OSDN Git Service
Hansong Zhang [Thu, 7 Jun 2018 21:25:09 +0000 (14:25 -0700)]
HID Host: Check L2CAP packet data length
Bug:
80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit
ca47a05acb66218ff2123f8d4642961f7f2eb5e2)
Jakub Pawlowski [Fri, 22 Jun 2018 05:56:11 +0000 (22:56 -0700)]
Add packet length checks in l2cble_process_sig_cmd
Bug:
80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit
02f47a752c818277b31852e3ff940764d5c7f9c7)
Hansong Zhang [Thu, 12 Jul 2018 17:44:29 +0000 (10:44 -0700)]
Fix OOB read in process_l2cap_cmd
Test: manual
Bug:
79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
(cherry picked from commit
5bb66307b555b17d1764e116316ce50c687c9653)
Myles Watson [Tue, 29 May 2018 23:55:58 +0000 (16:55 -0700)]
DO NOT MERGE: SDP: Recalculate param_len after max_list_len
Bug:
78136869
Test: manual connection to an A2DP device
Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
(cherry picked from commit
9cc9eea21c7868034242b7ab8be750c565e46bfd)
Jakub Pawlowski [Fri, 22 Jun 2018 11:46:39 +0000 (04:46 -0700)]
SDP: return error on offset bigger than atribute length
Test: none
Bug:
79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit
0a74ffa44cbe48f674387cc951e6011c28ca003c)
syphyr [Fri, 17 Aug 2018 18:31:58 +0000 (20:31 +0200)]
GATT: Use correct logging macro replacement
The original commit used the LOG(ERROR) macro and
GATT_TRACE_ERROR is the proper replacement for it.
Fixes: GATT: Handle too short Error Response PDU
Change-Id: I4460ab6215865b605faed5e640bf4fe47a5e4be8
akirilov [Mon, 21 May 2018 19:56:17 +0000 (12:56 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
Bug:
74075873
Test: manual test (poc in bug)
Change-Id: I56e87cfdf8731acca00cefac98abb2ba06f6e7ed
(cherry picked from commit
3575ba8ca36dccf7dcdb2dbf16ed170d549911d3)
Jakub Pawlowski [Thu, 24 May 2018 15:59:34 +0000 (08:59 -0700)]
Add PDU size checks in process_service_search_attr_rsp
Bug:
79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
(cherry picked from commit
980f6427b183e013958acd6b70e91f58177408a6)
Jakub Pawlowski [Wed, 23 May 2018 17:19:53 +0000 (10:19 -0700)]
GATT: Handle too short Error Response PDU
Since the spec is not clear what to do in this case, use one of
reserved error codes as a failure reason, and pass it to upper layers.
Bug:
79591688
Change-Id: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
Merged-In: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
(cherry picked from commit
f63c4b652b3231c2b4907bffd13410c6eb2aa760)
Pavlin Radoslavov [Thu, 31 May 2018 00:56:14 +0000 (17:56 -0700)]
Add checks whether the AVDTP element data length is valid
Bug:
78288378
Test: Manual: Python script and extra logging
Change-Id: I715b5977c833d33ff798f008fbf244effa13ea1f
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit
9b3f96f50287d8789aff6d6895d7ae02ca6ac619)
(cherry picked from commit
ee30c88a8d49b30860d35b34a57c3037a4045678)
Jack He [Fri, 1 Jun 2018 21:00:42 +0000 (14:00 -0700)]
BNEP: Fix OOB access in bnep_data_ind
* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
is most likely triggered
Bug:
78286118
Bug:
79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
BNEP_EXTENSION_CONTROL packet
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit
3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit
0416340ffa61337dbaa2f6602ef85a1c32563ec2)
Jakub Pawlowski [Tue, 29 May 2018 23:17:32 +0000 (16:17 -0700)]
Decrease length after reading from array in process_service_attr_req
Test: compilation
Bug:
78136677
Change-Id: I4807a350e2b4764a93f104ce88f23a957a7e85c0
(cherry picked from commit
6cd2e8bf6e5707e8e77e7aca6519c58200ee58db)
Hansong Zhang [Wed, 30 May 2018 00:38:39 +0000 (17:38 -0700)]
DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_event
Bug:
80145946
Test: manual
Change-Id: Ic83eaa4be868d5a345d80cd50a6915c0af719a53
(cherry picked from commit
519b61392a96fbd45bdcc0bfddc881167c20cc23)
Andre Eisenbach [Thu, 1 Mar 2018 21:27:01 +0000 (13:27 -0800)]
DO NOT MERGE SMP: Validate remote elliptic curve points
Fixes:
72377774
Test: net_test_stack_smp (where applicable)
Change-Id: Iefcf97364493467075fadefd77d12716f71cd4f6
(cherry picked from commit
9181ec28da94705a763edbe60bd2a87e5f882beb)
(cherry picked from commit
e11ebfc21963ae905d58c034310efeca0e7cd2ee)
(cherry picked from commit
fa3d7e1f784d3bdbf8f9d8b572a60696289211b1)
Hansong Zhang [Thu, 26 Apr 2018 22:50:53 +0000 (15:50 -0700)]
DO NOT MERGE Prevent stack overflow in btif_storage
Bug:
73963551
Test: manual
Change-Id: I5f7a583aad150ebf9e3d492181d80ca935c8aa3f
(cherry picked from commit
