OSDN Git Service
android-build-team Robot [Mon, 26 Nov 2018 17:21:00 +0000 (17:21 +0000)]
Merge cherrypicks of [
5610460,
5610582,
5610249,
5610250,
5610113,
5610163,
5610980,
5610981,
5610982,
5610983,
5610984,
5610461,
5610462,
5610463,
5610464,
5610114,
5610076,
5610985,
5610986,
5610251,
5610583] into oc-m8-release
Change-Id: I1404e0a821b4c44bd5a924a6e10dc3928672437f
Chienyuan [Thu, 11 Oct 2018 01:47:46 +0000 (09:47 +0800)]
DO NOT MERGE HFP: Check AT command buffer boundary during parsing
* add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback
and bta_ag_at_hfp_cback to indicate effective data range of p_arg
* add checks for buffer copy overflow in bta_ag_at_hsp_cback and
bta_ag_at_hfp_cback
* add packet legnth checks with p_end in bta_ag_parse_cmer
* add packet length checks with p_end in bta_ag_parse_bac
Bug:
112860487
Test: manual
Change-Id: I6bbbc2ba29ad025c7d3ba023d8191af6a11c4aa9
(cherry picked from commit
749063afebb8324276a47bdfbf320aa70f94a8ba)
(cherry picked from commit
9cb959d00d33737b399377cfc0f4070081d48f5e)
Myles Watson [Thu, 25 Oct 2018 21:33:33 +0000 (14:33 -0700)]
DO NOT MERGE: HH: Check parameter length in bta_hh_ctrl_dat_act
Bug:
116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit
ff8a52d8fefed1ba38f424b1db48a81d46cb7226)
Myles Watson [Thu, 25 Oct 2018 00:05:12 +0000 (17:05 -0700)]
DO NOT MERGE: SDP: Check p_end in save_attr_seq and add_attr
Bug:
115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit
2aad270709f01481e91f7fdaafbebee49130cd28)
Myles Watson [Thu, 25 Oct 2018 22:27:03 +0000 (15:27 -0700)]
DO NOT MERGE: MCAP: Check response length in mca_ccb_hdl_rsp
Bug:
116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit
f34d740521ec583b0089fdeca283748a809a9c1a)
Ugo Yu [Mon, 29 Oct 2018 16:47:04 +0000 (00:47 +0800)]
DO NOT MERGE: Fix possible OOB when AVDT data channel recive ACL data
Bug:
111450156
Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit
b0125caafec2183d73fc899ce5a8aee43a6e54af)
(cherry picked from commit
f349ff0c65523437b3f20ef54a7b0e5fd56364dc)
android-build-team Robot [Fri, 19 Oct 2018 16:33:43 +0000 (16:33 +0000)]
Merge cherrypicks of [
5313290,
5313323,
5313343,
5313415,
5313291,
5313441,
5313557,
5313344,
5313383,
5313384,
5313324,
5313325,
5313326,
5313294,
5313295,
5313296,
5313498] into oc-m8-release
Change-Id: If387e42363401bc4f4c362de2b66e910b38d7239
Jakub Pawlowski [Wed, 10 Oct 2018 17:35:37 +0000 (19:35 +0200)]
Fix possible OOB read
Bug:
74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit
6e6c347e798bf8195a9a02457edf871a97b1cfad)
Ugo Yu [Mon, 17 Sep 2018 07:59:30 +0000 (15:59 +0800)]
DO NOT MERGE - Check SDU lower bound before allocate p_data
Bug:
112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit
6fc96f847be808a4f38eae45b5e9bbc3f18b9a2d)
android-build-team Robot [Tue, 11 Sep 2018 23:09:09 +0000 (23:09 +0000)]
Merge cherrypicks of [
4995494,
4995495,
4995496,
4995497,
4997652,
4997881,
4997052,
4997883,
4995518,
4997653,
4997654] into oc-m8-release
Change-Id: I85beb831bb99d381e91572820887d034e9e4c942
Pavlin Radoslavov [Thu, 6 Sep 2018 01:21:31 +0000 (18:21 -0700)]
Check data length when parsing AVRCP vendor specific command responses
Bug:
111450531
Bug:
111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit
7439ea940354f65a147c4ecfce3bada49c688047)
Pavlin Radoslavov [Thu, 6 Sep 2018 22:41:27 +0000 (15:41 -0700)]
DO NOT MERGE - Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()
Bug:
111450417
Test: PoC test program
Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
(cherry picked from commit
2692408d05bf16738284b61833649cee5d2a2233)
android-build-team Robot [Thu, 30 Aug 2018 04:26:40 +0000 (04:26 +0000)]
Merge cherrypicks of [
4897833,
4897834,
4897835] into oc-m8-release
Change-Id: I67a29ac6b41042b98bf78c34151436502cc23c43
Hansong Zhang [Fri, 13 Jul 2018 20:45:46 +0000 (13:45 -0700)]
Fix a wrong check in rfc_parse_data
Bug:
78288018
Bug:
111436796
Test: manual
Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a
(cherry picked from commit
d1ced302cd1066087588c891027b1756be31db46)
Hansong Zhang [Thu, 7 Jun 2018 23:18:52 +0000 (16:18 -0700)]
Add bound check for rfc_parse_data
