component/bt: bugfix for incorrect length of HCI SCO packet size in HFP resulted from uninitialized data buffer length

wangmengyang 2018-09-04 20:09:07 +08:00
parent b91cf5a33f
commit 4e6b3936c0
2 changed files with 7 additions and 7 deletions


@ -429,7 +429,6 @@ static void bta_hf_client_sco_event(UINT8 event)
if (event == BTA_HF_CLIENT_SCO_CI_DATA_E) { if (event == BTA_HF_CLIENT_SCO_CI_DATA_E) {
uint16_t pkt_offset = 1 + HCI_SCO_PREAMBLE_SIZE; uint16_t pkt_offset = 1 + HCI_SCO_PREAMBLE_SIZE;
uint16_t len_to_send = 0; uint16_t len_to_send = 0;
uint8_t *p;
while (true) while (true)
{ {
p_buf = osi_malloc(sizeof(BT_HDR) + pkt_offset + BTM_SCO_DATA_SIZE_MAX); p_buf = osi_malloc(sizeof(BT_HDR) + pkt_offset + BTM_SCO_DATA_SIZE_MAX);
@ -439,13 +438,13 @@ static void bta_hf_client_sco_event(UINT8 event)
} }
p_buf->offset = pkt_offset; p_buf->offset = pkt_offset;
p_buf->len = BTM_SCO_DATA_SIZE_MAX;
len_to_send = bta_hf_client_sco_co_out_data(p_buf->data + pkt_offset, BTM_SCO_DATA_SIZE_MAX); len_to_send = bta_hf_client_sco_co_out_data(p_buf->data + pkt_offset, BTM_SCO_DATA_SIZE_MAX);
if (len_to_send) { if (len_to_send == BTM_SCO_DATA_SIZE_MAX) {
// expect to get the exact size of data from upper layer
if (bta_hf_client_cb.scb.sco_state == BTA_HF_CLIENT_SCO_OPEN_ST) { if (bta_hf_client_cb.scb.sco_state == BTA_HF_CLIENT_SCO_OPEN_ST) {
p = (UINT8 *)(p_buf->data + pkt_offset -1);
*p = len_to_send; // set SCO packet length;
tBTM_STATUS write_stat = BTM_WriteScoData(p_scb->sco_idx, p_buf); tBTM_STATUS write_stat = BTM_WriteScoData(p_scb->sco_idx, p_buf);
if (write_stat != BTM_SUCCESS && write_stat != BTM_SCO_BAD_LENGTH) { if (write_stat != BTM_SUCCESS) {
break; break;
} }
} else { } else {
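Review bot: A non-zero short return from `bta_hf_client_sco_co_out_data` is no longer transmitted, because the new test `len_to_send == BTM_SCO_DATA_SIZE_MAX` sends it to the `else` branch, whose body lies outside this hunk. If that branch only releases `p_buf`, audio bytes already pulled from the upper layer are dropped without any trace, and the one-line comment under the `if` does not say so. I would replace it with `/* Only a full BTM_SCO_DATA_SIZE_MAX frame is sent; a short read takes the else branch and is not transmitted. */`. I would also add `/* set before BTM_WriteScoData reads it: osi_malloc does not initialise BT_HDR.len */` beside the new `p_buf->len` assignment, so the reason for the fix stays next to the code.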


@ -431,12 +431,13 @@ tBTM_STATUS BTM_WriteScoData (UINT16 sco_inx, BT_HDR *p_buf)
/* only sent the first BTM_SCO_DATA_SIZE_MAX bytes data if more than max, /* only sent the first BTM_SCO_DATA_SIZE_MAX bytes data if more than max,
and set warning status */ and set warning status */
if (p_buf->len > BTM_SCO_DATA_SIZE_MAX) { if (p_buf->len > BTM_SCO_DATA_SIZE_MAX) {
BTM_TRACE_WARNING ("BTM SCO hdl %x, bad len %u", p_ccb->hci_handle, p_buf->len);
p_buf->len = BTM_SCO_DATA_SIZE_MAX; p_buf->len = BTM_SCO_DATA_SIZE_MAX;
status = BTM_SCO_BAD_LENGTH; status = BTM_SCO_BAD_LENGTH;
} }
UINT8_TO_STREAM (p, (UINT8)p_buf->len); UINT8_TO_STREAM (p, (UINT8)p_buf->len);
BTM_TRACE_DEBUG ("BTM SCO hdl %x, len %u", p_ccb->hci_handle, p_buf->len);
p_buf->len += HCI_SCO_PREAMBLE_SIZE; p_buf->len += HCI_SCO_PREAMBLE_SIZE;
if (fixed_queue_length(p_ccb->xmit_data_q) < BTM_SCO_XMIT_QUEUE_THRS) { if (fixed_queue_length(p_ccb->xmit_data_q) < BTM_SCO_XMIT_QUEUE_THRS) {
@ -453,7 +454,7 @@ tBTM_STATUS BTM_WriteScoData (UINT16 sco_inx, BT_HDR *p_buf)
status = BTM_UNKNOWN_ADDR; status = BTM_UNKNOWN_ADDR;
} }
if (status != BTM_SUCCESS && status != BTM_SCO_BAD_LENGTH) { if (status != BTM_SUCCESS) {
BTM_TRACE_WARNING ("stat %d", status); BTM_TRACE_WARNING ("stat %d", status);
osi_free(p_buf); osi_free(p_buf);
} }
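Review bot: The final check now frees `p_buf` for every status other than `BTM_SUCCESS`, which includes the `BTM_SCO_BAD_LENGTH` set in the truncation branch earlier in this function. After setting that status, the function still continues to the `xmit_data_q` length check. This reads the second printed condition as the new side, and assumes the buffer is enqueued in the lines between the two hunks, which are not visible here. If both hold, an over-long buffer would be queued and then freed, leaving a dangling pointer on the transmit queue. Either keep the exclusion, `if (status != BTM_SUCCESS && status != BTM_SCO_BAD_LENGTH) {`, or return before queuing when the length is bad. The HFP caller changed in this commit always sets `len` to the maximum, so the path would only be reached from other callers of `BTM_WriteScoData`.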