diff --git a/android/hal-gatt.c b/android/hal-gatt.c
index b4512d4..b928d64 100644
--- a/android/hal-gatt.c
+++ b/android/hal-gatt.c
#include <stdbool.h>
#include <string.h>
+#include <stdlib.h>
#include "hal-log.h"
#include "hal.h"
{
struct hal_ev_gatt_client_scan_result *ev = buf;
+ if (len != sizeof(*ev) + ev->len ) {
+ error("gatt: invalid scan result event, aborting");
+ exit(EXIT_FAILURE);
+ }
+
if (cbs->client->scan_result_cb)
cbs->client->scan_result_cb((bt_bdaddr_t *) ev->bda, ev->rssi,
ev->adv_data);
struct hal_ev_gatt_client_notify *ev = buf;
btgatt_notify_params_t params;
+ if (len != sizeof(*ev) + ev->len ) {
+ error("gatt: invalid notify event, aborting");
+ exit(EXIT_FAILURE);
+ }
+
memset(¶ms, 0, sizeof(params));
memcpy(params.value, ev->value, ev->len);
memcpy(¶ms.bda, ev->bda, sizeof(params.bda));
struct hal_ev_gatt_client_read_characteristic *ev = buf;
btgatt_read_params_t params;
+ if (len != sizeof(*ev) + ev->data.len ) {
+ error("gatt: invalid read characteristic event, aborting");
+ exit(EXIT_FAILURE);
+ }
+
memset(¶ms, 0, sizeof(params));
srvc_id_from_hal(¶ms.srvc_id, &ev->data.srvc_id);
struct hal_ev_gatt_client_read_descriptor *ev = buf;
btgatt_read_params_t params;
+ if (len != sizeof(*ev) + ev->data.len ) {
+ error("gatt: invalid read descriptor event, aborting");
+ exit(EXIT_FAILURE);
+ }
+
memset(¶ms, 0, sizeof(params));
srvc_id_from_hal(¶ms.srvc_id, &ev->data.srvc_id);
{
struct hal_ev_gatt_server_request_write *ev = buf;
+ if (len != sizeof(*ev) + ev->length ) {
+ error("gatt: invalid request write event, aborting");
+ exit(EXIT_FAILURE);
+ }
+
if (cbs->server->request_write_cb)
cbs->server->request_write_cb(ev->conn_id, ev->trans_id,
(bt_bdaddr_t *) ev->bdaddr,