e8d311224277e9db5dc94cb94929125992f546f3)
CVE-2018-9430
Ajay Panicker [Fri, 11 May 2018 19:03:07 +0000 (12:03 -0700)]
DO NOT MERGE: Check number of attributes before writing to a buffer
Bug:
73824150
Test: Compile
Change-Id: I2a28a503cd74758e707d1e591b55c278d2299f45
(cherry picked from commit
f6db54f071f6974e18b10bb0c2cfcf397cd4c980)
CVE-2018-9418
Hansong Zhang [Fri, 11 May 2018 18:36:29 +0000 (11:36 -0700)]
DO NOT MERGE AVRC: Add bound check for AVRC_EVT_APP_SETTING_CHANGE
Test: manual
Bug:
73782082
Change-Id: I4e384a2f8c0d8c4af03bd5865b2e907321419c86
(cherry picked from commit
0061dd6ae30ebcebce695c212c8bc0ceb276710e)
CVE-2018-9413
Ajay Panicker [Fri, 13 Apr 2018 00:03:09 +0000 (17:03 -0700)]
Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
Bug:
74121659
Test: Compiles
Change-Id: Idf58e7b25b41ae1bd43cdd51de424b18e03cc7e8
(cherry picked from commit
ca4f8a18bce9331360144f1dbc51db1e2525bcc3)
CVE-2018-9419
Hansong Zhang [Fri, 30 Mar 2018 23:27:37 +0000 (16:27 -0700)]
DO NOT MERGE Fix unexpected behavior in smp_sm_event
Bug:
74121126
Test: manual
Change-Id: Ie5dd841d6461ad057c4ab572007f38c5446aba53
(cherry picked from commit
652798b2f2d6c90e0fc95c00ccfb91e2870b03d4)
CVE-2018-9365
Stanley Tng [Thu, 29 Mar 2018 00:12:28 +0000 (17:12 -0700)]
DO NOT MERGE Drop LE CoC fragments when frame size is too big
Drop the LE CoC data fragments when the received fragment size is too
big.
Test: Runs LE CoC SL4A test, BleCocTest.
Bug:
75298652
Merged-In: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
Change-Id: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
(cherry picked from commit
8365a2ace5e89d8b81bab468f0f9bc1137d773b4)
(cherry picked from commit
17db92e4fc3c7127c0ace625ff9735a9972eee70)
CVE-2018-9380
Hansong Zhang [Thu, 12 Apr 2018 22:50:28 +0000 (15:50 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Bug:
74202041
Bug:
74196706
Bug:
74201143
Test: manual
Change-Id: Ic25f7f3777d0375f76cc91e4d129b1636f1c388d
(cherry picked from commit
ff15adf5150527db1012b9f7777066522835e2db)
CVE-2018-9359, CVE-2018-9360, CVE-2018-9361
Stanley Tng [Thu, 5 Apr 2018 16:54:13 +0000 (09:54 -0700)]
[Backport] DO NOT MERGE Handle bad packet length in gatts_process_read_req
Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Please note that there is another earlier CL that is reverted and this
is the updated one.
Bug:
73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit
cc9c7330d1c3507d745170ae7b2e0546197b7acb)
(cherry picked from commit
16f4c21be5bd0ea1968eee8a0f00648b1e326253)
CVE-2018-9358
Hansong Zhang [Wed, 11 Apr 2018 23:04:51 +0000 (16:04 -0700)]
DO NOT MERGE Add bounds check for BNEP_Write
Bug:
74947856
Test: manual
Change-Id: If5db8c6b6e509a330ae74808fc3f0ffac137af14
(cherry picked from commit
ae9d06c1dc84db36c0c4a07fc56a1fbf008cd1ce)
CVE-2018-9357
Myles Watson [Wed, 21 Mar 2018 23:45:32 +0000 (16:45 -0700)]
PAN: Always allocate in bta_pan_data_buf_ind_cback
Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free. Move the free call to pan_data_buf_ind_cb().
Free the buffer before every return in pan_data_buf_ind_cb.
Bug:
74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
(cherry picked from commit
98232b084c66368234d19fafe3076bc1c0f1b578)
CVE-2018-9356
Hansong Zhang [Mon, 2 Apr 2018 17:05:56 +0000 (10:05 -0700)]
DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result
Check the number of UUIDs from remote device
Bug:
74016921
Test: manual
Change-Id: I1ca1f66bfc935f5fd219e8147511bdac7d2789ef
(cherry picked from commit
67ec216daa43f71adf103de6c4156c5a892c1460)
CVE-2018-9355
Ajay Panicker [Fri, 2 Feb 2018 09:26:34 +0000 (01:26 -0800)]
AVRCP: Initialize buffer for attribute values to be written to
Test: Build
Bug:
71603553
Change-Id: I978270605cfaa3b833d6c19f1b1d2cd5a82ac079
(cherry picked from commit
e36d6f8edceed860929901b6c49c1964a1ac563f)
(cherry picked from commit
1696f97011f5f30f1a630f3b24442ca64232b1f5)
Myles Watson [Fri, 12 Jan 2018 01:43:40 +0000 (17:43 -0800)]
SDP: Check p_req_end before reading from p_req
Bug:
69384124
Test: Connect a headset
Change-Id: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
Merged-In: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
(cherry picked from commit
dd856fbc4ade8f7d78873db3533b4c9fd7c6d612)
(cherry picked from commit
72b1cebaa9cc7ace841d887f0d4a4bf6daccde6e)
Hansong Zhang [Fri, 9 Feb 2018 22:16:59 +0000 (14:16 -0800)]
DO NOT MERGE Truncate new line characters when adding string to config
Bug:
70808273
Test: test with a device with newline character in name
Change-Id: I8729e12ad5851ee1ffbcb7c08e9a659f768ffc21
