OSDN Git Service
Hansong Zhang [Thu, 7 Jun 2018 23:11:27 +0000 (16:11 -0700)]
Add bound check for rfc_parse_data
Bug:
78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
Merged-In: I44349cd22c141483d01bce0f5a2131b727d0feb0
Jakub Pawlowski [Fri, 22 Jun 2018 09:57:19 +0000 (02:57 -0700)]
Fix out of bounds read in l2c_rcv_acl_data
Test: none
Bug:
80432895
Change-Id: I7807d00c02a84c545476e84bc1b71e0718df1f24
Merged-In: I7807d00c02a84c545476e84bc1b71e0718df1f24
Nitin Shivpure [Tue, 6 Feb 2018 12:48:37 +0000 (18:18 +0530)]
BLE: Don't access freed buffer in log message
When GATT fail to write data on L2CAP, buffer is freed by L2CAP.
Accessing the buffer leads to fatal failure while printing the message info.
Test: BLE discover services and BT off test cases
Fixes:
73018520
Change-Id: I661398fd1321f6e68026b3720db4965fd6584d70
Merged-In: I661398fd1321f6e68026b3720db4965fd6584d70
Jakub Pawlowski [Fri, 22 Jun 2018 05:56:11 +0000 (22:56 -0700)]
Add packet length checks in l2cble_process_sig_cmd
Bug:
80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
Merged-In: Icf55747dc948bcce140a12658237554938e2d717
TreeHugger Robot [Thu, 12 Jul 2018 22:17:26 +0000 (22:17 +0000)]
Merge "DO NOT MERGE HID Host: Check L2CAP packet data length" into mnc-dev
Jakub Pawlowski [Fri, 22 Jun 2018 11:46:39 +0000 (04:46 -0700)]
SDP: return error on offset bigger than atribute length
Test: none
Bug:
79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
Merged-In: I8b594882dd07644b1a747c53d6166db466b7e998
Hansong Zhang [Thu, 7 Jun 2018 21:02:30 +0000 (14:02 -0700)]
DO NOT MERGE HID Host: Check L2CAP packet data length
Bug:
80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
Ajay Panicker [Wed, 6 Jun 2018 21:29:59 +0000 (14:29 -0700)]
DO NOT MERGE: Don't reuse buffer when building response
Bug:
79541338
Test: Compile and connect to remote headset
Change-Id: I2c00660bb551bbac58df88d2df07c98a30871e58
Pavlin Radoslavov [Thu, 31 May 2018 17:23:02 +0000 (10:23 -0700)]
Add checks whether the AVDTP element data length is valid
Bug:
78288378
Test: Manual: Python script and extra logging
Change-Id: I576d798d8b566946a3f2d973cb9d4e8dbd22d09e
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
Jack He [Fri, 1 Jun 2018 21:00:42 +0000 (14:00 -0700)]
BNEP: Fix OOB access in bnep_data_ind
* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
is most likely triggered
Bug:
78286118
Bug:
79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
BNEP_EXTENSION_CONTROL packet
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit
3c799a6e25abdf6bacb660ff7a06338836cc7356)
akirilov [Fri, 27 Apr 2018 22:05:14 +0000 (15:05 -0700)]
Fixes two bluetooth bugs causing remote overreads (2/2)
Bug:
74075873
Test: manual
Change-Id: I28a78084a1ab451b407ee6e7a5495c1e43ed757b
Merged-In: I76058b11c90dc40b78f26fb64b74d609f3473f5d
Jakub Pawlowski [Tue, 29 May 2018 23:25:56 +0000 (16:25 -0700)]
Decrease length after reading from array in process_service_attr_req
Test: compilation
Bug:
78136677
Change-Id: I4807a350e2b4764a93f104ce88f23a957a7e85c0
Merged-In: I4807a350e2b4764a93f104ce88f23a957a7e85c0
Atanas Kirilov [Thu, 31 May 2018 22:04:35 +0000 (22:04 +0000)]
Merge "RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)" into mnc-dev
TreeHugger Robot [Thu, 31 May 2018 21:17:08 +0000 (21:17 +0000)]
Merge "DO NOT MERGE: SDP: Recalculate param_len after max_list_len" into mnc-dev
TreeHugger Robot [Thu, 31 May 2018 17:41:13 +0000 (17:41 +0000)]
Merge "DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_event" into mnc-dev
Myles Watson [Tue, 29 May 2018 23:55:58 +0000 (16:55 -0700)]
DO NOT MERGE: SDP: Recalculate param_len after max_list_len
Bug:
78136869
Test: manual connection to an A2DP device
Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
(cherry picked from commit
ef7dddabbd70222fa0fafc97e8562d977f550d26)
Hansong Zhang [Wed, 30 May 2018 00:35:01 +0000 (17:35 -0700)]
DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_event
Bug:
80145946
Test: manual
Change-Id: Ic83eaa4be868d5a345d80cd50a6915c0af719a53
Jakub Pawlowski [Wed, 23 May 2018 17:30:19 +0000 (10:30 -0700)]
GATT: Handle too short Error Response PDU
Since the spec is not clear what to do in this case, use one of
reserved error codes as a failure reason, and pass it to upper layers.
