sock->id);
BTA_JvL2capClose(sock->handle);
btsock_l2cap_free_l(sock);
+ return;
}
}
}
device_map_[handle]->MessageReceived(label, Packet::Parse(pkt));
}
-void ConnectionHandler::SdpCb(const RawAddress& bdaddr, SdpCallback cb,
+void ConnectionHandler::SdpCb(RawAddress bdaddr, SdpCallback cb,
tSDP_DISCOVERY_DB* disc_db, bool retry,
uint16_t status) {
VLOG(1) << __PRETTY_FUNCTION__ << ": SDP lookup callback received";
using SdpCallback = base::Callback<void(uint16_t status, uint16_t version,
uint16_t features)>;
virtual bool SdpLookup(const RawAddress& bdaddr, SdpCallback cb, bool retry);
- void SdpCb(const RawAddress& bdaddr, SdpCallback cb,
+ void SdpCb(RawAddress bdaddr, SdpCallback cb,
tSDP_DISCOVERY_DB* disc_db, bool retry, uint16_t status);
virtual bool AvrcpConnect(bool initiator, const RawAddress& bdaddr);
static BT_HDR* avrc_copy_packet(BT_HDR* p_pkt, int rsp_pkt_len) {
const int offset = MAX(AVCT_MSG_OFFSET, p_pkt->offset);
const int pkt_len = MAX(rsp_pkt_len, p_pkt->len);
- BT_HDR* p_pkt_copy = (BT_HDR*)osi_malloc(BT_HDR_SIZE + offset + pkt_len);
+ BT_HDR* p_pkt_copy = (BT_HDR*)osi_calloc(BT_HDR_SIZE + offset + pkt_len);
/* Copy the packet header, set the new offset, and copy the payload */
memcpy(p_pkt_copy, p_pkt, BT_HDR_SIZE);
tAVRC_MSG_VENDOR* p_msg = &msg.vendor;
if (cr == AVCT_CMD && (p_pkt->layer_specific & AVCT_DATA_CTRL &&
- AVRC_PACKET_LEN < sizeof(p_pkt->len))) {
- /* Ignore the invalid AV/C command frame */
- p_drop_msg = "dropped - too long AV/C cmd frame size";
+ p_pkt->len > AVRC_PACKET_LEN)) {
+ android_errorWriteLog(0x534e4554, "177611958");
+ AVRC_TRACE_WARNING("%s: Command length %d too long: must be at most %d",
+ __func__, p_pkt->len, AVRC_PACKET_LEN);
osi_free(p_pkt);
return;
}
case AVRC_PDU_GET_ITEM_ATTRIBUTES: {
tAVRC_GET_ATTRS_RSP* get_attr_rsp = &(p_rsp->get_attrs);
get_attr_rsp->pdu = pdu;
+ min_len += 2;
+ if (pkt_len < min_len) {
+ android_errorWriteLog(0x534e4554, "179162665");
+ goto browse_length_error;
+ }
BE_STREAM_TO_UINT8(get_attr_rsp->status, p)
BE_STREAM_TO_UINT8(get_attr_rsp->num_attrs, p);
get_attr_rsp->p_attrs = (tAVRC_ATTR_ENTRY*)osi_malloc(
get_attr_rsp->num_attrs * sizeof(tAVRC_ATTR_ENTRY));
for (int i = 0; i < get_attr_rsp->num_attrs; i++) {
tAVRC_ATTR_ENTRY* attr_entry = &(get_attr_rsp->p_attrs[i]);
+ min_len += 8;
+ if (pkt_len < min_len) goto browse_length_error;
BE_STREAM_TO_UINT32(attr_entry->attr_id, p);
BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p);
BE_STREAM_TO_UINT16(attr_entry->name.str_len, p);
BE_STREAM_TO_UINT8(p_result->reg_notif.event_id, p);
BE_STREAM_TO_UINT32(p_result->reg_notif.param, p);
+
+ if (p_result->reg_notif.event_id == 0 ||
+ p_result->reg_notif.event_id > AVRC_NUM_NOTIF_EVENTS) {
+ android_errorWriteLog(0x534e4554, "181860042");
+ status = AVRC_STS_BAD_PARAM;
+ }
break;
default:
status = AVRC_STS_BAD_CMD;
VLOG(2) << __func__ << " BDA: " << p_bda
<< " state: " << btm_pair_state_descr(btm_cb.pairing_state);
+ RawAddress local_bd_addr = *controller_get_interface()->get_address();
+ if (p_bda == local_bd_addr) {
+ android_errorWriteLog(0x534e4554, "174626251");
+ btsnd_hcic_pin_code_neg_reply(p_bda);
+ return;
+ }
+
if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) {
if ((p_bda == btm_cb.pairing_bda) &&
(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE)) {
memcpy(pt.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
memcpy(pt.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
+ if (!memcmp(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, BT_OCTET32_LEN) &&
+ !memcmp(p_cb->peer_publ_key.y, p_cb->loc_publ_key.y, BT_OCTET32_LEN)) {
+ android_errorWriteLog(0x534e4554, "174886838");
+ SMP_TRACE_WARNING("Remote and local public keys can't match");
+ tSMP_INT_DATA smp;
+ smp.status = SMP_PAIR_AUTH_FAIL;
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp);
+ return;
+ }
+
if (!ECC_ValidatePoint(pt)) {
android_errorWriteLog(0x534e4554, "72377774");
tSMP_INT_DATA smp;
* limitations under the License.
*/
+#include <arpa/inet.h> // htons
#include <dlfcn.h>
#include <gtest/gtest.h>
EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
AVRC_STS_NO_ERROR);
}
+
+TEST_F(StackAvrcpTest, test_avrcp_pdu_register_notification) {
+ ASSERT_EQ(htons(0x500), 5);
+
+ struct {
+ uint8_t pdu;
+ uint8_t reserved;
+ uint16_t len;
+ struct {
+ uint8_t event_id;
+ uint32_t param;
+ } payload;
+ } data = {
+ AVRC_PDU_REGISTER_NOTIFICATION,
+ 0, // reserved
+ htons(sizeof(data.payload)),
+ .payload =
+ {
+ .event_id = 0,
+ .param = 0x1234,
+ },
+ };
+
+ tAVRC_MSG msg = {
+ .vendor =
+ {
+ .hdr =
+ {
+ .ctype = AVRC_CMD_NOTIF,
+ .opcode = AVRC_OP_VENDOR,
+ },
+ .p_vendor_data = (uint8_t*)&data,
+ .vendor_len = sizeof(data),
+ },
+ };
+ tAVRC_COMMAND result{};
+
+ // Run through all possible event ids
+ uint8_t id = 0;
+ do {
+ data.payload.event_id = id;
+ ASSERT_EQ((id == 0 || id > AVRC_NUM_NOTIF_EVENTS) ? AVRC_STS_BAD_PARAM
+ : AVRC_STS_NO_ERROR,
+ AVRC_Ctrl_ParsCommand(&msg, &result));
+ } while (++id != 0);
+}