(cherry picked from commit
dd9bbfc2458569d9fecf35f7503d1b89b4c69aa0)
(cherry picked from commit
7f8bfcc35285ca6e93a4436699bc95c13b920caf)
mh0rst: Port to C
Ajay Panicker [Thu, 11 Jan 2018 00:58:16 +0000 (16:58 -0800)]
AVRCP: Check the number of text value attributes requested
Test: Builds
Bug:
69479009
Change-Id: I184ddfdb56c15c2b07d52a2624240738efb4d207
(cherry picked from commit
6313da35abc93fcfb783c68f2e02427df9928ecf)
(cherry picked from commit
57dc5964428697a104988f0aa0d1fd1d88fec939)
Ajay Panicker [Fri, 2 Feb 2018 09:11:37 +0000 (01:11 -0800)]
AVRCP: Check number of text attribute values in response
Test: Build
Bug:
71603410
Change-Id: I6f822b0bc7fc2fb042a70b64cff61583a86b36e2
(cherry picked from commit
4cd518cb3f8ac6ccb43c94a441bee67e041d0dd5)
(cherry picked from commit
e4ec79be45304f819c88c8dbf826d58b68f6c8f8)
Ajay Panicker [Fri, 2 Feb 2018 08:56:43 +0000 (00:56 -0800)]
AVRCP: Check number of text attributes in response
Test: Build
Bug:
71603315
Change-Id: Ieda5e410057062533ae09bd977bfe7f758a55140
(cherry picked from commit
658fd1b7c4ee959e42c20a2f1cfb7d895f94f6d2)
(cherry picked from commit
6ecbbc093f4383e90cbbf681cd55da1303a8ef94)
Eric Meddaugh [Tue, 3 Apr 2018 11:22:52 +0000 (07:22 -0400)]
bt: Fix 32k sbc_codec.sampling_rate
* 3200 is not 32k
Change-Id: Ie51d9f82f9de791f8cf1ffd9085c98326787133f
Myles Watson [Thu, 11 Jan 2018 22:20:26 +0000 (14:20 -0800)]
BNEP: Check received frame type
Bug:
68818034
Test: build
Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
(cherry picked from commit
b910734a55fd3babf71b049d5638bf86f81d7c1e)
(cherry picked from commit
ae12fc48fa6c7a114234afa055ab1cd630d6da8d)
Stanley Tng [Wed, 10 Jan 2018 21:13:15 +0000 (13:13 -0800)]
Remove memory reference to invalid mem in error log
Remove the memory reference to an invalid memory inside an error log
message.
Test: Edit code to force the error condition and make sure the new error
log does not crashed.
Bug:
67058064
Merged-In: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
Change-Id: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
(cherry picked from commit
11cd7277a1d0da9013a8381cddbfc096e9adaed6)
(cherry picked from commit
d10bc94f5ec64122382ed73a261c5f4d0a0fa195)
(cherry picked from commit
49a57cd2346a716eca07153ac83026787fb9d03a)
Myles Watson [Fri, 12 Jan 2018 04:43:47 +0000 (20:43 -0800)]
SDP: Include the offset in sdp_disc_server_rsp
The commit
SDP: Pass the bounds to process_service_*_rsp
with the change ID
Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
omitted the offset when calculating the end of the message.
Bug:
68161546
Test: Connect a headset
Change-Id: I6266b51e3871ed6ce9932161e4ab66de90af4ce6
(cherry picked from commit
1ff9151b7de9cff6aab3919d151542e7244cc0e5)
Merged-In: I6266b51e3871ed6ce9932161e4ab66de90af4ce6
(cherry picked from commit
c379fc0f7a158e7028771bcf9dea19987f771a8e)
(cherry picked from commit
1313abd1761c39e8619a77964f8c42e3e72b5fee)
Myles Watson [Wed, 10 Jan 2018 22:16:15 +0000 (14:16 -0800)]
SDP: Pass the bounds to process_service_*_rsp
Test: build
Bug:
68161546
Change-Id: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
(cherry picked from commit
3c7bd5a8453110a7bd1351648c5a4001b99afa70)
(cherry picked from commit
0627e76edefd948dc3efe11564d7e53d56aac80c)
Hansong Zhang [Wed, 10 Jan 2018 21:43:25 +0000 (13:43 -0800)]
Fix unexpected behavior in reading BNEP packets
Bug:
67863755
Bug:
69177251
Bug:
69177292
Bug:
69271284
Test: BNEP still works
Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372
(cherry picked from commit
9844ddac4c0aaf217326c56f2814d145c11eb042)
(cherry picked from commit
a50e70468c0a8d207e416e273d05a08635bdd45f)
Myles Watson [Wed, 10 Jan 2018 17:51:28 +0000 (09:51 -0800)]
PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
Patch from b/
67078939
Test: build
Bug:
67110692
Change-Id: I63b857d031c55d3a0754e4101e330843eb422b2a
(cherry picked from commit
2a18e724b2bf101ea38a5b089de56842107c8369)
(cherry picked from commit
08e68337a9eb45818d5a770570c8b1d15a14d904)
Ajay Panicker [Thu, 11 Jan 2018 00:12:50 +0000 (16:12 -0800)]
AVRCP: Check the number of text attributes requested
Test: Build
Bug:
69478941
Change-Id: Ibc456511c8d7339213f08b07d70f5e25be140d68
(cherry picked from commit
249bb665b1020e81547246f5b29ed9040d696388)
(cherry picked from commit
2f2043f18463a5c963c138d24346870b1066e7a6)
Pavlin Radoslavov [Fri, 12 Jan 2018 01:28:16 +0000 (17:28 -0800)]
Allocate/free the SDP connection timers only during stack startup/shutdown
This avoids freeing the sdp_conn_timer within the alarm callback itself.
