Backtrace:
4 0xb62d7a4e in g_malloc0 (n_bytes=n_bytes@entry=4294967295) at ../glib/gmem.c:134 --> libglib (rpm)
5 0x00472432 in __bt_set_multi_adv_param (adv_setup=adv_setup@entry=0xbe0db954, adv_data=adv_data@entry=0xbe0dba5c, length=length@entry=2) at /usr/src/debug/bluetooth-frwk-0.6.0/bt-service/services/adapter/bt-service-core-adapter-le.c:1467 --> bluetooth-frwk-service (rpm)
6 0x004729b4 in _bt_set_scan_response_data (sender=0x518228 ":1.108", adv_handle=5764800, response=response@entry=0xbe0dba5c, length=2, use_reserved_slot=use_reserved_slot@entry=0) at /usr/src/debug/bluetooth-frwk-0.6.0/bt-service/services/adapter/bt-service-core-adapter-le.c:1768 --> bluetooth-frwk-service (rpm)
The crash was occurring due to incorrect manufacturer length.
This patch fixes the same.
Change-Id: I16cfd653e46615ed5fa386a6e8281591526ff689
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
BT_DBG("len: %d, type: 0x%x", len, type);
+ retv_if(len < 1, BLUETOOTH_ERROR_INVALID_PARAM);
+
switch (type) {
case 0xFF: /* Manufacturer Data */
+ if (len > (BLUETOOTH_MANUFACTURER_DATA_LENGTH_MAX + 1)) {
+ BT_ERR("Manufacturer data length is invalid");
+ return BLUETOOTH_ERROR_INVALID_PARAM;
+ }
adv_setup->manufacturer_data = g_malloc0(sizeof(char) * (len - 1));
memcpy(adv_setup->manufacturer_data, (ptr + 2), (len - 1));
adv_setup->manufacturer_data_len = len - 1;
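Review bot: the new upper bound only guards the allocation size, not the source read: `memcpy(adv_setup->manufacturer_data, (ptr + 2), (len - 1));` still copies `len - 1` bytes from the caller-supplied buffer without comparing `len` against the bytes remaining in that buffer (the backtrace shows this path entered with `length=2`), so a `len` value that is within `BLUETOOTH_MANUFACTURER_DATA_LENGTH_MAX + 1` but larger than the remaining input still over-reads; suggest checking `len` against the remaining input length alongside the maximum, e.g. `if (len > (BLUETOOTH_MANUFACTURER_DATA_LENGTH_MAX + 1) || len - 1 > remaining)`. The `retv_if(len < 1, ...)` placed before the `switch` correctly stops the `len - 1` wrap to 4294967295 seen in frame 4 for every type, but the maximum-length check is added only under `case 0xFF`; the other case labels are outside this hunk, so it is worth confirming they apply an equivalent bound before their own allocations. Minor style point: this error path uses `BT_ERR` plus an explicit `return` while the line above uses `retv_if`; either is fine, but mixing both in adjacent lines reads inconsistently.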