Bug:
79591688
Change-Id: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
Merged-In: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
Jakub Pawlowski [Thu, 24 May 2018 15:59:34 +0000 (08:59 -0700)]
Add PDU size checks in process_service_search_attr_rsp
Bug:
79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
akirilov [Fri, 27 Apr 2018 20:08:05 +0000 (13:08 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
Bug:
74075873
Test: manual test (poc in bug)
Change-Id: I4f8d2de2fef3f95f99bc2015f1118d6e70d3135b
Hansong Zhang [Thu, 26 Apr 2018 22:45:28 +0000 (15:45 -0700)]
DO NOT MERGE Prevent stack overflow in btif_storage
Bug:
73963551
Test: manual
Change-Id: I5f7a583aad150ebf9e3d492181d80ca935c8aa3f
Andre Eisenbach [Wed, 4 Apr 2018 20:38:38 +0000 (13:38 -0700)]
DO NOT MERGE SMP: Validate remote elliptic curve points
Fixes:
72377774
Test: net_test_stack_smp (where applicable)
Change-Id: Iefcf97364493467075fadefd77d12716f71cd4f6
(cherry picked from commit
9181ec28da94705a763edbe60bd2a87e5f882beb)
TreeHugger Robot [Fri, 13 Apr 2018 18:13:11 +0000 (18:13 +0000)]
Merge "DO NOT MERGE Fix OOB read in process_l2cap_cmd" into mnc-dev
Hansong Zhang [Thu, 12 Apr 2018 23:01:19 +0000 (16:01 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Bug:
74202041
Bug:
74196706
Bug:
74201143
Test: manual
Change-Id: Ic25f7f3777d0375f76cc91e4d129b1636f1c388d
Hansong Zhang [Thu, 12 Apr 2018 19:23:36 +0000 (12:23 -0700)]
DO NOT MERGE Add bounds check for BNEP_Write
Bug:
74947856
Test: manual
Change-Id: I19d9dee53b9cac800c66becef4861e4ad9602bdf
TreeHugger Robot [Wed, 11 Apr 2018 20:13:31 +0000 (20:13 +0000)]
Merge "DO NOT MERGE: PAN: Always allocate in bta_pan_data_buf_ind_cback" into mnc-dev
TreeHugger Robot [Wed, 11 Apr 2018 15:22:23 +0000 (15:22 +0000)]
Merge "DO NOT MERGE Handle bad packet length in gatts_process_read_req" into mnc-dev
TreeHugger Robot [Mon, 9 Apr 2018 20:41:56 +0000 (20:41 +0000)]
Merge "DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result" into mnc-dev
Stanley Tng [Thu, 5 Apr 2018 16:54:13 +0000 (09:54 -0700)]
DO NOT MERGE Handle bad packet length in gatts_process_read_req
Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Please note that there is another earlier CL that is reverted and this
is the updated one.
Bug:
73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit
cc9c7330d1c3507d745170ae7b2e0546197b7acb)
Myles Watson [Wed, 21 Mar 2018 23:45:32 +0000 (16:45 -0700)]
DO NOT MERGE: PAN: Always allocate in bta_pan_data_buf_ind_cback
Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free. Move the free call to pan_data_buf_ind_cb().
Free the buffer before every return in pan_data_buf_ind_cb.
