OSDN Git Service
Chih-Wei Huang [Tue, 8 Jan 2019 08:16:56 +0000 (16:16 +0800)]
Merge tag 'android-8.1.0_r60' into oreo-x86
Android 8.1.0 Release 60 (OPM8.190105.002)
Chih-Wei Huang [Fri, 21 Dec 2018 09:19:56 +0000 (17:19 +0800)]
Merge tag 'android-8.1.0_r53' into oreo-x86
Android 8.1.0 release 53
android-build-team Robot [Mon, 26 Nov 2018 17:21:00 +0000 (17:21 +0000)]
Merge cherrypicks of [...] into oc-m8-release
Change-Id: I1404e0a821b4c44bd5a924a6e10dc3928672437f
Chienyuan [Thu, 11 Oct 2018 01:47:46 +0000 (09:47 +0800)]
DO NOT MERGE HFP: Check AT command buffer boundary during parsing
* add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback
  and bta_ag_at_hfp_cback to indicate effective data range of p_arg
* add checks for buffer copy overflow in bta_ag_at_hsp_cback and
  bta_ag_at_hfp_cback
* add packet length checks with p_end in bta_ag_parse_cmer
* add packet length checks with p_end in bta_ag_parse_bac
Bug: 112860487
Test: manual
Change-Id: I6bbbc2ba29ad025c7d3ba023d8191af6a11c4aa9
(cherry picked from commit 749063afebb8324276a47bdfbf320aa70f94a8ba)
(cherry picked from commit 9cb959d00d33737b399377cfc0f4070081d48f5e)
Myles Watson [Thu, 25 Oct 2018 21:33:33 +0000 (14:33 -0700)]
DO NOT MERGE: HH: Check parameter length in bta_hh_ctrl_dat_act
Bug: 116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit ff8a52d8fefed1ba38f424b1db48a81d46cb7226)
Myles Watson [Thu, 25 Oct 2018 00:05:12 +0000 (17:05 -0700)]
DO NOT MERGE: SDP: Check p_end in save_attr_seq and add_attr
Bug: 115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit 2aad270709f01481e91f7fdaafbebee49130cd28)
Myles Watson [Thu, 25 Oct 2018 22:27:03 +0000 (15:27 -0700)]
DO NOT MERGE: MCAP: Check response length in mca_ccb_hdl_rsp
Bug: 116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit f34d740521ec583b0089fdeca283748a809a9c1a)
Ugo Yu [Mon, 29 Oct 2018 16:47:04 +0000 (00:47 +0800)]
DO NOT MERGE: Fix possible OOB when AVDT data channel receive ACL data
Bug: 111450156
Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af)
(cherry picked from commit f349ff0c65523437b3f20ef54a7b0e5fd56364dc)
android-build-team Robot [Fri, 19 Oct 2018 16:33:43 +0000 (16:33 +0000)]
Merge cherrypicks of [...] into oc-m8-release
Change-Id: If387e42363401bc4f4c362de2b66e910b38d7239
Jakub Pawlowski [Wed, 10 Oct 2018 17:35:37 +0000 (19:35 +0200)]
Fix possible OOB read
Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad)
Ugo Yu [Mon, 17 Sep 2018 07:59:30 +0000 (15:59 +0800)]
DO NOT MERGE - Check SDU lower bound before allocate p_data
Bug: 112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit 6fc96f847be808a4f38eae45b5e9bbc3f18b9a2d)
Chih-Wei Huang [Tue, 9 Oct 2018 10:01:42 +0000 (18:01 +0800)]
Merge tag 'android-8.1.0_r48' into oreo-x86
Android 8.1.0 release 48
android-build-team Robot [Tue, 11 Sep 2018 23:09:09 +0000 (23:09 +0000)]
Merge cherrypicks of [...] into oc-m8-release
Change-Id: I85beb831bb99d381e91572820887d034e9e4c942
Pavlin Radoslavov [Thu, 6 Sep 2018 01:21:31 +0000 (18:21 -0700)]
Check data length when parsing AVRCP vendor specific command responses
Bug: 111450531
Bug: 111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)
Pavlin Radoslavov [Thu, 6 Sep 2018 22:41:27 +0000 (15:41 -0700)]
DO NOT MERGE - Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()
Bug: 111450417
Test: PoC test program
Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
(cherry picked from commit 2692408d05bf16738284b61833649cee5d2a2233)
