diff --git a/components/bt/host/bluedroid/api/esp_spp_api.c b/components/bt/host/bluedroid/api/esp_spp_api.c
index 18ef661c16..c739bb0cd2 100644
--- a/components/bt/host/bluedroid/api/esp_spp_api.c
+++ b/components/bt/host/bluedroid/api/esp_spp_api.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -70,14 +70,13 @@ esp_err_t esp_spp_enhanced_init(const esp_spp_cfg_t *cfg)
 esp_err_t esp_spp_deinit(void)
 {
     btc_msg_t msg;
-    btc_spp_args_t arg;
 
     ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
 
     msg.sig = BTC_SIG_API_CALL;
     msg.pid = BTC_PID_SPP;
     msg.act = BTC_SPP_ACT_UNINIT;
 
-    return (btc_transfer_context(&msg, &arg, sizeof(btc_spp_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
+    return (btc_transfer_context(&msg, NULL, 0, NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
 }
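Review bot: `btc_msg_t msg;` in esp_spp_deinit is still only partially initialized — sig, pid and act are assigned and then the struct is handed to btc_transfer_context, so any other member btc_msg_t may have (its definition is not in the hunk) crosses the boundary uninitialized. `btc_msg_t msg = {0};` settles that at no cost, and dropping the unused `btc_spp_args_t arg` in favour of `NULL, 0` is the right direction. The same remark applies to the esp_spp_vfs_register and esp_spp_vfs_unregister hunks that follow.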
@@ -242,27 +241,25 @@ esp_err_t esp_spp_write(uint32_t handle, int len, uint8_t *p_data)
 esp_err_t esp_spp_vfs_register(void)
 {
     btc_msg_t msg;
-    btc_spp_args_t arg;
 
     ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
 
     msg.sig = BTC_SIG_API_CALL;
     msg.pid = BTC_PID_SPP;
     msg.act = BTC_SPP_ACT_VFS_REGISTER;
 
-    return (btc_transfer_context(&msg, &arg, sizeof(btc_spp_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
+    return (btc_transfer_context(&msg, NULL, 0, NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
 }
 
 esp_err_t esp_spp_vfs_unregister(void)
 {
     btc_msg_t msg;
-    btc_spp_args_t arg;
 
     ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
 
     msg.sig = BTC_SIG_API_CALL;
     msg.pid = BTC_PID_SPP;
     msg.act = BTC_SPP_ACT_VFS_UNREGISTER;
 
-    return (btc_transfer_context(&msg, &arg, sizeof(btc_spp_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
+    return (btc_transfer_context(&msg, NULL, 0, NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
 }
 
 esp_err_t esp_spp_get_profile_status(esp_spp_profile_status_t *profile_status)
diff --git a/components/bt/host/bluedroid/bta/hd/bta_hd_act.c b/components/bt/host/bluedroid/bta/hd/bta_hd_act.c
index 220b86cf2f..97da001d79 100644
--- a/components/bt/host/bluedroid/bta/hd/bta_hd_act.c
+++ b/components/bt/host/bluedroid/bta/hd/bta_hd_act.c
@@ -27,6 +27,7 @@
 #include "bta/bta_sys.h"
 #include "bta_hd_int.h"
+#include "bta/utl.h"
 #include "osi/allocator.h"
 #include "osi/osi.h"
 #include "stack/btm_api.h"
@@ -42,7 +43,7 @@ static bool check_descriptor(uint8_t *data, uint16_t length, bool *has_report_id
         uint8_t item = *ptr++;
         switch (item) {
         case 0xfe: // long item indicator
-            if (ptr < data + length) {
+            if ((ptr < data + length) && ((*ptr) + 2 <= (data + length - ptr))) {
                 ptr += ((*ptr) + 2);
             } else {
                 return false;
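Review bot: The new long-item bound in check_descriptor mixes an `int` (`(*ptr) + 2`) with a `ptrdiff_t` (`data + length - ptr`) inside one condition, which is harder to read than it needs to be; naming the slack once makes the intent plain: `ptrdiff_t remaining = (data + length) - ptr;` followed by `if (remaining >= 1 && (*ptr) + 2 <= remaining) {`. The check itself is correct — it guarantees the subsequent `ptr += ((*ptr) + 2)` lands at or before `data + length`. The short-item cases of the same switch are outside the hunk, so I cannot confirm they bound their size bytes the same way; worth a look while here.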
@@ -522,6 +523,10 @@ extern void bta_hd_close_act(tBTA_HD_DATA *p_data)
 extern void bta_hd_intr_data_act(tBTA_HD_DATA *p_data)
 {
     tBTA_HD_CBACK_DATA *p_cback = (tBTA_HD_CBACK_DATA *)p_data;
+    if (!p_cback || !p_cback->p_data) {
+        return;
+    }
+
     BT_HDR *p_msg = p_cback->p_data;
     uint16_t len = p_msg->len;
     uint8_t *p_buf = (uint8_t *)(p_msg + 1) + p_msg->offset;
@@ -530,6 +535,9 @@ extern void bta_hd_intr_data_act(tBTA_HD_DATA *p_data)
     APPL_TRACE_API("%s", __func__);
 
     if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
+        if (len < 1) {
+            goto _exit;
+        }
         ret.report_id = *p_buf;
         len--;
         p_buf++;
@@ -540,6 +548,8 @@ extern void bta_hd_intr_data_act(tBTA_HD_DATA *p_data)
     ret.len = len;
     ret.p_data = p_buf;
     (*bta_hd_cb.p_cback)(BTA_HD_INTR_DATA_EVT, (tBTA_HD *)&ret);
+
+_exit:
     if (p_msg) {
         osi_free(p_msg);
     }
@@ -557,6 +567,10 @@ extern void bta_hd_intr_data_act(tBTA_HD_DATA *p_data)
 extern void bta_hd_get_report_act(tBTA_HD_DATA *p_data)
 {
     tBTA_HD_CBACK_DATA *p_cback = (tBTA_HD_CBACK_DATA *)p_data;
+    if (!p_cback || !p_cback->p_data) {
+        return;
+    }
+
     bool rep_size_follows = p_cback->data;
     BT_HDR *p_msg = p_cback->p_data;
     uint8_t *p_buf = (uint8_t *)(p_msg + 1) + p_msg->offset;
@@ -566,7 +580,7 @@ extern void bta_hd_get_report_act(tBTA_HD_DATA *p_data)
     APPL_TRACE_API("%s", __func__);
     if (remaining_len < 1) {
         APPL_TRACE_ERROR("%s invalid data, remaining_len:%d", __func__, remaining_len);
-        return;
+        goto _exit;
     }
 
     ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
@@ -576,7 +590,7 @@ extern void bta_hd_get_report_act(tBTA_HD_DATA *p_data)
     if (bta_hd_cb.use_report_id) {
         if (remaining_len < 1) {
             APPL_TRACE_ERROR("%s invalid data, remaining_len:%d", __func__, remaining_len);
-            return;
+            goto _exit;
         }
         ret.report_id = *p_buf;
         p_buf++;
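Review bot: The cleanup label introduced in bta_hd_intr_data_act is spelled `_exit`, which reads like the POSIX `_exit()` call — it compiles because labels have their own name space, but anyone grepping for `_exit` will land on the process-terminating function, and leading-underscore identifiers are the implementation's at file scope. A plain `cleanup:` or `done:` avoids the confusion; the same label is added in the bta_hd_get_report_act and bta_hd_set_report_act hunks, so rename it in all three. Now that each of these functions returns early on `!p_cback->p_data`, the `if (p_msg)` wrapped around `osi_free(p_msg)` is always true and can go. Turning the early `return;`s into `goto _exit;` is the right fix for the buffer leak on malformed input.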
@@ -586,12 +600,14 @@ extern void bta_hd_get_report_act(tBTA_HD_DATA *p_data)
     if (rep_size_follows) {
         if (remaining_len < 2) {
             APPL_TRACE_ERROR("%s invalid data, remaining_len:%d", __func__, remaining_len);
-            return;
+            goto _exit;
         }
         ret.buffer_size = *p_buf | (*(p_buf + 1) << 8);
     }
 
     (*bta_hd_cb.p_cback)(BTA_HD_GET_REPORT_EVT, (tBTA_HD *)&ret);
+
+_exit:
     if (p_msg) {
         osi_free(p_msg);
     }
@@ -609,6 +625,10 @@ extern void bta_hd_get_report_act(tBTA_HD_DATA *p_data)
 extern void bta_hd_set_report_act(tBTA_HD_DATA *p_data)
 {
     tBTA_HD_CBACK_DATA *p_cback = (tBTA_HD_CBACK_DATA *)p_data;
+    if (!p_cback || !p_cback->p_data) {
+        return;
+    }
+
     BT_HDR *p_msg = p_cback->p_data;
     uint16_t len = p_msg->len;
     uint8_t *p_buf = (uint8_t *)(p_msg + 1) + p_msg->offset;
@@ -616,11 +636,18 @@ extern void bta_hd_set_report_act(tBTA_HD_DATA *p_data)
 
     APPL_TRACE_API("%s", __func__);
 
+    if (len < 1) {
+        goto _exit;
+    }
+
     ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
     p_buf++;
     len--;
 
     if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
+        if (len < 1) {
+            goto _exit;
+        }
         ret.report_id = *p_buf;
         len--;
         p_buf++;
@@ -631,6 +658,8 @@ extern void bta_hd_set_report_act(tBTA_HD_DATA *p_data)
     ret.len = len;
     ret.p_data = p_buf;
     (*bta_hd_cb.p_cback)(BTA_HD_SET_REPORT_EVT, (tBTA_HD *)&ret);
+
+_exit:
     if (p_msg) {
         osi_free(p_msg);
     }
@@ -804,6 +833,8 @@ static void bta_hd_cback(BD_ADDR bd_addr, uint8_t event, uint32_t data, BT_HDR *
         p_buf->p_data = pdata;
 
         bta_sys_sendmsg(p_buf);
+    } else {
+        utl_freebuf((void **)&pdata);
     }
 }
 #endif /* BTA_HD_INCLUDED */
diff --git a/components/bt/host/bluedroid/bta/hh/bta_hh_act.c b/components/bt/host/bluedroid/bta/hh/bta_hh_act.c
index 6d933ee870..032025f413 100644
--- a/components/bt/host/bluedroid/bta/hh/bta_hh_act.c
+++ b/components/bt/host/bluedroid/bta/hh/bta_hh_act.c
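Review bot: The new `else { utl_freebuf((void **)&pdata); }` in bta_hd_cback makes this function the owner of `pdata` on the path where the message is not sent, but nothing at the site says so; if the HID layer that invokes the callback also releases the buffer when the event is not consumed, this becomes a double free. The opening of the `if` is outside the hunk, so I cannot see which condition fails here. Please add a comment at the free, e.g. `/* could not queue the event: pdata is ours, release it */`, and confirm the caller's contract. The bta_hh_cback and bta_hh_snd_write_dev hunks introduce the same pattern and need the same note.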
@@ -104,7 +104,9 @@ void bta_hh_api_enable(tBTA_HH_DATA *p_data)
 #endif
     {
         /* signal BTA call back event */
-        (* bta_hh_cb.p_cback)(BTA_HH_ENABLE_EVT, (tBTA_HH *)&status);
+        if (bta_hh_cb.p_cback) {
+            (* bta_hh_cb.p_cback)(BTA_HH_ENABLE_EVT, (tBTA_HH *)&status);
+        }
     }
 }
 /*******************************************************************************
@@ -1192,6 +1194,8 @@ static void bta_hh_cback (UINT8 dev_handle, BD_ADDR addr, UINT8 event,
         p_buf->p_data = pdata;
 
         bta_sys_sendmsg(p_buf);
+    } else {
+        utl_freebuf((void **)&pdata);
     }
 }
 
diff --git a/components/bt/host/bluedroid/bta/hh/bta_hh_api.c b/components/bt/host/bluedroid/bta/hh/bta_hh_api.c
index 157e4b6ac6..18206c73e7 100644
--- a/components/bt/host/bluedroid/bta/hh/bta_hh_api.c
+++ b/components/bt/host/bluedroid/bta/hh/bta_hh_api.c
@@ -177,6 +177,8 @@ static void bta_hh_snd_write_dev(UINT8 dev_handle, UINT8 t_type, UINT8 param,
         p_buf->rpt_id = rpt_id;
 
         bta_sys_sendmsg(p_buf);
+    } else {
+        utl_freebuf((void **)&p_data);
     }
 }
 /*******************************************************************************
@@ -336,7 +338,7 @@ void BTA_HhGetDscpInfo(UINT8 dev_handle)
 **
 ** Description      Add a virtually cabled device into HID-Host device list
 **                  to manage and assign a device handle for future API call,
-**                  host applciation call this API at start-up to initialize its
+**                  host application call this API at start-up to initialize its
 **                  virtually cabled devices.
 **
 ** Returns          void
@@ -452,7 +454,7 @@ void BTA_HhParseBootRpt(tBTA_HH_BOOT_RPT *p_data, UINT8 *p_report,
 {
     p_data->dev_type = BTA_HH_DEVT_UNKNOWN;
 
-    if (p_report) {
+    if (p_report && (report_len > 0)) {
         /* first byte is report ID */
         switch (p_report[0]) {
         case BTA_HH_KEYBD_RPT_ID: /* key board report ID */
diff --git a/components/bt/host/bluedroid/bta/hh/bta_hh_utils.c b/components/bt/host/bluedroid/bta/hh/bta_hh_utils.c
index 7c89ed004d..c12847c09b 100644
--- a/components/bt/host/bluedroid/bta/hh/bta_hh_utils.c
+++ b/components/bt/host/bluedroid/bta/hh/bta_hh_utils.c
@@ -332,7 +332,7 @@ void bta_hh_parse_keybd_rpt(tBTA_HH_BOOT_RPT *p_kb_data, UINT8 *p_report,
                 p_kb->caps_lock = p_kb->caps_lock ? FALSE : TRUE;
             } else if (this_report[xx] == BTA_HH_KB_NUM_LOCK) {
                 p_kb->num_lock = p_kb->num_lock ? FALSE : TRUE;
-            } else {
+            } else if (key_idx < BTA_HH_KB_VKEY_LEN) {
                 p_data->this_char[key_idx ++] = this_char;
             }
 
diff --git a/components/bt/host/bluedroid/bta/include/bta/bta_hh_api.h b/components/bt/host/bluedroid/bta/include/bta/bta_hh_api.h
index 88cd192627..9c985703ad 100644
--- a/components/bt/host/bluedroid/bta/include/bta/bta_hh_api.h
+++ b/components/bt/host/bluedroid/bta/include/bta/bta_hh_api.h
@@ -58,7 +58,7 @@
 #define BTA_HH_VC_UNPLUG_EVT 13 /* virtually unplugged */
 #define BTA_HH_DATA_EVT 15
 #define BTA_HH_API_ERR_EVT 16 /* API error is caught */
-#define BTA_HH_UPDATE_SCPP_EVT 17 /* update scan paramter complete */
+#define BTA_HH_UPDATE_SCPP_EVT 17 /* update scan parameter complete */
 #define BTA_HH_DATA_IND_EVT 18 /* Data on interrupt channel */
 
 typedef UINT16 tBTA_HH_EVT;
@@ -120,7 +120,7 @@ enum {
     BTA_HH_HS_HID_NOT_READY, /* handshake error : device not ready */
     BTA_HH_HS_INVALID_RPT_ID, /* handshake error : invalid report ID */
     BTA_HH_HS_TRANS_NOT_SPT, /* handshake error : transaction not spt */
-    BTA_HH_HS_INVALID_PARAM, /* handshake error : invalid paremter */
+    BTA_HH_HS_INVALID_PARAM, /* handshake error : invalid parameter */
     BTA_HH_HS_ERROR, /* handshake error : unspecified HS error */
     BTA_HH_ERR, /* general BTA HH error */
     BTA_HH_ERR_SDP, /* SDP error */
@@ -237,7 +237,8 @@ enum {
 /* parsed boot mode keyboard report */
 typedef struct
 {
-    UINT8 this_char[6]; /* virtual key code */
+#define BTA_HH_KB_VKEY_LEN (6)
+    UINT8 this_char[BTA_HH_KB_VKEY_LEN]; /* virtual key code */
     BOOLEAN mod_key[BTA_HH_MOD_MAX_KEY]; /* ctrl, shift, Alt, GUI */
     /* modifier key: is Shift key pressed */
 
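Review bot: `#define BTA_HH_KB_VKEY_LEN (6)` is dropped inside the `typedef struct { ... }` body in bta_hh_api.h; the preprocessor does not mind, but it hides the constant from anyone scanning the header's macro section and looks like a struct member at first glance. Move it above the typedef next to the other `BTA_HH_*` definitions, with a one-line comment such as `#define BTA_HH_KB_VKEY_LEN (6) /* virtual key codes carried by a boot-mode keyboard report */`. The bta_hh_utils.c hunk that tests `key_idx < BTA_HH_KB_VKEY_LEN` before writing `this_char[key_idx ++]` is the right fix for the overrun of the 6-byte array; keys past the sixth are now silently dropped, which is acceptable for boot protocol but deserves a comment at that `else if`.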
@@ -500,7 +501,7 @@ extern void BTA_HhGetDscpInfo(UINT8 dev_handle);
 **
 ** Description      Add a virtually cabled device into HID-Host device list
 **                  to manage and assign a device handle for future API call,
-**                  host applciation call this API at start-up to initialize its
+**                  host application call this API at start-up to initialize its
 **                  virtually cabled devices.
 **
 ** Returns          void
diff --git a/components/bt/host/bluedroid/bta/jv/bta_jv_act.c b/components/bt/host/bluedroid/bta/jv/bta_jv_act.c
index 45777b3873..c67a650078 100644
--- a/components/bt/host/bluedroid/bta/jv/bta_jv_act.c
+++ b/components/bt/host/bluedroid/bta/jv/bta_jv_act.c
@@ -288,8 +288,7 @@ tBTA_JV_RFC_CB *bta_jv_rfc_port_to_cb(UINT16 port_handle)
             p_cb = &bta_jv_cb.rfc_cb[handle - 1];
         }
     } else {
-        APPL_TRACE_WARNING("bta_jv_rfc_port_to_cb(port_handle:0x%x):jv handle:0x%x not"
-                           " FOUND", port_handle, bta_jv_cb.port_cb[port_handle - 1].handle);
+        APPL_TRACE_WARNING("bta_jv_rfc_port_to_cb(port_handle:0x%x)", port_handle);
     }
     return p_cb;
 }
@@ -980,8 +979,11 @@ static void bta_jv_start_discovery_cback(UINT16 result, void *user_data)
                 } else {
                     dcomp.service_name[dcomp.scn_num] = NULL;
                 }
-                dcomp.scn_num++;
                 status = BTA_JV_SUCCESS;
+                dcomp.scn_num++;
+                if (dcomp.scn_num == BTA_JV_MAX_SCN) {
+                    break;
+                }
             }
         } while (p_sdp_rec);
     }
@@ -2847,6 +2849,7 @@ static void fcchan_conn_chng_cbk(UINT16 chan, BD_ADDR bd_addr, BOOLEAN connected
                 open_evt.l2c_open.status = BTA_JV_SUCCESS;
             } else {
                 fcclient_free(t);
+                t = NULL;
                 open_evt.l2c_open.status = BTA_JV_FAILURE;
             }
         }
@@ -2858,7 +2861,7 @@ static void fcchan_conn_chng_cbk(UINT16 chan, BD_ADDR bd_addr, BOOLEAN connected
         //call this with lock taken so socket does not disappear from under us */
         if (p_cback) {
             p_cback(BTA_JV_L2CAP_OPEN_EVT, &open_evt, user_data);
-            if (!t->p_cback) { /* no callback set, means they do not want this one... */
+            if (t && !t->p_cback) { /* no callback set, means they do not want this one... */
                 fcclient_free(t);
             }
         }
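Review bot: The new bound in bta_jv_start_discovery_cback stops at `if (dcomp.scn_num == BTA_JV_MAX_SCN)`; `>=` is the defensive spelling, since any future path that bumps `scn_num` elsewhere, or a non-zero starting value, would step straight past an equality test: `if (dcomp.scn_num >= BTA_JV_MAX_SCN) {`. The `break` leaves the `do { ... } while (p_sdp_rec)` loop, so further SDP records are ignored without a word — a `APPL_TRACE_WARNING` at that point would make the cap visible in the field. In fcchan_conn_chng_cbk, nulling `t` after `fcclient_free(t)` and guarding the later `t->p_cback` read closes a real use-after-free; the simplified warning in bta_jv_rfc_port_to_cb also drops the `port_cb[port_handle - 1]` read that the else branch could not vouch for.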
diff --git a/components/bt/host/bluedroid/bta/jv/bta_jv_api.c b/components/bt/host/bluedroid/bta/jv/bta_jv_api.c
index cfa0ff9091..9524dbe16b 100644
--- a/components/bt/host/bluedroid/bta/jv/bta_jv_api.c
+++ b/components/bt/host/bluedroid/bta/jv/bta_jv_api.c
@@ -74,6 +74,14 @@ tBTA_JV_STATUS BTA_JvEnable(tBTA_JV_DM_CBACK *p_cback)
     p_bta_jv_cfg->p_sdp_raw_data = (UINT8 *)osi_malloc(p_bta_jv_cfg->sdp_raw_size);
     p_bta_jv_cfg->p_sdp_db = (tSDP_DISCOVERY_DB *)osi_malloc(p_bta_jv_cfg->sdp_db_size);
     if (p_bta_jv_cfg->p_sdp_raw_data == NULL || p_bta_jv_cfg->p_sdp_db == NULL) {
+        if (p_bta_jv_cfg->p_sdp_raw_data) {
+            osi_free(p_bta_jv_cfg->p_sdp_raw_data);
+            p_bta_jv_cfg->p_sdp_raw_data = NULL;
+        }
+        if (p_bta_jv_cfg->p_sdp_db) {
+            osi_free( p_bta_jv_cfg->p_sdp_db);
+            p_bta_jv_cfg->p_sdp_db = NULL;
+        }
         return BTA_JV_NO_DATA;
     }
 #endif
@@ -292,7 +300,9 @@ tBTA_JV_STATUS BTA_JvStartDiscovery(BD_ADDR bd_addr, UINT16 num_uuid,
         p_msg->hdr.event = BTA_JV_API_START_DISCOVERY_EVT;
         bdcpy(p_msg->bd_addr, bd_addr);
         p_msg->num_uuid = num_uuid;
-        memcpy(p_msg->uuid_list, p_uuid_list, num_uuid * sizeof(tSDP_UUID));
+        if (p_uuid_list && (num_uuid > 0)) {
+            memcpy(p_msg->uuid_list, p_uuid_list, num_uuid * sizeof(tSDP_UUID));
+        }
         p_msg->num_attr = 0;
         p_msg->user_data = user_data;
         bta_sys_sendmsg(p_msg);
@@ -323,7 +333,12 @@ tBTA_JV_STATUS BTA_JvCreateRecordByUser(const char *name, UINT32 channel, void *
     if ((p_msg = (tBTA_JV_API_CREATE_RECORD *)osi_malloc(sizeof(tBTA_JV_API_CREATE_RECORD))) != NULL) {
         p_msg->hdr.event = BTA_JV_API_CREATE_RECORD_EVT;
         p_msg->user_data = user_data;
-        strcpy(p_msg->name, name);
+        if (name) {
+            strncpy(p_msg->name, name, ESP_SDP_SERVER_NAME_MAX);
+            p_msg->name[ESP_SDP_SERVER_NAME_MAX] = '\0';
+        } else {
+            p_msg->name[0] = '\0';
+        }
         p_msg->channel = channel;
         bta_sys_sendmsg(p_msg);
         status = BTA_JV_SUCCESS;
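Review bot: The guard added in BTA_JvStartDiscovery checks that `p_uuid_list` is non-NULL and `num_uuid > 0` but not that `num_uuid` fits the destination — `memcpy(p_msg->uuid_list, p_uuid_list, num_uuid * sizeof(tSDP_UUID))` still writes as many entries as the caller asks for. If `uuid_list` is a fixed-size array in the message struct (its declaration is not in the hunk), reject or clamp against `sizeof(p_msg->uuid_list) / sizeof(p_msg->uuid_list[0])` before the copy and keep `p_msg->num_uuid` equal to what was actually copied. A NULL list with a non-zero `num_uuid` now silently sends a message claiming UUIDs it does not carry; returning an error in that case would be more honest.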
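Review bot: In BTA_JvCreateRecordByUser the new copy stores `p_msg->name[ESP_SDP_SERVER_NAME_MAX] = '\0'`, which is only in bounds if `name` is declared with `ESP_SDP_SERVER_NAME_MAX + 1` elements; the struct is outside the hunk, so I cannot confirm that. Binding the bound to the declaration removes the dependency and the strncpy zero-padding in one go: `snprintf(p_msg->name, sizeof(p_msg->name), "%s", name);` (assuming `name` is an array member, which the old `strcpy` suggests). Longer names are now truncated without notice; a trace when the input exceeds the limit would spare callers a puzzling SDP record.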
diff --git a/components/bt/host/bluedroid/btc/profile/std/hid/btc_hd.c b/components/bt/host/bluedroid/btc/profile/std/hid/btc_hd.c
index 31e140fa88..37c5b6a2a0 100644
--- a/components/bt/host/bluedroid/btc/profile/std/hid/btc_hd.c
+++ b/components/bt/host/bluedroid/btc/profile/std/hid/btc_hd.c
@@ -312,9 +312,19 @@ static void btc_hd_register_app(esp_hidd_app_param_t *p_app_param, esp_hidd_qos_
             break;
         }
 
-        if ((btc_hd_cb.app_info.p_name = (char *)osi_malloc(BTC_HD_APP_NAME_LEN)) == NULL ||
-            (btc_hd_cb.app_info.p_description = (char *)osi_malloc(BTC_HD_APP_DESCRIPTION_LEN)) == NULL ||
-            (btc_hd_cb.app_info.p_provider = (char *)osi_malloc(BTC_HD_APP_PROVIDER_LEN)) == NULL ||
+        if (!p_app_param->name || !p_app_param->description || !p_app_param->provider ||
+            !p_app_param->desc_list || (p_app_param->desc_list_len <= 0)) {
+            ret = ESP_HIDD_ERROR;
+            break;
+        }
+
+        size_t name_len = strnlen(p_app_param->name, BTC_HD_APP_NAME_LEN);
+        size_t description_len = strnlen(p_app_param->description, BTC_HD_APP_DESCRIPTION_LEN);
+        size_t provider_len = strnlen(p_app_param->provider, BTC_HD_APP_PROVIDER_LEN);
+
+        if ((btc_hd_cb.app_info.p_name = (char *)osi_malloc(name_len + 1)) == NULL ||
+            (btc_hd_cb.app_info.p_description = (char *)osi_malloc(description_len + 1)) == NULL ||
+            (btc_hd_cb.app_info.p_provider = (char *)osi_malloc(provider_len + 1)) == NULL ||
             (btc_hd_cb.app_info.descriptor.dsc_list = (uint8_t *)osi_malloc(p_app_param->desc_list_len)) == NULL) {
             BTC_TRACE_ERROR(
                 "%s malloc app_info failed! p_name:%p, p_description:%p, p_provider:%p, descriptor.dsc_list:%p",
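Review bot: The four-way `||` allocation chain in btc_hd_register_app still leaves earlier successful osi_malloc results dangling when a later one fails, unless the `ESP_HIDD_NO_RES` break path releases the `btc_hd_cb.app_info` pointers — that path is outside the hunk, so please confirm it does or free them before the `break`. `(p_app_param->desc_list_len <= 0)` reads as though the length were signed; if it is unsigned, `== 0` says what is meant and avoids a `-Wtype-limits` warning. The `strnlen`-bounded copies with an explicit terminator (continued in the next hunk) are a clear improvement over the fixed-size memcpy they replace, which read past short caller strings.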
@@ -323,9 +333,12 @@ static void btc_hd_register_app(esp_hidd_app_param_t *p_app_param, esp_hidd_qos_
             ret = ESP_HIDD_NO_RES;
             break;
         }
-        memcpy(btc_hd_cb.app_info.p_name, p_app_param->name, BTC_HD_APP_NAME_LEN);
-        memcpy(btc_hd_cb.app_info.p_description, p_app_param->description, BTC_HD_APP_DESCRIPTION_LEN);
-        memcpy(btc_hd_cb.app_info.p_provider, p_app_param->provider, BTC_HD_APP_PROVIDER_LEN);
+        memcpy(btc_hd_cb.app_info.p_name, p_app_param->name, name_len);
+        btc_hd_cb.app_info.p_name[name_len] = '\0';
+        memcpy(btc_hd_cb.app_info.p_description, p_app_param->description, description_len);
+        btc_hd_cb.app_info.p_description[description_len] = '\0';
+        memcpy(btc_hd_cb.app_info.p_provider, p_app_param->provider, provider_len);
+        btc_hd_cb.app_info.p_provider[provider_len] = '\0';
         memcpy(btc_hd_cb.app_info.descriptor.dsc_list, p_app_param->desc_list, p_app_param->desc_list_len);
         btc_hd_cb.app_info.subclass = p_app_param->subclass;
         btc_hd_cb.app_info.descriptor.dl_len = p_app_param->desc_list_len;
diff --git a/components/bt/host/bluedroid/btc/profile/std/hid/btc_hh.c b/components/bt/host/bluedroid/btc/profile/std/hid/btc_hh.c
index 8dbef8d86d..7e235cbe8c 100644
--- a/components/bt/host/bluedroid/btc/profile/std/hid/btc_hh.c
+++ b/components/bt/host/bluedroid/btc/profile/std/hid/btc_hh.c
@@ -1487,7 +1487,7 @@ void btc_hh_cb_handler(btc_msg_t *msg)
         BTC_TRACE_DEBUG("status = %d, handle = %d", p_data->dev_status.status, p_data->dev_status.handle);
         param.set_idle.handle = p_data->dev_status.handle;
         param.set_idle.status = p_data->dev_status.status;
-        btc_hh_cb_to_app(BTA_HH_SET_IDLE_EVT, ¶m);
+        btc_hh_cb_to_app(ESP_HIDH_SET_IDLE_EVT, ¶m);
         break;
     case BTA_HH_ADD_DEV_EVT:
         BTC_TRACE_DEBUG("status = %d, handle = %d", p_data->dev_info.status, p_data->dev_info.handle);
@@ -1516,8 +1516,8 @@ void btc_hh_cb_handler(btc_msg_t *msg)
         break;
     case BTA_HH_RMV_DEV_EVT:
         BTC_TRACE_DEBUG("status = %d, handle = %d", p_data->dev_info.status, p_data->dev_info.handle);
-        param.rmv_dev.handle = p_data->dev_info.status;
-        param.rmv_dev.status = p_data->dev_info.handle;
+        param.rmv_dev.handle = p_data->dev_info.handle;
+        param.rmv_dev.status = p_data->dev_info.status;
         memcpy(param.rmv_dev.bd_addr, p_data->dev_info.bda, BD_ADDR_LEN);
         btc_hh_cb_to_app(ESP_HIDH_RMV_DEV_EVT, ¶m);
         break;
diff --git a/components/bt/host/bluedroid/stack/rfcomm/rfc_port_fsm.c b/components/bt/host/bluedroid/stack/rfcomm/rfc_port_fsm.c
index 8d8fe3cac6..a47ade5b4a 100644
--- a/components/bt/host/bluedroid/stack/rfcomm/rfc_port_fsm.c
+++ b/components/bt/host/bluedroid/stack/rfcomm/rfc_port_fsm.c
@@ -62,13 +62,13 @@ static void rfc_set_port_state(tPORT_STATE *port_pars, MX_FRAME *p_frame);
 *******************************************************************************/
 void rfc_port_sm_execute (tPORT *p_port, UINT16 event, void *p_data)
 {
-    RFCOMM_TRACE_DEBUG("%s st:%d, evt:%d\n", __func__, p_port->rfc.state, event);
-
     if (!p_port) {
         RFCOMM_TRACE_WARNING ("NULL port event %d", event);
         return;
     }
 
+    RFCOMM_TRACE_DEBUG("%s st:%d, evt:%d\n", __func__, p_port->rfc.state, event);
+
     switch (p_port->rfc.state) {
     case RFC_STATE_CLOSED:
         rfc_port_sm_state_closed (p_port, event, p_data);
@@ -240,7 +240,7 @@ void rfc_port_sm_sabme_wait_ua (tPORT *p_port, UINT16 event, void *p_data)
 **
 ** Description      This function handles events for the port in the
 **                  WAIT_SEC_CHECK state. SABME has been received from the
-**                  peer and Security Manager verifes BD_ADDR, before we can
+**                  peer and Security Manager verifies BD_ADDR, before we can
 **                  send ESTABLISH_IND to the Port entity
 **
 ** Returns          void
diff --git a/components/bt/host/bluedroid/stack/rfcomm/rfc_ts_frames.c b/components/bt/host/bluedroid/stack/rfcomm/rfc_ts_frames.c
index 2d06823173..cbd6e7de8c 100644
--- a/components/bt/host/bluedroid/stack/rfcomm/rfc_ts_frames.c
+++ b/components/bt/host/bluedroid/stack/rfcomm/rfc_ts_frames.c
@@ -179,8 +179,17 @@ void rfc_send_buf_uih (tRFC_MCB *p_mcb, UINT8 dlci, BT_HDR *p_buf)
     UINT8 cr = RFCOMM_CR(p_mcb->is_initiator, TRUE);
     UINT8 credits;
 
+    if (p_buf->offset < RFCOMM_CTRL_FRAME_LEN) {
+        osi_free(p_buf);
+        return;
+    }
+
     p_buf->offset -= RFCOMM_CTRL_FRAME_LEN;
     if (p_buf->len > 127) {
+        if (p_buf->offset < 1) {
+            osi_free(p_buf);
+            return;
+        }
         p_buf->offset--;
     }
 
@@ -191,6 +200,10 @@ void rfc_send_buf_uih (tRFC_MCB *p_mcb, UINT8 dlci, BT_HDR *p_buf)
     }
 
     if (credits) {
+        if (p_buf->offset < 1) {
+            osi_free(p_buf);
+            return;
+        }
         p_buf->offset--;
     }
 
@@ -558,8 +571,26 @@ void rfc_send_test (tRFC_MCB *p_mcb, BOOLEAN is_command, BT_HDR *p_buf)
     UINT16 xx;
     UINT8 *p_src, *p_dest;
 
+    if (p_buf->offset + sizeof(BT_HDR) >= RFCOMM_CMD_BUF_SIZE) {
+        osi_free(p_buf);
+        return;
+    }
+
+    UINT16 max_len = RFCOMM_CMD_BUF_SIZE - sizeof(BT_HDR) - p_buf->offset;
+    if (p_buf->offset < (L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET + 2)) {
+        if (max_len < (L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET + 2 - p_buf->offset)) {
+            osi_free(p_buf);
+            return;
+        }
+        max_len -= (L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET + 2 - p_buf->offset);
+    }
+    if (p_buf->len > max_len) {
+        p_buf->len = max_len;
+    }
+
     BT_HDR *p_buf_new;
     if ((p_buf_new = (BT_HDR *)osi_malloc(RFCOMM_CMD_BUF_SIZE)) == NULL) {
+        osi_free(p_buf);
         return;
     }
     memcpy(p_buf_new, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
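Review bot: The three new headroom checks in rfc_send_buf_uih drop the frame without a word — `osi_free(p_buf); return;` and no trace — so a data frame that disappears because a caller handed in a buffer with too small an `offset` will be very hard to diagnose. Put a `RFCOMM_TRACE_ERROR("%s: insufficient offset %u", __func__, p_buf->offset);` in front of each free; if the code between the two hunks (where `credits` is derived, outside this view) allows it, computing the total headroom once after `credits` is known would also collapse the three checks into one. A short comment on the first check saying the buffer is consumed on every path would make the ownership rule explicit for callers.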
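Review bot: rfc_send_test now clamps `p_buf->len` to `max_len` and transmits a shortened TEST frame instead of refusing the oversized one. A TEST response is meant to echo the command's payload, so a silently truncated frame is one the peer will regard as a mismatch; dropping it with a trace, as the other new paths in this hunk do, is the safer reaction: `if (p_buf->len > max_len) { osi_free(p_buf); return; }`. `max_len` is a `UINT16` assigned from a `size_t` expression — bounded by RFCOMM_CMD_BUF_SIZE so the narrowing is harmless, but an explicit `(UINT16)` cast would keep `-Wconversion` quiet. Freeing `p_buf` when the osi_malloc of `p_buf_new` fails fixes a real leak; the memcpy and the rest of the function continue beyond the hunk.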
@@ -491,18 +491,21 @@ void rfc_check_send_cmd(tRFC_MCB *p_mcb, BT_HDR *p_buf)
             RFCOMM_TRACE_ERROR("%s: empty queue: p_mcb = %p p_mcb->lcid = %u cached p_mcb = %p",
                                __func__, p_mcb, p_mcb->lcid,
                                rfc_find_lcid_mcb(p_mcb->lcid));
+            osi_free(p_buf);
+        } else {
+            fixed_queue_enqueue(p_mcb->cmd_q, p_buf, FIXED_QUEUE_MAX_TIMEOUT);
         }
-        fixed_queue_enqueue(p_mcb->cmd_q, p_buf, FIXED_QUEUE_MAX_TIMEOUT);
     }
 
     /* handle queue if L2CAP not congested */
-    while (p_mcb->l2cap_congested == FALSE) {
-        if ((p = (BT_HDR *)fixed_queue_dequeue(p_mcb->cmd_q, 0)) == NULL) {
-            break;
+    if (p_mcb->cmd_q) {
+        while (p_mcb->l2cap_congested == FALSE) {
+            if ((p = (BT_HDR *)fixed_queue_dequeue(p_mcb->cmd_q, 0)) == NULL) {
+                break;
+            }
+
+            L2CA_DataWrite (p_mcb->lcid, p);
         }
-
-
-        L2CA_DataWrite (p_mcb->lcid, p);
     }
 }
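Review bot: In the re-indented drain loop of rfc_check_send_cmd the result of `L2CA_DataWrite (p_mcb->lcid, p)` is still discarded; if the write fails or reports congestion, the loop only stops once `p_mcb->l2cap_congested` is raised elsewhere, and what happens to `p` on a failed write depends on the L2CAP contract that is not visible here. Consider checking the return value and leaving the loop on failure, with the ownership of `p` on that path confirmed against L2CA_DataWrite's documentation. Freeing `p_buf` in the NULL-queue branch rather than enqueueing into a NULL queue is the right fix; the `if` that opens this hunk starts outside the view, so the condition under which `cmd_q` can be NULL is not shown. `p_mcb->l2cap_congested == FALSE` would read more naturally as `!p_mcb->l2cap_congested`.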