Bug:
67110137
Test: Manual
Change-Id: I775b4b532cd42cf207258c53c6052a167a124627
Merged-In: I775b4b532cd42cf207258c53c6052a167a124627
(cherry picked from commit
ef6a4a0c9d9220a7d909863349d7a0c0b967d54c)
(cherry picked from commit
0dbe21d88e05a43d6882248144e4e9128f4c1928)
(cherry picked from commit
ec16f7d8c7e359a68ffe6b76e88add2210bf2cbd)
Pavlin Radoslavov [Mon, 8 Jan 2018 19:37:05 +0000 (11:37 -0800)]
Removed alarm callback execution statistics
Updating the alarm state after the callback returns can be problematic
in case the callback itself deleted the alarm.
Bug:
67110137
Test: Manual
Change-Id: Id4de06eebedb792cadd63d09efb68672e9bddc69
Merged-In: Id4de06eebedb792cadd63d09efb68672e9bddc69
(cherry picked from commit
04574e1cde3b0d46b59b4b6ebab935ac60af9f97)
(cherry picked from commit
90ffe3f90a7589e4ff9e5e8bdf353cdcdfe88764)
(cherry picked from commit
935ee775421e0c8a14f26669d9ab99f110ceb7d5)
Hansong Zhang [Wed, 10 Jan 2018 01:16:35 +0000 (17:16 -0800)]
Fix unexpected behavior in SDP
Bug:
68776054
Bug:
68817966
Test: Bluetooth SDP still works
Change-Id: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
(cherry picked from commit
5d6b1b1316afecebd939f77e3d01ab0a400e68a9)
(cherry picked from commit
f0edf6571d2d58e66ee0b100ebe49c585d31489f)
Scott Bauer [Fri, 7 Apr 2017 00:35:40 +0000 (18:35 -0600)]
Read the correct amount of attributes
bta_gattc_cache_load currently attempts to read 0xFF attributes into an
allocation sized to num_attr attributes, which can be smaller than 0xFF.
There aren't more than num_attr bytes in correct data, but this breaks
with dynamic buffer overflow checking in CopperheadOS for the read
system call since fread ends up calling read, which obtains the size of
the allocation from the malloc implementation and then aborts due to the
(potential) overflow.
This would also fail with the default enabled _FORTIFY_SOURCE=2 feature
in the Android Open Source Project if osi_malloc was marked with the
alloc_size attribute. The way it wraps malloc loses that information so
fortify checks aren't done for calls like this.
Bug:
37160362
Change-Id: I68bd170d5378c9d9d21cbda376083bc0b857e15c
Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
[migrated to C++ file, added 0xFFFF limit and wrote commit message]
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
(cherry picked from commit
68a1cf1a9de115b66bececf892588075595b263f)
Andre Eisenbach [Tue, 8 Aug 2017 22:41:21 +0000 (15:41 -0700)]
SDP: Bounds check 'id' parameter for free_sdp_slot()
Test: manual
Fixes:
37502513
Change-Id: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7
(cherry picked from commit
b413f1b1365af4273647727e497848f95312d0ec)
Dan Pasanen [Fri, 6 Oct 2017 13:31:00 +0000 (08:31 -0500)]
Fix allocating buffers of the right size when BT_HDR is included
Missed in
8825957cc44b705c782c8b2d33c87a66e02376f6
Change-Id: I5d631f609578ef8e4e2626d7f4a1cc77a6d90ecf
Pavlin Radoslavov [Tue, 18 Jul 2017 01:12:10 +0000 (18:12 -0700)]
Add missing extension length check while parsing BNEP control packets
Bug:
63146237
Test: External script
Change-Id: I4e519cec1c7dffb8bd42add00bd891e0969a3d9f
(cherry picked from commit
9ab89b7dbe5735b796799f65144efa48595d0230)
(cherry picked from commit
dc7700a43189d2a8607b69ae19a6d646f11ddf51)
(cherry picked from commit
c7874f25a0557ca4413d8db80bab8da842fc389a)
(cherry picked from commit
187bd8aec0aae63c6328981041e5ec7764ece6a9)
(cherry picked from commit
01f46e0aff705dab350cda7f648fb94976ea3988)
(cherry picked from commit
e07d37969e654fd6be308232b15c1ed716205543)
Pavlin Radoslavov [Tue, 18 Jul 2017 00:21:16 +0000 (17:21 -0700)]
Free p_pending_data from tBNEP_CONN to avoid potential memory leaks
Bug:
63146105
Test: External script
Change-Id: I1281779ccf38d1d2dfb1a6dc0e45c0e533cabbca
Merged-In: I1281779ccf38d1d2dfb1a6dc0e45c0e533cabbca
(cherry picked from commit
4982eb5df30cbcbee5c8b8807be95fdc6dfa63c5)
(cherry picked from commit
a654681c5558904a8abfa1bbab8eafb651c13231)
(cherry picked from commit
64a12d3b6e71d9161837f28ce18c34d924c2bafc)
(cherry picked from commit
8f18afd26c02ae3d46bf14d6e36017965dee0394)
(cherry picked from commit
f8fc7f7d112d5ff2064aaaa3c7fceb077169183e)
Pavlin Radoslavov [Thu, 13 Jul 2017 00:33:42 +0000 (17:33 -0700)]
Add a missing check for PAN buffer size before copying data
Bug:
63146237
Test: External script
Change-Id: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
Merged-In: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
