fix(bt/bluedroid): Fixed not deep copy service_name and user1_ptr in RAW SDP search event

This commit is contained in:
liqigan 2024-09-10 20:13:21 +08:00
parent bfd1ea82bd
commit 5e62d99961
5 changed files with 121 additions and 31 deletions

View File

@ -85,9 +85,11 @@ typedef void (tBTA_SDP_DM_CBACK)(tBTA_SDP_EVT event, tBTA_SDP *p_data, void *use
/* MCE configuration structure */
typedef struct {
UINT16 sdp_db_size; /* The size of p_sdp_db */
UINT16 sdp_raw_size; /* The size of p_sdp_raw_data */
UINT16 sdp_db_size; /* The size of p_sdp_db */
#if (SDP_INCLUDED == TRUE)
tSDP_DISCOVERY_DB *p_sdp_db; /* The data buffer to keep SDP database */
UINT8 *p_sdp_raw_data; /* The data buffer to keep raw data */
tSDP_DISCOVERY_DB *p_sdp_db; /* The data buffer to keep SDP database */
#endif ///SDP_INCLUDED == TRUE
} tBTA_SDP_CFG;

View File

@ -375,7 +375,7 @@ static void bta_create_raw_sdp_record(bluetooth_sdp_record *record, tSDP_DISC_RE
if (SDP_FindProtocolListElemInRec(p_rec, UUID_PROTOCOL_RFCOMM, &pe)) {
record->hdr.rfcomm_channel_number = pe.params[0];
}
record->hdr.user1_ptr_len = p_bta_sdp_cfg->p_sdp_db->raw_size;
record->hdr.user1_ptr_len = p_bta_sdp_cfg->p_sdp_db->raw_used;
record->hdr.user1_ptr = p_bta_sdp_cfg->p_sdp_db->raw_data;
}
@ -526,6 +526,10 @@ void bta_sdp_search(tBTA_SDP_MSG *p_data)
SDP_InitDiscoveryDb (p_bta_sdp_cfg->p_sdp_db, p_bta_sdp_cfg->sdp_db_size, 1,
bta_sdp_search_uuid, 0, NULL);
/* tell SDP to keep the raw data */
p_bta_sdp_cfg->p_sdp_db->raw_size = p_bta_sdp_cfg->sdp_raw_size;
p_bta_sdp_cfg->p_sdp_db->raw_data = p_bta_sdp_cfg->p_sdp_raw_data;
if (!SDP_ServiceSearchAttributeRequest2(p_data->get_search.bd_addr, p_bta_sdp_cfg->p_sdp_db,
bta_sdp_search_cback, (void *)bta_sdp_search_uuid)) {
bta_sdp_cb.sdp_active = BTA_SDP_ACTIVE_NONE;

View File

@ -65,7 +65,9 @@ tBTA_SDP_STATUS BTA_SdpEnable(tBTA_SDP_DM_CBACK *p_cback)
#if BTA_DYNAMIC_MEMORY == TRUE
/* Malloc buffer for SDP configuration structure */
p_bta_sdp_cfg->p_sdp_db = (tSDP_DISCOVERY_DB *)osi_malloc(p_bta_sdp_cfg->sdp_db_size);
if (p_bta_sdp_cfg->p_sdp_db == NULL) {
p_bta_sdp_cfg->p_sdp_raw_data = (UINT8 *)osi_malloc(p_bta_sdp_cfg->sdp_raw_size);
if (p_bta_sdp_cfg->p_sdp_db == NULL || p_bta_sdp_cfg->p_sdp_raw_data == NULL) {
BTA_SdpCleanup();
return BTA_SDP_FAILURE;
}
#endif
@ -118,8 +120,15 @@ tBTA_SDP_STATUS BTA_SdpCleanup(void)
bta_sys_deregister(BTA_ID_SDP);
#if BTA_DYNAMIC_MEMORY == TRUE
/* Free buffer for SDP configuration structure */
osi_free(p_bta_sdp_cfg->p_sdp_db);
p_bta_sdp_cfg->p_sdp_db = NULL;
if (p_bta_sdp_cfg->p_sdp_db) {
osi_free(p_bta_sdp_cfg->p_sdp_db);
p_bta_sdp_cfg->p_sdp_db = NULL;
}
if (p_bta_sdp_cfg->p_sdp_raw_data) {
osi_free(p_bta_sdp_cfg->p_sdp_raw_data);
p_bta_sdp_cfg->p_sdp_raw_data = NULL;
}
#endif
return BTA_SDP_SUCCESS;
}

