diff --git a/components/bt/bluedroid/bta/gatt/bta_gattc_act.c b/components/bt/bluedroid/bta/gatt/bta_gattc_act.c index 5d30185b53..0c33b9f5f4 100644 --- a/components/bt/bluedroid/bta/gatt/bta_gattc_act.c +++ b/components/bt/bluedroid/bta/gatt/bta_gattc_act.c @@ -1149,12 +1149,16 @@ void bta_gattc_read_multi(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data) memset(&read_param, 0, sizeof(tGATT_READ_PARAM)); if (status == BTA_GATT_OK) { - read_param.read_multiple.num_handles = p_data->api_read_multi.num_attr; - read_param.read_multiple.auth_req = p_data->api_read_multi.auth_req; - memcpy(&read_param.read_multiple.handles, p_data->api_read_multi.handles, - sizeof(UINT16) * p_data->api_read_multi.num_attr); + if(p_data->api_read_multi.num_attr < GATT_MAX_READ_MULTI_HANDLES) { + read_param.read_multiple.num_handles = p_data->api_read_multi.num_attr; + read_param.read_multiple.auth_req = p_data->api_read_multi.auth_req; + memcpy(&read_param.read_multiple.handles, p_data->api_read_multi.handles, + sizeof(UINT16) * p_data->api_read_multi.num_attr); - status = GATTC_Read(p_clcb->bta_conn_id, GATT_READ_MULTIPLE, &read_param); + status = GATTC_Read(p_clcb->bta_conn_id, GATT_READ_MULTIPLE, &read_param); + } else { + status = GATT_ILLEGAL_PARAMETER; + } } /* read fail */ diff --git a/components/bt/bluedroid/stack/gatt/gatt_sr.c b/components/bt/bluedroid/stack/gatt/gatt_sr.c index 215c95e77d..4f29ddf9eb 100644 --- a/components/bt/bluedroid/stack/gatt/gatt_sr.c +++ b/components/bt/bluedroid/stack/gatt/gatt_sr.c @@ -527,6 +527,7 @@ void gatt_process_read_multi_req (tGATT_TCB *p_tcb, UINT8 op_code, UINT16 len, U if (ll != 0) { GATT_TRACE_ERROR("max attribute handle reached in ReadMultiple Request."); + err = GATT_INVALID_HANDLE; } if (p_tcb->sr_cmd.multi_req.num_handles == 0) {