OSDN Git Service
TreeHugger Robot [Tue, 4 Jun 2019 16:39:19 +0000 (16:39 +0000)]
Merge "DO NOT MERGE Separate SDP procedure from bonding state (1/2)" into nyc-dev
Martin Brabham [Wed, 29 May 2019 19:16:59 +0000 (12:16 -0700)]
DO NOT MERGE: btif: require pairing dialog for JustWorks SSP
Bug:
110433804
Test: Manual; atest net_test_bluetooth
Change-Id: I84d50604dee67a01855228c72bb7e8d484de951c
Ugo Yu [Thu, 23 May 2019 13:05:49 +0000 (21:05 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)
- Do not stay in bonding state if the device is paried but still
discovering service.
- Report BOND_BONDED to Java after authentication for a classic
Bluetooth device is completed.
- Send BONDING event to Java when static identity address is
first obtained during crosskey pairing
- Send BONDING event to Java for the initial random address
before send BONDED event
- Do not send bond event for static identity address when SDP is done.
- Make sure pairing control block always get cleaned up when both SDP
and pairing are done
- Send empty UUIDs to Java layer to unblock bonding intent broadcast
when SDP fails
Bug:
79703832
Test: runtest bluetooth, regression test
Change-Id: Ia50c42bbd7614ea13c7dd90dcfc7224f4681f479
Jakub Pawlowski [Fri, 24 May 2019 20:01:09 +0000 (22:01 +0200)]
DO NOT MERGE Send HCI Read Encryption Key properly
This patch fixes bad HCI command being send instead of Read Encryption
Key Size.
Bug:
124301137
Test: pair and connect with Bluetooth headset
Change-Id: If325ef2771ca1546ae58df7c684f66ae537b8573
TreeHugger Robot [Thu, 9 May 2019 18:49:48 +0000 (18:49 +0000)]
Merge "Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"" into nyc-dev
Ted Wang [Mon, 29 Apr 2019 02:11:04 +0000 (10:11 +0800)]
DO NOT MERGE Fix potential OOB read in sdpu_get_len_from_type
Add boundary check in sdpu_get_len_from_type to prevent potential OOB read.
Bug:
117105007
Test: Manul
Merged-In: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
Change-Id: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
Myles Watson [Wed, 1 May 2019 18:28:13 +0000 (18:28 +0000)]
Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"
This reverts commit
edd7e731edad067fe08b0623be6b2745bf81a445.
Bug:
79703832
Bug:
130553855
Reason for revert: Regression with cross-key pairing
Change-Id: I78f523b930d1433e39fc900d703f2317518a8b39
Jakub Pawlowski [Mon, 11 Mar 2019 18:22:01 +0000 (19:22 +0100)]
DO NOT MERGE Don't persist bonds using sample LTK
Test: compilation, manual testing
Bug:
128843052
Change-Id: I52fd484d42bf87e96dbc9e6456090f231ed48111
Jakub Pawlowski [Thu, 14 Feb 2019 11:44:06 +0000 (12:44 +0100)]
DO NOT MERGE Drop Bluetooth connection with weak encryption key
This patch requires Bluetooth chip to support HCI Read Encryption Key Size
command and will cause Bluetooth to crash if this command is not supported
on a device. Such device should not take this patch and should look for
alternative solution to drop Bluetooth connection with weak encryption key.