Chih-Wei Huang [Mon, 10 Sep 2018 16:20:37 +0000 (00:20 +0800)]
Merge tag 'android-8.1.0_r46' into oreo-x86
Android 8.1.0 Release 46 (OPM6.171019.030.K1)
android-build-team Robot [Thu, 30 Aug 2018 04:26:40 +0000 (04:26 +0000)]
Merge cherrypicks of [4897833, 4897834, 4897835] into oc-m8-release
Change-Id: I67a29ac6b41042b98bf78c34151436502cc23c43
Hansong Zhang [Fri, 13 Jul 2018 20:45:46 +0000 (13:45 -0700)]
Fix a wrong check in rfc_parse_data
Bug: 78288018
Bug: 111436796
Test: manual
Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a
(cherry picked from commit d1ced302cd1066087588c891027b1756be31db46)
Hansong Zhang [Thu, 7 Jun 2018 23:18:52 +0000 (16:18 -0700)]
Add bound check for rfc_parse_data
Bug: 78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit 6039cb7225733195192b396ad19c528800feb735)
android-build-team Robot [Thu, 16 Aug 2018 16:58:55 +0000 (16:58 +0000)]
Merge cherrypicks of [4793902] into oc-m8-release
Change-Id: I91773bc663618ed079887b7501b81bfb21e7abfb
Hansong Zhang [Thu, 16 Aug 2018 16:46:45 +0000 (09:46 -0700)]
Fix build failure in stack/rfcomm/rfc_ts_frames.c
Test: compile
Bug: 112673718
Change-Id: I93cd39f943dd2f0fb65b785c15dc91649c7ee384
(cherry picked from commit eb3e2528714bd6ea59ad369798f522d75a2e55c7)
android-build-team Robot [Thu, 16 Aug 2018 01:24:41 +0000 (01:24 +0000)]
Merge cherrypicks of [...] into oc-m8-release
Change-Id: Ic84dec3c93161420dd4c72ee698154e8188d1ac7
Cheney Ni [Tue, 7 Aug 2018 13:32:07 +0000 (21:32 +0800)]
Add packet length checks in mca_ccb_hdl_req
Bug: 110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
(cherry picked from commit 4de7ccdd914b7a178df9180d15f675b257ea6e02)
Cheney Ni [Wed, 8 Aug 2018 14:40:27 +0000 (22:40 +0800)]
Checks the SMP length to fix OOB read
Bug: 111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
(cherry picked from commit 4978acce4af0c3975ffde9386b7da38f88bb1711)
Ugo Yu [Wed, 8 Aug 2018 08:09:58 +0000 (16:09 +0800)]
Add packet length check in smp_proc_master_id
Bug: 111937027
Test: manual
Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075
(cherry picked from commit c8294662d07a98e9b8b1cab1ab681ec0805ce4e8)
Pavlin Radoslavov [Thu, 9 Aug 2018 20:07:48 +0000 (13:07 -0700)]
Add missing AVRCP message length checks inside avrc_msg_cback
Explicitly check the length of the received message before
accessing the data.
Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
(cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)
Ugo Yu [Wed, 8 Aug 2018 06:46:42 +0000 (14:46 +0800)]
DO NOT MERGE Fix OOB read before buffer length check
Bug: 111936834
Test: manual
Change-Id: Ib98528fb62db0d724ebd9112d071e367f78e369d
(cherry picked from commit 4548f34c90803c6544f6bed03399f2eabeab2a8e)
Chienyuan [Wed, 8 Aug 2018 03:21:28 +0000 (11:21 +0800)]
Check packet length in bta_av_proc_meta_cmd
Bug: 111893951
Test: manual - connect A2DP
Change-Id: Ibbf347863dfd29ea3385312e9dde1082bc90d2f3
(cherry picked from commit ed51887f921263219bcd2fbf6650ead5ec8d334e)
Hansong Zhang [Mon, 6 Aug 2018 21:40:37 +0000 (14:40 -0700)]
Fix OOB read in avrc_ctrl_pars_vendor_rsp
Bug: 78526423
Test: manual
Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91
(cherry picked from commit d945ada503ed9c9ea24e092df51faba57f5d589a)
Hansong Zhang [Wed, 8 Aug 2018 18:31:28 +0000 (11:31 -0700)]
Check remaining frame length in rfc_process_mx_message
Bug: 111936792
Bug: 80432928
Test: manual
Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