Bug:
78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit
6039cb7225733195192b396ad19c528800feb735)
android-build-team Robot [Thu, 16 Aug 2018 16:58:55 +0000 (16:58 +0000)]
Merge cherrypicks of [
4793902] into oc-m8-release
Change-Id: I91773bc663618ed079887b7501b81bfb21e7abfb
Hansong Zhang [Thu, 16 Aug 2018 16:46:45 +0000 (09:46 -0700)]
Fix build failure in stack/rfcomm/rfc_ts_frames.c
Test: compile
Bug:
112673718
Change-Id: I93cd39f943dd2f0fb65b785c15dc91649c7ee384
(cherry picked from commit
eb3e2528714bd6ea59ad369798f522d75a2e55c7)
android-build-team Robot [Thu, 16 Aug 2018 01:24:41 +0000 (01:24 +0000)]
Merge cherrypicks of [
4787660,
4787680,
4787071,
4787700,
4787592,
4787701,
4787720,
4787721,
4787072,
4787073,
4787074,
4787075,
4787076,
4787077,
4787740,
4787760,
4787722,
4787723,
4787724,
4787725,
4787726,
4787727,
4787728,
4787729,
4787730,
4787731] into oc-m8-release
Change-Id: Ic84dec3c93161420dd4c72ee698154e8188d1ac7
Cheney Ni [Tue, 7 Aug 2018 13:32:07 +0000 (21:32 +0800)]
Add packet length checks in mca_ccb_hdl_req
Bug:
110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
(cherry picked from commit
4de7ccdd914b7a178df9180d15f675b257ea6e02)
Cheney Ni [Wed, 8 Aug 2018 14:40:27 +0000 (22:40 +0800)]
Checks the SMP length to fix OOB read
Bug:
111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
(cherry picked from commit
4978acce4af0c3975ffde9386b7da38f88bb1711)
Ugo Yu [Wed, 8 Aug 2018 08:09:58 +0000 (16:09 +0800)]
Add packet length check in smp_proc_master_id
Bug:
111937027
Test: manual
Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075
(cherry picked from commit
c8294662d07a98e9b8b1cab1ab681ec0805ce4e8)
Pavlin Radoslavov [Thu, 9 Aug 2018 20:07:48 +0000 (13:07 -0700)]
Add missing AVRCP message length checks inside avrc_msg_cback
Explicitly check the length of the received message before
accessing the data.
Bug:
111803925
Bug:
79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit
282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
(cherry picked from commit
007868d05f4b761842c7345161aeda6fd40dd245)
Ugo Yu [Wed, 8 Aug 2018 06:46:42 +0000 (14:46 +0800)]
DO NOT MERGE Fix OOB read before buffer length check
Bug:
111936834
Test: manual
Change-Id: Ib98528fb62db0d724ebd9112d071e367f78e369d
(cherry picked from commit
4548f34c90803c6544f6bed03399f2eabeab2a8e)
Chienyuan [Wed, 8 Aug 2018 03:21:28 +0000 (11:21 +0800)]
Check packet length in bta_av_proc_meta_cmd
Bug:
111893951
Test: manual - connect A2DP
Change-Id: Ibbf347863dfd29ea3385312e9dde1082bc90d2f3
(cherry picked from commit
ed51887f921263219bcd2fbf6650ead5ec8d334e)
Hansong Zhang [Mon, 6 Aug 2018 21:40:37 +0000 (14:40 -0700)]
Fix OOB read in avrc_ctrl_pars_vendor_rsp
Bug:
78526423
Test: manual
Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91
(cherry picked from commit
d945ada503ed9c9ea24e092df51faba57f5d589a)
Hansong Zhang [Wed, 8 Aug 2018 18:31:28 +0000 (11:31 -0700)]
Check remaining frame length in rfc_process_mx_message
Bug:
111936792
Bug:
80432928
Test: manual
Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
(cherry picked from commit
0471355c8b035aaa2ce07a33eecad60ad49c5ad0)
Jakub Pawlowski [Mon, 16 Jul 2018 13:40:35 +0000 (06:40 -0700)]
Fix copy length calculation in sdp_copy_raw_data
Test: compilation
Bug:
110216176
Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
(cherry picked from commit
23aa15743397b345f3d948289fe90efa2a2e2b3e)
Hansong Zhang [Thu, 14 Jun 2018 00:33:23 +0000 (17:33 -0700)]
DO NOT MERGE AVRC: Copy browse.p_browse_data in btif_av_event_deep_copy
p_msg_src->browse.p_browse_data is not copied, but used after the
original pointer is freed
Bug:
109699112
Test: manual
Change-Id: I1d014eb9a8911da6913173a9b11218bf1c89e16e
(cherry picked from commit
1d9a58768e6573899c7e80c2b3f52e22f2d8f58b)
android-build-team Robot [Fri, 3 Aug 2018 19:21:15 +0000 (19:21 +0000)]
Merge cherrypicks of [
4691111,
4689862,
4690575,
4690576,
4690577,
4690578,
4689866,
4689868,
4689869,
4689870,
4691132,
4689456,
4689963,
4691133,
4691134,
4691156,
4691157,
4691159,
4691161,
4690581,
4689964,
4689460,
4691112,
4690582,
4690583,
4691165,
4691166,
4691167,
4691168,
4691169,
4691170,
4691211,