Bug:
124301137
Change-Id: Id4b6b4e765628397a79e6806f45c2cd27acebd5b
TreeHugger Robot [Thu, 7 Mar 2019 23:04:58 +0000 (23:04 +0000)]
Merge "DO NOT MERGE Fix length for L2CAP config type EXT FLOW" into nyc-dev
Hansong Zhang [Thu, 7 Mar 2019 18:50:04 +0000 (10:50 -0800)]
DO NOT MERGE Fix length for L2CAP config type EXT FLOW
Bug:
119870451
Test: POC
Change-Id: I11041dd03caad5569e930ff36b50fc9c2719c57f
TreeHugger Robot [Fri, 8 Feb 2019 07:54:10 +0000 (07:54 +0000)]
Merge "DO NOT MERGE Separate SDP procedure from bonding state (1/2)" into nyc-dev
TreeHugger Robot [Thu, 7 Feb 2019 21:07:56 +0000 (21:07 +0000)]
Merge "DO NOT MERGE btm_proc_smp_cback: Don't access p_dev_rec if freed" into nyc-dev
TreeHugger Robot [Sat, 2 Feb 2019 07:52:13 +0000 (07:52 +0000)]
Merge "DO NOT MERGE process_l2cap_cmd: Fix OOB" into nyc-dev
Hansong Zhang [Tue, 22 Jan 2019 21:46:47 +0000 (13:46 -0800)]
DO NOT MERGE btm_proc_smp_cback: Don't access p_dev_rec if freed
In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free
Bug:
120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: I09aa1cf1d1c835146b62d0f4989aeedfb885d95b
Hansong Zhang [Fri, 18 Jan 2019 19:51:00 +0000 (11:51 -0800)]
DO NOT MERGE process_l2cap_cmd: Fix OOB
Bug:
119870451
Test: POC
Change-Id: Ieef322a3ad4cebcaf40e5388584d3a04a4761d2e
Stanley Tng [Tue, 11 Dec 2018 22:45:13 +0000 (14:45 -0800)]
DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu
Add check to make sure that data buffer is big enough to read the 2
bytes for length.
Also, fix a regression from the previous CL that checks the buffer length
before doing a memcpy. The previous check is too strict causing valid
sized buffers to be rejected. The length check is incorrect and off by the header size.
Bug:
120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
(cherry picked from commit
fcb1994de1f6ee34b8dc6804a2b32e20bf138073)
(cherry picked from commit
1f1d8b97d80d25023c4c7b04d2aa18d367f4158d)
(cherry picked from commit
6b2739f309f7719086eb8201b3e1a35ba60035f4)
Jakub Pawlowski [Tue, 27 Nov 2018 16:59:57 +0000 (17:59 +0100)]
Fix buffer overflow in btif_dm_data_copy
When we use a union, we should always define variables as the union type,
not as one of the field subtypes. If the latter is cast to the union type,
buffer overflow can happen.
Bug:
110166268
Test: compilation
Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd
Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd
Jakub Pawlowski [Tue, 20 Nov 2018 21:31:31 +0000 (22:31 +0100)]
Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
Bug:
116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
Merged-In: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
Ugo Yu [Tue, 30 Oct 2018 07:10:35 +0000 (15:10 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)
- Do not stay in bonding state if the device is paried but still
discovering service.
- Report BOND_BONDED to Java after authentication is completed.
- Report empty UUID to Java if a classic Bluetooth device SDP
failed while pairing.
- Hold BOND_BONDED intent util SDP is findished.
- Only accept profile connection for the device is at bonded
state. Any attempt to connect while bonding would potentially
lead to an unauthorized connection.
Bug:
79703832
Test: runtest bluetooth, regression test.