(cherry picked from commit 0471355c8b035aaa2ce07a33eecad60ad49c5ad0)
Jakub Pawlowski [Mon, 16 Jul 2018 13:40:35 +0000 (06:40 -0700)]
Fix copy length calculation in sdp_copy_raw_data
Test: compilation
Bug: 110216176
Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
(cherry picked from commit 23aa15743397b345f3d948289fe90efa2a2e2b3e)
Hansong Zhang [Thu, 14 Jun 2018 00:33:23 +0000 (17:33 -0700)]
DO NOT MERGE AVRC: Copy browse.p_browse_data in btif_av_event_deep_copy
p_msg_src->browse.p_browse_data is not copied, but used after the
original pointer is freed
Bug: 109699112
Test: manual
Change-Id: I1d014eb9a8911da6913173a9b11218bf1c89e16e
(cherry picked from commit 1d9a58768e6573899c7e80c2b3f52e22f2d8f58b)
android-build-team Robot [Fri, 10 Aug 2018 20:32:57 +0000 (20:32 +0000)]
Merge cherrypicks of [...] into sparse-4749909-L04200000199131547
Change-Id: I00e16e086aeb1e49834b5a7c98174418f934cc81
Hansong Zhang [Thu, 7 Jun 2018 21:25:09 +0000 (14:25 -0700)]
HID Host: Check L2CAP packet data length
Bug: 80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit ca47a05acb66218ff2123f8d4642961f7f2eb5e2)
Hansong Zhang [Thu, 12 Jul 2018 17:51:30 +0000 (10:51 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Test: manual
Bug: 79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
(cherry picked from commit 54c6a9dfd52ac6711d6f2101d233b276b2e3bb53)
Jakub Pawlowski [Fri, 22 Jun 2018 05:56:11 +0000 (22:56 -0700)]
Add packet length checks in l2cble_process_sig_cmd
Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit 02f47a752c818277b31852e3ff940764d5c7f9c7)
Jakub Pawlowski [Wed, 11 Jul 2018 09:57:07 +0000 (02:57 -0700)]
Don't use Address after it was deleted
Bug: 110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
(cherry picked from commit 9930f6f4e14e64966869b119994126283d645fd0)
Hansong Zhang [Wed, 27 Jun 2018 21:26:40 +0000 (14:26 -0700)]
HFP: Fix out of bound access in phone number processing
* Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
  method
* Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
  PhoneStateChange method
Bug: 79431031
Bug: 79266386
Test: make call with super long phone numbers
Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
Merged-In: I98e7687ac4055800aa46626c6b1c866e52e474df
(cherry picked from commit 820b4327b1359fb1b389e07fc0f8c5e1304a7bfa)
Jakub Pawlowski [Fri, 22 Jun 2018 11:46:39 +0000 (04:46 -0700)]
SDP: return error on offset bigger than attribute length
Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit 0a74ffa44cbe48f674387cc951e6011c28ca003c)
Hansong Zhang [Thu, 21 Jun 2018 23:53:41 +0000 (16:53 -0700)]
HIDD: Prevent integer underflow in bta_hd_act
Bug: 109757435
Bug: 109757168
Bug: 110846194
Bug: 109757986
Test: manual
Change-Id: I80a6f3f931ac7512f1ba801cc5d8de6ac04f3422
(cherry picked from commit 74a6392875166698b64b624d12b6d2e404b75d72)
Ajay Panicker [Tue, 5 Jun 2018 23:08:06 +0000 (16:08 -0700)]
DO NOT MERGE: Don't reuse buffer when building response
Bug: 79541338
Test: Compile and connect to remote headset
Change-Id: I2d808f941d3c71fcb6306c733717624be10478e0
(cherry picked from commit 9bbce8603846159dec0d506ba867b7616557a303)
Pavlin Radoslavov [Thu, 31 May 2018 18:04:54 +0000 (11:04 -0700)]
Add BT_HDR length check for received AVCTP packets
Bug: 79944113
Test: Code compilation
Change-Id: I02c76ab8fad61669394062bf34656ea32f465b6a
Merged-In: I02c76ab8fad61669394062bf34656ea32f465b6a