(cherry picked from commit
1d909399cb4259243dac2e531e3ce6ca1afa77e7)
(cherry picked from commit
aa486ad8b5ad6eaef732e5fa7f151495c8c3faf2)
(cherry picked from commit
a8a6a17fdfc8d930ba4ad18f92cf4453cc1a219e)
(cherry picked from commit
d1145e0af3507e37d4bd25f1833e22c5c716f0ac)
(cherry picked from commit
23642dc32ce8704067882cfb37745b62c2b3562a)
Pavlin Radoslavov [Thu, 13 Jul 2017 02:10:12 +0000 (19:10 -0700)]
Add missing packet length checks while parsing BNEP control packets
Bug:
63146237
Test: External script
Change-Id: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
Merged-In: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
(cherry picked from commit
7feaeb006941a1494d7cdc0a2ffc4bb1004b38b4)
(cherry picked from commit
6d415839da570b94b0763f6ab444f0dd1321fc33)
(cherry picked from commit
c68554feb3ddfd31cdec6d81a4b73a959c1b2a09)
(cherry picked from commit
3775b3c49e5d62349fd1f3dfb743fabadb43ea75)
(cherry picked from commit
f31afd3836184edccdfc8393dc4d168b0cfd912b)
Pavlin Radoslavov [Thu, 13 Jul 2017 01:56:03 +0000 (18:56 -0700)]
Add missing continuation offset check for SDP continuation requests
Bug:
63146698
Test: External script
Change-Id: Iea52f1689dc12bfe0d4b57996f17db4bc3bd5983
Merged-In: Iea52f1689dc12bfe0d4b57996f17db4bc3bd5983
(cherry picked from commit
e776c834768bedd043ace7e5714390b61c96a248)
(cherry picked from commit
10ce685cb025f6854be4ecc5329f2f684fd9ea5d)
(cherry picked from commit
3488364721ec066a03af14076bd312d27173115d)
Pavlin Radoslavov [Thu, 13 Jul 2017 01:39:31 +0000 (18:39 -0700)]
Disable PAN Reverse Tethering when connection originated by the Remote
* Check for valid interactions between the three PAN profile roles per
Table 1 in PAN Profile v1.0 spec.
* Explicitly disable connections to the local PANU if the remote is
not PANU.
Bug:
63145701
Test: External script
Change-Id: I29a7e404ba7e4453b6a7c59148a2b3eb7395303a
Merged-In: I29a7e404ba7e4453b6a7c59148a2b3eb7395303a
(cherry picked from commit
9aea2c2f92dd5245f6b35d564ce8e471fec2b4ec)
(cherry picked from commit
3f2ee5b546b65b5b021779588316249276ed3827)
(cherry picked from commit
40c7cefb12ac1a70bf7b1c770c1ab21a5b3f229e)
(cherry picked from commit
f7a7f7a948e38195e8ca897785ac5d489082f0cc)
(cherry picked from commit
b40497b27a0dce81d11f0dca09af6d81abf4bd92)
Pavlin Radoslavov [Thu, 6 Jul 2017 20:39:02 +0000 (13:39 -0700)]
Allocate buffers of the right size when BT_HDR is included
Bug:
63146105
Test: External script
Change-Id: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
Merged-In: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
(cherry picked from commit
d88838a7237cd672d87b6b9cc8d56fff625fd1d5)
(cherry picked from commit
b648c7dfe45c57842d58576f558fdf8edff10bec)
(cherry picked from commit
338e0485940ab278e6a2dc12285ba0798b79cfa4)
(cherry picked from commit
510697a0d79ac9816c0e2717c357c3330d89645a)
Dan Pasanen [Mon, 7 Aug 2017 20:09:26 +0000 (15:09 -0500)]
Revert "Merge tag 'LA.UM.5.5.r1-05300-8x96.0' into cm-14.1"
This reverts commit
b30e393e03d2cf58b05257d4bdae5c6f910fa20d, reversing
changes made to
331fc1e269eeda17dd649c71115e49e97d2b16ba.
Change-Id: I6829ecb512561d2ba68adac3fe5353004e53b15b
Dan Pasanen [Thu, 27 Jul 2017 15:44:37 +0000 (10:44 -0500)]
Merge tag 'LA.UM.5.5.r1-05300-8x96.0' into cm-14.1
"LA.UM.5.5.r1-05300-8x96.0"
Change-Id: I694c157134399f72d9178d18e988a17f7fcc8814
Linux Build Service Account [Sun, 9 Jul 2017 08:13:48 +0000 (01:13 -0700)]
Merge
61578191af535415104b2b1a5c9b9691430d289a on remote branch
Change-Id: I1f6c956ffaff2b7429b50aafd63a35499e8d9391
Linux Build Service Account [Fri, 30 Jun 2017 08:29:57 +0000 (02:29 -0600)]
Promotion of bt.lnx.2.1.c1-00059.
CRs Change ID Subject
--------------------------------------------------------------------------------------------------------------
2062337 I3ceea4f035a115985d692d30f39c3a0e4729a323 AV: Use separate AV sig timeout timer for dual connectio
Change-Id: I0b1df6756bec57a50812c07de2c9086aed68645d
CRs-Fixed:
2062337
CNSS_WLAN Service [Fri, 30 Jun 2017 07:28:47 +0000 (00:28 -0700)]
Merge "AV: Use separate AV sig timeout timer for dual connections." into bt.lnx.2.1.c1-dev
Linux Build Service Account [Fri, 23 Jun 2017 09:56:07 +0000 (03:56 -0600)]
Merge
e6ba9c4225b7639ce152017fa78356551d8756d8 on remote branch
Change-Id: Iffaf6d12087d527a6694cbc0221aaedb51ade44e
Linux Build Service Account [Mon, 19 Jun 2017 10:11:49 +0000 (04:11 -0600)]
Promotion of bt.lnx.2.1.c1-00058.