Bug:
74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
(cherry picked from commit
2e0deb1d135805b37697f0e02a55269c6cc500fe)
Hansong Zhang [Mon, 2 Apr 2018 16:55:58 +0000 (09:55 -0700)]
DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result
Check the number of UUIDs from remote device
Bug:
74016921
Test: manual
Change-Id: I5d3a90bad63af5b22dd155f1d60869b8149d350c
Hansong Zhang [Fri, 30 Mar 2018 23:55:49 +0000 (16:55 -0700)]
DO NOT MERGE Fix unexpected behavior in smp_sm_event
Bug:
74121126
Test: manual
Change-Id: Ie5dd841d6461ad057c4ab572007f38c5446aba53
Hansong Zhang [Fri, 9 Feb 2018 22:21:09 +0000 (14:21 -0800)]
DO NOT MERGE Truncate new line characters when adding string to config
Bug:
70808273
Test: test with a device with newline character in name
Change-Id: Ie7e0b5d93047bc12a9cb84cc15f7f68f38f36441
Myles Watson [Fri, 12 Jan 2018 01:43:40 +0000 (17:43 -0800)]
DO NOT MERGE: SDP: Check p_req_end before reading from p_req
Bug:
69384124
Test: Connect a headset
Change-Id: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
TreeHugger Robot [Tue, 16 Jan 2018 17:46:17 +0000 (17:46 +0000)]
Merge "SDP: Pass the bounds to process_service_*_rsp" into mnc-dev
Ajay Panicker [Sat, 13 Jan 2018 01:29:51 +0000 (01:29 +0000)]
Merge "DO NOT MERGE: AVRCP: Check the number of text attributes requested" into mnc-dev
TreeHugger Robot [Sat, 13 Jan 2018 01:05:43 +0000 (01:05 +0000)]
Merge "DO NOT MERGE: AVRCP: Check the number of text value attributes requested" into mnc-dev
Myles Watson [Thu, 11 Jan 2018 22:20:26 +0000 (14:20 -0800)]
BNEP: Check received frame type
Bug:
68818034
Test: build
Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
Merged-In: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
TreeHugger Robot [Sat, 13 Jan 2018 00:38:16 +0000 (00:38 +0000)]
Merge "PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback" into mnc-dev
TreeHugger Robot [Fri, 12 Jan 2018 21:51:02 +0000 (21:51 +0000)]
Merge "DO NOT MERGE Remove memory reference to invalid mem in error log" into mnc-dev
Myles Watson [Thu, 11 Jan 2018 00:32:59 +0000 (16:32 -0800)]
SDP: Pass the bounds to process_service_*_rsp
Test: build
Bug:
68161546
Change-Id: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
Merged-In: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
Hansong Zhang [Fri, 12 Jan 2018 18:59:31 +0000 (18:59 +0000)]
Merge "DO NOT MERGE Fix unexpected behavior in reading BNEP packets" into mnc-dev
Hansong Zhang [Thu, 11 Jan 2018 00:59:48 +0000 (16:59 -0800)]
DO NOT MERGE Fix unexpected behavior in reading BNEP packets
Bug:
67863755
Bug:
69177251
Bug:
69177292
Bug:
69271284
Test: BNEP still works
Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372
Stanley Tng [Wed, 10 Jan 2018 21:13:15 +0000 (13:13 -0800)]
DO NOT MERGE Remove memory reference to invalid mem in error log
Remove the memory reference to an invalid memory inside an error log
message.
Test: Edit code to force the error condition and make sure the new error
log does not crashed.
Bug:
67058064
Merged-In: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
Change-Id: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
(cherry picked from commit
11cd7277a1d0da9013a8381cddbfc096e9adaed6)
Myles Watson [Wed, 10 Jan 2018 17:51:28 +0000 (09:51 -0800)]
PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
Patch from b/
67078939
Test: build
Bug:
67110692
Change-Id: I63b857d031c55d3a0754e4101e330843eb422b2a
Merged-In: I63b857d031c55d3a0754e4101e330843eb422b2a
Ajay Panicker [Thu, 11 Jan 2018 04:50:20 +0000 (20:50 -0800)]
DO NOT MERGE: AVRCP: Check the number of text value attributes requested
Test: Builds
Bug:
69479009
Change-Id: Ibd6a448eda65f857ddfacc1ee7ad1ead3b46fb8d
Ajay Panicker [Thu, 11 Jan 2018 00:34:50 +0000 (16:34 -0800)]
DO NOT MERGE: AVRCP: Check the number of text attributes requested