(cherry picked from commit 4262b932e487b19d578d79e0120cf03291f44efc)
(cherry picked from commit fa538540a7f147b8440ac49735a8dc596ce8dfc7)
Pavlin Radoslavov [Thu, 31 May 2018 02:26:16 +0000 (19:26 -0700)]
Add packet length check for received AVCTP packets
Bug: 79944113
Test: Manual: Custom test program and extra logging
Change-Id: Icde465fed723bf876ce3885d11099fddcb92de81
Merged-In: Icde465fed723bf876ce3885d11099fddcb92de81
(cherry picked from commit 2a934acf498a6b715cc7c634123aa403a70fe9e6)
(cherry picked from commit d6fb21d8d8ae20addfc51246d840151fc86d8572)
Pavlin Radoslavov [Thu, 31 May 2018 00:56:14 +0000 (17:56 -0700)]
Add checks whether the AVDTP element data length is valid
Bug: 78288378
Test: Manual: Python script and extra logging
Change-Id: I715b5977c833d33ff798f008fbf244effa13ea1f
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit 9b3f96f50287d8789aff6d6895d7ae02ca6ac619)
(cherry picked from commit ee30c88a8d49b30860d35b34a57c3037a4045678)
Jack He [Fri, 1 Jun 2018 21:00:42 +0000 (14:00 -0700)]
BNEP: Fix OOB access in bnep_data_ind
* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
  the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
  is most likely triggered
Bug: 78286118
Bug: 79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
BNEP_EXTENSION_CONTROL packet
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit 3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit 0416340ffa61337dbaa2f6602ef85a1c32563ec2)
akirilov [Mon, 21 May 2018 18:45:55 +0000 (11:45 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (2/2)
Bug: 74075873
Test: manual
Change-Id: I9a7035a74aca3256c5712ea67a7435627b139c37
(cherry picked from commit 9d647b201b64949e04eade9b594af76c764dbb96)
akirilov [Mon, 21 May 2018 19:56:17 +0000 (12:56 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
Bug: 74075873
Test: manual test (poc in bug)
Change-Id: I56e87cfdf8731acca00cefac98abb2ba06f6e7ed
(cherry picked from commit 3575ba8ca36dccf7dcdb2dbf16ed170d549911d3)
Myles Watson [Tue, 29 May 2018 23:55:58 +0000 (16:55 -0700)]
DO NOT MERGE: SDP: Recalculate param_len after max_list_len
Bug: 78136869
Test: manual connection to an A2DP device
Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
(cherry picked from commit 9cc9eea21c7868034242b7ab8be750c565e46bfd)
Jakub Pawlowski [Tue, 29 May 2018 23:17:32 +0000 (16:17 -0700)]
Decrease length after reading from array in process_service_attr_req
Test: compilation
Bug: 78136677
Change-Id: I4807a350e2b4764a93f104ce88f23a957a7e85c0
(cherry picked from commit 6cd2e8bf6e5707e8e77e7aca6519c58200ee58db)
Hansong Zhang [Wed, 30 May 2018 00:38:39 +0000 (17:38 -0700)]
DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_event
Bug: 80145946
Test: manual
Change-Id: Ic83eaa4be868d5a345d80cd50a6915c0af719a53
(cherry picked from commit 519b61392a96fbd45bdcc0bfddc881167c20cc23)
Jakub Pawlowski [Wed, 23 May 2018 17:19:53 +0000 (10:19 -0700)]
GATT: Handle too short Error Response PDU
Since the spec is not clear what to do in this case, use one of
reserved error codes as a failure reason, and pass it to upper layers.
Bug: 79591688
Change-Id: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
Merged-In: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
(cherry picked from commit f63c4b652b3231c2b4907bffd13410c6eb2aa760)
Jakub Pawlowski [Thu, 24 May 2018 15:59:34 +0000 (08:59 -0700)]
Add PDU size checks in process_service_search_attr_rsp
Bug: 79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