CRs Change ID Subject
--------------------------------------------------------------------------------------------------------------
2005284 Ic1debdee4b2140eb6400fecbaacb5909fbce6535 BT : Introduced an internal queue in hci thread to hold
2033948 I43f47e61a31cf917a4ddc1a9e6c5c13a25f8730d SDP: Dont start SDP search with invalid BD Addr
Change-Id: I1ea61f551a23b1b36492188a1f6c177caca3f135
CRs-Fixed:
2005284,
2033948
Linux Build Service Account [Sat, 17 Jun 2017 03:21:52 +0000 (20:21 -0700)]
Merge "BT : Introduced an internal queue in hci thread to hold commands"
Sumit Bajpai [Wed, 14 Jun 2017 08:45:25 +0000 (14:15 +0530)]
AV: Use separate AV sig timeout timer for dual connections.
In dual a2dp connection scenario, if both remote devices
initiate connection at same time, DUT replaces AV signalling
timeout timer which started for 1st device when avdtp l2cap
sig channel was established with that of 2nd device when
its channel is established. In case remote1 doesn't start
AV signalling procedure hence, then DUT also fails to do
so as timer for remote1 was lost. The fix keeps two separate
timers for two connections.
Change-Id: I3ceea4f035a115985d692d30f39c3a0e4729a323
CNSS_WLAN Service [Fri, 16 Jun 2017 05:55:44 +0000 (22:55 -0700)]
Merge "SDP: Dont start SDP search with invalid BD Addr" into bt.lnx.2.1.c1-dev
Bandari Ramesh [Fri, 31 Mar 2017 12:45:00 +0000 (18:15 +0530)]
BT : Introduced an internal queue in hci thread to hold commands
- Added an internal queue to avoid making hci thread busy
due to unavailability of credits.
CRs-Fixed:
2005284
Change-Id: Ic1debdee4b2140eb6400fecbaacb5909fbce6535
Gabriele M [Mon, 12 Jun 2017 20:49:48 +0000 (22:49 +0200)]
bt: Disable AVRCP 1.6
Some car-kits won't display audio metadata if AVRCP 1.6 is enabled.
Disable it so that AVRCP 1.4 is instead used.
This change also fixes the build without AVRCP 1.5 and AVRCP 1.6
support enabled.
REGRESSION-130
Change-Id: I83323291a0f3a4dcfecb914a02b675366768059a
Linux Build Service Account [Sun, 11 Jun 2017 09:30:30 +0000 (03:30 -0600)]
Merge
0ebd2aa961dec52be53c255c47d478f0c52bbe48 on remote branch
Change-Id: I18ae4b4790902db3fe1bf0aff5ebd2db62780247
Linux Build Service Account [Fri, 9 Jun 2017 13:11:03 +0000 (07:11 -0600)]
Promotion of bt.lnx.2.1.c1-00057.
CRs Change ID Subject
--------------------------------------------------------------------------------------------------------------
2050966 Id624f0eb656dc782948d14542e4d321abff4339f Fix: btapp will crash when pair request from both DUT &
2054878 Ied08635e3f786a175dab192a5aba069f33d3f36f RFCOMM: stop multiplexer disconnect timer while reconnec
Change-Id: I62ff1687eb03958327a1638c3eaa238eaaf6934c
CRs-Fixed:
2050966,
2054878
CNSS_WLAN Service [Fri, 9 Jun 2017 11:32:26 +0000 (04:32 -0700)]
Merge "Fix: btapp will crash when pair request from both DUT & Remote device simultaneously" into bt.lnx.2.1.c1-dev
Dan Pasanen [Mon, 5 Jun 2017 23:29:52 +0000 (18:29 -0500)]
Merge tag 'android-7.1.2_r17' into cm-14.1
Android 7.1.2 Release 17 (NJH47B)
# gpg: Signature made Fri 02 Jun 2017 05:09:10 PM CDT
# gpg: using DSA key
E8AD3F819AB10E78
# gpg: Can't check signature: No public key
Tim Jiang [Tue, 23 May 2017 10:07:24 +0000 (06:07 -0400)]
Fix: btapp will crash when pair request from both DUT & Remote device simultaneously
Invalid p_rec_dev->p_callback pointer cause this issue.
CRs-Fixed:
2050966
Change-Id: Id624f0eb656dc782948d14542e4d321abff4339f
zhenchao [Thu, 18 May 2017 08:11:26 +0000 (16:11 +0800)]
RFCOMM: stop multiplexer disconnect timer while reconnect DLC
In very low rate, re-send file failed due to rfcomm multiplexer
disconnect timer timeout while reconnect RFCOMM DLC. During
reconnection, sender sent SABM to establish DLC and await UA.
But multiplexer disconnect timer of receiver timeout so that
rfcomm connection disconnect.
Change-Id: Ied08635e3f786a175dab192a5aba069f33d3f36f
CRs-Fixed:
2054878
Linux Build Service Account [Wed, 31 May 2017 06:40:50 +0000 (00:40 -0600)]
Promotion of bt.lnx.2.1.c1-00054.
CRs Change ID Subject
--------------------------------------------------------------------------------------------------------------
2018001 I41682be1476d4c1c4ee58061407b94cfd2a2657a Cancel the link idle timer during gatt_connect
Change-Id: Idf3650c26fcb7032f701dc062925dd0f1f2dacaa
CRs-Fixed:
2018001
Linux Build Service Account [Tue, 30 May 2017 21:12:58 +0000 (14:12 -0700)]
Merge "Cancel the link idle timer during gatt_connect"
Linux Build Service Account [Sun, 28 May 2017 11:32:38 +0000 (05:32 -0600)]
Merge
02e8947d1008393252b9169c53a7be9319ff93ba on remote branch
Change-Id: I1806eda43ecaf15d5f5da047762a5fdbb318869b
Linux Build Service Account [Wed, 17 May 2017 09:20:35 +0000 (03:20 -0600)]
Promotion of bt.lnx.2.1.c1-00053.
