component/bt: bugfix for incorrect length of HCI SCO packet size in HFP resulted from uninitialized data buffer length

2018-09-04 20:09:07 +08:00 · 2018-09-04 20:09:07 +08:00 · 4e6b3936c0
parent b91cf5a33f
commit 4e6b3936c0
2 changed files with 7 additions and 7 deletions
--- a/components/bt/bluedroid/bta/hf_client/bta_hf_client_sco.c
+++ b/components/bt/bluedroid/bta/hf_client/bta_hf_client_sco.c
@ -429,7 +429,6 @@ static void bta_hf_client_sco_event(UINT8 event)
    if (event == BTA_HF_CLIENT_SCO_CI_DATA_E) {
        uint16_t pkt_offset = 1 + HCI_SCO_PREAMBLE_SIZE;
        uint16_t len_to_send = 0;
-        uint8_t *p;
        while (true)
        {
            p_buf = osi_malloc(sizeof(BT_HDR) + pkt_offset + BTM_SCO_DATA_SIZE_MAX);
@ -439,13 +438,13 @@ static void bta_hf_client_sco_event(UINT8 event)
            }

            p_buf->offset = pkt_offset;
+            p_buf->len = BTM_SCO_DATA_SIZE_MAX;
            len_to_send = bta_hf_client_sco_co_out_data(p_buf->data + pkt_offset, BTM_SCO_DATA_SIZE_MAX);
-            if (len_to_send) {
+            if (len_to_send == BTM_SCO_DATA_SIZE_MAX) {
+                // expect to get the exact size of data from upper layer
                if (bta_hf_client_cb.scb.sco_state == BTA_HF_CLIENT_SCO_OPEN_ST) {
-                    p = (UINT8 *)(p_buf->data + pkt_offset -1);
-                    *p = len_to_send; // set SCO packet length;
                    tBTM_STATUS write_stat = BTM_WriteScoData(p_scb->sco_idx, p_buf);
-                    if (write_stat != BTM_SUCCESS && write_stat != BTM_SCO_BAD_LENGTH) {
+                    if (write_stat != BTM_SUCCESS) {
                        break;
                    }
                } else {
--- a/components/bt/bluedroid/stack/btm/btm_sco.c
+++ b/components/bt/bluedroid/stack/btm/btm_sco.c
@ -431,12 +431,13 @@ tBTM_STATUS BTM_WriteScoData (UINT16 sco_inx, BT_HDR *p_buf)
            /* only sent the first BTM_SCO_DATA_SIZE_MAX bytes data if more than max,
               and set warning status */
            if (p_buf->len > BTM_SCO_DATA_SIZE_MAX) {
+                BTM_TRACE_WARNING ("BTM SCO hdl %x, bad len %u", p_ccb->hci_handle, p_buf->len);
                p_buf->len = BTM_SCO_DATA_SIZE_MAX;
                status = BTM_SCO_BAD_LENGTH;
            }

            UINT8_TO_STREAM (p, (UINT8)p_buf->len);
-            BTM_TRACE_DEBUG ("BTM SCO hdl %x, len %u", p_ccb->hci_handle, p_buf->len);
+
            p_buf->len += HCI_SCO_PREAMBLE_SIZE;

            if (fixed_queue_length(p_ccb->xmit_data_q) < BTM_SCO_XMIT_QUEUE_THRS) {
@ -453,7 +454,7 @@ tBTM_STATUS BTM_WriteScoData (UINT16 sco_inx, BT_HDR *p_buf)
        status = BTM_UNKNOWN_ADDR;
    }

-    if (status != BTM_SUCCESS && status != BTM_SCO_BAD_LENGTH) {
+    if (status != BTM_SUCCESS) {
        BTM_TRACE_WARNING ("stat %d", status);
        osi_free(p_buf);
    }