4691212,
4691213,
4691214,
4691215,
4691216,
4691217,
4691218,
4691219,
4691232,
4691233,
4691234,
4691235,
4691236,
4691237,
4691238,
4691239,
4691240,
4691241,
4691243,
4691245,
4691247,
4691249,
4691250,
4691291,
4691292,
4691293,
4691294,
4691295,
4691296,
4691255,
4689476,
4689477,
4689478,
4691223,
4691224,
4691136,
4689479,
4689480,
4691137,
4691225,
4691226,
4691227,
4691371,
4691228,
4691328,
4689967,
4691138,
4691139,
4691140,
4691433,
4689968,
4689969,
4691395,
4691230,
4691297,
4691298,
4691299,
4691300,
4691396,
4691397,
4691398,
4691399,
4691400,
4691401,
4691402,
4691403,
4691404,
4691405,
4691406,
4691407,
4691408,
4691409,
4691410,
4691471,
4691472,
4691473,
4691474,
4691475,
4691476,
4691477,
4691478,
4691479,
4691480,
4691481,
4691482,
4691483,
4691484,
4691485,
4691486,
4691487,
4691488,
4691143,
4691144,
4691511,
4691113,
4689482,
4691533,
4691145,
4691146,
4691147,
4691148,
4691536] into sparse-
4732991-L01200000196794104
Change-Id: I5204d6196d849176ea6dd24498f8f2a4b8f8d7c8
Hansong Zhang [Thu, 7 Jun 2018 21:25:09 +0000 (14:25 -0700)]
HID Host: Check L2CAP packet data length
Bug:
80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit
ca47a05acb66218ff2123f8d4642961f7f2eb5e2)
Hansong Zhang [Thu, 12 Jul 2018 17:51:30 +0000 (10:51 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Test: manual
Bug:
79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
(cherry picked from commit
54c6a9dfd52ac6711d6f2101d233b276b2e3bb53)
Jakub Pawlowski [Fri, 22 Jun 2018 05:56:11 +0000 (22:56 -0700)]
Add packet length checks in l2cble_process_sig_cmd
Bug:
80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit
02f47a752c818277b31852e3ff940764d5c7f9c7)
Jakub Pawlowski [Wed, 11 Jul 2018 09:57:07 +0000 (02:57 -0700)]
Don't use Address after it was deleted
Bug:
110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
(cherry picked from commit
9930f6f4e14e64966869b119994126283d645fd0)
Hansong Zhang [Wed, 27 Jun 2018 21:26:40 +0000 (14:26 -0700)]
HFP: Fix out of bound access in phone number processing
* Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
method
* Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
PhoneStateChange method
Bug:
79431031
Bug:
79266386
Test: make call with super long phone numbers
Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
Merged-In: I98e7687ac4055800aa46626c6b1c866e52e474df
(cherry picked from commit
820b4327b1359fb1b389e07fc0f8c5e1304a7bfa)
Jakub Pawlowski [Fri, 22 Jun 2018 11:46:39 +0000 (04:46 -0700)]
SDP: return error on offset bigger than atribute length
Test: none
Bug:
79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit
0a74ffa44cbe48f674387cc951e6011c28ca003c)
Hansong Zhang [Thu, 21 Jun 2018 23:53:41 +0000 (16:53 -0700)]
HIDD: Prevent integer underflow in bta_hd_act
Bug:
109757435
Bug:
109757168
Bug:
110846194
Bug:
109757986
Test: manual
Change-Id: I80a6f3f931ac7512f1ba801cc5d8de6ac04f3422
(cherry picked from commit
74a6392875166698b64b624d12b6d2e404b75d72)
Ajay Panicker [Tue, 5 Jun 2018 23:08:06 +0000 (16:08 -0700)]
DO NOT MERGE: Don't reuse buffer when building response
Bug:
79541338
Test: Compile and connect to remote headset
Change-Id: I2d808f941d3c71fcb6306c733717624be10478e0
(cherry picked from commit
9bbce8603846159dec0d506ba867b7616557a303)
Pavlin Radoslavov [Thu, 31 May 2018 18:04:54 +0000 (11:04 -0700)]
Add BT_HDR length check for received AVCTP packets
Bug:
79944113
Test: Code compilation
Change-Id: I02c76ab8fad61669394062bf34656ea32f465b6a
Merged-In: I02c76ab8fad61669394062bf34656ea32f465b6a
(cherry picked from commit
4262b932e487b19d578d79e0120cf03291f44efc)
(cherry picked from commit
fa538540a7f147b8440ac49735a8dc596ce8dfc7)
Pavlin Radoslavov [Thu, 31 May 2018 02:26:16 +0000 (19:26 -0700)]
Add packet length check for received AVCTP packets
Bug:
79944113
Test: Manual: Custom test program and extra logging
Change-Id: Icde465fed723bf876ce3885d11099fddcb92de81
Merged-In: Icde465fed723bf876ce3885d11099fddcb92de81
(cherry picked from commit
2a934acf498a6b715cc7c634123aa403a70fe9e6)
(cherry picked from commit
d6fb21d8d8ae20addfc51246d840151fc86d8572)
Pavlin Radoslavov [Thu, 31 May 2018 00:56:14 +0000 (17:56 -0700)]