CRs Change ID Subject
--------------------------------------------------------------------------------------------------------------
2017829 I04ec116773bd8bfd033c76e9645acc06138b52e0 Fix time consuming doing Bluetooth OFF/ON while a2dp ste
2039987 Ieff690edd3aa527a0639483ec8e1e3b661f0ecc4 resolve merge conflicts of
a3ee2e35 to nyc-dev
Change-Id: Ia9e80ba5c1eca5ac8efe68c6f7630540c0011086
CRs-Fixed:
2017829,
2039987
CNSS_WLAN Service [Wed, 17 May 2017 07:32:28 +0000 (00:32 -0700)]
Merge "Fix time consuming doing Bluetooth OFF/ON while a2dp steaming." into bt.lnx.2.1.c1-dev
Linux Build Service Account [Sat, 13 May 2017 11:39:27 +0000 (04:39 -0700)]
Merge "resolve merge conflicts of
a3ee2e35 to nyc-dev"
Linux Build Service Account [Fri, 12 May 2017 10:33:34 +0000 (04:33 -0600)]
Promotion of bt.lnx.2.1.c1-00052.
CRs Change ID Subject
--------------------------------------------------------------------------------------------------------------
2038030 I7fdb0433353ba5793470313d205a68e8eb3fb5ac SDP: Add logic to downgrade PBAP version for blacklisted
2031104 Ic7f0bb53dce9fe1b72bf34c61c0b6ea3daf1e025 Configure correct remote MTU
1095999 I7bcff61d36249fd1a2d2101ec4745b7f7426fe0f Fix timestamp error in btsnoop log
Change-Id: I753581064525c4773fa11f12ed9fc0787412eb6a
CRs-Fixed:
1095999,
2031104,
2038030
Pavlin Radoslavov [Tue, 14 Mar 2017 21:46:15 +0000 (14:46 -0700)]
resolve merge conflicts of
a3ee2e35 to nyc-dev
Bug:
34946955
Change-Id: Ieff690edd3aa527a0639483ec8e1e3b661f0ecc4
Merged-In: I0b6f50dee05a58db8c043b4d01fb58c9acbeede9
(cherry picked from commit
1c6662b6263298b97122ab308d8dde1d5ed66ef7)
siminy [Tue, 25 Apr 2017 07:03:10 +0000 (15:03 +0800)]
SDP: Add logic to downgrade PBAP version for blacklisted device
As some remote devices go in bad state on parsing PBAP 1.2 SDP record.
Add them to PBAP version downgrade blacklist.Upgrade PBAP version
downgrade logic from to include name based blacklist and also remove
SDP attributes not suppported in PBAP 1.1 specifications like
GoepL2capPsm, SupportedFeatures.
CRs-Fixed:
2038030
Change-Id: I7fdb0433353ba5793470313d205a68e8eb3fb5ac
Linux Build Service Account [Mon, 8 May 2017 08:31:52 +0000 (02:31 -0600)]
Merge
4316cf4e1fc0e2dcb7cdc94eae2ae335c95a01fe on remote branch
Change-Id: I4f50eee012ed6105d0477957bf68e32e1ca8257a
juncao [Fri, 10 Mar 2017 08:19:15 +0000 (16:19 +0800)]
Fix time consuming doing Bluetooth OFF/ON while a2dp steaming.
When BT off, DUT send the avdtp suspend cmd to remote, at the same time
BT also do BREDR cleanup work, it shall make av state machine goes
into closing state. It will not repsonde to suspend response from remote,
hence the A2DP COMMND form audio HAL doesn't got ACK. The fix shall
ACK the pending command before clear the UIPC channel.
Change-Id: I04ec116773bd8bfd033c76e9645acc06138b52e0
CRs-Fixed:
2017829
Linux Build Service Account [Fri, 5 May 2017 11:19:49 +0000 (04:19 -0700)]
Merge "Fix timestamp error in btsnoop log"
Linux Build Service Account [Fri, 5 May 2017 11:19:48 +0000 (04:19 -0700)]
Merge "Configure correct remote MTU"
Timm Korte [Mon, 1 May 2017 16:05:50 +0000 (18:05 +0200)]
Do not include the trailing NULL from the C-String in the SDP service name
Change-Id: Ia9e589cafda38705ea1e1a163665d157748661b1
zhenchao [Thu, 1 Dec 2016 09:43:43 +0000 (17:43 +0800)]
Fix timestamp error in btsnoop log
Overflow occurs while caculate the time of packet arrival.
Type convert timestamp to 64-bit unsigned integer to avoid
overflow issue.
CRs-Fixed:
1095999
Change-Id: I7bcff61d36249fd1a2d2101ec4745b7f7426fe0f
Dan Pasanen [Mon, 1 May 2017 23:30:11 +0000 (18:30 -0500)]
Merge tag 'android-7.1.2_r8' into cm-14.1
Android 7.1.2 release 8
# gpg: Signature made Mon 01 May 2017 10:39:12 AM CDT
# gpg: using DSA key
E8AD3F819AB10E78
# gpg: Can't check signature: No public key
Linux Build Service Account [Thu, 27 Apr 2017 20:19:51 +0000 (14:19 -0600)]
Promotion of bt.lnx.2.1.c1-00049.
