From 47f6853fa28381b852490823e01305746a49c89d Mon Sep 17 00:00:00 2001
From: Andrei Emeltchenko
Date: Fri, 7 Feb 2014 14:11:16 +0200
Subject: [PATCH] android/avdtp: Fix passing NULL pointer to memcpy

send_request can be called as send_request(session, FALSE, NULL, AVDTP_DISCOVER, NULL, 0) with NULL pointer which is passed to memcpy().
---
 android/avdtp.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/android/avdtp.c b/android/avdtp.c
index 2629e6729..ed95ad7e5 100644
--- a/android/avdtp.c
+++ b/android/avdtp.c
@@ -2340,6 +2340,11 @@ static int send_request(struct avdtp *session, gboolean priority,
 {
 	struct pending_req *req;
 
+	if (size > 0 && !buffer) {
+		DBG("Invalid buffer %p", buffer);
+		return -EINVAL;
+	}
+
 	if (stream && stream->abort_int && signal_id != AVDTP_ABORT) {
 		DBG("Unable to send requests while aborting");
 		return -EINVAL;
@@ -2347,11 +2352,14 @@ static int send_request(struct avdtp *session, gboolean priority,
 	req = g_new0(struct pending_req, 1);
 
 	req->signal_id = signal_id;
-	req->data = g_malloc(size);
-	memcpy(req->data, buffer, size);
 	req->data_size = size;
 	req->stream = stream;
 
+	if (size > 0) {
+		req->data = g_malloc(size);
+		memcpy(req->data, buffer, size);
+	}
+
 	return send_req(session, priority, req);
 }
 
-- 
2.47.3
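Review bot: The new `size > 0 && !buffer` guard in the first hunk encodes a contract of send_request that is nowhere stated: a NULL buffer is acceptable only for an empty payload. That contract is worth a one-line comment on the guard so later callers do not assume NULL is always tolerated, e.g. `/* NULL buffer is only valid for an empty payload (size == 0) */`. Note that memcpy() with a NULL source is undefined even when size is 0, so the size check alone would not have been enough; the guard plus the second hunk's `if (size > 0)` is what actually removes the call. send_request's signature and the rest of its body lie outside this hunk.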
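Review bot: After this change req->data is left at the NULL that g_new0() provides whenever size is 0, so every consumer of struct pending_req must now treat data == NULL together with data_size == 0 as a valid, empty request rather than an error. I cannot see those consumers from this hunk; if any of them reads req->data without first checking data_size it should gain that guard in the same commit. A short comment next to the new block would make the invariant explicit, e.g. `/* req->data stays NULL (from g_new0) for an empty payload */`. The function continues past the end of the hunk.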