Add checks whether the AVDTP element data length is valid
Bug:
78288378
Test: Manual: Python script and extra logging
Change-Id: I715b5977c833d33ff798f008fbf244effa13ea1f
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit
9b3f96f50287d8789aff6d6895d7ae02ca6ac619)
(cherry picked from commit
ee30c88a8d49b30860d35b34a57c3037a4045678)
Jack He [Fri, 1 Jun 2018 21:00:42 +0000 (14:00 -0700)]
BNEP: Fix OOB access in bnep_data_ind
* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
is most likely triggered
Bug:
78286118
Bug:
79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
BNEP_EXTENSION_CONTROL packet
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit
3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit
0416340ffa61337dbaa2f6602ef85a1c32563ec2)
akirilov [Mon, 21 May 2018 18:45:55 +0000 (11:45 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)
Bug:
74075873
Test: manual
Change-Id: I9a7035a74aca3256c5712ea67a7435627b139c37
(cherry picked from commit
9d647b201b64949e04eade9b594af76c764dbb96)
akirilov [Mon, 21 May 2018 19:56:17 +0000 (12:56 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
Bug:
74075873
Test: manual test (poc in bug)
Change-Id: I56e87cfdf8731acca00cefac98abb2ba06f6e7ed
(cherry picked from commit
3575ba8ca36dccf7dcdb2dbf16ed170d549911d3)
Myles Watson [Tue, 29 May 2018 23:55:58 +0000 (16:55 -0700)]
DO NOT MERGE: SDP: Recalculate param_len after max_list_len
Bug:
78136869
Test: manual connection to an A2DP device
Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
(cherry picked from commit
9cc9eea21c7868034242b7ab8be750c565e46bfd)
Jakub Pawlowski [Tue, 29 May 2018 23:17:32 +0000 (16:17 -0700)]
Decrease length after reading from array in process_service_attr_req
Test: compilation
Bug:
78136677
Change-Id: I4807a350e2b4764a93f104ce88f23a957a7e85c0
(cherry picked from commit
6cd2e8bf6e5707e8e77e7aca6519c58200ee58db)
Hansong Zhang [Wed, 30 May 2018 00:38:39 +0000 (17:38 -0700)]
DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_event
Bug:
80145946
Test: manual
Change-Id: Ic83eaa4be868d5a345d80cd50a6915c0af719a53
(cherry picked from commit
519b61392a96fbd45bdcc0bfddc881167c20cc23)
Jakub Pawlowski [Wed, 23 May 2018 17:19:53 +0000 (10:19 -0700)]
GATT: Handle too short Error Response PDU
Since the spec is not clear what to do in this case, use one of
reserved error codes as a failure reason, and pass it to upper layers.
Bug:
79591688
Change-Id: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
Merged-In: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
(cherry picked from commit
f63c4b652b3231c2b4907bffd13410c6eb2aa760)
Jakub Pawlowski [Thu, 24 May 2018 15:59:34 +0000 (08:59 -0700)]
Add PDU size checks in process_service_search_attr_rsp
Bug:
79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
(cherry picked from commit
980f6427b183e013958acd6b70e91f58177408a6)
Ajay Panicker [Fri, 13 Apr 2018 00:03:09 +0000 (17:03 -0700)]
Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
Bug:
74121659
Test: Compiles
Change-Id: Idf58e7b25b41ae1bd43cdd51de424b18e03cc7e8
(cherry picked from commit
ca4f8a18bce9331360144f1dbc51db1e2525bcc3)
Ajay Panicker [Fri, 11 May 2018 19:03:07 +0000 (12:03 -0700)]
DO NOT MERGE: Check number of attributes before writing to a buffer
Bug:
73824150
Test: Compile
Change-Id: I2a28a503cd74758e707d1e591b55c278d2299f45
(cherry picked from commit
f6db54f071f6974e18b10bb0c2cfcf397cd4c980)
Hansong Zhang [Fri, 11 May 2018 18:36:29 +0000 (11:36 -0700)]
DO NOT MERGE AVRC: Add bound check for AVRC_EVT_APP_SETTING_CHANGE
Test: manual
Bug:
73782082
Change-Id: I4e384a2f8c0d8c4af03bd5865b2e907321419c86
(cherry picked from commit
0061dd6ae30ebcebce695c212c8bc0ceb276710e)
Hansong Zhang [Thu, 26 Apr 2018 22:50:53 +0000 (15:50 -0700)]
DO NOT MERGE Prevent stack overflow in btif_storage
Bug:
73963551
Test: manual
Change-Id: I5f7a583aad150ebf9e3d492181d80ca935c8aa3f
(cherry picked from commit
e8d311224277e9db5dc94cb94929125992f546f3)
Jakub Pawlowski [Fri, 9 Mar 2018 04:11:41 +0000 (20:11 -0800)]
Get rid of BTM_IS_PUBLIC_BDA
One can't really guess address type based on last bits.
Instead, for new devices always assume public address.
