X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=bt-oal%2Fbluez_hal%2Fsrc%2Fbt-hal-adapter-le.c;h=258963b2199c75f764fa10972f955af2530ef7fb;hb=06a736ca471e1eae900911742efca9f2feb65fb8;hp=74f4c0b7d599c65ca18f99e345aa7ee24bfc1610;hpb=6de5803b62f31d9d4f8d0397b5455b5b66efeec0;p=platform%2Fcore%2Fconnectivity%2Fbluetooth-frwk.git diff --git a/bt-oal/bluez_hal/src/bt-hal-adapter-le.c b/bt-oal/bluez_hal/src/bt-hal-adapter-le.c index 74f4c0b..258963b 100644 --- a/bt-oal/bluez_hal/src/bt-hal-adapter-le.c +++ b/bt-oal/bluez_hal/src/bt-hal-adapter-le.c @@ -73,7 +73,7 @@ typedef struct { uint8_t event; int server_if; uint8_t status; - uint8_t data[31]; + uint8_t data[BT_HAL_ADVERTISING_DATA_LENGTH_MAX]; } bt_hal_adv_event_data_t; /* Macros */ @@ -753,8 +753,8 @@ static int __bt_hal_parse_service_data(int len, char *src, uint8_t *dest) /* Takes care of both Scan Response and Advertising data */ int _bt_hal_set_advertising_data(btgatt_adv_param_setup_t adv_param_setup) { - uint8_t adv_data[31]; - char adv_data_str[(31 * 2) + 1]; + uint8_t adv_data[BT_HAL_ADVERTISING_DATA_LENGTH_MAX]; + char adv_data_str[(BT_HAL_ADVERTISING_DATA_LENGTH_MAX * 2) + 1]; int index = 0; GDBusProxy *proxy; GError *error = NULL; @@ -779,7 +779,7 @@ int _bt_hal_set_advertising_data(btgatt_adv_param_setup_t adv_param_setup) slot_id = bt_hal_gatts_allocate_adv_slot_by_server_if(adv_param_setup.server_if); - memset(&adv_data, 0, 31); + memset(&adv_data, 0, BT_HAL_ADVERTISING_DATA_LENGTH_MAX); /* Service UUID */ if (adv_param_setup.service_uuid_len > 0) { @@ -789,6 +789,9 @@ int _bt_hal_set_advertising_data(btgatt_adv_param_setup_t adv_param_setup) DBG("After Service UUID:Index [%d]", index); } + if (length >= BT_HAL_ADVERTISING_DATA_LENGTH_MAX) + return BT_STATUS_FAIL; + /* Solicit UUID */ if (adv_param_setup.solicit_uuid_len > 0) { __bt_hal_parse_uuid(adv_param_setup.solicit_uuid_len, 
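Review bot: The length passed to `memset(&adv_data, 0, BT_HAL_ADVERTISING_DATA_LENGTH_MAX)` still restates the array size by hand, only now through the macro. Writing `memset(adv_data, 0, sizeof(adv_data));` ties the size to the declaration. The same holds for the copy in the last hunk, where `memcpy(event->data, adv_data, sizeof(event->data));` would bound the copy by the destination. `_bt_hal_set_advertising_data` starts and ends outside this hunk.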
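Review bot: The `length >= BT_HAL_ADVERTISING_DATA_LENGTH_MAX` test added after the Service UUID block runs only once that block has already written into `adv_data` (presumably through `__bt_hal_parse_uuid`, as in the Solicit UUID block), so an oversized UUID list overruns the stack buffer before this return is reached. The next hunk repeats the pattern after the Solicit UUID block, and the service-data call there, `__bt_hal_parse_service_data(..., &adv_data[index])`, is preceded only by a test that the buffer is not already full, not that the new field fits; its signature `(int len, char *src, uint8_t *dest)` carries no remaining-capacity argument. I would pass the remaining capacity into the parsers, or test it before each call, for example `if (adv_param_setup.service_data_len > BT_HAL_ADVERTISING_DATA_LENGTH_MAX - index) return BT_STATUS_FAIL;` (the exact bound depends on how many bytes the parser emits, which is not visible here). These checks also test `length` while the writes are positioned by `index`; where `length` is updated is outside the hunk, so confirm the two are in step at each check.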
@@ -797,9 +800,13 @@ int _bt_hal_set_advertising_data(btgatt_adv_param_setup_t adv_param_setup) DBG("After Solicit UUID: Index [%d]", index); } + if (length >= BT_HAL_ADVERTISING_DATA_LENGTH_MAX) + return BT_STATUS_FAIL; + /* Service Data UUID*/ if (adv_param_setup.service_data_len > 0) { int l = 0; + l = __bt_hal_parse_service_data(adv_param_setup.service_data_len, adv_param_setup.service_data, &adv_data[index]); @@ -813,6 +820,9 @@ int _bt_hal_set_advertising_data(btgatt_adv_param_setup_t adv_param_setup) #else if (adv_param_setup.appearance > 0) { #endif + if (index + 3 >= BT_HAL_ADVERTISING_DATA_LENGTH_MAX) + return BT_STATUS_FAIL; + adv_data[index] = 0x03; adv_data[index+1] = 0x19; adv_data[index+2] = (uint8_t) (adv_param_setup.appearance & 0xFF); @@ -824,6 +834,9 @@ int _bt_hal_set_advertising_data(btgatt_adv_param_setup_t adv_param_setup) /* TX Power */ if (adv_param_setup.include_txpower != 0) { + if (index + 1 >= BT_HAL_ADVERTISING_DATA_LENGTH_MAX) + return BT_STATUS_FAIL; + adv_data[index] = 0x01; adv_data[index+1] = 0x0A; index += 2; @@ -833,6 +846,9 @@ int _bt_hal_set_advertising_data(btgatt_adv_param_setup_t adv_param_setup) /* Device Name */ if (adv_param_setup.include_name != 0) { + if (index + 1 >= BT_HAL_ADVERTISING_DATA_LENGTH_MAX) + return BT_STATUS_FAIL; + adv_data[index] = 0x01; adv_data[index+1] = 0x09; index += 2; @@ -842,6 +858,9 @@ int _bt_hal_set_advertising_data(btgatt_adv_param_setup_t adv_param_setup) /* Manufacturer data */ if (adv_param_setup.manufacturer_data_len > 0) { + if ((index + 1) + adv_param_setup.manufacturer_data_len >= BT_HAL_ADVERTISING_DATA_LENGTH_MAX) + return BT_STATUS_FAIL; + adv_data[index] = 1 + adv_param_setup.manufacturer_data_len; adv_data[index+1] = 0xFF; memcpy(&adv_data[index+2], adv_param_setup.manufacturer_data, adv_param_setup.manufacturer_data_len); 
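Review bot: The early `return BT_STATUS_FAIL;` added in the appearance block, like those in the TX power, device name, manufacturer data and TDS blocks, exits silently after `bt_hal_gatts_allocate_adv_slot_by_server_if()` has already been called near the top of the function. If that call reserves a slot that the normal path later uses or releases, these exits may leave it allocated; the rest of the function is outside the hunk, so this needs confirming. A log line before each return, for example `DBG("Appearance does not fit: Index [%d]", index);`, would also tell the caller which field was rejected, since every failure path returns the same status.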
@@ -852,6 +871,9 @@ int _bt_hal_set_advertising_data(btgatt_adv_param_setup_t adv_param_setup) /* Transport Discovery Data */ if (adv_param_setup.tds_data_len > 0) { + if ((index + 1) + adv_param_setup.tds_data_len >= BT_HAL_ADVERTISING_DATA_LENGTH_MAX) + return BT_STATUS_FAIL; + adv_data[index] = 1 + adv_param_setup.tds_data_len; adv_data[index+1] = 0x26; memcpy(&adv_data[index+2], adv_param_setup.tds_data, adv_param_setup.tds_data_len); @@ -860,6 +882,9 @@ int _bt_hal_set_advertising_data(btgatt_adv_param_setup_t adv_param_setup) DBG("After Transport Discovery Data: Index [%d]", index); } + if (length >= BT_HAL_ADVERTISING_DATA_LENGTH_MAX) + return BT_STATUS_FAIL; + for (i = 0; i < length; i++) snprintf(&adv_data_str[i * 2], 3, "%02X", adv_data[i]); INFO("Set adv data. Index [%d] length [%d] Data[%s]", index, length, adv_data_str); @@ -905,7 +930,7 @@ int _bt_hal_set_advertising_data(btgatt_adv_param_setup_t adv_param_setup) event->event = BT_HAL_MULTI_ADV_DATA_EVT; event->server_if = adv_param_setup.server_if; event->status = BT_STATUS_SUCCESS; - memcpy(&event->data, adv_data, 31); + memcpy(&event->data, adv_data, BT_HAL_ADVERTISING_DATA_LENGTH_MAX); g_idle_add(__bt_hal_adv_event_cb, (gpointer)event); return BT_STATUS_SUCCESS;
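Review bot: The final guard `if (length >= BT_HAL_ADVERTISING_DATA_LENGTH_MAX)` before the hex-dump loop rejects a payload that exactly fills the buffer, although the loop is safe up to and including that length because `adv_data_str` is declared with `(BT_HAL_ADVERTISING_DATA_LENGTH_MAX * 2) + 1` bytes. The per-field checks added earlier let `index` reach the maximum (the TX power test passes at two below it and is followed by `index += 2`), so if `length` tracks `index`, a full-size advertisement passes every field check and then fails here. If that is not intended, use `if (length > BT_HAL_ADVERTISING_DATA_LENGTH_MAX)`. Where `length` is assigned is not visible in this hunk, and the function continues outside it.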