View File

@ -30,16 +30,24 @@
#define BTA_SDP_DB_SIZE 1500
#endif
#ifndef BTA_SDP_RAW_DATA_SIZE
#define BTA_SDP_RAW_DATA_SIZE 1024
#endif
#if BTA_DYNAMIC_MEMORY == FALSE
static UINT8 bta_sdp_raw_data[BTA_SDP_RAW_DATA_SIZE];
static UINT8 __attribute__ ((aligned(4))) bta_sdp_db_data[BTA_SDP_DB_SIZE];
#endif
/* SDP configuration structure */
tBTA_SDP_CFG bta_sdp_cfg = {
BTA_SDP_RAW_DATA_SIZE,
BTA_SDP_DB_SIZE,
#if BTA_DYNAMIC_MEMORY == FALSE
bta_sdp_raw_data,
(tSDP_DISCOVERY_DB *)bta_sdp_db_data /* The data buffer to keep SDP database */
#else
NULL,
NULL
#endif
};

View File

@ -939,6 +939,83 @@ static bool btc_sdp_remove_record_event(int id, int *p_sdp_handle)
return result;
}
static void btc_sdp_cb_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src)
{
switch (msg->act) {
case BTA_SDP_SEARCH_COMP_EVT: {
tBTA_SDP_SEARCH_COMP *src_search_comp = (tBTA_SDP_SEARCH_COMP *)p_src;
tBTA_SDP_SEARCH_COMP *dest_search_comp = (tBTA_SDP_SEARCH_COMP *)p_dest;
int record_count = src_search_comp->record_count;
for (int i = 0; i < record_count; i++) {
bluetooth_sdp_record *src_record = &src_search_comp->records[i];
bluetooth_sdp_record *dest_record = &dest_search_comp->records[i];
// deep copy service name
uint32_t src_service_name_length = src_record->hdr.service_name_length;
char *src_service_name = src_record->hdr.service_name;
dest_record->hdr.service_name_length = 0;
dest_record->hdr.service_name = NULL;
if (src_service_name && src_service_name_length) {
char *service_name = (char *)osi_malloc(src_service_name_length + 1);
if (service_name) {
memcpy(service_name, src_service_name, src_service_name_length);
service_name[src_service_name_length] = '\0';
dest_record->hdr.service_name_length = src_service_name_length;
dest_record->hdr.service_name = service_name;
} else {
BTC_TRACE_ERROR("%s malloc service name failed, orig service name:%s", __func__, src_service_name);
}
}
// deep copy user1_ptr fow RAW type
int src_user1_ptr_len = src_record->hdr.user1_ptr_len;
uint8_t *src_user1_ptr = src_record->hdr.user1_ptr;
dest_record->hdr.user1_ptr_len = 0;
dest_record->hdr.user1_ptr = NULL;
if (src_record->hdr.type == SDP_TYPE_RAW && src_user1_ptr && src_user1_ptr_len) {
uint8_t *user1_ptr = (uint8_t *)osi_malloc(src_user1_ptr_len);
if (user1_ptr) {
memcpy(user1_ptr, src_user1_ptr, src_user1_ptr_len);
dest_record->hdr.user1_ptr_len = src_user1_ptr_len;
dest_record->hdr.user1_ptr = user1_ptr;
} else {
BTC_TRACE_ERROR("%s malloc user1_ptr failed", __func__);
}
}
}
break;
}
default:
break;
}
}
static void btc_sdp_cb_arg_deep_free(btc_msg_t *msg)
{
switch (msg->act) {
case BTA_SDP_SEARCH_COMP_EVT: {
tBTA_SDP_SEARCH_COMP *search_comp = (tBTA_SDP_SEARCH_COMP *)msg->arg;
for (size_t i = 0; i < search_comp->record_count; i++) {
bluetooth_sdp_record *record = &search_comp->records[i];
if (record->hdr.service_name) {
osi_free(record->hdr.service_name);
}
if (record->hdr.user1_ptr) {
osi_free(record->hdr.user1_ptr);
}
}
break;
}
default:
break;
}
}
static void btc_sdp_dm_cback(tBTA_SDP_EVT event, tBTA_SDP* p_data, void* user_data)
{
btc_msg_t msg;
@ -970,7 +1047,7 @@ static void btc_sdp_dm_cback(tBTA_SDP_EVT event, tBTA_SDP* p_data, void* user_da
msg.pid = BTC_PID_SDP;
msg.act = event;