(cherry picked from commit 980f6427b183e013958acd6b70e91f58177408a6)
Ajay Panicker [Fri, 13 Apr 2018 00:03:09 +0000 (17:03 -0700)]
Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
Bug: 74121659
Test: Compiles
Change-Id: Idf58e7b25b41ae1bd43cdd51de424b18e03cc7e8
(cherry picked from commit ca4f8a18bce9331360144f1dbc51db1e2525bcc3)
Ajay Panicker [Fri, 11 May 2018 19:03:07 +0000 (12:03 -0700)]
DO NOT MERGE: Check number of attributes before writing to a buffer
Bug: 73824150
Test: Compile
Change-Id: I2a28a503cd74758e707d1e591b55c278d2299f45
(cherry picked from commit f6db54f071f6974e18b10bb0c2cfcf397cd4c980)
Hansong Zhang [Fri, 11 May 2018 18:36:29 +0000 (11:36 -0700)]
DO NOT MERGE AVRC: Add bound check for AVRC_EVT_APP_SETTING_CHANGE
Test: manual
Bug: 73782082
Change-Id: I4e384a2f8c0d8c4af03bd5865b2e907321419c86
(cherry picked from commit 0061dd6ae30ebcebce695c212c8bc0ceb276710e)
Hansong Zhang [Thu, 26 Apr 2018 22:50:53 +0000 (15:50 -0700)]
DO NOT MERGE Prevent stack overflow in btif_storage
Bug: 73963551
Test: manual
Change-Id: I5f7a583aad150ebf9e3d492181d80ca935c8aa3f
(cherry picked from commit e8d311224277e9db5dc94cb94929125992f546f3)
Andre Eisenbach [Thu, 1 Mar 2018 21:27:01 +0000 (13:27 -0800)]
DO NOT MERGE SMP: Validate remote elliptic curve points
Fixes: 72377774
Test: net_test_stack_smp (where applicable)
Change-Id: Iefcf97364493467075fadefd77d12716f71cd4f6
(cherry picked from commit 9181ec28da94705a763edbe60bd2a87e5f882beb)
(cherry picked from commit e11ebfc21963ae905d58c034310efeca0e7cd2ee)
Hansong Zhang [Wed, 11 Apr 2018 23:04:51 +0000 (16:04 -0700)]
DO NOT MERGE Add bounds check for BNEP_Write
Bug: 74947856
Test: manual
Change-Id: If5db8c6b6e509a330ae74808fc3f0ffac137af14
(cherry picked from commit ae9d06c1dc84db36c0c4a07fc56a1fbf008cd1ce)
Hansong Zhang [Thu, 12 Apr 2018 18:58:49 +0000 (11:58 -0700)]
DO NOT MERGE Initialize local variable in gatts_process_read_by_type_req
Bug: 73125709
Test: manual
Change-Id: I8b3346f605e0820385ea5ed7401bbee664fd15aa
(cherry picked from commit 0e34139d7fa338df6c99aaba13eb839a3dbc2548)
Hansong Zhang [Thu, 12 Apr 2018 22:50:28 +0000 (15:50 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Bug: 74202041
Bug: 74196706
Bug: 74201143
Test: manual
Change-Id: Ic25f7f3777d0375f76cc91e4d129b1636f1c388d
(cherry picked from commit ff15adf5150527db1012b9f7777066522835e2db)
Myles Watson [Wed, 21 Mar 2018 23:45:32 +0000 (16:45 -0700)]
PAN: Always allocate in bta_pan_data_buf_ind_cback
Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free. Move the free call to pan_data_buf_ind_cb().
Free the buffer before every return in pan_data_buf_ind_cb.
Bug: 74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
(cherry picked from commit 98232b084c66368234d19fafe3076bc1c0f1b578)
Stanley Tng [Thu, 5 Apr 2018 16:54:13 +0000 (09:54 -0700)]
DO NOT MERGE Handle bad packet length in gatts_process_read_req
Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Please note that there is another earlier CL that is reverted and this
is the updated one.
Bug: 73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit cc9c7330d1c3507d745170ae7b2e0546197b7acb)
(cherry picked from commit 16f4c21be5bd0ea1968eee8a0f00648b1e326253)
Stanley Tng [Thu, 29 Mar 2018 00:12:28 +0000 (17:12 -0700)]
DO NOT MERGE Drop LE CoC fragments when frame size is too big
Drop the LE CoC data fragments when the received fragment size is too
big.
Test: Runs LE CoC SL4A test, BleCocTest.