Change-Id: I023713e07308bfc0e5bb8d67f386bcc50f6a0f85
(cherry picked from commit
122e115b87fe98ca5e5e65b9765c146f9e52b65e)
Hansong Zhang [Mon, 5 Nov 2018 18:03:36 +0000 (18:03 +0000)]
Merge "DO NOT MERGE HFP: Check AT command buffer boundary during parsing" into nyc-dev
TreeHugger Robot [Mon, 5 Nov 2018 17:16:34 +0000 (17:16 +0000)]
Merge "DO NOT MERGE: HH: Check parameter length in bta_hh_ctrl_dat_act" into nyc-dev
TreeHugger Robot [Fri, 2 Nov 2018 22:47:59 +0000 (22:47 +0000)]
Merge "DO NOT MERGE: SDP: Check p_end in save_attr_seq and add_attr" into nyc-dev
TreeHugger Robot [Fri, 2 Nov 2018 22:43:43 +0000 (22:43 +0000)]
Merge "DO NOT MERGE: MCAP: Check response length in mca_ccb_hdl_rsp" into nyc-dev
Chienyuan [Thu, 11 Oct 2018 02:36:57 +0000 (10:36 +0800)]
DO NOT MERGE HFP: Check AT command buffer boundary during parsing
* add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback
and bta_ag_at_hfp_cback to indicate effective data range of p_arg
* add checks for buffer copy overflow in bta_ag_at_hsp_cback and
bta_ag_at_hfp_cback
* add packet legnth checks with p_end in bta_ag_parse_cmer
* add packet length checks with p_end in bta_ag_parse_bac
Bug:
112860487
Test: manual
Change-Id: Idbfa2b8bd4c1a0aeeacfe34349851b3bc8de7c69
Merged-In: Idbfa2b8bd4c1a0aeeacfe34349851b3bc8de7c69
(cherry picked from commit
5b1ef1038e3f4e4371c3d6718bf0f684be65eb2b)
Myles Watson [Thu, 25 Oct 2018 00:05:12 +0000 (17:05 -0700)]
DO NOT MERGE: SDP: Check p_end in save_attr_seq and add_attr
Bug:
115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
Myles Watson [Thu, 25 Oct 2018 22:27:03 +0000 (15:27 -0700)]
DO NOT MERGE: MCAP: Check response length in mca_ccb_hdl_rsp
Bug:
116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
Myles Watson [Thu, 25 Oct 2018 21:33:33 +0000 (14:33 -0700)]
DO NOT MERGE: HH: Check parameter length in bta_hh_ctrl_dat_act
Bug:
116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
Ugo Yu [Mon, 29 Oct 2018 17:57:06 +0000 (01:57 +0800)]
DO NOT MERGE: Fix possible OOB when AVDT data channel recive ACL data
Bug:
111450156
Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit
b0125caafec2183d73fc899ce5a8aee43a6e54af)
Jakub Pawlowski [Wed, 10 Oct 2018 18:07:12 +0000 (20:07 +0200)]
Fix possible OOB read in process_service_search_rsp
Bug:
74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
Merged-In: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
Ugo Yu [Tue, 18 Sep 2018 12:49:22 +0000 (20:49 +0800)]
DO NOT MERGE - Check SDU lower bound before allocate p_data
Bug:
112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
TreeHugger Robot [Fri, 7 Sep 2018 16:16:19 +0000 (16:16 +0000)]
Merge "DO NOT MERGE - Check data length when parsing AVRCP vendor specific command responses" into nyc-dev
Pavlin Radoslavov [Thu, 6 Sep 2018 22:41:27 +0000 (15:41 -0700)]
DO NOT MERGE - Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()
Bug:
111450417
Test: PoC test program
Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
