback == NULL) || (user_data == NULL)) { + if (user_data) { + osi_free(user_data); + } return; } @@ -517,12 +520,15 @@ void bta_sdp_enable(tBTA_SDP_MSG *p_data) void bta_sdp_search(tBTA_SDP_MSG *p_data) { int x = 0; - // TODO: Leaks!!! but needed as user-data pointer - tBT_UUID *bta_sdp_search_uuid = osi_malloc(sizeof(tBT_UUID)); if (p_data == NULL) { APPL_TRACE_DEBUG("SDP control block handle is null\n"); return; } + tBT_UUID *bta_sdp_search_uuid = osi_malloc(sizeof(tBT_UUID)); + if (bta_sdp_search_uuid == NULL) { + APPL_TRACE_DEBUG("SDP search param malloc failed\n"); + return; + } tBTA_SDP_STATUS status = BTA_SDP_FAILURE; APPL_TRACE_DEBUG("%s in, sdp_active:%d\n", __func__, bta_sdp_cb.sdp_active); @@ -537,6 +543,7 @@ void bta_sdp_search(tBTA_SDP_MSG *p_data) result.status = status; bta_sdp_cb.p_dm_cback(BTA_SDP_SEARCH_COMP_EVT, (tBTA_SDP *)&result, NULL); } + osi_free(bta_sdp_search_uuid); return; } @@ -560,6 +567,7 @@ void bta_sdp_search(tBTA_SDP_MSG *p_data) if (!SDP_ServiceSearchAttributeRequest2(p_data->get_search.bd_addr, p_bta_sdp_cfg->p_sdp_db, bta_sdp_search_cback, (void *)bta_sdp_search_uuid)) { + osi_free(bta_sdp_search_uuid); bta_sdp_cb.sdp_active = BTA_SDP_ACTIVE_NONE; /* failed to start SDP. report the failure right away */ diff --git a/components/bt/host/bluedroid/bta/sdp/bta_sdp_api.c b/components/bt/host/bluedroid/bta/sdp/bta_sdp_api.c index d46f784bf1..a96b87fe15 100644 --- a/components/bt/host/bluedroid/bta/sdp/bta_sdp_api.c +++ b/components/bt/host/bluedroid/bta/sdp/bta_sdp_api.c 
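Review bot: The early-return path of bta_sdp_search_cback now frees `user_data`, but the normal path must also release it once the uuid has been reported through p_dm_cback; that end of the callback is outside the hunk, so confirm an `osi_free(user_data);` follows the p_dm_cback call, otherwise the leak noted by the removed "TODO: Leaks!!!" comment is fixed only for the error cases. A one-line comment at this free, `/* user_data is the tBT_UUID allocated in bta_sdp_search; this callback owns it */`, would document the ownership hand-off. The enclosing function continues below the hunk.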
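Review bot: In bta_sdp_search, `bta_sdp_search_uuid` is allocated before the `sdp_active` busy check and the checks that follow, which is why the later hunks have to add `osi_free` on the busy path and on request failure; allocating it immediately before `SDP_ServiceSearchAttributeRequest2` would remove two of the three free sites and the alloc/free churn on every rejected call. If the early paths must stay as they are, a single `goto cleanup;` label keeps the free in one place. The function body continues past the hunk.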
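Review bot: After a successful `SDP_ServiceSearchAttributeRequest2` the uuid buffer is owned by the SDP stack until bta_sdp_search_cback runs, and nothing in this hunk covers a search that is cancelled or torn down (bta_sdp_disable / SDP_CancelServiceSearch paths, not visible here) without the callback firing, which would leak it. Document the hand-off next to the call, `/* on success the SDP layer owns bta_sdp_search_uuid; bta_sdp_search_cback frees it */`, and verify the cancel path either invokes the callback or frees the pointer it was given. The function ends outside the hunk.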
@@ -62,6 +62,11 @@ tBTA_SDP_STATUS BTA_SdpEnable(tBTA_SDP_DM_CBACK *p_cback) APPL_TRACE_API("%s\n", __FUNCTION__); + /* do not allocate sdp_db / raw buffers unless we can run the enable path */ + if (p_cback == NULL || bta_sys_is_register(BTA_ID_SDP)) { + return BTA_SDP_FAILURE; + } + #if BTA_DYNAMIC_MEMORY == TRUE /* Malloc buffer for SDP configuration structure */ p_bta_sdp_cfg->p_sdp_db = (tSDP_DISCOVERY_DB *)osi_malloc(p_bta_sdp_cfg->sdp_db_size); @@ -72,19 +77,20 @@ tBTA_SDP_STATUS BTA_SdpEnable(tBTA_SDP_DM_CBACK *p_cback) } #endif - if (p_cback && FALSE == bta_sys_is_register(BTA_ID_SDP)) { - memset(&bta_sdp_cb, 0, sizeof(tBTA_SDP_CB)); + memset(&bta_sdp_cb, 0, sizeof(tBTA_SDP_CB)); - /* register with BTA system manager */ + if ((p_buf = (tBTA_SDP_API_ENABLE *) osi_malloc(sizeof(tBTA_SDP_API_ENABLE))) != NULL) { + /* register with BTA system manager only after buffer alloc succeeds */ bta_sys_register(BTA_ID_SDP, &bta_sdp_reg); - - if (p_cback && - (p_buf = (tBTA_SDP_API_ENABLE *) osi_malloc(sizeof(tBTA_SDP_API_ENABLE))) != NULL) { - p_buf->hdr.event = BTA_SDP_API_ENABLE_EVT; - p_buf->p_cback = p_cback; - bta_sys_sendmsg(p_buf); - status = BTA_SDP_SUCCESS; - } + p_buf->hdr.event = BTA_SDP_API_ENABLE_EVT; + p_buf->p_cback = p_cback; + bta_sys_sendmsg(p_buf); + status = BTA_SDP_SUCCESS; + } else { +#if BTA_DYNAMIC_MEMORY == TRUE + /* undo sdp_db / sdp_raw_data from above; not registered yet */ + BTA_SdpCleanup(); +#endif } return (status); } @@ -104,12 +110,12 @@ tBTA_SDP_STATUS BTA_SdpEnable(tBTA_SDP_DM_CBACK *p_cback) tBTA_SDP_STATUS BTA_SdpDisable(void) { BT_HDR *p_buf = NULL; - tBTA_SDP_STATUS status = BTA_SDP_SUCCESS; + tBTA_SDP_STATUS status = BTA_SDP_FAILURE; if ((p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR))) != NULL) { p_buf->event = BTA_SDP_API_DISABLE_EVT; bta_sys_sendmsg(p_buf); - status = BTA_SDP_FAILURE; + status = BTA_SDP_SUCCESS; } return status; 
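Review bot: In the new else branch `BTA_SdpCleanup()` is called before `bta_sys_register` and with `bta_sdp_cb` freshly zeroed; the cleanup routine is not visible here, so confirm it only releases `p_sdp_db` / `p_sdp_raw_data` and does not deregister or touch state that the enable message would have created. It should also reset the freed pointers to NULL, otherwise a retried BTA_SdpEnable() allocates over stale pointers that other code may still test. Under `BTA_DYNAMIC_MEMORY == FALSE` the failure is silent; an `APPL_TRACE_ERROR("%s: no memory for enable msg", __func__);` in that branch would help diagnose it. The function's prologue is above the hunk.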
diff --git a/components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_bt.c b/components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_bt.c index 9d22b7e418..9c95c7527f 100644 --- a/components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_bt.c +++ b/components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_bt.c @@ -1057,6 +1057,9 @@ static void btc_gap_bt_get_dev_name_callback(UINT8 status, char *name) ret = btc_transfer_context(&msg, ¶m, sizeof(esp_bt_gap_cb_param_t), NULL, NULL); if (ret != BT_STATUS_SUCCESS) { BTC_TRACE_ERROR("%s btc_transfer_context failed\n", __func__); + if (param.get_dev_name_cmpl.name) { + osi_free(param.get_dev_name_cmpl.name); + } } } @@ -1395,8 +1398,14 @@ void btc_gap_bt_cb_deep_free(btc_msg_t *msg) #if (ENC_KEY_SIZE_CTRL_MODE != ENC_KEY_SIZE_CTRL_MODE_NONE) case BTC_GAP_BT_SET_MIN_ENC_KEY_SIZE_EVT: #endif /// ENC_KEY_SIZE_CTRL_MODE != ENC_KEY_SIZE_CTRL_MODE_NONE - case BTC_GAP_BT_GET_DEV_NAME_CMPL_EVT: break; + case BTC_GAP_BT_GET_DEV_NAME_CMPL_EVT: { + char *name = ((esp_bt_gap_cb_param_t *)msg->arg)->get_dev_name_cmpl.name; + if (name) { + osi_free(name); + } + break; + } default: BTC_TRACE_ERROR("%s: Unhandled event (%d)!\n", __FUNCTION__, msg->act); break; diff --git a/components/bt/host/bluedroid/btc/profile/std/sdp/btc_sdp.c b/components/bt/host/bluedroid/btc/profile/std/sdp/btc_sdp.c index e343716b08..a124ed66e6 100644 --- a/components/bt/host/bluedroid/btc/profile/std/sdp/btc_sdp.c +++ b/components/bt/host/bluedroid/btc/profile/std/sdp/btc_sdp.c @@ -55,7 +55,7 @@ static sdp_local_param_t *sdp_local_param_ptr; #if SDP_DYNAMIC_MEMORY == FALSE #define is_sdp_init() (sdp_local_param.sdp_slot_mutex != NULL) #else -#define is_sdp_init() (&sdp_local_param != NULL && sdp_local_param.sdp_slot_mutex != NULL) +#define is_sdp_init() (sdp_local_param_ptr != NULL && sdp_local_param.sdp_slot_mutex != NULL) #endif static void btc_sdp_cleanup(void) 
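Review bot: On a failed `btc_transfer_context` the added `osi_free` correctly drops the name buffer, but the application then never receives a GET_DEV_NAME_CMPL event and the caller of the get-device-name API cannot tell the request was lost; if the profile has a way to report the failure synchronously (not visible here) it should be used, otherwise this should be stated in the API documentation. A comment at the transfer call would also help, e.g. `/* name is heap-allocated; ownership passes to the btc task and is released in btc_gap_bt_cb_deep_free */`. Where `param.get_dev_name_cmpl.name` is allocated is above the hunk.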
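Review bot: `btc_gap_bt_cb_deep_free` now frees `get_dev_name_cmpl.name` after the user callback has returned, so the `name` pointer handed to the application is valid only for the duration of the GET_DEV_NAME_CMPL callback; that lifetime should be stated in the esp_bt_gap_cb_param_t documentation (the header is not in this diff), e.g. `/*!< Device name; valid only inside the callback, copy it if it must outlive the event */`. The `if (name)` guard is harmless but redundant if osi_free tolerates NULL the way free() does.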
@@ -1439,7 +1439,7 @@ void btc_sdp_get_protocol_status(esp_sdp_protocol_status_t *param) if (is_sdp_init()) { param->sdp_inited = true; osi_mutex_lock(&sdp_local_param.sdp_slot_mutex, OSI_MUTEX_MAX_TIMEOUT); - for (size_t i = 0; i <= SDP_MAX_RECORDS; i++) { + for (size_t i = 0; i < SDP_MAX_RECORDS; i++) { if (sdp_local_param.sdp_slots[i] != NULL && sdp_local_param.sdp_slots[i]->state == SDP_RECORD_ALLOCED) { param->records_num++; } diff --git a/components/bt/host/bluedroid/stack/btm/btm_sco.c b/components/bt/host/bluedroid/stack/btm/btm_sco.c index a9a2d76f46..6da0786eb3 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_sco.c +++ b/components/bt/host/bluedroid/stack/btm/btm_sco.c @@ -283,6 +283,7 @@ static void hci_sco_data_to_lower(BT_HDR *p_buf) if (p_buf->offset == 0) { BTM_TRACE_ERROR("offset cannot be 0"); osi_free(p_buf); + return; } bte_main_hci_send(p_buf, (UINT16)(BT_EVT_TO_LM_HCI_SCO | LOCAL_BLE_CONTROLLER_ID)); @@ -1166,11 +1167,15 @@ UINT16 btm_find_scb_by_handle (UINT16 handle) tBTM_STATUS BTM_RemoveSco (UINT16 sco_inx) { #if (BTM_MAX_SCO_LINKS>0) + if (sco_inx >= BTM_MAX_SCO_LINKS) { + return (BTM_UNKNOWN_ADDR); + } + tSCO_CONN *p = &btm_cb.sco_cb.sco_db[sco_inx]; UINT16 tempstate; /* Validity check */ - if ((sco_inx >= BTM_MAX_SCO_LINKS) || (p->state == SCO_ST_UNUSED)) { + if (p->state == SCO_ST_UNUSED) { return (BTM_UNKNOWN_ADDR); } diff --git a/components/bt/host/bluedroid/stack/gap/gap_conn.c b/components/bt/host/bluedroid/stack/gap/gap_conn.c index 2fa54fa923..025f2ac134 100644 --- a/components/bt/host/bluedroid/stack/gap/gap_conn.c +++ b/components/bt/host/bluedroid/stack/gap/gap_conn.c @@ -130,7 +130,6 @@ UINT16 GAP_ConnOpen (const char *p_serv_name, UINT8 service_id, BOOLEAN is_serve { tGAP_CCB *p_ccb; UINT16 cid; - //tBT_UUID bt_uuid = {2, {GAP_PROTOCOL_ID}}; GAP_TRACE_EVENT ("GAP_CONN - Open Request"); 
@@ -149,6 +148,7 @@ UINT16 GAP_ConnOpen (const char *p_serv_name, UINT8 service_id, BOOLEAN is_serve memcpy (&p_ccb->rem_dev_address[0], p_rem_bda, BD_ADDR_LEN); } else if (!is_server) { /* remote addr is not specified and is not a server -> bad */ + gap_release_ccb (p_ccb); return (GAP_INVALID_HANDLE); } @@ -234,7 +234,7 @@ UINT16 GAP_ConnOpen (const char *p_serv_name, UINT8 service_id, BOOLEAN is_serve } /* Check if L2CAP started the connection process */ - if (p_rem_bda && ((cid = L2CA_CONNECT_REQ (p_ccb->psm, p_rem_bda, &p_ccb->ertm_info, &bt_uuid)) != 0)) { + if (p_rem_bda && ((cid = L2CA_CONNECT_REQ (p_ccb->psm, p_rem_bda, &p_ccb->ertm_info, NULL)) != 0)) { p_ccb->connection_id = cid; return (p_ccb->gap_handle); } else { @@ -721,7 +721,6 @@ static void gap_connect_ind (BD_ADDR bd_addr, UINT16 l2cap_cid, UINT16 psm, UIN { UINT16 xx; tGAP_CCB *p_ccb; - //tBT_UUID bt_uuid = {2, {GAP_PROTOCOL_ID}}; /* See if we have a CCB listening for the connection */ for (xx = 0, p_ccb = gap_cb.conn.ccb_pool; xx < GAP_MAX_CONNECTIONS; xx++, p_ccb++) { @@ -751,7 +750,7 @@ static void gap_connect_ind (BD_ADDR bd_addr, UINT16 l2cap_cid, UINT16 psm, UIN p_ccb->connection_id = l2cap_cid; /* Send response to the L2CAP layer. */ - L2CA_CONNECT_RSP (bd_addr, l2cap_id, l2cap_cid, L2CAP_CONN_OK, L2CAP_CONN_OK, &p_ccb->ertm_info, &bt_uuid); + L2CA_CONNECT_RSP (bd_addr, l2cap_id, l2cap_cid, L2CAP_CONN_OK, L2CAP_CONN_OK, &p_ccb->ertm_info, NULL); GAP_TRACE_EVENT("GAP_CONN - Rcvd L2CAP conn ind, CID: 0x%x", p_ccb->connection_id); diff --git a/components/bt/host/bluedroid/stack/l2cap/l2c_ucd.c b/components/bt/host/bluedroid/stack/l2cap/l2c_ucd.c index d2de138b22..e011ee5971 100644 --- a/components/bt/host/bluedroid/stack/l2cap/l2c_ucd.c +++ b/components/bt/host/bluedroid/stack/l2cap/l2c_ucd.c 
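Review bot: Passing `NULL` where the commented-out `bt_uuid` used to go only works if the fourth argument of `L2CA_CONNECT_REQ` (and of `L2CA_CONNECT_RSP` in the later hunk) is ignored or NULL-checked by the macro's expansion, which is not visible here; if it expands to a function that dereferences the uuid, this trades a compile error for a NULL dereference. Because the old code referenced an undeclared variable, this file evidently was not built in the default configuration, so please compile with the GAP connection feature enabled to confirm the expansion. Once verified, a comment such as `/* no connection UUID: the L2CA_CONNECT_REQ expansion ignores it */` records the rationale.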
@@ -185,7 +185,7 @@ static void l2c_ucd_config_cfm_cback (UINT16 cid, tL2CAP_CFG_INFO *p_cfg) ** ** Parameters: tL2CAP_UCD_CB_INFO ** -** Return value: TRUE if successs +** Return value: TRUE if success ** *******************************************************************************/ BOOLEAN L2CA_UcdRegister ( UINT16 psm, tL2CAP_UCD_CB_INFO *p_cb_info ) @@ -242,12 +242,12 @@ BOOLEAN L2CA_UcdRegister ( UINT16 psm, tL2CAP_UCD_CB_INFO *p_cb_info ) ** ** Parameters: PSM ** -** Return value: TRUE if successs +** Return value: TRUE if success ** *******************************************************************************/ BOOLEAN L2CA_UcdDeregister_In_CCB_List (void *p_ccb_node, void * context) { - p_ccb = (tL2C_CCB *)p_ccb_node; + tL2C_CCB *p_ccb = (tL2C_CCB *)p_ccb_node; if (( p_ccb->in_use ) && ( p_ccb->local_cid == L2CAP_CONNECTIONLESS_CID )) { l2cu_release_ccb (p_ccb); @@ -301,7 +301,7 @@ BOOLEAN L2CA_UcdDeregister ( UINT16 psm ) ** L2CAP_UCD_INFO_TYPE_MTU ** ** -** Return value: TRUE if successs +** Return value: TRUE if success ** *******************************************************************************/ BOOLEAN L2CA_UcdDiscover ( UINT16 psm, BD_ADDR rem_bda, UINT8 info_type ) @@ -450,7 +450,7 @@ UINT16 L2CA_UcdDataWrite (UINT16 psm, BD_ADDR rem_bda, BT_HDR *p_buf, UINT16 fla ** Parameters: BD Addr ** Timeout in second ** -** Return value: TRUE if successs +** Return value: TRUE if success ** *******************************************************************************/ BOOLEAN L2CA_UcdSetIdleTimeout ( BD_ADDR rem_bda, UINT16 timeout ) @@ -517,7 +517,7 @@ BOOLEAN L2CA_UCDSetTxPriority ( BD_ADDR rem_bda, tL2CAP_CHNL_PRIORITY priority ) ** ** Parameters: BD_ADDR of remote device ** -** Return value: TRUE if successs +** Return value: TRUE if success ** *******************************************************************************/ static BOOLEAN l2c_ucd_connect ( BD_ADDR rem_bda ) 
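Review bot: The function header directly above `L2CA_UcdDeregister_In_CCB_List` (the `Parameters: PSM` / `Return value: TRUE if success` block this hunk edits) describes `L2CA_UcdDeregister`, not this per-node list callback, which takes `p_ccb_node` and `context` and returns a BOOLEAN to the list walker; fixing the typo in a comment that documents the wrong function preserves the confusion. Give the helper its own short header saying it releases any in-use CCB on `L2CAP_CONNECTIONLESS_CID` and what its return value means to the iteration, and move the PSM block down to sit above `L2CA_UcdDeregister`. The helper's body and return statement continue below the hunk.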
@@ -597,7 +597,7 @@ static BOOLEAN l2c_ucd_connect ( BD_ADDR rem_bda ) void l2c_ucd_delete_sec_pending_q(tL2C_LCB *p_lcb) { /* clean up any security pending UCD */ - while (p_lcb->ucd_out_sec_pending_q.p_first) { + while (!fixed_queue_is_empty(p_lcb->ucd_out_sec_pending_q)) { osi_free(fixed_queue_dequeue(p_lcb->ucd_out_sec_pending_q, 0)); } fixed_queue_free(p_lcb->ucd_out_sec_pending_q, NULL); @@ -606,7 +606,7 @@ void l2c_ucd_delete_sec_pending_q(tL2C_LCB *p_lcb) while (! fixed_queue_is_empty(p_lcb->ucd_in_sec_pending_q)) { osi_free(fixed_queue_dequeue(p_lcb->ucd_in_sec_pending_q, 0)); } - fixed_queue_free(p_lcb->ucd_in_sec_pending_q); + fixed_queue_free(p_lcb->ucd_in_sec_pending_q, NULL); p_lcb->ucd_in_sec_pending_q = NULL; } @@ -797,7 +797,7 @@ BOOLEAN l2c_ucd_check_pending_in_sec_q(tL2C_CCB *p_ccb) *******************************************************************************/ void l2c_ucd_send_pending_in_sec_q(tL2C_CCB *p_ccb) { - BT_HDR *p_buf = (BT_HDR*)fixed_queue_dequeue(p_ccb->p_lcb->ucd_in_sec_pending_q, 0) + BT_HDR *p_buf = (BT_HDR*)fixed_queue_dequeue(p_ccb->p_lcb->ucd_in_sec_pending_q, 0); if (p_buf != NULL) { p_ccb->p_rcb->ucd.cb_info.pL2CA_UCD_Data_Cb(p_ccb->p_lcb->remote_bd_addr, (BT_HDR *)p_buf); diff --git a/components/bt/host/bluedroid/stack/l2cap/l2cap_client.c b/components/bt/host/bluedroid/stack/l2cap/l2cap_client.c index c7314b62ff..6528b38ec9 100644 --- a/components/bt/host/bluedroid/stack/l2cap/l2cap_client.c +++ b/components/bt/host/bluedroid/stack/l2cap/l2cap_client.c @@ -107,7 +107,7 @@ l2cap_client_t *l2cap_client_new(const l2cap_client_callbacks_t *callbacks, void ret->remote_mtu = L2CAP_MTU_DEFAULT; ret->outbound_fragments = list_new(NULL); - if (!ret) { + if (!ret->outbound_fragments) { L2CAP_TRACE_ERROR("%s unable to allocate outbound L2CAP fragment list.", __func__); goto error; } 
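Review bot: `fixed_queue_is_empty(p_lcb->ucd_out_sec_pending_q)` and the `fixed_queue_free` that follows are reached without checking that the queue was ever created; if the osi fixed_queue functions do not accept a NULL queue (their implementation is not visible here), a link that never queued a UCD would crash in this teardown. A guard such as `if (p_lcb->ucd_out_sec_pending_q != NULL) { ... }` around each queue's drain-and-free makes l2c_ucd_delete_sec_pending_q safe to call unconditionally. The second queue's teardown is in the next hunk.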
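Review bot: The missing semicolon fixed here, together with the undeclared `p_ccb` and the wrong `fixed_queue_free` arity in the earlier hunks, shows l2c_ucd.c cannot have been built in any default configuration, so none of its changes in this commit are compile-verified; add a CI build with the UCD feature enabled before merging. Separately, this function delivers only one queued SDU per call and invokes `p_ccb->p_rcb->ucd.cb_info.pL2CA_UCD_Data_Cb` without checking that `p_rcb` is non-NULL; both are pre-existing but deserve a comment if intended. The function ends outside the hunk.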
@@ -393,7 +393,7 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet) assert(packet != NULL); // TODO(sharvil): eliminate copy into BT_HDR. - BT_HDR *bt_packet = osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET); + BT_HDR *bt_packet = osi_malloc(sizeof(BT_HDR) + buffer_length(packet) + L2CAP_MIN_OFFSET); bt_packet->offset = L2CAP_MIN_OFFSET; bt_packet->len = buffer_length(packet); memcpy(bt_packet->data + bt_packet->offset, buffer_ptr(packet), buffer_length(packet)); @@ -408,7 +408,7 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet) break; } - BT_HDR *fragment = osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET); + BT_HDR *fragment = osi_malloc(sizeof(BT_HDR) + client->remote_mtu + L2CAP_MIN_OFFSET); fragment->offset = L2CAP_MIN_OFFSET; fragment->len = client->remote_mtu; memcpy(fragment->data + fragment->offset, bt_packet->data + bt_packet->offset, client->remote_mtu); diff --git a/components/bt/host/bluedroid/stack/sdp/sdp_db.c b/components/bt/host/bluedroid/stack/sdp/sdp_db.c index 06f934d4a3..827134d3cf 100644 --- a/components/bt/host/bluedroid/stack/sdp/sdp_db.c +++ b/components/bt/host/bluedroid/stack/sdp/sdp_db.c @@ -360,9 +360,7 @@ BOOLEAN SDP_DeleteRecord (UINT32 handle) if (handle == 0 || sdp_cb.server_db.num_records == 0) { /* Delete all records in the database */ sdp_cb.server_db.num_records = 0; - for (p_node = list_begin(sdp_cb.server_db.p_record_list); p_node; p_node = list_next(p_node)) { - list_remove(sdp_cb.server_db.p_record_list, p_node); - } + list_clear(sdp_cb.server_db.p_record_list); /* require new DI record to be created in SDP_SetLocalDiRecord */ sdp_cb.server_db.di_primary_handle = 0; 
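Review bot: The corrected `osi_malloc(sizeof(BT_HDR) + ...)` results are still dereferenced unchecked on the very next line (`bt_packet->offset = L2CAP_MIN_OFFSET;`, and `fragment->offset` in the following hunk), so an allocation failure while fragmenting a large packet becomes a NULL write rather than a dropped packet. Check each result and bail out, e.g. `if (!bt_packet) { L2CAP_TRACE_ERROR("%s unable to allocate packet header.", __func__); return; }`, and free `bt_packet` before returning from inside the fragment loop. fragment_packet's remaining body, including how fragments are queued, is outside the hunk.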
@@ -488,15 +486,13 @@ BOOLEAN SDP_AddAttribute (UINT32 handle, UINT16 attr_id, UINT8 attr_type, p_attr->type = attr_type; p_attr->len = attr_len; - if (p_rec->free_pad_ptr + attr_len >= SDP_MAX_PAD_LEN) { + if (p_rec->free_pad_ptr + attr_len > SDP_MAX_PAD_LEN) { /* do truncate only for text string type descriptor */ if (attr_type == TEXT_STR_DESC_TYPE) { SDP_TRACE_WARNING("SDP_AddAttribute: attr_len:%d too long. truncate to (%d)\n", attr_len, SDP_MAX_PAD_LEN - p_rec->free_pad_ptr ); attr_len = SDP_MAX_PAD_LEN - p_rec->free_pad_ptr; - p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr] = '\0'; - p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr + 1] = '\0'; } else { attr_len = 0; } diff --git a/components/bt/host/bluedroid/stack/sdp/sdp_discovery.c b/components/bt/host/bluedroid/stack/sdp/sdp_discovery.c index 82ef1548da..d2ac7ccb07 100644 --- a/components/bt/host/bluedroid/stack/sdp/sdp_discovery.c +++ b/components/bt/host/bluedroid/stack/sdp/sdp_discovery.c @@ -305,6 +305,9 @@ static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply, UINT8 * if (p_ccb->num_handles > sdp_cb.max_recs_per_search) { p_ccb->num_handles = sdp_cb.max_recs_per_search; } + if (p_ccb->num_handles > SDP_MAX_DISC_SERVER_RECS) { + p_ccb->num_handles = SDP_MAX_DISC_SERVER_RECS; + } if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end) { sdp_disconnect(p_ccb, SDP_GENERIC_ERROR); @@ -424,8 +427,10 @@ static void process_service_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply, UINT8 *p_ /* If p_reply is NULL, we were called after the records handles were read */ if (p_reply) { #if (SDP_DEBUG_RAW == TRUE) - SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x\n", - p_reply[0], p_reply[1], p_reply[2], p_reply[3]); + if (p_reply + 4 <= p_reply_end) { + SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x\n", + p_reply[0], p_reply[1], p_reply[2], p_reply[3]); + } #endif /* Skip transaction ID and length */ p_reply += 4; 
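Review bot: Relaxing `>=` to `>` lets a record's pad be filled to exactly `SDP_MAX_PAD_LEN` bytes, which is only safe if `attr_pad` in the record structure is declared with `SDP_MAX_PAD_LEN` elements (its header is not in the diff); the old `>=` left the slack the removed terminator writes relied on, so please confirm the array bound. With those writes gone `p_val` is never modified, so the parameter can become `const UINT8 *p_val` in both the definition and the public prototype, which also stops callers having to pass writable buffers. Whether `p_attr->len` is brought in step with the shortened `attr_len` is decided by code below the hunk.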
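Review bot: The new bound check in process_service_attr_rsp only protects the `SDP_DEBUG_RAW` trace; the unconditional `p_reply += 4;` immediately below, and the parse that follows it outside the hunk, still advance past `p_reply_end` when the peer sends fewer than four bytes, unless the dispatcher already validated the header length before calling this function. Make the check gate the parse itself, `if (p_reply + 4 > p_reply_end) { sdp_disconnect(p_ccb, SDP_GENERIC_ERROR); return; }`, with the trace inside it, so a truncated attribute response is rejected rather than merely not printed. process_service_attr_rsp continues well past this hunk.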
diff --git a/components/bt/host/bluedroid/stack/sdp/sdp_server.c b/components/bt/host/bluedroid/stack/sdp/sdp_server.c index d36b4115c9..9d3d81c184 100644 --- a/components/bt/host/bluedroid/stack/sdp/sdp_server.c +++ b/components/bt/host/bluedroid/stack/sdp/sdp_server.c @@ -226,7 +226,7 @@ static void process_service_search (tCONN_CB *p_ccb, UINT16 trans_num, return; } if (*p_req) { - if (*p_req++ != SDP_CONTINUATION_LEN || (p_req >= p_req_end)) { + if (*p_req++ != SDP_CONTINUATION_LEN || (p_req + 2 > p_req_end)) { sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE, SDP_TEXT_BAD_CONT_LEN); return;
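Review bot: The tightened continuation check `p_req + 2 > p_req_end` guarantees the two-byte continuation offset can be read in process_service_search, but the same `*p_req++ != SDP_CONTINUATION_LEN` / `p_req >= p_req_end` pattern exists in the attribute and search-attribute request handlers of this file, which are not visible in this chunk; if they still use `>=`, they keep the one-byte over-read this hunk fixes. Apply the same bound there, and consider a small static helper that validates and reads the continuation state for all three so the copies cannot drift. The lines of process_service_search before `return; }` are outside the hunk.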