Revert "Fix an OOB bug in bta_hh_co_get_rpt_rsp"

This reverts commit 4e9686af82f586ed6131e1096e1ac751c744643f.

Reason for revert: regression in 266585826

Change-Id: I56c581b81ba7b5e84b54e6d13dcaf2f1efc27b31

1 files changed, 5 insertions, 6 deletions

diff --git a/btif/co/bta_hh_co.cc b/btif/co/bta_hh_co.cc
index ca70e84a7..5a7cad845 100644
--- a/btif/co/bta_hh_co.cc
+++ b/btif/co/bta_hh_co.cc
@@ -571,23 +571,22 @@ void bta_hh_co_get_rpt_rsp(uint8_t dev_handle, uint8_t status, uint8_t* p_rpt,
   }
 
   // Send the HID report to the kernel.
-  if (p_dev->fd >= 0 && p_dev->get_rpt_snt > 0 && p_dev->get_rpt_snt--) {
+  if (p_dev->fd >= 0 && p_dev->get_rpt_snt--) {
     uint32_t* get_rpt_id =
         (uint32_t*)fixed_queue_dequeue(p_dev->get_rpt_id_queue);
     memset(&ev, 0, sizeof(ev));
     ev.type = UHID_FEATURE_ANSWER;
     ev.u.feature_answer.id = *get_rpt_id;
     ev.u.feature_answer.err = status;
-    ev.u.feature_answer.size = len - GET_RPT_RSP_OFFSET;
+    ev.u.feature_answer.size = len;
     osi_free(get_rpt_id);
-    if (len > GET_RPT_RSP_OFFSET) {
-      if (len - GET_RPT_RSP_OFFSET > UHID_DATA_MAX) {
+    if (len > 0) {
+      if (len > UHID_DATA_MAX) {
         APPL_TRACE_WARNING("%s: Report size greater than allowed size",
                            __func__);
         return;
       }
-      memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET,
-             len - GET_RPT_RSP_OFFSET);
+      memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET, len);
       uhid_write(p_dev->fd, &ev);
     }
   }