status = btc_transfer_context(&msg, p_data, sizeof(tBTA_SDP), NULL, NULL);
status = btc_transfer_context(&msg, p_data, sizeof(tBTA_SDP), btc_sdp_cb_arg_deep_copy, btc_sdp_cb_arg_deep_free);
if (status != BT_STATUS_SUCCESS) {
BTC_TRACE_ERROR("%s btc_transfer_context failed", __func__);
@ -1142,11 +1219,10 @@ static void btc_sdp_search(btc_sdp_args_t *arg)
void btc_sdp_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src)
{
bluetooth_sdp_record **dst_record = &((btc_sdp_args_t *)p_dest)->create_record.record;
bluetooth_sdp_record *src_record = ((btc_sdp_args_t *)p_src)->create_record.record;
switch (msg->act) {
case BTC_SDP_ACT_CREATE_RECORD:
case BTC_SDP_ACT_CREATE_RECORD: {
bluetooth_sdp_record **dst_record = &((btc_sdp_args_t *)p_dest)->create_record.record;
bluetooth_sdp_record *src_record = ((btc_sdp_args_t *)p_src)->create_record.record;
bluetooth_sdp_record *record = (bluetooth_sdp_record *)osi_calloc(get_sdp_record_size(src_record));
if (record) {
copy_sdp_record(src_record, record);
@ -1157,6 +1233,7 @@ void btc_sdp_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src)
*dst_record = record;
break;
}
default:
break;
}
@ -1164,15 +1241,15 @@ void btc_sdp_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src)
void btc_sdp_arg_deep_free(btc_msg_t *msg)
{
btc_sdp_args_t *arg = (btc_sdp_args_t *)msg->arg;
bluetooth_sdp_record *record = arg->create_record.record;
switch (msg->act) {
case BTC_SDP_ACT_CREATE_RECORD:
case BTC_SDP_ACT_CREATE_RECORD: {
btc_sdp_args_t *arg = (btc_sdp_args_t *)msg->arg;
bluetooth_sdp_record *record = arg->create_record.record;
if (record) {
osi_free(record);
}
break;
}
default:
break;
}
@ -1229,23 +1306,11 @@ void btc_sdp_cb_handler(btc_msg_t *msg)
sdp_local_param.search_allowed = true;
param.search.status = p_data->sdp_search_comp.status;
if (param.search.status == ESP_SDP_SUCCESS) {
memcpy(param.search.remote_addr, p_data->sdp_search_comp.remote_addr, sizeof(BD_ADDR));
memcpy(&param.search.sdp_uuid, &p_data->sdp_search_comp.uuid, sizeof(tSDP_UUID));
param.search.record_count = p_data->sdp_search_comp.record_count;
param.search.records = osi_malloc(sizeof(esp_bluetooth_sdp_record_t)*p_data->sdp_search_comp.record_count);
if (param.search.records != NULL) {
memcpy(param.search.records, p_data->sdp_search_comp.records,
sizeof(esp_bluetooth_sdp_record_t)*p_data->sdp_search_comp.record_count);
} else {
BTC_TRACE_ERROR("%s %d osi_malloc failed\n", __func__, event);
param.search.status = ESP_SDP_NO_RESOURCE;
}
}
memcpy(param.search.remote_addr, p_data->sdp_search_comp.remote_addr, sizeof(BD_ADDR));
memcpy(&param.search.sdp_uuid, &p_data->sdp_search_comp.uuid, sizeof(tSDP_UUID));
param.search.record_count = p_data->sdp_search_comp.record_count;
param.search.records = (esp_bluetooth_sdp_record_t *)p_data->sdp_search_comp.records;
btc_sdp_cb_to_app(ESP_SDP_SEARCH_COMP_EVT, &param);
if (param.search.records != NULL) {
osi_free(param.search.records);
}
break;
case BTA_SDP_CREATE_RECORD_USER_EVT:
param.create_record.status = p_data->sdp_create_record.status;
@ -1270,6 +1335,8 @@ void btc_sdp_cb_handler(btc_msg_t *msg)
BTC_TRACE_DEBUG("%s: Unhandled event (%d)!", __func__, msg->act);
break;
}
btc_sdp_cb_arg_deep_free(msg);
}
#endif ///defined BTC_SDP_INCLUDED && BTC_SDP_INCLUDED == TRUE