From 520b3340f60b487e114a0331f5771e9260d81da9 Mon Sep 17 00:00:00 2001 From: zhiweijian Date: Fri, 13 Oct 2017 15:06:08 +0800 Subject: [PATCH] Component/bt: fix crash when set attr value 0 --- components/bt/bluedroid/bta/gatt/bta_gatts_api.c | 2 ++ components/bt/bluedroid/stack/gatt/gatt_api.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/components/bt/bluedroid/bta/gatt/bta_gatts_api.c b/components/bt/bluedroid/bta/gatt/bta_gatts_api.c index 9228fa5fd..67bc847e0 100644 --- a/components/bt/bluedroid/bta/gatt/bta_gatts_api.c +++ b/components/bt/bluedroid/bta/gatt/bta_gatts_api.c @@ -474,8 +474,10 @@ void BTA_GATTS_SendRsp (UINT16 conn_id, UINT32 trans_id, void BTA_SetAttributeValue(UINT16 attr_handle, UINT16 length, UINT8 *value) { tBTA_GATTS_API_SET_ATTR_VAL *p_buf; + UINT16 len = sizeof(tBTA_GATTS_API_SET_ATTR_VAL); if((p_buf = (tBTA_GATTS_API_SET_ATTR_VAL *)osi_malloc( sizeof(tBTA_GATTS_API_SET_ATTR_VAL))) != NULL){ + memset(p_buf, 0, len); p_buf->hdr.event = BTA_GATTS_API_SET_ATTR_VAL_EVT; p_buf->hdr.layer_specific = attr_handle; p_buf->length = length; diff --git a/components/bt/bluedroid/stack/gatt/gatt_api.c b/components/bt/bluedroid/stack/gatt/gatt_api.c index 1c9c6df02..6737183fd 100644 --- a/components/bt/bluedroid/stack/gatt/gatt_api.c +++ b/components/bt/bluedroid/stack/gatt/gatt_api.c @@ -723,7 +723,9 @@ tGATT_STATUS GATTS_SetAttributeValue(UINT16 attr_handle, UINT16 length, UINT8 *v GATT_TRACE_DEBUG("GATTS_SetAttributeValue: attr_handle: %u length: %u \n", attr_handle, length); - + if (length <= 0){ + return GATT_INVALID_ATTR_LEN; + } if ((p_decl = gatt_find_hdl_buffer_by_attr_handle(attr_handle)) == NULL) { GATT_TRACE_DEBUG("Service not created\n"); return GATT_INVALID_HANDLE;