(cherry picked from commit
2692408d05bf16738284b61833649cee5d2a2233)
Pavlin Radoslavov [Thu, 6 Sep 2018 01:21:31 +0000 (18:21 -0700)]
DO NOT MERGE - Check data length when parsing AVRCP vendor specific command responses
Bug:
111450531
Bug:
111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit
7439ea940354f65a147c4ecfce3bada49c688047)
TreeHugger Robot [Fri, 10 Aug 2018 23:13:53 +0000 (23:13 +0000)]
Merge "Checks the SMP length to fix OOB read" into nyc-dev
TreeHugger Robot [Fri, 10 Aug 2018 20:55:20 +0000 (20:55 +0000)]
Merge "DO NOT MERGE Add packet length check in smp_proc_master_id" into nyc-dev
TreeHugger Robot [Fri, 10 Aug 2018 20:06:42 +0000 (20:06 +0000)]
Merge "DO NOT MERGE: Add missing AVRCP message length checks inside avrc_msg_cback" into nyc-dev
TreeHugger Robot [Fri, 10 Aug 2018 19:52:34 +0000 (19:52 +0000)]
Merge "DO NOT MERGE Check packet length in bta_av_proc_meta_cmd" into nyc-dev
TreeHugger Robot [Fri, 10 Aug 2018 19:43:29 +0000 (19:43 +0000)]
Merge "DO NOT MERGE Fix OOB read before buffer length check" into nyc-dev
Ugo Yu [Wed, 8 Aug 2018 08:18:08 +0000 (16:18 +0800)]
DO NOT MERGE Add packet length check in smp_proc_master_id
Bug:
111937027
Test: manual
Change-Id: I2009b6be38f9733931e625379b035e84371fdcaf
Cheney Ni [Wed, 8 Aug 2018 14:40:27 +0000 (22:40 +0800)]
Checks the SMP length to fix OOB read
Bug:
111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
Jakub Pawlowski [Mon, 16 Jul 2018 13:40:35 +0000 (06:40 -0700)]
Fix copy length calculation in sdp_copy_raw_data
Test: compilation
Bug:
110216176
Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
Merged-In: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
TreeHugger Robot [Fri, 10 Aug 2018 00:39:29 +0000 (00:39 +0000)]
Merge "DO NOT MERGE Fix OOB read in avrc_ctrl_pars_vendor_rsp" into nyc-dev
Hansong Zhang [Thu, 9 Aug 2018 23:43:44 +0000 (23:43 +0000)]
Merge "DO NOT MERGE Check remaining frame length in rfc_process_mx_message" into nyc-dev
Hansong Zhang [Wed, 8 Aug 2018 18:38:30 +0000 (11:38 -0700)]
DO NOT MERGE Check remaining frame length in rfc_process_mx_message
Bug:
111936792
Bug:
80432928
Test: manual
Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
Pavlin Radoslavov [Thu, 9 Aug 2018 20:40:54 +0000 (13:40 -0700)]
DO NOT MERGE: Add missing AVRCP message length checks inside avrc_msg_cback
Explicitly check the length of the received message before
accessing the data.
Bug:
111803925
Bug:
79883824
Test: POC scripts
Change-Id: I50d1d1f7dd7038ffcd5f0d5975ab1db43178067f
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Cheney Ni [Tue, 7 Aug 2018 13:32:07 +0000 (21:32 +0800)]
DO NOT MERGE: Add packet length checks in mca_ccb_hdl_req
Bug:
110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
Chienyuan [Wed, 8 Aug 2018 08:15:21 +0000 (16:15 +0800)]
DO NOT MERGE Check packet length in bta_av_proc_meta_cmd
Bug:
111893951
Test: manual
Change-Id: Ie562c393e949c275203617972d43bb005190b32b