Test: Build
Bug:
69478941
Change-Id: Ic7e2632e5dab9031703b2bf8747e27f90f92f0e4
Hansong Zhang [Wed, 10 Jan 2018 03:36:46 +0000 (19:36 -0800)]
DO NOT MERGE Fix unexpected behavior in SDP
Bug:
68776054
Bug:
68817966
Test: Bluetooth SDP still works
Change-Id: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
Merged-In: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
Andre Eisenbach [Tue, 8 Aug 2017 23:51:12 +0000 (16:51 -0700)]
SDP: Bounds check 'id' parameter for free_sdp_slot()
Merged-In: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7
Test: manual
Fixes:
37502513
Change-Id: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7
(cherry picked from commit
b413f1b1365af4273647727e497848f95312d0ec)
TreeHugger Robot [Tue, 18 Jul 2017 18:46:45 +0000 (18:46 +0000)]
Merge "Add missing extension length check while parsing BNEP control packets" into mnc-dev
Pavlin Radoslavov [Tue, 18 Jul 2017 01:12:10 +0000 (18:12 -0700)]
Add missing extension length check while parsing BNEP control packets
Bug:
63146237
Test: External script
Change-Id: I4e519cec1c7dffb8bd42add00bd891e0969a3d9f
(cherry picked from commit
9ab89b7dbe5735b796799f65144efa48595d0230)
(cherry picked from commit
dc7700a43189d2a8607b69ae19a6d646f11ddf51)
(cherry picked from commit
c7874f25a0557ca4413d8db80bab8da842fc389a)
(cherry picked from commit
187bd8aec0aae63c6328981041e5ec7764ece6a9)
Pavlin Radoslavov [Tue, 18 Jul 2017 00:21:16 +0000 (17:21 -0700)]
Free p_pending_data from tBNEP_CONN to avoid potential memory leaks
Bug:
63146105
Test: External script
Change-Id: I1281779ccf38d1d2dfb1a6dc0e45c0e533cabbca
Merged-In: I1281779ccf38d1d2dfb1a6dc0e45c0e533cabbca
(cherry picked from commit
4982eb5df30cbcbee5c8b8807be95fdc6dfa63c5)
(cherry picked from commit
a654681c5558904a8abfa1bbab8eafb651c13231)
(cherry picked from commit
64a12d3b6e71d9161837f28ce18c34d924c2bafc)
TreeHugger Robot [Thu, 13 Jul 2017 19:09:02 +0000 (19:09 +0000)]
Merge "Add a missing check for PAN buffer size before copying data" into mnc-dev
TreeHugger Robot [Thu, 13 Jul 2017 18:05:30 +0000 (18:05 +0000)]
Merge "Add missing packet length checks while parsing BNEP control packets" into mnc-dev
TreeHugger Robot [Thu, 13 Jul 2017 18:05:09 +0000 (18:05 +0000)]
Merge "Add missing continuation offset check for SDP continuation requests" into mnc-dev
TreeHugger Robot [Thu, 13 Jul 2017 18:04:48 +0000 (18:04 +0000)]
Merge "Allocate buffers of the right size when BT_HDR is included" into mnc-dev
Pavlin Radoslavov [Thu, 13 Jul 2017 02:10:12 +0000 (19:10 -0700)]
Add missing packet length checks while parsing BNEP control packets
Bug:
63146237
Test: External script
Change-Id: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
Merged-In: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
(cherry picked from commit
7feaeb006941a1494d7cdc0a2ffc4bb1004b38b4)
(cherry picked from commit
6d415839da570b94b0763f6ab444f0dd1321fc33)
(cherry picked from commit
c68554feb3ddfd31cdec6d81a4b73a959c1b2a09)
(cherry picked from commit
3775b3c49e5d62349fd1f3dfb743fabadb43ea75)
Pavlin Radoslavov [Thu, 13 Jul 2017 01:56:03 +0000 (18:56 -0700)]
Add missing continuation offset check for SDP continuation requests
Bug:
63146698
Test: External script
Change-Id: Iea52f1689dc12bfe0d4b57996f17db4bc3bd5983
Merged-In: Iea52f1689dc12bfe0d4b57996f17db4bc3bd5983
(cherry picked from commit
e776c834768bedd043ace7e5714390b61c96a248)
(cherry picked from commit
10ce685cb025f6854be4ecc5329f2f684fd9ea5d)
Pavlin Radoslavov [Thu, 13 Jul 2017 01:39:31 +0000 (18:39 -0700)]
Disable PAN Reverse Tethering when connection originated by the Remote
* Check for valid interactions between the three PAN profile roles per
Table 1 in PAN Profile v1.0 spec.
* Explicitly disable connections to the local PANU if the remote is
not PANU.