CRs Change ID Subject
--------------------------------------------------------------------------------------------------------------
2020549 I29cf2824d12a26aaedde31e156f1b7bf69af65e6 Fix HOGP report handling with HOGP devices
Change-Id: Ida529f2b6481183c814c5d28ac611f4c888f384e
CRs-Fixed:
2020549
Linux Build Service Account [Wed, 26 Apr 2017 17:42:17 +0000 (11:42 -0600)]
Promotion of bt.lnx.2.1.c1-00048.
CRs Change ID Subject
--------------------------------------------------------------------------------------------------------------
2019703 I89720e636acf645a6cd9288a45ac543d7cd3da21 Double Audio stream output buffer size.
2019822 I227659b7e6973589c72c50af46a54878bdab5b32 check controller state before handling gatt client reque
2029615 Ie052c7ecafe4816a8c2fbc212a3b52a25b08543c Fix BLE stability issues when BT is being turned off
2029248 I1e54ded102d38cd42b3df40d405205a79b08928b uipc: retry to create srv chan if EADDRINUSE error
Change-Id: Ic2cf93a7a9f487d32090d71ba452a8865ac7cba2
CRs-Fixed:
2029615,
2029248,
2019703,
2019822
Linux Build Service Account [Wed, 26 Apr 2017 16:49:12 +0000 (09:49 -0700)]
Merge "Fix HOGP report handling with HOGP devices"
CNSS_WLAN Service [Wed, 26 Apr 2017 13:01:25 +0000 (06:01 -0700)]
Merge "uipc: retry to create srv chan if EADDRINUSE error" into bt.lnx.2.1.c1-dev
Pradeep Panigrahi [Thu, 16 Mar 2017 05:35:28 +0000 (11:05 +0530)]
check controller state before handling gatt client request.
Add change to ensure that controller interface is ready before
trying to handle client request for cleaning up the client
interface . This will fix stability issues,where assert is
happening while we try to access controller module before its ready.
CRs-fixed:
2019822
Change-Id: I227659b7e6973589c72c50af46a54878bdab5b32
CNSS_WLAN Service [Tue, 25 Apr 2017 10:22:30 +0000 (03:22 -0700)]
Merge "Fix BLE stability issues when BT is being turned off" into bt.lnx.2.1.c1-dev
Venkata Jagadeesh Garaga [Fri, 14 Apr 2017 09:35:01 +0000 (15:05 +0530)]
SDP: Dont start SDP search with invalid BD Addr
When any profile initiates SDP search with null bd addr
connection fails with page time out and SDP state machine
will stuck in search active state until bt reset.
Hence dont allow any service search with NULL bd addr
Change-Id: I43f47e61a31cf917a4ddc1a9e6c5c13a25f8730d
juncao [Tue, 25 Apr 2017 09:44:16 +0000 (17:44 +0800)]
Configure correct remote MTU
Remote MTU shall be configured to L2CAP_DEFAULT_MTU if
there is no MTU in configuration request
Change-Id: Ic7f0bb53dce9fe1b72bf34c61c0b6ea3daf1e025
CRs-Fixed:
2031104
android-build-team Robot [Fri, 21 Apr 2017 20:42:40 +0000 (20:42 +0000)]
Merge cherrypicks of [
2007123,
2089669,
2072002,
2094113,
1989895,
2094094,
2017568,
2054111,
2054025,
2074928,
2066476,
2092431,
2053944,
2095243,
2092549,
2065088,
2007730,
2008313,
2053983,
2025333,
2094716,
2026590,
2059276,
2089422,
2080090] into nyc-mr2-pixel-monthly-release
Change-Id: I15905521312ca9db242ef3eb65125df80b4a9275
Jack He [Thu, 6 Apr 2017 00:59:58 +0000 (17:59 -0700)]
Check LE advertising data length before caching advertising records
Change-Id: Ib14ee8aa165b11002cdf82f86a1e547854c98347
android-build-team Robot [Fri, 21 Apr 2017 17:31:09 +0000 (17:31 +0000)]
release-request-
762540b1-1728-41bc-a9ce-
e977f3e2683f-for-git_nyc-mr2-pixel-monthly-release-
3888830 snap-temp-L22300000056915770
Change-Id: I6bcb0d7906f30abb7a42947d5f93b12a335a3e82
android-build-team Robot [Thu, 20 Apr 2017 22:39:41 +0000 (22:39 +0000)]
Merge cherrypicks of [
2089422,
2053944,
2094094,
2007730,
2072002,
2065088,
1989895,
2080090,
2026590,
2008313,
2089669,
2059276,
2094716,
2066476,
2053983,
2007123,
2017568,
2054111,
2054025,
2095243,
2092431,
2092549,
2025333,
2099168,
2074928] into nyc-mr2-pixel-monthly-release
Change-Id: Ibcb6be2c5641ce560673032d48ecaf7b3055b5e9
Jack He [Thu, 6 Apr 2017 00:59:58 +0000 (17:59 -0700)]
Check LE advertising data length before caching advertising records
Change-Id: I9d34dceaead4dde72c36842af477758462cca67c
Pradeep Panigrahi [Thu, 30 Mar 2017 19:15:22 +0000 (00:45 +0530)]
Fix BLE stability issues when BT is being turned off
Incorporates the following changes to take care of BLE
stability issues:
1) Third party apps are not in sync with bluetooth adapter and
sometimes call gatt client/server calls while bluetooth is
turning off, causing assert. Add change to not process the
application request at btif, if the bluetooth adapter is not
ready or is turning off.
2) return max adv instance count as 0 if controller interface is
not ready.
Change-Id: Ie052c7ecafe4816a8c2fbc212a3b52a25b08543c