Bug: 75298652
Merged-In: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
Change-Id: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
(cherry picked from commit 8365a2ace5e89d8b81bab468f0f9bc1137d773b4)
(cherry picked from commit 17db92e4fc3c7127c0ace625ff9735a9972eee70)
Hansong Zhang [Mon, 2 Apr 2018 17:05:56 +0000 (10:05 -0700)]
DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result
Check the number of UUIDs from remote device
Bug: 74016921
Test: manual
Change-Id: I1ca1f66bfc935f5fd219e8147511bdac7d2789ef
(cherry picked from commit 67ec216daa43f71adf103de6c4156c5a892c1460)
Hansong Zhang [Fri, 30 Mar 2018 23:27:37 +0000 (16:27 -0700)]
DO NOT MERGE Fix unexpected behavior in smp_sm_event
Bug: 74121126
Test: manual
Change-Id: Ie5dd841d6461ad057c4ab572007f38c5446aba53
(cherry picked from commit 652798b2f2d6c90e0fc95c00ccfb91e2870b03d4)
android-build-team Robot [Fri, 3 Aug 2018 19:21:15 +0000 (19:21 +0000)]
Merge cherrypicks of [...] into sparse-4732991-L01200000196794104
Change-Id: I5204d6196d849176ea6dd24498f8f2a4b8f8d7c8
Hansong Zhang [Thu, 7 Jun 2018 21:25:09 +0000 (14:25 -0700)]
HID Host: Check L2CAP packet data length
Bug: 80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit ca47a05acb66218ff2123f8d4642961f7f2eb5e2)
Hansong Zhang [Thu, 12 Jul 2018 17:51:30 +0000 (10:51 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Test: manual
Bug: 79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
(cherry picked from commit 54c6a9dfd52ac6711d6f2101d233b276b2e3bb53)
Jakub Pawlowski [Fri, 22 Jun 2018 05:56:11 +0000 (22:56 -0700)]
Add packet length checks in l2cble_process_sig_cmd
Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit 02f47a752c818277b31852e3ff940764d5c7f9c7)
Jakub Pawlowski [Wed, 11 Jul 2018 09:57:07 +0000 (02:57 -0700)]
Don't use Address after it was deleted
Bug: 110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
(cherry picked from commit 9930f6f4e14e64966869b119994126283d645fd0)
Hansong Zhang [Wed, 27 Jun 2018 21:26:40 +0000 (14:26 -0700)]
HFP: Fix out of bound access in phone number processing
* Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
  method
* Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
  PhoneStateChange method
Bug: 79431031
Bug: 79266386
Test: make call with super long phone numbers
Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
Merged-In: I98e7687ac4055800aa46626c6b1c866e52e474df
(cherry picked from commit 820b4327b1359fb1b389e07fc0f8c5e1304a7bfa)
Jakub Pawlowski [Fri, 22 Jun 2018 11:46:39 +0000 (04:46 -0700)]
SDP: return error on offset bigger than attribute length
Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit 0a74ffa44cbe48f674387cc951e6011c28ca003c)
Hansong Zhang [Thu, 21 Jun 2018 23:53:41 +0000 (16:53 -0700)]
HIDD: Prevent integer underflow in bta_hd_act
Bug: 109757435
Bug: 109757168
Bug: 110846194
Bug: 109757986
Test: manual
Change-Id: I80a6f3f931ac7512f1ba801cc5d8de6ac04f3422
(cherry picked from commit 74a6392875166698b64b624d12b6d2e404b75d72)
Ajay Panicker [Tue, 5 Jun 2018 23:08:06 +0000 (16:08 -0700)]
DO NOT MERGE: Don't reuse buffer when building response
Bug: 79541338
Test: Compile and connect to remote headset
Change-Id: I2d808f941d3c71fcb6306c733717624be10478e0
(cherry picked from commit 9bbce8603846159dec0d506ba867b7616557a303)
Pavlin Radoslavov [Thu, 31 May 2018 18:04:54 +0000 (11:04 -0700)]
Add BT_HDR length check for received AVCTP packets
Bug: 79944113
Test: Code compilation
Change-Id: I02c76ab8fad61669394062bf34656ea32f465b6a
Merged-In: I02c76ab8fad61669394062bf34656ea32f465b6a
(cherry picked from commit 4262b932e487b19d578d79e0120cf03291f44efc)
(cherry picked from commit fa538540a7f147b8440ac49735a8dc596ce8dfc7)
Pavlin Radoslavov [Thu, 31 May 2018 02:26:16 +0000 (19:26 -0700)]
Add packet length check for received AVCTP packets
Bug: 79944113
Test: Manual: Custom test program and extra logging
Change-Id: Icde465fed723bf876ce3885d11099fddcb92de81
Merged-In: Icde465fed723bf876ce3885d11099fddcb92de81
(cherry picked from commit 2a934acf498a6b715cc7c634123aa403a70fe9e6)
(cherry picked from commit d6fb21d8d8ae20addfc51246d840151fc86d8572)
Pavlin Radoslavov [Thu, 31 May 2018 00:56:14 +0000 (17:56 -0700)]
