fix(bt/bluedroid): added length check when copy AVDTP packet

Jin Cheng
2025-10-11 17:49:59 +08:00
parent 6a497ad921
commit 4df287c536
2 changed files with 9 additions and 0 deletions
@@ -86,6 +86,11 @@ static BT_HDR *avct_lcb_msg_asmbl(tAVCT_LCB *p_lcb, BT_HDR *p_buf)
AVCT_TRACE_WARNING("Got start during reassembly");
}
osi_free(p_lcb->p_rx_msg);
p_lcb->p_rx_msg = NULL;
if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
osi_free(p_buf);
return NULL;
}
/* Allocate bigger buffer for reassembly. As lower layers are
* not aware of possible packet size after reassembly they
* would have allocated smaller buffer.
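Review bot: The new early return drops an oversized start fragment without any trace, although the branch just above it already logs `AVCT_TRACE_WARNING("Got start during reassembly")`. A peer-supplied `offset`/`len` that exceeds the reassembly buffer is worth recording for diagnostics, so I would add `AVCT_TRACE_WARNING("Start packet exceeds reassembly buffer, dropped");` before `osi_free(p_buf);`. The identical check added in avdt_msg_asmbl has the same gap. The check sits above the "Allocate bigger buffer" comment here but below it in avdt_msg_asmbl; placing it the same way in both would read more cleanly. The function body starts and continues outside the hunk, so whether the continuation-fragment path has an equivalent bound cannot be confirmed from here and should be verified.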
@@ -1314,6 +1314,10 @@ BT_HDR *avdt_msg_asmbl(tAVDT_CCB *p_ccb, BT_HDR *p_buf)
* not aware of possible packet size after reassembly, they
* would have allocated smaller buffer.
*/
if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
osi_free(p_buf);
return NULL;
}
p_ccb->p_rx_msg = (BT_HDR *)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
memcpy(p_ccb->p_rx_msg, p_buf,
sizeof(BT_HDR) + p_buf->offset + p_buf->len);
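Review bot: The result of `osi_malloc(BT_DEFAULT_BUFFER_SIZE)` is passed straight to `memcpy` as the destination with no NULL check in between. The added length check bounds the copy size, but not the case where the allocation itself fails. If `osi_malloc` can return NULL in this port (not visible here), a guard after the allocation is needed: `if (p_ccb->p_rx_msg == NULL) { osi_free(p_buf); return NULL; }`. The size expression `sizeof(BT_HDR) + p_buf->offset + p_buf->len` now appears twice; holding it in a local `size_t` would keep the check and the copy in step. The function body starts and continues outside the hunk.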