Test: scan, toggle bluetooth, try connecting to device with public
address
Bug:
74413120
Change-Id: Id558260798e717c214a5a817cea0c204c5f4858e
(cherry-picked from
8c2e78b44727789d641492beeef873b230c7e568)
(cherry picked from commit
14ef59e5a391a6dda7295ebe7d0d7c52875f76b0)
(cherry picked from commit
c03c56afefe62f4e3761bc26c1f8b457dae3af3a)
Andre Eisenbach [Thu, 1 Mar 2018 21:27:01 +0000 (13:27 -0800)]
DO NOT MERGE SMP: Validate remote elliptic curve points
Fixes:
72377774
Test: net_test_stack_smp (where applicable)
Change-Id: Iefcf97364493467075fadefd77d12716f71cd4f6
(cherry picked from commit
9181ec28da94705a763edbe60bd2a87e5f882beb)
(cherry picked from commit
e11ebfc21963ae905d58c034310efeca0e7cd2ee)
Hansong Zhang [Wed, 11 Apr 2018 23:04:51 +0000 (16:04 -0700)]
DO NOT MERGE Add bounds check for BNEP_Write
Bug:
74947856
Test: manual
Change-Id: If5db8c6b6e509a330ae74808fc3f0ffac137af14
(cherry picked from commit
ae9d06c1dc84db36c0c4a07fc56a1fbf008cd1ce)
Hansong Zhang [Thu, 12 Apr 2018 18:58:49 +0000 (11:58 -0700)]
DO NOT MERGE Initialize local variable in gatts_process_read_by_type_req
Bug:
73125709
Test: manual
Change-Id: I8b3346f605e0820385ea5ed7401bbee664fd15aa
(cherry picked from commit
0e34139d7fa338df6c99aaba13eb839a3dbc2548)
Hansong Zhang [Thu, 12 Apr 2018 22:50:28 +0000 (15:50 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Bug:
74202041
Bug:
74196706
Bug:
74201143
Test: manual
Change-Id: Ic25f7f3777d0375f76cc91e4d129b1636f1c388d
(cherry picked from commit
ff15adf5150527db1012b9f7777066522835e2db)
Myles Watson [Wed, 21 Mar 2018 23:45:32 +0000 (16:45 -0700)]
PAN: Always allocate in bta_pan_data_buf_ind_cback
Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free. Move the free call to pan_data_buf_ind_cb().
Free the buffer before every return in pan_data_buf_ind_cb.
Bug:
74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
(cherry picked from commit
98232b084c66368234d19fafe3076bc1c0f1b578)
Stanley Tng [Thu, 5 Apr 2018 16:54:13 +0000 (09:54 -0700)]
DO NOT MERGE Handle bad packet length in gatts_process_read_req
Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Please note that there is another earlier CL that is reverted and this
is the updated one.
Bug:
73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit
cc9c7330d1c3507d745170ae7b2e0546197b7acb)
(cherry picked from commit
16f4c21be5bd0ea1968eee8a0f00648b1e326253)
Stanley Tng [Thu, 29 Mar 2018 00:12:28 +0000 (17:12 -0700)]
DO NOT MERGE Drop LE CoC fragments when frame size is too big
Drop the LE CoC data fragments when the received fragment size is too
big.
Test: Runs LE CoC SL4A test, BleCocTest.
Bug:
75298652
Merged-In: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
Change-Id: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
(cherry picked from commit
8365a2ace5e89d8b81bab468f0f9bc1137d773b4)
(cherry picked from commit
17db92e4fc3c7127c0ace625ff9735a9972eee70)
Hansong Zhang [Mon, 2 Apr 2018 17:05:56 +0000 (10:05 -0700)]
DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result
Check the number of UUIDs from remote device
Bug:
74016921
Test: manual
Change-Id: I1ca1f66bfc935f5fd219e8147511bdac7d2789ef
(cherry picked from commit
67ec216daa43f71adf103de6c4156c5a892c1460)
Hansong Zhang [Fri, 30 Mar 2018 23:27:37 +0000 (16:27 -0700)]
DO NOT MERGE Fix unexpected behavior in smp_sm_event
Bug:
74121126
Test: manual
Change-Id: Ie5dd841d6461ad057c4ab572007f38c5446aba53
(cherry picked from commit
652798b2f2d6c90e0fc95c00ccfb91e2870b03d4)
android-build-team Robot [Wed, 21 Mar 2018 21:24:14 +0000 (21:24 +0000)]
Snap for
4657601 from
6bde1f2e5c1700370fe98eba5e7b00b13debe68b to oc-m4-release
Change-Id: Id1b372c15a7ff2ea4b71af1a020a102355efb0f5
android-build-team Robot [Thu, 15 Mar 2018 17:02:36 +0000 (17:02 +0000)]
Snap for
4603989 from
cf98916401833f40c3aa5bf42dee577153ed4816 to oc-m2-release
Change-Id: I1670462ff0d485683973f498f53a9b4facdc4259
android-build-team Robot [Mon, 26 Feb 2018 23:53:31 +0000 (23:53 +0000)]
Merge cherrypicks of [
3661626,
3661980,
3662429,
3661545,
3661546,
3661579,
3661580,
3662430,
3661547,
3661548,
3661549,
3661550,
3662578,
3662579,
3662580,
3662581,
3662582,
3662583,
3661597,
3661598,
3661551,
3661552,
3661553,
3661554,
3661555,
3662596,
3662597,
3662598,
3662599,
3662584,
3662585,
3662586,
3662616,
3662617,
3662618] into oc-m4-release
Change-Id: I725e9b7e0aaa0d5767b92f0096d2a5691d2af035