Ugo Yu [Wed, 8 Aug 2018 06:57:25 +0000 (14:57 +0800)]
DO NOT MERGE Fix OOB read before buffer length check
Bug:
111936834
Test: manual
Change-Id: I60c500651f130876934a7b80889f4e021055fe73
Hansong Zhang [Mon, 6 Aug 2018 21:36:41 +0000 (14:36 -0700)]
DO NOT MERGE Fix OOB read in avrc_ctrl_pars_vendor_rsp
Bug:
78526423
Test: manual
Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91
TreeHugger Robot [Fri, 20 Jul 2018 18:25:33 +0000 (18:25 +0000)]
Merge "DO NOT MERGE SDP: Fix the param_len recalculation" into nyc-dev
Hansong Zhang [Fri, 20 Jul 2018 17:16:14 +0000 (10:16 -0700)]
DO NOT MERGE SDP: Fix the param_len recalculation
Bug:
78136869
Test: manual connection to an A2DP device
Change-Id: If32b848696180ab2fd33f514de89cb8c3d202e39
Android Build Merger (Role) [Fri, 20 Jul 2018 17:17:18 +0000 (17:17 +0000)]
[automerger] DO NOT MERGE SDP: Fix the param_len recalculation am:
7b2d711d9e am:
43d4bf00eb am:
7d92fdbb23 skipped:
58417f9233
Change-Id: I5429442640a203df07ba448e8b9837fb8017eb6d
Android Build Merger (Role) [Fri, 20 Jul 2018 17:17:17 +0000 (17:17 +0000)]
[automerger] DO NOT MERGE SDP: Fix the param_len recalculation am:
7b2d711d9e am:
43d4bf00eb am:
7d92fdbb23
Change-Id: Ie9d7f0209ad248035cb65c9e6d04236ba61a9264
Android Build Merger (Role) [Fri, 20 Jul 2018 17:17:15 +0000 (17:17 +0000)]
[automerger] DO NOT MERGE SDP: Fix the param_len recalculation am:
7b2d711d9e am:
43d4bf00eb
Change-Id: Iea2346e652fe6bb086e894615bb409491d60457d
Android Build Merger (Role) [Fri, 20 Jul 2018 17:17:14 +0000 (17:17 +0000)]
[automerger] DO NOT MERGE SDP: Fix the param_len recalculation am:
7b2d711d9e
Change-Id: I1adfd8dd7cd684e5d9af4a1967f0630e53fe035f
Hansong Zhang [Fri, 20 Jul 2018 17:16:14 +0000 (10:16 -0700)]
DO NOT MERGE SDP: Fix the param_len recalculation
Bug:
78136869
Test: manual connection to an A2DP device
Change-Id: If32b848696180ab2fd33f514de89cb8c3d202e39
Hansong Zhang [Fri, 13 Jul 2018 20:43:27 +0000 (13:43 -0700)]
DO NOT MERGE Fix a wrong check in rfc_parse_data
Bug:
78288018
Bug:
111436796
Test: manual
Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a
Hansong Zhang [Thu, 7 Jun 2018 23:11:27 +0000 (16:11 -0700)]
DO NOT MERGE Add bound check for rfc_parse_data
Bug:
78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
Merged-In: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit
1b9a465eea85e86984bb1e53be69880159e59c69)
Android Build Merger (Role) [Fri, 13 Jul 2018 16:16:15 +0000 (16:16 +0000)]
[automerger skipped] Add bound check for rfc_parse_data skipped:
1b9a465eea skipped:
5741c6951e skipped:
aa697e3f87 skipped:
b1f262ed40
Change-Id: I7b848bbdf257721c4f653daeb531ec2f6be4a6ad
Android Build Merger (Role) [Fri, 13 Jul 2018 16:16:13 +0000 (16:16 +0000)]
[automerger skipped] Add bound check for rfc_parse_data skipped:
1b9a465eea skipped:
5741c6951e skipped:
aa697e3f87
Change-Id: Ibc434fafa8043a4c9b42e26a80d893441a4cef27
Android Build Merger (Role) [Fri, 13 Jul 2018 16:16:11 +0000 (16:16 +0000)]