Add checks whether the AVDTP element data length is valid
Bug: 78288378
Test: Manual: Python script and extra logging
Change-Id: I715b5977c833d33ff798f008fbf244effa13ea1f
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit 9b3f96f50287d8789aff6d6895d7ae02ca6ac619)
(cherry picked from commit ee30c88a8d49b30860d35b34a57c3037a4045678)
Jack He [Fri, 1 Jun 2018 21:00:42 +0000 (14:00 -0700)]
BNEP: Fix OOB access in bnep_data_ind
* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
  the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
  is most likely triggered
Bug: 78286118
Bug: 79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
BNEP_EXTENSION_CONTROL packet
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit 3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit 0416340ffa61337dbaa2f6602ef85a1c32563ec2)
akirilov [Mon, 21 May 2018 18:45:55 +0000 (11:45 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (2/2)
Bug: 74075873
Test: manual
Change-Id: I9a7035a74aca3256c5712ea67a7435627b139c37
(cherry picked from commit 9d647b201b64949e04eade9b594af76c764dbb96)
akirilov [Mon, 21 May 2018 19:56:17 +0000 (12:56 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
Bug: 74075873
Test: manual test (poc in bug)
Change-Id: I56e87cfdf8731acca00cefac98abb2ba06f6e7ed
(cherry picked from commit 3575ba8ca36dccf7dcdb2dbf16ed170d549911d3)
Myles Watson [Tue, 29 May 2018 23:55:58 +0000 (16:55 -0700)]
DO NOT MERGE: SDP: Recalculate param_len after max_list_len
Bug: 78136869
Test: manual connection to an A2DP device
Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
(cherry picked from commit 9cc9eea21c7868034242b7ab8be750c565e46bfd)
Jakub Pawlowski [Tue, 29 May 2018 23:17:32 +0000 (16:17 -0700)]
Decrease length after reading from array in process_service_attr_req
Test: compilation
Bug: 78136677
Change-Id: I4807a350e2b4764a93f104ce88f23a957a7e85c0
(cherry picked from commit 6cd2e8bf6e5707e8e77e7aca6519c58200ee58db)
Hansong Zhang [Wed, 30 May 2018 00:38:39 +0000 (17:38 -0700)]
DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_event
Bug: 80145946
Test: manual
Change-Id: Ic83eaa4be868d5a345d80cd50a6915c0af719a53
(cherry picked from commit 519b61392a96fbd45bdcc0bfddc881167c20cc23)
Jakub Pawlowski [Wed, 23 May 2018 17:19:53 +0000 (10:19 -0700)]
GATT: Handle too short Error Response PDU
Since the spec is not clear what to do in this case, use one of
reserved error codes as a failure reason, and pass it to upper layers.
Bug: 79591688
Change-Id: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
Merged-In: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
(cherry picked from commit f63c4b652b3231c2b4907bffd13410c6eb2aa760)
Jakub Pawlowski [Thu, 24 May 2018 15:59:34 +0000 (08:59 -0700)]
Add PDU size checks in process_service_search_attr_rsp
Bug: 79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
(cherry picked from commit 980f6427b183e013958acd6b70e91f58177408a6)
Ajay Panicker [Fri, 13 Apr 2018 00:03:09 +0000 (17:03 -0700)]
Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
Bug: 74121659
Test: Compiles
Change-Id: Idf58e7b25b41ae1bd43cdd51de424b18e03cc7e8
(cherry picked from commit ca4f8a18bce9331360144f1dbc51db1e2525bcc3)
Ajay Panicker [Fri, 11 May 2018 19:03:07 +0000 (12:03 -0700)]
DO NOT MERGE: Check number of attributes before writing to a buffer
Bug: 73824150
Test: Compile
Change-Id: I2a28a503cd74758e707d1e591b55c278d2299f45
(cherry picked from commit f6db54f071f6974e18b10bb0c2cfcf397cd4c980)
Hansong Zhang [Fri, 11 May 2018 18:36:29 +0000 (11:36 -0700)]
DO NOT MERGE AVRC: Add bound check for AVRC_EVT_APP_SETTING_CHANGE
Test: manual
Bug: 73782082
Change-Id: I4e384a2f8c0d8c4af03bd5865b2e907321419c86
(cherry picked from commit 0061dd6ae30ebcebce695c212c8bc0ceb276710e)
Hansong Zhang [Thu, 26 Apr 2018 22:50:53 +0000 (15:50 -0700)]
DO NOT MERGE Prevent stack overflow in btif_storage
Bug: 73963551
Test: manual
Change-Id: I5f7a583aad150ebf9e3d492181d80ca935c8aa3f
(cherry picked from commit e8d311224277e9db5dc94cb94929125992f546f3)
Jakub Pawlowski [Fri, 9 Mar 2018 04:11:41 +0000 (20:11 -0800)]
Get rid of BTM_IS_PUBLIC_BDA
One can't really guess address type based on last bits.
Instead, for new devices always assume public address.
