From 7c6d447938b5ae0402695783e50e6438008b5f4c Mon Sep 17 00:00:00 2001
From: wangmengyang
Date: Tue, 4 Sep 2018 20:09:07 +0800
Subject: [PATCH] component/bt: bugfix for incorrect length of HCI SCO packet size in HFP resulted from uninitialized data buffer length

---
 .../bt/bluedroid/bta/hf_client/bta_hf_client_sco.c | 9 ++++-----
 components/bt/bluedroid/stack/btm/btm_sco.c        | 5 +++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/components/bt/bluedroid/bta/hf_client/bta_hf_client_sco.c b/components/bt/bluedroid/bta/hf_client/bta_hf_client_sco.c
index 20b0cc785..4f1d7ab55 100644
--- a/components/bt/bluedroid/bta/hf_client/bta_hf_client_sco.c
+++ b/components/bt/bluedroid/bta/hf_client/bta_hf_client_sco.c
@@ -429,7 +429,6 @@ static void bta_hf_client_sco_event(UINT8 event)
     if (event == BTA_HF_CLIENT_SCO_CI_DATA_E) {
         uint16_t pkt_offset = 1 + HCI_SCO_PREAMBLE_SIZE;
         uint16_t len_to_send = 0;
-        uint8_t *p;
 
         while (true) {
             p_buf = osi_malloc(sizeof(BT_HDR) + pkt_offset + BTM_SCO_DATA_SIZE_MAX);
@@ -439,13 +438,13 @@ static void bta_hf_client_sco_event(UINT8 event)
             }
 
             p_buf->offset = pkt_offset;
+            p_buf->len = BTM_SCO_DATA_SIZE_MAX;
             len_to_send = bta_hf_client_sco_co_out_data(p_buf->data + pkt_offset, BTM_SCO_DATA_SIZE_MAX);
-            if (len_to_send) {
+            if (len_to_send == BTM_SCO_DATA_SIZE_MAX) {
+                // expect to get the exact size of data from upper layer
                 if (bta_hf_client_cb.scb.sco_state == BTA_HF_CLIENT_SCO_OPEN_ST) {
-                    p = (UINT8 *)(p_buf->data + pkt_offset -1);
-                    *p = len_to_send; // set SCO packet length;
                     tBTM_STATUS write_stat = BTM_WriteScoData(p_scb->sco_idx, p_buf);
-                    if (write_stat != BTM_SUCCESS && write_stat != BTM_SCO_BAD_LENGTH) {
+                    if (write_stat != BTM_SUCCESS) {
                         break;
                     }
                 } else {
diff --git a/components/bt/bluedroid/stack/btm/btm_sco.c b/components/bt/bluedroid/stack/btm/btm_sco.c
index 6b8a32bef..661caba63 100644
--- a/components/bt/bluedroid/stack/btm/btm_sco.c
+++ b/components/bt/bluedroid/stack/btm/btm_sco.c
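Review bot: Only `p_buf->len` and `p_buf->offset` are initialized on the freshly allocated BT_HDR, and the commit message attributes this bug to the allocation not being zeroed, so the remaining header fields (`event`, `layer_specific`) stay indeterminate on the same buffer; if anything further down the stack reads them, the same class of bug is still open, and a `memset(p_buf, 0, sizeof(BT_HDR));` after the allocation check (just above this hunk) would close it rather than this one instance. The new gate `len_to_send == BTM_SCO_DATA_SIZE_MAX` sends any chunk shorter than the maximum into the `else` branch, which lies outside the hunk; if that branch frees the buffer and breaks, a short final read is silently discarded, and the added comment should say so, e.g. `// only full-size frames are sent; a short read ends the burst and its bytes are dropped`. Setting `p_buf->len = len_to_send;` inside the equality branch, instead of the constant before the read, would keep the header tied to the bytes actually obtained. bta_hf_client_sco_event continues outside the hunk.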
@@ -431,12 +431,13 @@ tBTM_STATUS BTM_WriteScoData (UINT16 sco_inx, BT_HDR *p_buf)
         /* only sent the first BTM_SCO_DATA_SIZE_MAX bytes data if more than max,
            and set warning status */
         if (p_buf->len > BTM_SCO_DATA_SIZE_MAX) {
+            BTM_TRACE_WARNING ("BTM SCO hdl %x, bad len %u", p_ccb->hci_handle, p_buf->len);
             p_buf->len = BTM_SCO_DATA_SIZE_MAX;
             status = BTM_SCO_BAD_LENGTH;
         }
 
         UINT8_TO_STREAM (p, (UINT8)p_buf->len);
-        BTM_TRACE_DEBUG ("BTM SCO hdl %x, len %u", p_ccb->hci_handle, p_buf->len);
+
         p_buf->len += HCI_SCO_PREAMBLE_SIZE;
 
         if (fixed_queue_length(p_ccb->xmit_data_q) < BTM_SCO_XMIT_QUEUE_THRS) {
@@ -453,7 +454,7 @@ tBTM_STATUS BTM_WriteScoData (UINT16 sco_inx, BT_HDR *p_buf)
             status = BTM_UNKNOWN_ADDR;
         }
 
-        if (status != BTM_SUCCESS && status != BTM_SCO_BAD_LENGTH) {
+        if (status != BTM_SUCCESS) {
             BTM_TRACE_WARNING ("stat %d", status);
             osi_free(p_buf);
         }
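Review bot: The `BTM_SCO_BAD_LENGTH` branch here truncates `p_buf` and lets it continue to the header write and the xmit-queue check, while the second hunk (@@ -453) now frees `p_buf` for every status other than `BTM_SUCCESS`, so an oversized packet appears to be both handed to the queue and freed; the enqueue between the two hunks is not visible, but the exclusion the second hunk removes is hard to explain unless that path transfers ownership of the buffer, which would make this a double free or use-after-free when the queue drains. Either keep the exclusion, `if (status != BTM_SUCCESS && status != BTM_SCO_BAD_LENGTH) {`, or make the bad-length path terminal by freeing and returning before the header is written, so that a caller always knows whether it still owns the buffer. The HFP caller now guarantees an exact-size packet, so this path is unreachable from it, but BTM_WriteScoData is a public entry point and the ownership rule ("consumed on BTM_SUCCESS, freed on any other status") belongs in a comment on the function, whose header starts outside the hunk.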