Bug:
63145701
Test: External script
Change-Id: I29a7e404ba7e4453b6a7c59148a2b3eb7395303a
Merged-In: I29a7e404ba7e4453b6a7c59148a2b3eb7395303a
(cherry picked from commit
9aea2c2f92dd5245f6b35d564ce8e471fec2b4ec)
(cherry picked from commit
3f2ee5b546b65b5b021779588316249276ed3827)
(cherry picked from commit
40c7cefb12ac1a70bf7b1c770c1ab21a5b3f229e)
Pavlin Radoslavov [Thu, 13 Jul 2017 00:33:42 +0000 (17:33 -0700)]
Add a missing check for PAN buffer size before copying data
Bug:
63146237
Test: External script
Change-Id: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
Merged-In: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
(cherry picked from commit
1d909399cb4259243dac2e531e3ce6ca1afa77e7)
(cherry picked from commit
aa486ad8b5ad6eaef732e5fa7f151495c8c3faf2)
(cherry picked from commit
a8a6a17fdfc8d930ba4ad18f92cf4453cc1a219e)
Pavlin Radoslavov [Thu, 6 Jul 2017 20:39:02 +0000 (13:39 -0700)]
Allocate buffers of the right size when BT_HDR is included
Bug:
63146105
Test: External script
Change-Id: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
Merged-In: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
(cherry picked from commit
d88838a7237cd672d87b6b9cc8d56fff625fd1d5)
(cherry picked from commit
b648c7dfe45c57842d58576f558fdf8edff10bec)
Jack He [Thu, 6 Apr 2017 00:59:58 +0000 (17:59 -0700)]
Check LE advertising data length before caching advertising records
Bug:
33899337
Test: make, receive LE advertising
Change-Id: I06b249ac5cabdef64528deda07b8bae749e1d2fd
(cherry picked from commit
d57adbc350fdee4f27b82c9e39a14bd745d92320)
Pavlin Radoslavov [Wed, 8 Mar 2017 02:48:21 +0000 (18:48 -0800)]
Check the HCI length before extracting the L2CAP length and CID
Bug:
34946955
Test: A2DP streaming to a headset
Change-Id: I0b6f50dee05a58db8c043b4d01fb58c9acbeede9
(cherry picked from commit
ecc0835114cbae3033d8b0e25bd8b443880d5077)
Sharvil Nanavati [Tue, 21 Jun 2016 02:16:12 +0000 (19:16 -0700)]
DO NOT MERGE Fix potential DoS caused by delivering signal to BT process
Bug:
28885210
Change-Id: I63866d894bfca47464d6e42e3fb0357c4f94d360
Ajay Panicker [Tue, 24 May 2016 21:53:32 +0000 (21:53 +0000)]
Merge "Add guest mode functionality (2/3)" into mnc-dev
Marie Janssen [Thu, 12 May 2016 22:30:16 +0000 (15:30 -0700)]
DO NOT MERGE btif: check overflow on create_pbuf size
Bug:
27930580
Change-Id: Ieb1f23f9a8a937b21f7c5eca92da3b0b821400e6
Ajay Panicker [Fri, 18 Mar 2016 00:09:24 +0000 (17:09 -0700)]
Add guest mode functionality (2/3)
Add a flag to enable() to start Bluetooth in restricted
mode. In restricted mode, all devices that are paired during
restricted mode are deleted upon leaving restricted mode.
Right now restricted mode is only entered while a guest
user is active.
Bug:
27410683
Change-Id: I8f23d28ef0aa3a8df13d469c73005c8e1b894d19
Marie Janssen [Fri, 25 Mar 2016 20:37:13 +0000 (13:37 -0700)]
btif: Don't persist remote devices to the config
We don't need to persist the unpaired devices to NVRAM
so skip saving them.
This fixes a regression in a previous patch where the most recent
instead of the least recent devices would be removed, making some
devices unpairable in extremely busy environments.
This is a backport of http://r.android.com/210955 and
http://r.android.com/212838 together.
Bug:
26071376
Change-Id: If7ee9d960f70c836bf08b78da5f3fc852ba60a85
Marie Janssen [Wed, 9 Mar 2016 23:31:48 +0000 (15:31 -0800)]
DO NOT MERGE Check size of pin before replying
If a malicious client set a pin that was too long it would overflow
the pin code memory.
Bug:
27411268
Change-Id: I9197ac6fdaa92a4799dacb6364e04671a39450cc
Andre Eisenbach [Thu, 4 Feb 2016 21:19:32 +0000 (13:19 -0800)]
DO NOT MERGE Remove Porsche car-kit pairing workaround
Bug:
26551752
Change-Id: I14c5e3fcda0849874c8a94e48aeb7d09585617e1
Marie Janssen [Wed, 9 Dec 2015 18:08:25 +0000 (10:08 -0800)]
Fix crashes with lots of discovered LE devices
When loads of devices are discovered a config file which is too large
can be written out, which causes the BT daemon to crash on startup.
This limits the number of config entries for unpaired devices which
are initialized, and prevents a large number from being saved to the
filesystem.