Ajay Panicker [Fri, 2 Feb 2018 09:11:37 +0000 (01:11 -0800)]
AVRCP: Check number of text attribute values in response
Test: Build
Bug:
71603410
Change-Id: I6f822b0bc7fc2fb042a70b64cff61583a86b36e2
(cherry picked from commit
4cd518cb3f8ac6ccb43c94a441bee67e041d0dd5)
Ajay Panicker [Fri, 9 Feb 2018 08:21:06 +0000 (00:21 -0800)]
AVRCP: Set maximum string length when copying to buffer
Test: Compile
Bug:
71603262
Change-Id: I2416cdbcc3e4c5d71ab45998c02eb7cf679b1c10
(cherry picked from commit
a3077fa62c2fc1c6be3a3dd1ecda1eb64472f36f)
Ajay Panicker [Fri, 2 Feb 2018 09:26:34 +0000 (01:26 -0800)]
AVRCP: Initialize buffer for attribute values to be written to
Test: Build
Bug:
71603553
Change-Id: I978270605cfaa3b833d6c19f1b1d2cd5a82ac079
(cherry picked from commit
e36d6f8edceed860929901b6c49c1964a1ac563f)
Ajay Panicker [Fri, 2 Feb 2018 08:56:43 +0000 (00:56 -0800)]
AVRCP: Check number of text attributes in response
Test: Build
Bug:
71603315
Change-Id: Ieda5e410057062533ae09bd977bfe7f758a55140
(cherry picked from commit
658fd1b7c4ee959e42c20a2f1cfb7d895f94f6d2)
Hansong Zhang [Fri, 9 Feb 2018 22:16:59 +0000 (14:16 -0800)]
DO NOT MERGE Truncate new line characters when adding string to config
Bug:
70808273
Test: test with a device with newline character in name
Change-Id: I8729e12ad5851ee1ffbcb7c08e9a659f768ffc21
(cherry picked from commit
dd9bbfc2458569d9fecf35f7503d1b89b4c69aa0)
Ajay Panicker [Thu, 11 Jan 2018 00:58:16 +0000 (16:58 -0800)]
AVRCP: Check the number of text value attributes requested
Test: Builds
Bug:
69479009
Change-Id: I184ddfdb56c15c2b07d52a2624240738efb4d207
(cherry picked from commit
6313da35abc93fcfb783c68f2e02427df9928ecf)
Myles Watson [Fri, 12 Jan 2018 01:43:40 +0000 (17:43 -0800)]
SDP: Check p_req_end before reading from p_req
Bug:
69384124
Test: Connect a headset
Change-Id: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
Merged-In: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
(cherry picked from commit
dd856fbc4ade8f7d78873db3533b4c9fd7c6d612)
android-build-team Robot [Mon, 26 Feb 2018 18:09:22 +0000 (18:09 +0000)]
Snap for
4565141 from
83c8be063854a84843042a2089f63e77777f18e8 to oc-m4-release
Change-Id: I71410e578ad486a8d0a899e0215a54596250eac3
android-build-team Robot [Wed, 14 Feb 2018 17:18:27 +0000 (17:18 +0000)]
Merge cherrypicks of [
3614756,
3614757,
3614861,
3614758,
3614759,
3615200,
3615201,
3615202,
3615203,
3615204,
3614670,
3614671,
3615108,
3615109] into oc-mr1-release
Change-Id: Ia5da8d2f00425b1f21c3afcff6eefbed68c12346
Ajay Panicker [Fri, 2 Feb 2018 09:11:37 +0000 (01:11 -0800)]
AVRCP: Check number of text attribute values in response
Test: Build
Bug:
71603410
Change-Id: I6f822b0bc7fc2fb042a70b64cff61583a86b36e2
(cherry picked from commit
4cd518cb3f8ac6ccb43c94a441bee67e041d0dd5)
Ajay Panicker [Fri, 9 Feb 2018 08:21:06 +0000 (00:21 -0800)]
AVRCP: Set maximum string length when copying to buffer
Test: Compile
Bug:
71603262
Change-Id: I2416cdbcc3e4c5d71ab45998c02eb7cf679b1c10
(cherry picked from commit
a3077fa62c2fc1c6be3a3dd1ecda1eb64472f36f)
Ajay Panicker [Fri, 2 Feb 2018 09:26:34 +0000 (01:26 -0800)]
AVRCP: Initialize buffer for attribute values to be written to
Test: Build
Bug:
71603553
Change-Id: I978270605cfaa3b833d6c19f1b1d2cd5a82ac079
(cherry picked from commit
e36d6f8edceed860929901b6c49c1964a1ac563f)
Ajay Panicker [Fri, 2 Feb 2018 08:56:43 +0000 (00:56 -0800)]
AVRCP: Check number of text attributes in response
Test: Build
Bug:
71603315
Change-Id: Ieda5e410057062533ae09bd977bfe7f758a55140
(cherry picked from commit
658fd1b7c4ee959e42c20a2f1cfb7d895f94f6d2)
Hansong Zhang [Fri, 9 Feb 2018 22:16:59 +0000 (14:16 -0800)]
DO NOT MERGE Truncate new line characters when adding string to config
Bug:
70808273
Test: test with a device with newline character in name
Change-Id: I8729e12ad5851ee1ffbcb7c08e9a659f768ffc21
(cherry picked from commit
dd9bbfc2458569d9fecf35f7503d1b89b4c69aa0)
Ajay Panicker [Thu, 11 Jan 2018 00:58:16 +0000 (16:58 -0800)]
AVRCP: Check the number of text value attributes requested
Test: Builds
Bug:
69479009
Change-Id: I184ddfdb56c15c2b07d52a2624240738efb4d207
(cherry picked from commit
6313da35abc93fcfb783c68f2e02427df9928ecf)
android-build-team Robot [Thu, 8 Feb 2018 04:16:34 +0000 (04:16 +0000)]
Merge cherrypicks of [
3581037,
3581038,
3580473,
3580624,
3580656,
3580657,
3580658,