[automerger skipped] Add bound check for rfc_parse_data skipped:
1b9a465eea skipped:
5741c6951e
Change-Id: I0e691f7030013c84b90a10e20e67274ac2408025
Android Build Merger (Role) [Fri, 13 Jul 2018 16:16:09 +0000 (16:16 +0000)]
[automerger skipped] Add bound check for rfc_parse_data skipped:
1b9a465eea
Change-Id: I4c80ed01bf081bfe6ab6d27fcbb5b685309fb2a2
Hansong Zhang [Thu, 7 Jun 2018 23:11:27 +0000 (16:11 -0700)]
Add bound check for rfc_parse_data
Bug:
78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
Merged-In: I44349cd22c141483d01bce0f5a2131b727d0feb0
Android Build Merger (Role) [Fri, 13 Jul 2018 12:47:07 +0000 (12:47 +0000)]
[automerger] Fix out of bounds read in l2c_rcv_acl_data am:
9bf8cb2683 am:
4a370bbdc5 am:
2e08a14470 skipped:
e4460d953d
Change-Id: I0f7cd1a1d7e309db38eee7ae86ed761710a9bfb0
Android Build Merger (Role) [Fri, 13 Jul 2018 12:43:31 +0000 (12:43 +0000)]
[automerger] Fix out of bounds read in l2c_rcv_acl_data am:
9bf8cb2683 am:
4a370bbdc5 am:
2e08a14470
Change-Id: I6cd95ab6a7bf2509ef888134ff6a4d0aa18f4ac5
Android Build Merger (Role) [Fri, 13 Jul 2018 12:43:29 +0000 (12:43 +0000)]
[automerger] Fix out of bounds read in l2c_rcv_acl_data am:
9bf8cb2683 am:
4a370bbdc5
Change-Id: I289ef3ff584a174372e89b692aee08076e7f97ed
Android Build Merger (Role) [Fri, 13 Jul 2018 12:43:26 +0000 (12:43 +0000)]
[automerger] Fix out of bounds read in l2c_rcv_acl_data am:
9bf8cb2683
Change-Id: Ia857465d9a103a44d6219f90bcf606e23a712166
Jakub Pawlowski [Fri, 22 Jun 2018 09:57:19 +0000 (02:57 -0700)]
Fix out of bounds read in l2c_rcv_acl_data
Test: none
Bug:
80432895
Change-Id: I7807d00c02a84c545476e84bc1b71e0718df1f24
Merged-In: I7807d00c02a84c545476e84bc1b71e0718df1f24
Jakub Pawlowski [Fri, 13 Jul 2018 12:42:53 +0000 (12:42 +0000)]
Merge "Fix out of bounds read in l2c_rcv_acl_data" into nyc-dev
Android Build Merger (Role) [Fri, 13 Jul 2018 10:21:54 +0000 (10:21 +0000)]
[automerger] BLE: Don't access freed buffer in log message am:
6c7c67817d am:
ee283d67bf am:
ba7e4b88ca am:
36f5050f23
Change-Id: If437e47efd744648d5549e23793894de40281b10
Android Build Merger (Role) [Fri, 13 Jul 2018 10:21:51 +0000 (10:21 +0000)]
[automerger] BLE: Don't access freed buffer in log message am:
6c7c67817d am:
ee283d67bf am:
ba7e4b88ca
Change-Id: I4d7c71a8cec14b94039657bd8de3679a776c473e
Android Build Merger (Role) [Fri, 13 Jul 2018 10:21:48 +0000 (10:21 +0000)]
[automerger] BLE: Don't access freed buffer in log message am:
6c7c67817d am:
ee283d67bf
Change-Id: I2dcc552158cfc27c73dec217d7f3e2581adf2426
Android Build Merger (Role) [Fri, 13 Jul 2018 10:21:46 +0000 (10:21 +0000)]
[automerger] BLE: Don't access freed buffer in log message am:
6c7c67817d
Change-Id: I9f5c4155c1def43351058c6cbda5f1258e3888d5
Nitin Shivpure [Tue, 6 Feb 2018 12:48:37 +0000 (18:18 +0530)]
BLE: Don't access freed buffer in log message
When GATT fail to write data on L2CAP, buffer is freed by L2CAP.
Accessing the buffer leads to fatal failure while printing the message info.
