Fix btmon crash

[Problem] btmon crash happens
[Cause & Measure] When SDP continuation is handled, other variable's
 value is overwritten because invalid array index is used for memcpy's
 src.
[Checking Method] Run btmon -> Connect Android phone to KITT ->
 Terminate btmon. In this procedure, btmon crash happens randomly.

When issue happens, irk_list's value is corrupted by invalid memcpy.
This causes crash when it accesses to irk_list.

1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
499			memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1);
1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
0xb6f5f1a8 in memcpy@plt ()
1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
Single stepping until exit from function memcpy@plt,
which has no line number information.
memcpy () at ../sysdeps/arm/memcpy.S:63

...

1: irk_list = (struct queue *) 0xb7000002
(gdb)
search_attr_rsp (frame=0xbeadd3f8, tid=0xb6fcd760 <tid_list>) at monitor/sdp.c:669
669		clear_tid(tid);
1: irk_list = (struct queue *) 0xb7000002
(gdb) p cont_list
$5 = {{channel = 0, cont = '\000' <repeats 16 times>, data = 0xb7cda3a0, size = 656}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0,
    cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>,
    data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0,
    cont = '\000' <repeats 16 times>, data = 0x0, size = 0}}

Change-Id: I3608d1b9cf14bbfc87d17fbad6a443bdcbdf87af
Signed-off-by: Seungyoun Ju <sy39.ju@samsung.com>
Signed-off-by: DoHyun Pyun <dh79.pyun@samsung.com>

diff --git a/monitor/sdp.c b/monitor/sdp.c
index 417a21c..e8523a2 100755 (executable)
--- a/monitor/sdp.c
+++ b/monitor/sdp.c
@@ -496,7 +496,11 @@ static void handle_continuation(struct tid_data *tid, bool nested,
                cont_list[n].data = NULL;
                cont_list[n].size = 0;
        } else
+#ifdef TIZEN_FEATURE_BLUEZ_MODIFY
+               memcpy(cont_list[n].cont, data + bytes, data[bytes] + 1);
+#else
                memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1);
+#endif
 }
 
 static uint16_t common_rsp(const struct l2cap_frame *frame,