Merge "Drop LE CoC fragments when frame size is too big" into pi-dev

c7ab80f8 · TreeHugger Robot · Android (Google) Code Review · cdca621c · c33be991 · c7ab80f8
Commit c7ab80f8 authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/system/stack/l2cap/l2c_fcr.cc
+++ b/system/stack/l2cap/l2c_fcr.cc
@@ -24,6 +24,7 @@
 ******************************************************************************/

 #include <base/logging.h>
+#include <log/log.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -854,8 +855,24 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
    p_buf->offset += sizeof(sdu_length);
    p_data->offset = 0;

-  } else
+  } else {
    p_data = p_ccb->ble_sdu;
+    if (p_buf->len > (p_ccb->ble_sdu_length - p_data->len)) {
+      L2CAP_TRACE_ERROR("%s: buffer length=%d too big. max=%d. Dropped",
+                        __func__, p_data->len,
+                        (p_ccb->ble_sdu_length - p_data->len));
+      android_errorWriteWithInfoLog(0x534e4554, "75298652", -1, NULL, 0);
+      osi_free(p_buf);
+
+      /* Throw away all pending fragments and disconnects */
+      p_ccb->is_first_seg = true;
+      osi_free(p_ccb->ble_sdu);
+      p_ccb->ble_sdu = NULL;
+      p_ccb->ble_sdu_length = 0;
+      l2cu_disconnect_chnl(p_ccb);
+      return;
+    }
+  }

  memcpy((uint8_t*)(p_data + 1) + p_data->offset + p_data->len,
         (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
@@ -868,9 +885,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
    p_ccb->ble_sdu_length = 0;
  } else if (p_data->len < p_ccb->ble_sdu_length) {
    p_ccb->is_first_seg = false;
-  } else {
-    L2CAP_TRACE_ERROR("%s Length in the SDU messed up", __func__);
-    // TODO: reset every thing may be???
  }

  osi_free(p_buf);