Bug:
26071376
Change-Id: I4a74094f57a82b17f94e99a819974b8bc8082184
(cherry picked from commit
d77f1999ecece56c1cbb333f4ddc26f0b5bac2c5)
Pavlin Radoslavov [Thu, 24 Sep 2015 20:34:35 +0000 (13:34 -0700)]
Disable opening network debug ports for security reasons
By default, we open up to three TCP ports that are used
for debugging purpose:
* TCP port 8872 - used for forwarding btsnoop logs at real time
Note: the port is open only if "Bluetooth HCI snoop log" is enabled
in the Developer options
* TCP port 8873 - used for HCI debugging
* TCP port 8879 - used for debugging the Bluetooth counters
Those ports are disabled by default.
To enable, the following #define should be added at the top of the
corresponding file(s): btcore/src/counter.c hci/src/btsnoop_net.c
hci/src/hci_inject.c
#define BT_NET_DEBUG TRUE
Bug:
24371736
Change-Id: I5cb43af1a5d29c331eb5ef61a24dccbe95df6f40
Jacob Lee [Wed, 26 Aug 2015 06:43:59 +0000 (14:43 +0800)]
LE Multi-Advertising State Change Sub-event Wrong Variable Type
Wrong connection handle type in multi-adv event parsing,
causing random address (confirm value) mismatch and pairing failure.
Bug id:
23201007
Change-Id: I13ce231360937e711f61eb0777805b07bcde7074
Sunny Kapdi [Thu, 27 Aug 2015 07:37:31 +0000 (00:37 -0700)]
Fix incorrect SetConnScanParam function mapping
BTA_DM_API_BLE_CONN_SCAN_PARAM_EVT is defined before
BTA_DM_API_BLE_SCAN_PARAM_EVT in the enum but the corresponding
entries in bta_dm_action were inverted. This resulted in incorrect
invocation of set_conn_scan_params while trying to set parameters
for scanning. The call was hence failing here and was not
resulting in setting of the new scan parameters in the Controller
irrespective of the scan mode selected from the App. This would
essentially result in the breakage of ScanSettings.SCAN_MODE_<xx>
Android SDK APIs.
Bug:
23602042
Change-Id: I17e1b14a32250e3ccb7631a67690ec2e0a6bc321
Nitin Arora [Fri, 21 Aug 2015 19:34:14 +0000 (12:34 -0700)]
Fix memory corruption of BLE whitelist hashmap
When adding devices to the whitelist for LE background connections, a
local variable is used as the hashmap key, preventing any successful
lookups going forward. Thus the device will repeatedly add the same
device to the whitelist and preventing successful connections going
forward.
Bug:
23423602
Change-Id: I3d2590c0a1dd66c6e1864ea53f875a713660b645
Pavlin Radoslavov [Thu, 20 Aug 2015 23:53:16 +0000 (16:53 -0700)]
Check the return value when reading HCI type byte
Add missing return value check when reading the HCI type byte.
This check is needed as a safeguard. For example, function
event_uart_has_bytes() could be called (indirectly)
within the run_reactor() loop not only when there are bytes to read,
but also if there is an error (e.g., EPOLLHUP | EPOLLRDHUP | EPOLLERR).
Bug:
23105107
Change-Id: Ic3b6e4d656406949e384c8106b0c607f7c221759
Pavlin Radoslavov [Tue, 18 Aug 2015 01:54:22 +0000 (18:54 -0700)]
Disable remote TCP connections
For security reasons, TCP sockets now listen on the loopback
IPv4 address 127.0.0.1 for incoming TCP connections.
Bug:
23272146
Change-Id: I88523f643f305f2281740575d7011b6077bf0843
Iliyan Malchev [Fri, 14 Aug 2015 05:38:26 +0000 (05:38 +0000)]
Merge "[DS] BTM_VSC_CHIP_CAPABILITY_M_VERSION doesn't match" into mnc-dev
Satya Calloji [Fri, 7 Aug 2015 17:56:12 +0000 (10:56 -0700)]
Allocate large enough buffers when copying AVRC packets
AVRC response is created by copying the original received packet.
When allocating a buffer for the response, the buffer length
should be large enough to contain the response.
Bug:
22437809
Change-Id: I862d633e76d3c5221582459f19935a45e53577c7
Jacob Lee [Fri, 7 Aug 2015 03:17:28 +0000 (11:17 +0800)]
[DS] BTM_VSC_CHIP_CAPABILITY_M_VERSION doesn't match
In the document, the supported version is 96.
But, the defined supported version is 95 in the code.
The callback function btm_ble_vendor_capability_vsc_cmpl_cback
can not read number of track entries when it compare with 95
and supported version from firmware.