3580382,
3580474,
3580475,
3581039,
3581040,
3580476,
3580206,
3581527,
3580955,
3580956,
3580957,
3580958,
3580959,
3580960,
3580961,
3580962,
3580963,
3580964,
3580965,
3580966,
3581567,
3581568,
3581569,
3581570,
3581571,
3580625,
3580626,
3581587,
3581513,
3581514,
3581515,
3580477,
3581588,
3580659,
3580660,
3580383,
3580384,
3580478,
3580719,
3580479,
3580480,
3581385,
3581528,
3581041,
3581042,
3581043,
3581044,
3581045,
3581046,
3581607,
3580385,
3580481,
3580482,
3580483,
3580661,
3580662,
3580663,
3580664,
3580665,
3580484,
3580485,
3581608,
3581609,
3581610,
3581611,
3581612,
3581589,
3581613,
3580486,
3581519,
3581627,
3581628,
3581529,
3581530,
3581531,
3581629,
3581630] into oc-mr1-release
Change-Id: Idad72f8100382bf89a70f797f55169262d619791
Myles Watson [Fri, 12 Jan 2018 01:43:40 +0000 (17:43 -0800)]
SDP: Check p_req_end before reading from p_req
Bug:
69384124
Test: Connect a headset
Change-Id: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
Merged-In: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
(cherry picked from commit
dd856fbc4ade8f7d78873db3533b4c9fd7c6d612)
android-build-team Robot [Thu, 18 Jan 2018 22:44:47 +0000 (22:44 +0000)]
Merge cherrypicks of [
3478238,
3478653,
3478239,
3478580,
3478612,
3478240,
3478654,
3478655,
3478656,
3479494,
3479495,
3478933,
3478934,
3479496,
3479497,
3479498,
3478160,
3478161,
3478162,
3478876,
3478877,
3478878,
3478241,
3478163,
3478164,
3478165,
3478166,
3478167,
3478168,
3478169,
3479990,
3479991,
3479992,
3480010,
3480011,
3480012] into oc-m2-release
Change-Id: Iacfe7684cc7ab1a86df8c2fb5b06beac14378044
Myles Watson [Fri, 12 Jan 2018 04:43:47 +0000 (20:43 -0800)]
SDP: Include the offset in sdp_disc_server_rsp
The commit
SDP: Pass the bounds to process_service_*_rsp
with the change ID
Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
omitted the offset when calculating the end of the message.
Bug:
68161546
Test: Connect a headset
Change-Id: I6266b51e3871ed6ce9932161e4ab66de90af4ce6
(cherry picked from commit
1ff9151b7de9cff6aab3919d151542e7244cc0e5)
Merged-In: I6266b51e3871ed6ce9932161e4ab66de90af4ce6
(cherry picked from commit
c379fc0f7a158e7028771bcf9dea19987f771a8e)
Ajay Panicker [Thu, 11 Jan 2018 00:12:50 +0000 (16:12 -0800)]
AVRCP: Check the number of text attributes requested
Test: Build
Bug:
69478941
Change-Id: Ibc456511c8d7339213f08b07d70f5e25be140d68
(cherry picked from commit
249bb665b1020e81547246f5b29ed9040d696388)
Stanley Tng [Wed, 10 Jan 2018 21:13:15 +0000 (13:13 -0800)]
Remove memory reference to invalid mem in error log
Remove the memory reference to an invalid memory inside an error log
message.
Test: Edit code to force the error condition and make sure the new error
log does not crashed.
Bug:
67058064
Merged-In: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
Change-Id: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
(cherry picked from commit
11cd7277a1d0da9013a8381cddbfc096e9adaed6)
(cherry picked from commit
d10bc94f5ec64122382ed73a261c5f4d0a0fa195)
Myles Watson [Thu, 11 Jan 2018 22:20:26 +0000 (14:20 -0800)]
BNEP: Check received frame type
Bug:
68818034
Test: build
Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
(cherry picked from commit
b910734a55fd3babf71b049d5638bf86f81d7c1e)
Myles Watson [Wed, 10 Jan 2018 17:51:28 +0000 (09:51 -0800)]
PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
Patch from b/
67078939
Test: build
Bug:
67110692
Change-Id: I63b857d031c55d3a0754e4101e330843eb422b2a
(cherry picked from commit
2a18e724b2bf101ea38a5b089de56842107c8369)
Hansong Zhang [Wed, 10 Jan 2018 21:43:25 +0000 (13:43 -0800)]
Fix unexpected behavior in reading BNEP packets
Bug:
67863755
Bug:
69177251
Bug:
69177292
Bug:
69271284
Test: BNEP still works
Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372
(cherry picked from commit
9844ddac4c0aaf217326c56f2814d145c11eb042)
Hansong Zhang [Wed, 10 Jan 2018 01:16:35 +0000 (17:16 -0800)]
Fix unexpected behavior in SDP
Bug:
68776054
Bug:
68817966
Test: Bluetooth SDP still works
Change-Id: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
(cherry picked from commit
5d6b1b1316afecebd939f77e3d01ab0a400e68a9)
Pavlin Radoslavov [Fri, 12 Jan 2018 01:28:16 +0000 (17:28 -0800)]
Allocate/free the SDP connection timers only during stack startup/shutdown
This avoids freeing the sdp_conn_timer within the alarm callback itself.