Test: BLE discover services and BT off test cases
Fixes:
73018520
Change-Id: I661398fd1321f6e68026b3720db4965fd6584d70
Merged-In: I661398fd1321f6e68026b3720db4965fd6584d70
Jakub Pawlowski [Fri, 22 Jun 2018 09:57:19 +0000 (02:57 -0700)]
Fix out of bounds read in l2c_rcv_acl_data
Test: none
Bug:
80432895
Change-Id: I7807d00c02a84c545476e84bc1b71e0718df1f24
Merged-In: I7807d00c02a84c545476e84bc1b71e0718df1f24
Android Build Merger (Role) [Fri, 13 Jul 2018 09:17:18 +0000 (09:17 +0000)]
[automerger] Add packet length checks in l2cble_process_sig_cmd am:
3a0aab555f am:
497f11b0fd am:
98366e0b06 skipped:
d5ef3c9e76
Change-Id: I88b6879652a667ace51c8e304eeeb0f394493b58
Android Build Merger (Role) [Fri, 13 Jul 2018 09:16:03 +0000 (09:16 +0000)]
[automerger] Add packet length checks in l2cble_process_sig_cmd am:
3a0aab555f am:
497f11b0fd am:
98366e0b06
Change-Id: Iebe8378ad968c488cbc4b88a986566d40c4bae07
Android Build Merger (Role) [Fri, 13 Jul 2018 09:16:01 +0000 (09:16 +0000)]
[automerger] Add packet length checks in l2cble_process_sig_cmd am:
3a0aab555f am:
497f11b0fd
Change-Id: Ia9dfcc76e8a3a464d1d000e59c998d7958119e83
Android Build Merger (Role) [Fri, 13 Jul 2018 09:15:58 +0000 (09:15 +0000)]
[automerger] Add packet length checks in l2cble_process_sig_cmd am:
3a0aab555f
Change-Id: If6a5bdde9eee5540844938956063199c9e640da3
Jakub Pawlowski [Fri, 22 Jun 2018 05:56:11 +0000 (22:56 -0700)]
Add packet length checks in l2cble_process_sig_cmd
Bug:
80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
Merged-In: Icf55747dc948bcce140a12658237554938e2d717
Jakub Pawlowski [Wed, 11 Jul 2018 09:57:07 +0000 (02:57 -0700)]
Don't use Address after it was deleted
Bug:
110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
Merged-In: Id3364cf53153eafed478546d7347ed1673217e91
Jakub Pawlowski [Fri, 22 Jun 2018 05:56:11 +0000 (22:56 -0700)]
Add packet length checks in l2cble_process_sig_cmd
Bug:
80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
Merged-In: Icf55747dc948bcce140a12658237554938e2d717
TreeHugger Robot [Thu, 12 Jul 2018 22:28:54 +0000 (22:28 +0000)]
Merge "DO NOT MERGE HID Host: Check L2CAP packet data length" into nyc-dev
TreeHugger Robot [Thu, 12 Jul 2018 22:17:26 +0000 (22:17 +0000)]
Merge changes from topic "am-
de483eec-fa20-48e1-8e14-
9d6660359644" into mnc-dr1.5-dev
* changes:
[automerger] DO NOT MERGE HID Host: Check L2CAP packet data length am:
2da73209f2 am:
7d941ad3a2 am:
56c5b8f060
[automerger] DO NOT MERGE HID Host: Check L2CAP packet data length am:
2da73209f2 am:
7d941ad3a2
[automerger] DO NOT MERGE HID Host: Check L2CAP packet data length am:
2da73209f2
DO NOT MERGE HID Host: Check L2CAP packet data length
TreeHugger Robot [Thu, 12 Jul 2018 22:17:26 +0000 (22:17 +0000)]
Merge changes from topic "am-
de483eec-fa20-48e1-8e14-
9d6660359644" into cw-e-dev
* changes:
[automerger] DO NOT MERGE HID Host: Check L2CAP packet data length am:
2da73209f2 am:
7d941ad3a2
[automerger] DO NOT MERGE HID Host: Check L2CAP packet data length am:
2da73209f2
DO NOT MERGE HID Host: Check L2CAP packet data length
TreeHugger Robot [Thu, 12 Jul 2018 22:17:26 +0000 (22:17 +0000)]
Merge changes from topic "am-
de483eec-fa20-48e1-8e14-
9d6660359644" into mnc-dr-dev
* changes:
[automerger] DO NOT MERGE HID Host: Check L2CAP packet data length am:
2da73209f2
DO NOT MERGE HID Host: Check L2CAP packet data length