Bug:
22906552
Change-Id: I64e6f14f34ef3ed0ddc3fee2fad05eb03e5938f1
Signed-off-by: Jacob Lee <jacob.lee@mediatek.com>
Ajay Panicker [Tue, 28 Jul 2015 23:54:53 +0000 (16:54 -0700)]
Implement Bluetooth settings factory reset (3/5)
Implemented the factory reset function to be used to reset all bluetooth
settings on device to factory default
Bug:
16161518
Nitin Arora [Tue, 28 Jul 2015 23:00:55 +0000 (16:00 -0700)]
Add Dialog mouse & KB to blacklist for LE secure connections
This change allows the host to mask the Cross key bit in
the key distribution fields of the pairing request and
response while pairing with the Dialog keyboard and mouse
to prevent the remote from rejecting the DUT's pairing request.
Bug:
22799966
Change-Id: I89420e77875957c78e915c508de311d779fd03df
Pavlin Radoslavov [Tue, 4 Aug 2015 16:05:39 +0000 (09:05 -0700)]
Add an explicit check for AVRCP vendor data
Add an explicit check for AVRCP vendor data when parsing received vendor
commands or responses.
Bug:
21768387
Change-Id: I715de6fc7348d063c448971a8dae6dd1b00c7062
Pavlin Radoslavov [Tue, 4 Aug 2015 04:58:45 +0000 (21:58 -0700)]
Fix a crash for a race condition during Bluetooth shutdown
This is same race condition observed in btif_media_task_aa_tx_flush_req()
because btif_media_task_aa_tx_flush_req() and btif_media_task_stop_aa_req()
are called back-to-bach.
This race condition is triggered when A2DP audio is streaming on shutdown:
"btif_a2dp_on_stopped() -> btif_media_task_stop_aa_req()" is called
to stop the particular audio stream, and this happens right after
the "cleanup() -> btif_a2dp_stop_media_task()" processing during
the shutdown of the Bluetooth stack.
Bug:
22700411
Change-Id: Ia0c98d44a108cf0f57731ac8129e4d76c9934542
Sharvil Nanavati [Fri, 31 Jul 2015 21:22:08 +0000 (14:22 -0700)]
Fix CTS Verifier test for insecure RFCOMM connection.
Closing an RFCOMM server socket does not remove the corresponding
service record from the security database. However, the RFCOMM
channel becomes free for reuse. The next RFCOMM server socket will
therefore "inherit" the service record for the closed one if it
happens to reuse the same channel.
Bug:
22880207
Change-Id: Ida3fee49e5f40667d9992dc4c4442f9289adae9e
Pavlin Radoslavov [Wed, 29 Jul 2015 23:52:47 +0000 (16:52 -0700)]
Fix a NULL-pointer crash
It seems that the current implementation of btm_sec_encrypt_change()
does not handle the case when it is called with an invalid handle,
such as inside file btu_hcif.c :
case HCI_SET_CONN_ENCRYPTION:
/* Device refused to start encryption. ... */
btm_sec_encrypt_change(BTM_INVALID_HCI_HANDLE, ...)
Bug:
22791224
Change-Id: Ide9404d0c82819399cf258ae3f90c25b352f1e20
Andre Eisenbach [Wed, 29 Jul 2015 19:36:06 +0000 (12:36 -0700)]
Assign pseudo address for host-based RPA resolution matches
Bug:
21963935
Change-Id: Id72001ce17996ea04c3eba32cebcac4dbbe317bc
Andre Eisenbach [Wed, 29 Jul 2015 18:57:50 +0000 (11:57 -0700)]
Fix memory leak in A2DP event handler
btif_av_event_free_data() was not called in all states (idle state only)
leading to potential memory leaks.
Bug:
22822688
Change-Id: I40520c605c9a806e6cd5ee6e36c101d0aa8d4355
Nitin Arora [Thu, 2 Jul 2015 21:08:39 +0000 (14:08 -0700)]
Reset LE encryption key size at LE disconnection only
This change checks the transport type on receiving the disconnection
and resets the encryption key size only if the LE disconnection
has taken place.
This fixes the issue where read request to characteristics that
require encryption, fails after cross key derivation due to
disconnection of BR/EDR transport.
Bug:
22515016
Change-Id: If6aad91a628eabbb5a4b7f5c22812fe94d4c5db2
Anubhav Gupta [Tue, 28 Jul 2015 06:32:57 +0000 (12:02 +0530)]
Promote AVCTP version to 1.4
Promoting AVCTP version to 1.4 from 1.2 as Bluedroid stack
already has got support for the same.
Below changes are incorporated as part of this:
- AVCTP version in SDP entry is upgraded to 1.4 for both AVRCP
Target and controller role.
- Service class #1 is added in extra for AVRCP Controller SDP
entry to be in sync with AVCTP version change.
- Browsing support is not enabled as that needs corresponding
profile level implementation, which is currently unavailable.
