diff --git a/components/bt/bluedroid/bta/gatt/bta_gatts_act.c b/components/bt/bluedroid/bta/gatt/bta_gatts_act.c
index a7d2ff128d..283e923e19 100644
--- a/components/bt/bluedroid/bta/gatt/bta_gatts_act.c
+++ b/components/bt/bluedroid/bta/gatt/bta_gatts_act.c
@@ -691,16 +691,25 @@ void bta_gatts_indicate_handle (tBTA_GATTS_CB *p_cb, tBTA_GATTS_DATA *p_msg)
             p_rcb && p_cb->rcb[p_srvc_cb->rcb_idx].p_cback) {
             cb_data.req_data.status = status;
             cb_data.req_data.conn_id = p_msg->api_indicate.hdr.layer_specific;
+            cb_data.req_data.value = NULL;
+            cb_data.req_data.data_len = 0;
             cb_data.req_data.handle = p_msg->api_indicate.attr_id;
-            cb_data.req_data.value = (uint8_t *)osi_malloc(p_msg->api_indicate.len);
-            if (cb_data.req_data.value != NULL){
-                memset(cb_data.req_data.value, 0, p_msg->api_indicate.len);
-                cb_data.req_data.data_len = p_msg->api_indicate.len;
-                memcpy(cb_data.req_data.value, p_msg->api_indicate.value, p_msg->api_indicate.len);
-            }else{
-                cb_data.req_data.data_len = 0;
-                APPL_TRACE_ERROR("%s, malloc failed", __func__);
+            if (p_msg->api_indicate.value && (p_msg->api_indicate.len > 0)) {
+                cb_data.req_data.value = (uint8_t *) osi_malloc(p_msg->api_indicate.len);
+                if (cb_data.req_data.value != NULL) {
+                    memset(cb_data.req_data.value, 0, p_msg->api_indicate.len);
+                    cb_data.req_data.data_len = p_msg->api_indicate.len;
+                    memcpy(cb_data.req_data.value, p_msg->api_indicate.value, p_msg->api_indicate.len);
+                } else {
+                    APPL_TRACE_ERROR("%s, malloc failed", __func__);
+                }
+            } else {
+                if (p_msg->api_indicate.value) {
+                    APPL_TRACE_ERROR("%s, incorrect length", __func__);
+                } else {
+                    APPL_TRACE_WARNING("%s, NULL value", __func__);
+                }
             }
             (*p_rcb->p_cback)(BTA_GATTS_CONF_EVT, &cb_data);
             if (cb_data.req_data.value != NULL) {
diff --git a/components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c b/components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c
index 69a7c90599..110935f8f3 100644
--- a/components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c
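Review bot: The `memset` in the success branch is dead work: the `memcpy` right after it overwrites all `p_msg->api_indicate.len` bytes of the freshly allocated buffer, so the line can simply be dropped. The hoisted `cb_data.req_data.value = NULL; cb_data.req_data.data_len = 0;` pair is the right shape, since the callback on the following lines now always sees a consistent (NULL, 0) pair on every rejection path instead of a stale pointer, and that intent deserves a one-line comment such as `/* value/data_len stay (NULL, 0) unless the payload copy succeeds */`. On the `malloc failed` path `status` is still passed through unchanged, so the application's BTA_GATTS_CONF_EVT handler cannot distinguish a confirmed indication without payload from one whose payload was dropped; whether that matters depends on how `status` is computed earlier in the function, which is outside this hunk. The enclosing `if` and the rest of bta_gatts_indicate_handle start and end outside the hunk.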
+++ b/components/bt/bluedroid/btc/profile/std/gatt/btc_gatts.c 
@@ -81,72 +81,105 @@ void btc_gatts_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src)
     switch (msg->act) {
     case BTC_GATTS_ACT_SEND_INDICATE: {
-        dst->send_ind.value = (uint8_t *)osi_malloc(src->send_ind.value_len);
-        if (dst->send_ind.value) {
-            memcpy(dst->send_ind.value, src->send_ind.value, src->send_ind.value_len);
+        if (src->send_ind.value && (src->send_ind.value_len > 0)) {
+            dst->send_ind.value = (uint8_t *) osi_malloc(src->send_ind.value_len);
+            if (dst->send_ind.value) {
+                memcpy(dst->send_ind.value, src->send_ind.value, src->send_ind.value_len);
+            } else {
+                BTC_TRACE_ERROR("%s %d no mem\n", __func__, msg->act);
+            }
         } else {
-            BTC_TRACE_ERROR("%s %d no mem\n", __func__, msg->act);
+            dst->send_ind.value = NULL;
+            if (src->send_ind.value) {
+                BTC_TRACE_ERROR("%s %d, invalid length", __func__, msg->act);
+            } else {
+                BTC_TRACE_WARNING("%s %d, NULL value", __func__, msg->act);
+            }
         }
         break;
     }
     case BTC_GATTS_ACT_SEND_RESPONSE: {
         if (src->send_rsp.rsp) {
-            dst->send_rsp.rsp = (esp_gatt_rsp_t *)osi_malloc(sizeof(esp_gatt_rsp_t));
+            dst->send_rsp.rsp = (esp_gatt_rsp_t *) osi_malloc(sizeof(esp_gatt_rsp_t));
             if (dst->send_rsp.rsp) {
                 memcpy(dst->send_rsp.rsp, src->send_rsp.rsp, sizeof(esp_gatt_rsp_t));
             } else {
                 BTC_TRACE_ERROR("%s %d no mem\n", __func__, msg->act);
             }
+        } else {
+            BTC_TRACE_WARNING("%s %d, NULL response", __func__, msg->act);
         }
         break;
     }
-    case BTC_GATTS_ACT_ADD_CHAR:{
-        if (src->add_char.char_val.attr_value != NULL){
-            dst->add_char.char_val.attr_value = (uint8_t *)osi_malloc(src->add_char.char_val.attr_len);
-            if(dst->add_char.char_val.attr_value != NULL){
+    case BTC_GATTS_ACT_ADD_CHAR: {
+        if (src->add_char.char_val.attr_value && (src->add_char.char_val.attr_len > 0)) {
+            dst->add_char.char_val.attr_value = (uint8_t *) osi_malloc(src->add_char.char_val.attr_len);
+            if (dst->add_char.char_val.attr_value) {
                 memcpy(dst->add_char.char_val.attr_value, src->add_char.char_val.attr_value, src->add_char.char_val.attr_len);
-            }else{
+            } else {
                 BTC_TRACE_ERROR("%s %d no mem\n", __func__, msg->act);
             }
+        } else {
+            dst->add_char.char_val.attr_value = NULL;
+            if (src->add_char.char_val.attr_value) {
+                BTC_TRACE_ERROR("%s %d, invalid length", __func__, msg->act);
+            } else {
+                BTC_TRACE_WARNING("%s %d, NULL value", __func__, msg->act);
+            }
         }
         break;
     }
-    case BTC_GATTS_ACT_ADD_CHAR_DESCR:{
-        if(src->add_descr.descr_val.attr_value != NULL){
-            dst->add_descr.descr_val.attr_value = (uint8_t *)osi_malloc(src->add_descr.descr_val.attr_len);
-            if(dst->add_descr.descr_val.attr_value != NULL){
+    case BTC_GATTS_ACT_ADD_CHAR_DESCR: {
+        if (src->add_descr.descr_val.attr_value && (src->add_descr.descr_val.attr_len > 0)) {
+            dst->add_descr.descr_val.attr_value = (uint8_t *) osi_malloc(src->add_descr.descr_val.attr_len);
+            if (dst->add_descr.descr_val.attr_value) {
                 memcpy(dst->add_descr.descr_val.attr_value, src->add_descr.descr_val.attr_value, src->add_descr.descr_val.attr_len);
-            }else{
+            } else {
                 BTC_TRACE_ERROR("%s %d no mem\n", __func__, msg->act);
             }
-        }
-        break;
-    }
-    case BTC_GATTS_ACT_CREATE_ATTR_TAB:{
-        uint8_t num_attr = src->create_attr_tab.max_nb_attr;
-        if(src->create_attr_tab.gatts_attr_db != NULL){
-            dst->create_attr_tab.gatts_attr_db = (esp_gatts_attr_db_t *)osi_malloc(sizeof(esp_gatts_attr_db_t)*num_attr);
-            if(dst->create_attr_tab.gatts_attr_db != NULL){
-                memcpy(dst->create_attr_tab.gatts_attr_db, src->create_attr_tab.gatts_attr_db,
-                       sizeof(esp_gatts_attr_db_t)*num_attr);
-            }else{
-                BTC_TRACE_ERROR("%s %d no mem\n",__func__, msg->act);
+        } else {
+            dst->add_descr.descr_val.attr_value = NULL;
+            if (src->add_descr.descr_val.attr_value) {
+                BTC_TRACE_ERROR("%s %d, invalid length", __func__, msg->act);
+            } else {
+                BTC_TRACE_WARNING("%s %d, NULL value", __func__, msg->act);
             }
         }
         break;
     }
-    case BTC_GATTS_ACT_SET_ATTR_VALUE:{
-        uint16_t len = src->set_attr_val.length;
-        if(src->set_attr_val.value){
-            dst->set_attr_val.value = (uint8_t *)osi_malloc(len);
-            if(dst->set_attr_val.value != NULL){
-                memcpy(dst->set_attr_val.value, src->set_attr_val.value, len);
-            }else{
+    case BTC_GATTS_ACT_CREATE_ATTR_TAB: {
+        uint8_t num_attr = src->create_attr_tab.max_nb_attr;
+        if (src->create_attr_tab.gatts_attr_db && (num_attr > 0)) {
+            dst->create_attr_tab.gatts_attr_db = (esp_gatts_attr_db_t *) osi_malloc(sizeof(esp_gatts_attr_db_t) * num_attr);
+            if (dst->create_attr_tab.gatts_attr_db) {
+                memcpy(dst->create_attr_tab.gatts_attr_db, src->create_attr_tab.gatts_attr_db,
+                       sizeof(esp_gatts_attr_db_t) * num_attr);
+            } else {
                 BTC_TRACE_ERROR("%s %d no mem\n",__func__, msg->act);
             }
+        } else {
+            BTC_TRACE_ERROR("%s %d, NULL data", __func__, msg->act);
+        }
+        break;
+    }
+    case BTC_GATTS_ACT_SET_ATTR_VALUE: {
+        if (src->set_attr_val.value && (src->set_attr_val.length > 0)) {
+            dst->set_attr_val.value = (uint8_t *) osi_malloc(src->set_attr_val.length);
+            if (dst->set_attr_val.value) {
+                memcpy(dst->set_attr_val.value, src->set_attr_val.value, src->set_attr_val.length);
+            } else {
+                BTC_TRACE_ERROR("%s %d no mem\n",__func__, msg->act);
+            }
+        } else {
+            dst->set_attr_val.value = NULL;
+            if (src->set_attr_val.value) {
+                BTC_TRACE_ERROR("%s %d, invalid length", __func__, msg->act);
+            } else {
+                BTC_TRACE_WARNING("%s %d, NULL value", __func__, msg->act);
+            }
         }
         break;
     }
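Review bot: The `else` branch of `BTC_GATTS_ACT_CREATE_ATTR_TAB` is the one rejection path in this hunk that does not reset the destination pointer: every other case writes `dst->...value = NULL` when the source pointer or length is rejected, but here `dst->create_attr_tab.gatts_attr_db` is left untouched when `gatts_attr_db` is non-NULL and `max_nb_attr` is 0. If `dst` is a shallow copy of `src` before this deep copy runs (the prologue that sets up `dst`/`src` is outside the hunk), the queued message then still carries the caller's pointer, and the matching deep-free for this action (also outside the hunk) would release memory the BTC layer never allocated. The same branch also logs `NULL data` for both the NULL-pointer and the zero-length case, unlike the `invalid length`/`NULL value` split used by the other cases, so the zero-length misuse is harder to spot in logs; the shape below aligns it. Separately, the `no mem\n` messages carry a trailing newline while the new `invalid length`/`NULL value` messages do not, which is cosmetic but worth making consistent.
```c
    case BTC_GATTS_ACT_CREATE_ATTR_TAB: {
        // … unchanged: num_attr, allocation and copy on the valid path …
        } else {
            dst->create_attr_tab.gatts_attr_db = NULL;
            if (src->create_attr_tab.gatts_attr_db) {
                BTC_TRACE_ERROR("%s %d, invalid length", __func__, msg->act);
            } else {
                BTC_TRACE_WARNING("%s %d, NULL data", __func__, msg->act);
            }
        }
        break;
    }
```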