TreeHugger Robot [Thu, 12 Jul 2018 22:17:26 +0000 (22:17 +0000)]
Merge "DO NOT MERGE HID Host: Check L2CAP packet data length" into mnc-dev
TreeHugger Robot [Thu, 12 Jul 2018 22:17:26 +0000 (22:17 +0000)]
Merge changes from topic "am-
de483eec-fa20-48e1-8e14-
9d6660359644" into nyc-dev
* changes:
[automerger] DO NOT MERGE HID Host: Check L2CAP packet data length am:
2da73209f2 am:
7d941ad3a2 am:
56c5b8f060 skipped:
a8668154b7
[automerger] DO NOT MERGE HID Host: Check L2CAP packet data length am:
2da73209f2 am:
7d941ad3a2 am:
56c5b8f060
[automerger] DO NOT MERGE HID Host: Check L2CAP packet data length am:
2da73209f2 am:
7d941ad3a2
[automerger] DO NOT MERGE HID Host: Check L2CAP packet data length am:
2da73209f2
DO NOT MERGE HID Host: Check L2CAP packet data length
TreeHugger Robot [Thu, 12 Jul 2018 21:10:42 +0000 (21:10 +0000)]
Merge "DO NOT MERGE Fix OOB read in process_l2cap_cmd" into nyc-dev
Hansong Zhang [Thu, 12 Jul 2018 18:00:53 +0000 (11:00 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Test: manual
Bug:
79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
Android Build Merger (Role) [Thu, 12 Jul 2018 07:41:15 +0000 (07:41 +0000)]
[automerger] SDP: return error on offset bigger than atribute length am:
3565eaf72d am:
67c78b25ca am:
1c4f9c9624 am:
05ba05199c
Change-Id: I95b70f63b81df6f58b516b83853fc0bbef7eccc8
Android Build Merger (Role) [Thu, 12 Jul 2018 07:41:12 +0000 (07:41 +0000)]
[automerger] SDP: return error on offset bigger than atribute length am:
3565eaf72d am:
67c78b25ca am:
1c4f9c9624
Change-Id: Idb5ac3b18ec180a90eca120754d601c1ba68edbf
Android Build Merger (Role) [Thu, 12 Jul 2018 07:41:10 +0000 (07:41 +0000)]
[automerger] SDP: return error on offset bigger than atribute length am:
3565eaf72d am:
67c78b25ca
Change-Id: I3e68fbd29ce151c4829fe6077d76bc3822915c8f
Android Build Merger (Role) [Thu, 12 Jul 2018 07:41:07 +0000 (07:41 +0000)]
[automerger] SDP: return error on offset bigger than atribute length am:
3565eaf72d
Change-Id: Ic7b10e46c591edff7f86c06dee6beb8ca8798121
Jakub Pawlowski [Fri, 22 Jun 2018 11:46:39 +0000 (04:46 -0700)]
SDP: return error on offset bigger than atribute length
Test: none
Bug:
79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
Merged-In: I8b594882dd07644b1a747c53d6166db466b7e998
TreeHugger Robot [Wed, 11 Jul 2018 17:36:21 +0000 (17:36 +0000)]
Merge "DO NOT MERGE HFP: Fix out of bound access in phone number processing" into nyc-dev
Jack He [Wed, 27 Jun 2018 00:53:24 +0000 (17:53 -0700)]
DO NOT MERGE HFP: Fix out of bound access in phone number processing
* Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
method
* Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
PhoneStateChange method
Bug:
79431031
Bug:
79266386
Test: make call with super long phone numbers
Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
Merged-In: I98e7687ac4055800aa46626c6b1c866e52e474df
Hansong Zhang [Thu, 7 Jun 2018 21:18:22 +0000 (14:18 -0700)]
DO NOT MERGE HID Host: Check L2CAP packet data length
Bug:
80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
Android Build Merger (Role) [Thu, 7 Jun 2018 21:27:51 +0000 (21:27 +0000)]
[automerger] DO NOT MERGE HID Host: Check L2CAP packet data length am:
2da73209f2 am:
7d941ad3a2 am:
56c5b8f060 skipped:
a8668154b7
Change-Id: Ib12a006ee1c5d3ed781e674e2091b7bf8c30036b