-rw-r--r--hci/src/packet_fragmenter.cc10
-rw-r--r--stack/avrc/avrc_pars_tg.cc7
2 files changed, 17 insertions, 0 deletions
diff --git a/hci/src/packet_fragmenter.cc b/hci/src/packet_fragmenter.cc
index ebd9c3ada..4c235aee0 100644
--- a/hci/src/packet_fragmenter.cc
+++ b/hci/src/packet_fragmenter.cc
@@ -35,10 +35,12 @@
#define APPLY_START_FLAG(handle) (((handle)&0xCFFF) | 0x2000)
#define SUB_EVENT(event) ((event)&MSG_SUB_EVT_MASK)
#define GET_BOUNDARY_FLAG(handle) (((handle) >> 12) & 0x0003)
+#define GET_BROADCAST_FLAG(handle) (((handle) >> 14) & 0x0003)
#define HANDLE_MASK 0x0FFF
#define START_PACKET_BOUNDARY 2
#define CONTINUATION_PACKET_BOUNDARY 1
+#define POINT_TO_POINT 0
#define L2CAP_HEADER_PDU_LEN_SIZE 2
#define L2CAP_HEADER_CID_SIZE 2
#define L2CAP_HEADER_SIZE (L2CAP_HEADER_PDU_LEN_SIZE + L2CAP_HEADER_CID_SIZE)
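Review bot: `GET_BROADCAST_FLAG` and `POINT_TO_POINT` are added without a comment saying which bits of the handle field they describe, and `POINT_TO_POINT` is a far more generic name than its neighbours `START_PACKET_BOUNDARY` and `CONTINUATION_PACKET_BOUNDARY`. A one-line comment above the pair, such as `// Bits 14-15 of the handle field are the broadcast flag; 0 means point-to-point.`, would let a reader check the shift and mask against the packet layout without leaving the file. A name like `POINT_TO_POINT_BROADCAST_FLAG` would also make the comparison in reassemble_and_dispatch explain itself.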
@@ -131,8 +133,16 @@ static void reassemble_and_dispatch(BT_HDR* packet) {
CHECK(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE);
uint8_t boundary_flag = GET_BOUNDARY_FLAG(handle);
+ uint8_t broadcast_flag = GET_BROADCAST_FLAG(handle);
handle = handle & HANDLE_MASK;
+ if (broadcast_flag != POINT_TO_POINT) {
+ LOG_WARN(LOG_TAG, "dropping broadcast packet");
+ android_errorWriteLog(0x534e4554, "169327567");
+ buffer_allocator->free(packet);
+ return;
+ }
+
if (boundary_flag == START_PACKET_BOUNDARY) {
if (acl_length < 2) {
LOG_WARN(LOG_TAG, "%s invalid acl_length %d", __func__, acl_length);
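Review bot: The warning in the new drop branch, `LOG_WARN(LOG_TAG, "dropping broadcast packet");`, records neither the function name nor the handle or flag value, unlike the `"%s invalid acl_length %d"` warning just below it, so someone triaging these drops cannot tell which link produced them. Something like `LOG_WARN(LOG_TAG, "%s dropping broadcast packet, handle 0x%04x flag %d", __func__, handle, broadcast_flag);` would match the neighbouring style. The literal `0x534e4554` passed to `android_errorWriteLog` appears again in the avrc_pars_tg.cc hunk; a shared named constant would say what the tag is. reassemble_and_dispatch begins and ends outside this hunk.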
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index f2396b45e..5a81d0d8a 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -306,6 +306,13 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR* p_msg,
return AVRC_STS_INTERNAL_ERR;
else {
BE_STREAM_TO_UINT8(p_result->reg_notif.event_id, p);
+ if (!AVRC_IS_VALID_EVENT_ID(p_result->reg_notif.event_id)) {
+ android_errorWriteLog(0x534e4554, "168802990");
+ AVRC_TRACE_ERROR("%s: Invalid event id: %d", __func__,
+ p_result->reg_notif.event_id);
+ return AVRC_STS_BAD_PARAM;
+ }
+
BE_STREAM_TO_UINT32(p_result->reg_notif.param, p);
}
break;
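Review bot: The new guard depends entirely on `AVRC_IS_VALID_EVENT_ID`, whose definition is not part of this diff, so the accepted range cannot be confirmed from here. A short comment above the `if` would make the intent reviewable, for example `/* Reject event ids outside the range AVRC_IS_VALID_EVENT_ID accepts before the value is stored and used further. */`; the id is read straight from the message buffer with `BE_STREAM_TO_UINT8`, so it is presumably peer-controlled. The commit touches only the two source files, so a unit test that feeds an out-of-range id and expects `AVRC_STS_BAD_PARAM` would be worth adding. avrc_pars_vendor_cmd starts and ends outside this hunk.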