Test: scan, toggle bluetooth, try connecting to device with public
address
Bug: 74413120
Change-Id: Id558260798e717c214a5a817cea0c204c5f4858e
(cherry-picked from 8c2e78b44727789d641492beeef873b230c7e568)
(cherry picked from commit 14ef59e5a391a6dda7295ebe7d0d7c52875f76b0)
(cherry picked from commit c03c56afefe62f4e3761bc26c1f8b457dae3af3a)
Andre Eisenbach [Thu, 1 Mar 2018 21:27:01 +0000 (13:27 -0800)]
DO NOT MERGE SMP: Validate remote elliptic curve points
Fixes: 72377774
Test: net_test_stack_smp (where applicable)
Change-Id: Iefcf97364493467075fadefd77d12716f71cd4f6
(cherry picked from commit 9181ec28da94705a763edbe60bd2a87e5f882beb)
(cherry picked from commit e11ebfc21963ae905d58c034310efeca0e7cd2ee)
Hansong Zhang [Wed, 11 Apr 2018 23:04:51 +0000 (16:04 -0700)]
DO NOT MERGE Add bounds check for BNEP_Write
Bug: 74947856
Test: manual
Change-Id: If5db8c6b6e509a330ae74808fc3f0ffac137af14
(cherry picked from commit ae9d06c1dc84db36c0c4a07fc56a1fbf008cd1ce)
Hansong Zhang [Thu, 12 Apr 2018 18:58:49 +0000 (11:58 -0700)]
DO NOT MERGE Initialize local variable in gatts_process_read_by_type_req
Bug: 73125709
Test: manual
Change-Id: I8b3346f605e0820385ea5ed7401bbee664fd15aa
(cherry picked from commit 0e34139d7fa338df6c99aaba13eb839a3dbc2548)
Hansong Zhang [Thu, 12 Apr 2018 22:50:28 +0000 (15:50 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Bug: 74202041
Bug: 74196706
Bug: 74201143
Test: manual
Change-Id: Ic25f7f3777d0375f76cc91e4d129b1636f1c388d
(cherry picked from commit ff15adf5150527db1012b9f7777066522835e2db)
Myles Watson [Wed, 21 Mar 2018 23:45:32 +0000 (16:45 -0700)]
PAN: Always allocate in bta_pan_data_buf_ind_cback
Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free. Move the free call to pan_data_buf_ind_cb().
Free the buffer before every return in pan_data_buf_ind_cb.
Bug: 74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
(cherry picked from commit 98232b084c66368234d19fafe3076bc1c0f1b578)
Stanley Tng [Thu, 5 Apr 2018 16:54:13 +0000 (09:54 -0700)]
DO NOT MERGE Handle bad packet length in gatts_process_read_req
Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Please note that there is another earlier CL that is reverted and this
is the updated one.
Bug: 73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit cc9c7330d1c3507d745170ae7b2e0546197b7acb)
(cherry picked from commit 16f4c21be5bd0ea1968eee8a0f00648b1e326253)
Stanley Tng [Thu, 29 Mar 2018 00:12:28 +0000 (17:12 -0700)]
DO NOT MERGE Drop LE CoC fragments when frame size is too big
Drop the LE CoC data fragments when the received fragment size is too
big.
Test: Runs LE CoC SL4A test, BleCocTest.
Bug: 75298652
Merged-In: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
Change-Id: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
(cherry picked from commit 8365a2ace5e89d8b81bab468f0f9bc1137d773b4)
(cherry picked from commit 17db92e4fc3c7127c0ace625ff9735a9972eee70)
Hansong Zhang [Mon, 2 Apr 2018 17:05:56 +0000 (10:05 -0700)]
DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result
Check the number of UUIDs from remote device
Bug: 74016921
Test: manual
Change-Id: I1ca1f66bfc935f5fd219e8147511bdac7d2789ef
(cherry picked from commit 67ec216daa43f71adf103de6c4156c5a892c1460)
Hansong Zhang [Fri, 30 Mar 2018 23:27:37 +0000 (16:27 -0700)]
DO NOT MERGE Fix unexpected behavior in smp_sm_event
Bug: 74121126
Test: manual
Change-Id: Ie5dd841d6461ad057c4ab572007f38c5446aba53
(cherry picked from commit 652798b2f2d6c90e0fc95c00ccfb91e2870b03d4)
Chih-Wei Huang [Fri, 13 Jul 2018 06:33:56 +0000 (14:33 +0800)]
Merge tag 'android-8.1.0_r41' into oreo-x86
Android 8.1.0 Release 41 (OPM6.171019.030.E1)