Bug:
67110137
Test: Manual
Change-Id: I775b4b532cd42cf207258c53c6052a167a124627
Merged-In: I775b4b532cd42cf207258c53c6052a167a124627
(cherry picked from commit
ef6a4a0c9d9220a7d909863349d7a0c0b967d54c)
(cherry picked from commit
0dbe21d88e05a43d6882248144e4e9128f4c1928)
Myles Watson [Wed, 10 Jan 2018 22:16:15 +0000 (14:16 -0800)]
SDP: Pass the bounds to process_service_*_rsp
Test: build
Bug:
68161546
Change-Id: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
(cherry picked from commit
3c7bd5a8453110a7bd1351648c5a4001b99afa70)
Pavlin Radoslavov [Mon, 8 Jan 2018 19:37:05 +0000 (11:37 -0800)]
Removed alarm callback execution statistics
Updating the alarm state after the callback returns can be problematic
in case the callback itself deleted the alarm.
Bug:
67110137
Test: Manual
Change-Id: Id4de06eebedb792cadd63d09efb68672e9bddc69
Merged-In: Id4de06eebedb792cadd63d09efb68672e9bddc69
(cherry picked from commit
04574e1cde3b0d46b59b4b6ebab935ac60af9f97)
(cherry picked from commit
90ffe3f90a7589e4ff9e5e8bdf353cdcdfe88764)
android-build-team Robot [Thu, 18 Jan 2018 19:09:18 +0000 (19:09 +0000)]
Merge cherrypicks of [
3478311,
3478390,
3478133,
3478175,
3478391,
3478392,
3478393,
3478134,
3478135,
3478213,
3478214,
3478215,
3478233,
3478234,
3478235,
3478251,
3478252,
3478253,
3478254,
3478394,
3478395,
3478396,
3478397,
3478398,
3478399,
3478400,
3478401,
3478402,
3478403,
3478292,
3478293,
3478312,
3478136,
3477911] into oc-mr1-release
Change-Id: I8aa7841acf92f8acda1bfaada082013a83c8d3de
Myles Watson [Fri, 12 Jan 2018 04:43:47 +0000 (20:43 -0800)]
SDP: Include the offset in sdp_disc_server_rsp
The commit
SDP: Pass the bounds to process_service_*_rsp
with the change ID
Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
omitted the offset when calculating the end of the message.
Bug:
68161546
Test: Connect a headset
Change-Id: I6266b51e3871ed6ce9932161e4ab66de90af4ce6
(cherry picked from commit
1ff9151b7de9cff6aab3919d151542e7244cc0e5)
Merged-In: I6266b51e3871ed6ce9932161e4ab66de90af4ce6
(cherry picked from commit
c379fc0f7a158e7028771bcf9dea19987f771a8e)
Ajay Panicker [Thu, 11 Jan 2018 00:12:50 +0000 (16:12 -0800)]
AVRCP: Check the number of text attributes requested
Test: Build
Bug:
69478941
Change-Id: Ibc456511c8d7339213f08b07d70f5e25be140d68
(cherry picked from commit
249bb665b1020e81547246f5b29ed9040d696388)
Stanley Tng [Wed, 10 Jan 2018 21:13:15 +0000 (13:13 -0800)]
Remove memory reference to invalid mem in error log
Remove the memory reference to an invalid memory inside an error log
message.
Test: Edit code to force the error condition and make sure the new error
log does not crashed.
Bug:
67058064
Merged-In: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
Change-Id: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
(cherry picked from commit
11cd7277a1d0da9013a8381cddbfc096e9adaed6)
(cherry picked from commit
d10bc94f5ec64122382ed73a261c5f4d0a0fa195)
Myles Watson [Thu, 11 Jan 2018 22:20:26 +0000 (14:20 -0800)]
BNEP: Check received frame type
Bug:
68818034
Test: build
Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
(cherry picked from commit
b910734a55fd3babf71b049d5638bf86f81d7c1e)
Myles Watson [Wed, 10 Jan 2018 17:51:28 +0000 (09:51 -0800)]
PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
Patch from b/
67078939
Test: build
Bug:
67110692
Change-Id: I63b857d031c55d3a0754e4101e330843eb422b2a
(cherry picked from commit
2a18e724b2bf101ea38a5b089de56842107c8369)
Hansong Zhang [Wed, 10 Jan 2018 21:43:25 +0000 (13:43 -0800)]
Fix unexpected behavior in reading BNEP packets
Bug:
67863755
Bug:
69177251
Bug:
69177292
Bug:
69271284
Test: BNEP still works
Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372
(cherry picked from commit
9844ddac4c0aaf217326c56f2814d145c11eb042)