From 945e4f71627fe29708a3362f6ba2b141470c40d3 Mon Sep 17 00:00:00 2001
From: gengyuchao
Date: Mon, 30 Dec 2019 17:16:38 +0800
Subject: [PATCH 1/2] bugfix:Fix length check for snprintf in osi config
---
 components/bt/common/osi/config.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/components/bt/common/osi/config.c b/components/bt/common/osi/config.c
index 89dbfa8612..bfc29493ab 100644
--- a/components/bt/common/osi/config.c
+++ b/components/bt/common/osi/config.c
@@ -409,6 +409,16 @@ bool config_save(const config_t *config, const char *filename)
 for (const list_node_t *node = list_begin(config->sections); node != list_end(config->sections); node = list_next(node)) {
 const section_t *section = (const section_t *)list_node(node);
 w_cnt = snprintf(line, 1024, "[%s]\n", section->name);
+ if(w_cnt < 0) {
+ OSI_TRACE_ERROR("snprintf error w_cnt %d.",w_cnt);
+ err_code |= 0x10;
+ goto error;
+ }
+ if(w_cnt_total + w_cnt > config_size + 100) {
+ OSI_TRACE_ERROR("%s, memcpy size (w_cnt + w_cnt_total = %d) is larger than buffer size (config_size = %d).", __func__, (w_cnt + w_cnt_total),config_size);
+ err_code |= 0x20;
+ goto error;
+ }
 OSI_TRACE_DEBUG("section name: %s, w_cnt + w_cnt_total = %d\n", section->name, w_cnt + w_cnt_total);
 memcpy(buf + w_cnt_total, line, w_cnt);
 w_cnt_total += w_cnt;
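Review bot: The new guard after `snprintf(line, 1024, "[%s]\n", section->name)` rejects only a negative return, but snprintf reports the length it would have written, so a section name that does not fit leaves `w_cnt >= 1024` while `line` holds a truncated string. The following `memcpy(buf + w_cnt_total, line, w_cnt)` would then read past the formatted data in `line` (its allocation is outside the hunk; the 1024 size argument suggests that is its length). Treat truncation as an error in the same guard: `if (w_cnt < 0 || w_cnt >= 1024) {`. The entry loop in the `@@ -417,13 +427,18 @@` hunk has the same gap after its snprintf call.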
@@ -417,13 +427,18 @@ bool config_save(const config_t *config, const char *filename)
 const entry_t *entry = (const entry_t *)list_node(enode);
 OSI_TRACE_DEBUG("(key, val): (%s, %s)\n", entry->key, entry->value);
 w_cnt = snprintf(line, 1024, "%s = %s\n", entry->key, entry->value);
- OSI_TRACE_DEBUG("%s, w_cnt + w_cnt_total = %d", __func__, w_cnt + w_cnt_total);
- if(w_cnt_total + w_cnt < config_size + 100 ) {
- memcpy(buf + w_cnt_total, line, w_cnt);
- } else {
- OSI_TRACE_ERROR("%s, memcpy size (w_cnt + w_cnt_total = %d) is larger than buffer size.", __func__, w_cnt + w_cnt_total);
+ if(w_cnt < 0) {
+ OSI_TRACE_ERROR("snprintf error w_cnt %d.",w_cnt);
+ err_code |= 0x10;
+ goto error;
 }
-
+ if(w_cnt_total + w_cnt > config_size + 100) {
+ OSI_TRACE_ERROR("%s, memcpy size (w_cnt + w_cnt_total = %d) is larger than buffer size.(config_size = %d)", __func__, w_cnt + w_cnt_total,config_size);
+ err_code |= 0x20;
+ goto error;
+ }
+ OSI_TRACE_DEBUG("%s, w_cnt + w_cnt_total = %d", __func__, w_cnt + w_cnt_total);
+ memcpy(buf + w_cnt_total, line, w_cnt);
 w_cnt_total += w_cnt;
 }
 
From 8a687d46ad99efb727f6e22866128e0135ef30a7 Mon Sep 17 00:00:00 2001
From: gengyuchao
Date: Thu, 9 Jan 2020 21:12:25 +0800
Subject: [PATCH 2/2] reduce useless calloc size
---
 components/bt/common/osi/config.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/components/bt/common/osi/config.c b/components/bt/common/osi/config.c
index bfc29493ab..2174fa7dfa 100644
--- a/components/bt/common/osi/config.c
+++ b/components/bt/common/osi/config.c
@@ -389,7 +389,7 @@ bool config_save(const config_t *config, const char *filename)
 const size_t keyname_bufsz = sizeof(CONFIG_KEY) + 5 + 1; // including log10(sizeof(i))
 char *keyname = osi_calloc(keyname_bufsz);
 int config_size = get_config_size(config);
- char *buf = osi_calloc(config_size + 100);
+ char *buf = osi_calloc(config_size);
 if (!line || !buf || !keyname) {
 err_code |= 0x01;
 goto error;
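Review bot: The error bits `0x10` and `0x20` set on the new failure paths of the entry loop are bare literals with no visible definition, and the first hunk of this patch uses the same two values. Someone reading a logged err_code cannot map it back to a cause without reading the whole function. A short comment at the first use would help, for example `/* err_code bits: 0x10 = snprintf failed, 0x20 = write would exceed buf */`, unless the rest of config_save (outside the hunk) already documents them.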
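Review bot: `osi_calloc(config_size)` in the `@@ -389,7 +389,7 @@` hunk leaves buf with no slack, so config_save is now correct only if get_config_size() counts every byte the function stores. The bounds checks tightened later in this patch cover the two memcpy calls; any other store into buf (the rest of the function is outside these hunks) would need the same check against config_size. It is worth recording that next to the allocation: `/* buf is exactly config_size bytes: every write into it must be checked against config_size */`.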
@@ -414,8 +414,8 @@ bool config_save(const config_t *config, const char *filename)
 err_code |= 0x10;
 goto error;
 }
- if(w_cnt_total + w_cnt > config_size + 100) {
- OSI_TRACE_ERROR("%s, memcpy size (w_cnt + w_cnt_total = %d) is larger than buffer size (config_size = %d).", __func__, (w_cnt + w_cnt_total),config_size);
+ if(w_cnt_total + w_cnt > config_size) {
+ OSI_TRACE_ERROR("%s, memcpy size (w_cnt + w_cnt_total = %d) is larger than buffer size (config_size = %d).", __func__, (w_cnt + w_cnt_total), config_size);
 err_code |= 0x20;
 goto error;
 }
@@ -432,8 +432,8 @@ bool config_save(const config_t *config, const char *filename)
 err_code |= 0x10;
 goto error;
 }
- if(w_cnt_total + w_cnt > config_size + 100) {
- OSI_TRACE_ERROR("%s, memcpy size (w_cnt + w_cnt_total = %d) is larger than buffer size.(config_size = %d)", __func__, w_cnt + w_cnt_total,config_size);
+ if(w_cnt_total + w_cnt > config_size) {
+ OSI_TRACE_ERROR("%s, memcpy size (w_cnt + w_cnt_total = %d) is larger than buffer size.(config_size = %d)", __func__, (w_cnt + w_cnt_total), config_size);
 err_code |= 0x20;
 goto error;
 }
@@ -544,7 +544,7 @@ static void config_parse(nvs_handle_t fp, config_t *config)
 const size_t keyname_bufsz = sizeof(CONFIG_KEY) + 5 + 1; // including log10(sizeof(i))
 char *keyname = osi_calloc(keyname_bufsz);
 int buf_size = get_config_size_from_flash(fp);
- char *buf = osi_calloc(buf_size + 100);
+ char *buf = osi_calloc(buf_size);
 if (!line || !section || !buf || !keyname) {
 err_code |= 0x01;
 goto error;
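Review bot: In the config_parse hunk (`@@ -544,7 +544,7 @@`), `osi_calloc(buf_size)` removes the zeroed bytes that used to follow the data read from flash. If the parsing code (outside this hunk) walks buf with string functions or otherwise relies on a terminating NUL, a blob that fills the buffer exactly is no longer terminated and the scan could run past the allocation. Unless the parser is strictly length-bounded, keep one byte of zeroed slack: `char *buf = osi_calloc(buf_size + 1);`. buf_size is also a signed int derived from stored data, and a non-positive value is not rejected before the allocation in the visible lines.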