From 834d980e39288d944658c5e6d9e4ac88bbd886ec Mon Sep 17 00:00:00 2001
From: Yulong
Date: Fri, 28 Apr 2017 05:31:57 -0400
Subject: [PATCH] compoent/bt:Fixed the BT/BLE statck bug from bluedroid7.1.1
---
 components/bt/bluedroid/bta/dm/bta_dm_act.c | 1 +
 .../bt/bluedroid/bta/gatt/bta_gattc_act.c | 8 ++++++--
 components/bt/bluedroid/main/bte_main.c | 4 ----
 components/bt/bluedroid/stack/btm/btm_dev.c | 20 +++++++++++++++++++
 components/bt/bluedroid/stack/gatt/gatt_sr.c | 5 +++++
 .../bt/bluedroid/stack/include/btm_api.h | 11 ++++++++++
 components/bt/bluedroid/stack/smp/smp_act.c | 7 ++++---
 7 files changed, 47 insertions(+), 9 deletions(-)
diff --git a/components/bt/bluedroid/bta/dm/bta_dm_act.c b/components/bt/bluedroid/bta/dm/bta_dm_act.c
index cd0a7c4cc..a3e5cf3d4 100644
--- a/components/bt/bluedroid/bta/dm/bta_dm_act.c
+++ b/components/bt/bluedroid/bta/dm/bta_dm_act.c
@@ -3414,6 +3414,7 @@ static void bta_dm_remove_sec_dev_entry(BD_ADDR remote_bd_addr)
 BTM_IsAclConnectionUp(remote_bd_addr, BT_TRANSPORT_BR_EDR)) {
 APPL_TRACE_DEBUG("%s ACL is not down. Schedule for Dev Removal when ACL closes", __FUNCTION__);
+ BTM_SecClearSecurityFlags (remote_bd_addr);
 for (index = 0; index < bta_dm_cb.device_list.count; index ++) {
 if (!bdcmp( bta_dm_cb.device_list.peer_device[index].peer_bdaddr, remote_bd_addr)) {
 break;
diff --git a/components/bt/bluedroid/bta/gatt/bta_gattc_act.c b/components/bt/bluedroid/bta/gatt/bta_gattc_act.c
index 41008cb2d..dbf490f8c 100644
--- a/components/bt/bluedroid/bta/gatt/bta_gattc_act.c
+++ b/components/bt/bluedroid/bta/gatt/bta_gattc_act.c
@@ -32,6 +32,7 @@
 #include "bta_gattc_int.h"
 #include "l2c_api.h"
+#include "l2c_int.h"
 #if (defined BTA_HH_LE_INCLUDED && BTA_HH_LE_INCLUDED == TRUE)
 #include "bta_hh_int.h"
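Review bot: The added `BTM_SecClearSecurityFlags (remote_bd_addr);` in bta_dm_remove_sec_dev_entry (bta_dm_act.c) has no comment saying why the record is reset while the ACL is still up, and the reason is security-relevant. I would add above it `/* Peer is being unpaired but is still connected: drop its paired/authenticated state now so it is not treated as bonded until the ACL closes. */`. The call runs before the loop that looks the peer up in `bta_dm_cb.device_list`, and the rest of the function is outside the hunk, so whether a peer missing from that list still gets removed later cannot be checked from here.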
@@ -978,8 +979,11 @@ void bta_gattc_disc_cmpl(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data)
 /* get any queued command to proceed */
 else if (p_q_cmd != NULL) {
 p_clcb->p_q_cmd = NULL;
-
- bta_gattc_sm_execute(p_clcb, p_q_cmd->hdr.event, p_q_cmd);
+ /* execute pending operation of link block still present */
+ if (l2cu_find_lcb_by_bd_addr(p_clcb->p_srcb->server_bda,
+ BT_TRANSPORT_LE) != NULL) {
+ bta_gattc_sm_execute(p_clcb, p_q_cmd->hdr.event, p_q_cmd);
+ }
 /* if the command executed requeued the cmd, we don't
 * want to free the underlying buffer that's being
 * referenced by p_clcb->p_q_cmd
diff --git a/components/bt/bluedroid/main/bte_main.c b/components/bt/bluedroid/main/bte_main.c
index 1b74d558f..622198368 100644
--- a/components/bt/bluedroid/main/bte_main.c
+++ b/components/bt/bluedroid/main/bte_main.c
@@ -144,10 +144,6 @@ int bte_main_boot_entry(bluedroid_init_done_cb_t cb)
 //data_dispatcher_register_default(hci->event_dispatcher, btu_hci_msg_queue);
 hci->set_data_queue(btu_hci_msg_queue);
-#if (defined(BLE_INCLUDED) && (BLE_INCLUDED == TRUE))
- //bte_load_ble_conf(BTE_BLE_STACK_CONF_FILE);
-#endif
- //Enbale HCI
 bte_main_enable();
diff --git a/components/bt/bluedroid/stack/btm/btm_dev.c b/components/bt/bluedroid/stack/btm/btm_dev.c
index cf445d123..b86f861a4 100644
--- a/components/bt/bluedroid/stack/btm/btm_dev.c
+++ b/components/bt/bluedroid/stack/btm/btm_dev.c
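Review bot: In bta_gattc_disc_cmpl (bta_gattc_act.c) a queued command is now dropped without any trace when `l2cu_find_lcb_by_bd_addr()` returns NULL, so a caller waiting on that operation gets no indication it was abandoned. An `else` branch with a trace such as `APPL_TRACE_ERROR("%s: link gone, dropping queued cmd", __func__);` would make this visible; whether a failure callback is also owed to the application depends on code outside the hunk. The lookup hard-codes `BT_TRANSPORT_LE`; if this client can also run over BR/EDR, the connection's own transport should be used instead, otherwise every queued command on such a link is skipped. The new comment reads "of link block" where "if link block" seems intended.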
@@ -196,6 +196,26 @@ BOOLEAN BTM_SecDeleteDevice (BD_ADDR bd_addr)
 return TRUE;
 }
+/*******************************************************************************
+**
+** Function BTM_SecClearSecurityFlags
+**
+** Description Reset the security flags (mark as not-paired) for a given
+** remove device.
+**
+*******************************************************************************/
+extern void BTM_SecClearSecurityFlags (BD_ADDR bd_addr)
+{
+ tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(bd_addr);
+ if (p_dev_rec == NULL)
+ return;
+
+ p_dev_rec->sec_flags = 0;
+ p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
+ p_dev_rec->sm4 = BTM_SM4_UNKNOWN;
+}
+
+
 /*******************************************************************************
 **
 ** Function BTM_SecReadDevName
diff --git a/components/bt/bluedroid/stack/gatt/gatt_sr.c b/components/bt/bluedroid/stack/gatt/gatt_sr.c
index a35c3717c..c22f60071 100644
--- a/components/bt/bluedroid/stack/gatt/gatt_sr.c
+++ b/components/bt/bluedroid/stack/gatt/gatt_sr.c
@@ -1183,6 +1183,11 @@ void gatt_attr_process_prepare_write (tGATT_TCB *p_tcb, UINT8 i_rcb, UINT16 hand
 tGATT_PREPARE_WRITE_RECORD *prepare_record = NULL;
 memset(&sr_data, 0, sizeof(tGATTS_DATA));
+ if (len < 2) {
+ GATT_TRACE_ERROR("%s: Prepare write request was invalid - missing offset, sending error response", __func__);
+ gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, op_code, handle, FALSE);
+ return;
+ }
 //get offset from p_data
 STREAM_TO_UINT16(offset, p);
 len -= 2;
diff --git a/components/bt/bluedroid/stack/include/btm_api.h b/components/bt/bluedroid/stack/include/btm_api.h
index 5f3d5e422..5a0d6fa46 100644
--- a/components/bt/bluedroid/stack/include/btm_api.h
+++ b/components/bt/bluedroid/stack/include/btm_api.h
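Review bot: `p_dev_rec->sec_flags = 0;` in the new BTM_SecClearSecurityFlags (btm_dev.c) clears every bit of the field, not only the pairing and encryption bits. If this tree still marks an allocated record with a bit in `sec_flags` (older Bluedroid used `BTM_SEC_IN_USE` for that and tested it in `btm_find_dev`), the record of a still-connected peer would look free after this call; please confirm, and if so preserve that bit, e.g. `p_dev_rec->sec_flags &= BTM_SEC_IN_USE;`. The `extern` on the definition is redundant, the early `return` lacks the braces used elsewhere in the patch, and the banner says "remove device" where "remote device" is meant (same text in the btm_api.h hunk).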
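Review bot: The new `if (len < 2)` guard in gatt_attr_process_prepare_write (gatt_sr.c) has no comment saying what the bare `2` protects. I would add above it `/* offset is a 2-byte field; without this check STREAM_TO_UINT16 reads past the PDU and len -= 2 wraps */`. That `len` is unsigned is inferred from the `UINT16` parameters in the truncated signature, not shown directly. The function body continues outside the hunk, so later reads from `p` that rely on the reduced `len` were not reviewed.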
@@ -3691,6 +3691,17 @@ UINT8 *BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len);
 //extern char *BTM_SecReadDevName (BD_ADDR bd_addr);
+/*******************************************************************************
+**
+** Function BTM_SecClearSecurityFlags
+**
+** Description Reset the security flags (mark as not-paired) for a given
+** remove device.
+**
+*******************************************************************************/
+extern void BTM_SecClearSecurityFlags (BD_ADDR bd_addr);
+
+
 /*****************************************************************************
 ** POWER MANAGEMENT FUNCTIONS
diff --git a/components/bt/bluedroid/stack/smp/smp_act.c b/components/bt/bluedroid/stack/smp/smp_act.c
index a3f0f9f0b..7dc09faeb 100644
--- a/components/bt/bluedroid/stack/smp/smp_act.c
+++ b/components/bt/bluedroid/stack/smp/smp_act.c
@@ -1362,8 +1362,6 @@ void smp_br_send_pair_response(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
 void smp_pairing_cmpl(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
 {
 if (p_cb->total_tx_unacked == 0) {
- /* update connection parameter to remote preferred */
- L2CA_EnableUpdateBleConnParams(p_cb->pairing_bda, TRUE);
 /* process the pairing complete */
 smp_proc_pairing_cmpl(p_cb);
 }
@@ -1401,7 +1399,10 @@ void smp_idle_terminate(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
 *******************************************************************************/
 void smp_fast_conn_param(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
 {
- /* disable connection parameter update */
+ /* Disable L2CAP connection parameter updates while bonding since
+ some peripherals are not able to revert to fast connection parameters
+ during the start of service discovery. Connection paramter updates
+ get enabled again once service discovery completes. */
 L2CA_EnableUpdateBleConnParams(p_cb->pairing_bda, FALSE);
 }
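Review bot: The banner for BTM_SecClearSecurityFlags in btm_api.h says the peer is marked as not-paired, but does not say what is left untouched. Going by the definition added in btm_dev.c in this patch, only `sec_flags`, `sec_state` and `sm4` are reset, stored keys are not erased, and the call does nothing when no record exists for the address. The header comment should state that, e.g. `** Does not delete stored keys; no-op if the device is unknown.`, so callers do not treat it as a full unpair.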
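Review bot: The rewritten comment in smp_fast_conn_param (smp_act.c) promises that connection parameter updates are enabled again once service discovery completes, but no line in this hunk does that, and the hunk above it removes the `L2CA_EnableUpdateBleConnParams(p_cb->pairing_bda, TRUE);` call from smp_pairing_cmpl. If a link pairs without the local GATT client ever finishing discovery (for example when this device only acts as a server), updates may stay disabled for the life of the connection; please name the function that re-enables them in the comment, or keep a fallback. "paramter" in the new comment should be "parameter".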