BT: Fixed Static Analysis Issues
- This fix avoids NULL pointer dereferences,
array index out-of-bounds accesses
and a banned function in the bluedroid code
space of Bluetooth.
CRs-Fixed: 890309, 890321
Change-Id: I24ae794ee01b65b5ab15c73cd82677b0481910ad
diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c
index 0236baf..6bbfbe3 100644
--- a/btif/src/btif_dm.c
+++ b/btif/src/btif_dm.c
@@ -2208,14 +2208,14 @@
{
case BTA_DM_INQ_RES_EVT:
{
- if (p_data->inq_res.p_eir)
+ if ( p_data && p_data->inq_res.p_eir)
param_len += HCI_EXT_INQ_RESPONSE_LEN;
}
break;
case BTA_DM_DISC_RES_EVT:
{
- if (p_data->disc_res.raw_data_size && p_data->disc_res.p_raw_data)
+ if (p_data && p_data->disc_res.raw_data_size && p_data->disc_res.p_raw_data)
param_len += p_data->disc_res.raw_data_size;
}
break;
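Review bot: The new `p_data &&` guards are repeated per case inside the switch (L17, L24) and are written inconsistently (`if ( p_data &&` on L17 vs `if (p_data &&` on L24), which is the style point here: a single check at the top of the function, e.g. `if (p_data == NULL) return;` placed before `param_len` is computed, would cover every case at once and keep the case bodies as they were. As written, a NULL `p_data` still falls through each case with whatever base value `param_len` received above the hunk, so the per-case guards only protect the EIR/raw-data length additions, not the later use of the pointer. The enclosing function and the `param_len` initialisation start outside the hunk, so the right place for the early return cannot be confirmed from here.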
@@ -2223,7 +2223,7 @@
BTIF_TRACE_DEBUG("%s event=%s param_len=%d", __FUNCTION__, dump_dm_search_event(event), param_len);
/* if remote name is available in EIR, set teh flag so that stack doesnt trigger RNR */
- if (event == BTA_DM_INQ_RES_EVT)
+ if (p_data && event == BTA_DM_INQ_RES_EVT)
p_data->inq_res.remt_name_not_required = check_eir_remote_name(p_data, NULL, NULL);
btif_transfer_context (btif_dm_search_devices_evt , (UINT16) event, (void *)p_data, param_len,
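Review bot: The NULL guard on L32 protects only the `remt_name_not_required` assignment, while the very next statement (L34) still hands `p_data` to `btif_transfer_context` together with a non-zero `param_len` computed above, so if `p_data` can really be NULL this call presumably copies `param_len` bytes from address zero. If NULL is a genuine caller input, the guard belongs before the trace on L29 as an early return, `if (p_data == NULL) return;`; if it is not, the added checks only appease the analyzer and a comment stating that `p_data` is never NULL here would document the contract better than a partial guard. The trace on L29 also reads `param_len`, which is computed before this hunk, and the `btif_transfer_context` call continues past the hunk's last line.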
@@ -2249,7 +2249,7 @@
{
case BTA_DM_DISC_RES_EVT:
{
- if ((p_data->disc_res.result == BTA_SUCCESS) && (p_data->disc_res.num_uuids > 0)) {
+ if (( p_data && p_data->disc_res.result == BTA_SUCCESS) && (p_data->disc_res.num_uuids > 0)) {
param_len += (p_data->disc_res.num_uuids * MAX_UUID_SIZE);
}
} break;
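Review bot: The parenthesisation on L40 groups the NULL check with only the `result == BTA_SUCCESS` comparison, `(( p_data && ... == BTA_SUCCESS) && (p_data->disc_res.num_uuids > 0))`, so a reader has to rely on short-circuit evaluation to see that `num_uuids` is never read through a NULL pointer; it is correct, but the intent is clearer as `if (p_data && (p_data->disc_res.result == BTA_SUCCESS) && (p_data->disc_res.num_uuids > 0))`. The multiplication on L41, `num_uuids * MAX_UUID_SIZE`, is added into `param_len` without a bound; whether that can overflow depends on the width of `num_uuids` and `param_len`, neither of which is visible in the hunk, so this is worth a glance rather than a definite defect. The enclosing switch and function start outside the hunk.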
diff --git a/btif/src/btif_sock_thread.c b/btif/src/btif_sock_thread.c
index 5a0ba45..5dc0e30 100644
--- a/btif/src/btif_sock_thread.c
+++ b/btif/src/btif_sock_thread.c
@@ -591,7 +591,7 @@
ps_i, MAX_POLL, count, ts[h].poll_count);
return;
}
- if(ts[h].ps[ps_i].pfd.fd >= 0)
+ if(ts[h].ps[ps_i].pfd.fd >= 0 && pfd_i < MAX_POLL)
{
pfds[pfd_i] = ts[h].ps[ps_i].pfd;
ts[h].psi[pfd_i] = ps_i;
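Review bot: The added `pfd_i < MAX_POLL` condition on L53 turns an out-of-bounds write into a silent drop: a socket whose `pfd.fd >= 0` but which does not fit is simply never added to `pfds`/`psi` and so is never polled, with no trace and no error return, unlike the explicit check a few lines above (L49–L50) that traces and returns when the poll-set bookkeeping is inconsistent. A separate branch that reports the overflow the same way, e.g. `if (pfd_i >= MAX_POLL) { /* trace as on the lines above */ return; }`, before the existing `if (ts[h].ps[ps_i].pfd.fd >= 0)` would keep the bound while making the failure visible. This also presumes both `pfds` and `ts[h].psi` are sized `MAX_POLL`; their declarations are outside the hunk, as is the loop that increments `pfd_i`, so please confirm.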
diff --git a/btif/src/btif_storage.c b/btif/src/btif_storage.c
index 9603e11..aaab5d6 100644
--- a/btif/src/btif_storage.c
+++ b/btif/src/btif_storage.c
@@ -288,14 +288,15 @@
uint32_t i;
char buf[64];
value[0] = 0;
+ int size = sizeof(value);
for (i=0; i < (prop->len)/sizeof(bt_uuid_t); i++)
{
bt_uuid_t *p_uuid = (bt_uuid_t*)prop->val + i;
memset(buf, 0, sizeof(buf));
uuid_to_string_legacy(p_uuid, buf);
- strcat(value, buf);
+ strlcat(value, buf, size);
//strcat(value, ";");
- strcat(value, " ");
+ strlcat(value, " ", size);
}
btif_config_set_str(bdstr, BTIF_STORAGE_PATH_REMOTE_SERVICE, value);
/* save UUIDs immediately */
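Review bot: The `strlcat` return values on L72 and L75 are ignored, so once `value` fills up the remaining UUIDs (and possibly a partial one) are dropped without any indication, and L77 then persists the truncated list via `btif_config_set_str`; checking the result, e.g. `if (strlcat(value, buf, size) >= size) break;` (with the same check on the separator append), would at least stop appending and could trace the truncation. `size` on L65 is declared `int` to hold a `sizeof` result and passed to a `size_t` parameter — `size_t size = sizeof(value);` avoids the sign mismatch. Note that `value` is declared above the hunk; if it is an array this is correct, but if it is a pointer `sizeof(value)` is the pointer size and the bound is wrong, so please confirm its declaration. The enclosing function starts outside the hunk.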