Change-Id: I72f7f67eb0a789fd321e9468f2a51bb5e9385a89
Anubhav Gupta [Fri, 24 Jul 2015 17:14:00 +0000 (10:14 -0700)]
Fix a bug allocating buffers for fragmented AVRC packets
Use the correct offset_len when allocating buffers for AVRC
packets that need to be fragmented.
Bug:
22156175
Change-Id: I7db12474c84edacb4f0739d50a43e8cebdcca676
Amirhossein Simjour [Mon, 20 Jul 2015 18:29:19 +0000 (14:29 -0400)]
Fix for uhid_event size check
The uhid_event function used to expect that the return value of each
read function call to match with the size of the struct uhid_event.
Since the header file doesn't match the kernel driver, these two size
don't always match. The exact size check is replaced with expecting
the minimum required size.
Bug:
20108348
Change-Id: Ib61537092b109296f8290d802b68fc2efe78888c
Casper Bonde [Fri, 3 Oct 2014 08:01:36 +0000 (10:01 +0200)]
Unpair HID device cleanup
When unparing HID devices, the attr_mask was not cleared.
By not clearing this data, some HID device will never be able
to connect again. (E.g. the Apple Magic Mouse)
Bug:
15566403
Change-Id: Ic80909dcecdf48d967c1a936b31554653761fa42
Signed-off-by: Casper Bonde <c.bonde@samsung.com>
Pavlin Radoslavov [Sat, 25 Jul 2015 06:41:55 +0000 (23:41 -0700)]
Fix the logic for stopping the Power Management timers.
Previously, the logic for stopping the timers didn't take
into account whether each timer was already running.
Bug:
22666419
Change-Id: Ia99bf8be917e9ea69f478a954085336fc899040a
Andre Eisenbach [Wed, 22 Jul 2015 20:47:28 +0000 (13:47 -0700)]
Fix TX queue overflow detection
- Prevent possible endless loop if |nb_frame| is too high
- Remove off-by-one calculation before sending frames
- Remove log spam and add better debug info
Bug:
22658329
Change-Id: I374ee980aec48763beb49b4f6f8b076124cadf40
Pavlin Radoslavov [Thu, 23 Jul 2015 05:49:26 +0000 (22:49 -0700)]
Customize Bluetooth sniff interval
Fix an earlier commit that prevents from customizing some of
the Bluetooth sniff parameters - those cannot be overwritten
anymore in the bdroid_buildcfg.h file.
Also, fixed the indexing in tables bta_dm_pm_cfg[]
and bta_dm_pm_spec[]
Bug:
22676670
Change-Id: I3a7074b9a9c91d312dc5d4314b7c304baf4ae20d
Pavlin Radoslavov [Wed, 22 Jul 2015 01:09:19 +0000 (18:09 -0700)]
Fix a crash for a race condition during Bluetooth shutdown
This race condition is triggered when A2DP audio is streaming on shutdown:
"btif_a2dp_on_stopped() -> btif_media_task_aa_tx_flush_req()" is called
to stop the particular audio stream, and this happens right after
the "cleanup() -> btif_a2dp_stop_media_task()" processing during
the shutdown of the Bluetooth stack.
Bug:
22602117
Change-Id: I5de6a8f15b6a2771dde2e299a5b60554063696a2
Nitin Arora [Sat, 27 Jun 2015 01:09:37 +0000 (18:09 -0700)]
Update device type correctly in the NVRAM at inquiry result
This patch checks for the NVRAM data when inquiry result
is received from the remote device. In case the device is
marked as LE only or BR/EDR only, and inquiry result is
received from the alternate transport, the device type is
marked as Dual mode in the NVRAM
Bug:
22604450
Change-Id: Id925e8bad152a33c2bd3c371ca42a6f9c694e3b0
Nitin Arora [Sat, 18 Jul 2015 01:38:01 +0000 (18:38 -0700)]
Use pseudo address while re-pairing peripheral
In case of pairing to an already paired device (in an instance
where the central remote has removed the keys), the change
makes sure that the correct address is used when LTK key
request occurs at the peripheral.
Bug:
22605510
Change-Id: I959003f39f70281ff1e6af8d4c4549138bc1682c
Nitin Arora [Fri, 26 Jun 2015 01:30:09 +0000 (18:30 -0700)]
Adding transport type while initiating remote discovery
This change ensures that the completion of SMP pairing for LE
devices specifically requests remote device discovery based on
transport type set to LE to prevent initiation of BR/EDR
connection due to incorrect transport type info
Bug:
22515456
Change-Id: Id1e5603d3cc53ca3dff427b93059a00f8d9150a7