From 493e6c610fb90421d551a246f3139768df0b3935 Mon Sep 17 00:00:00 2001
From: Hui Peng
Date: Thu, 26 Jan 2023 00:29:00 +0000
Subject: Revert "Fix an OOB bug in bta_hh_co_get_rpt_rsp"

This reverts commit 4e9686af82f586ed6131e1096e1ac751c744643f.

Reason for revert: regression in 266585826

Change-Id: I56c581b81ba7b5e84b54e6d13dcaf2f1efc27b31
---
 btif/co/bta_hh_co.cc | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/btif/co/bta_hh_co.cc b/btif/co/bta_hh_co.cc
index ca70e84a7..5a7cad845 100644
--- a/btif/co/bta_hh_co.cc
+++ b/btif/co/bta_hh_co.cc
@@ -571,23 +571,22 @@ void bta_hh_co_get_rpt_rsp(uint8_t dev_handle, uint8_t status, uint8_t* p_rpt,
 }
 // Send the HID report to the kernel.
- if (p_dev->fd >= 0 && p_dev->get_rpt_snt > 0 && p_dev->get_rpt_snt--) {
+ if (p_dev->fd >= 0 && p_dev->get_rpt_snt--) {
 uint32_t* get_rpt_id = (uint32_t*)fixed_queue_dequeue(p_dev->get_rpt_id_queue);
 memset(&ev, 0, sizeof(ev));
 ev.type = UHID_FEATURE_ANSWER;
 ev.u.feature_answer.id = *get_rpt_id;
 ev.u.feature_answer.err = status;
- ev.u.feature_answer.size = len - GET_RPT_RSP_OFFSET;
+ ev.u.feature_answer.size = len;
 osi_free(get_rpt_id);
- if (len > GET_RPT_RSP_OFFSET) {
- if (len - GET_RPT_RSP_OFFSET > UHID_DATA_MAX) {
+ if (len > 0) {
+ if (len > UHID_DATA_MAX) {
 APPL_TRACE_WARNING("%s: Report size greater than allowed size", __func__);
 return;
 }
- memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET,
- len - GET_RPT_RSP_OFFSET);
+ memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET, len);
 uhid_write(p_dev->fd, &ev);
 }
 }
--
cgit v1.2.3
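Review bot: On the new side the copy `memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET, len);` reads `len` bytes starting GET_RPT_RSP_OFFSET bytes into `p_rpt`, and the `len > UHID_DATA_MAX` check bounds only the destination, so unless every caller passes a `len` that already excludes the offset the source read runs past the report buffer, which is the condition the reverted commit's title describes. The revert also drops the `p_dev->get_rpt_snt > 0` guard, so with the counter at zero the branch is skipped but the post-decrement still runs; the counter's type is not visible here, but a later response could then enter the branch and reach `*get_rpt_id` with nothing queued. If the regression concerns only the length arithmetic, the counter guard could be kept as `if (p_dev->fd >= 0 && p_dev->get_rpt_snt > 0 && p_dev->get_rpt_snt--) {`, and a comment such as `// FIXME: len is not checked against GET_RPT_RSP_OFFSET; source read may exceed p_rpt` should mark the copy until a corrected fix lands. The function begins and ends outside this hunk, so how `len` relates to the buffer passed in `p_rpt` needs to be confirmed at the call site.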