OSDN Git Service
Rahul Sabnis [Fri, 31 Jul 2020 00:34:07 +0000 (00:34 +0000)]
[automerger skipped] Shows a consent dialog on the local device when pairing a bluetooth low am: 8709264b5c -s ours am: e23f192e8b -s ours
am skip reason: Change-Id I7de396230beb84bd0fa2b0cea346523b6824472a with SHA-1 b6bcc43c7b is in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/12040241
Change-Id: Ic79fd0a950561b9136b4f854c931fea5b1d89df2
Rahul Sabnis [Fri, 31 Jul 2020 00:13:49 +0000 (00:13 +0000)]
[automerger skipped] Shows a consent dialog on the local device when pairing a bluetooth low am: 8709264b5c -s ours
am skip reason: Change-Id I7de396230beb84bd0fa2b0cea346523b6824472a with SHA-1 b6bcc43c7b is in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/12040241
Change-Id: If96604b3f5b0843bae5ea46c4806a46af523cf26
Rahul Sabnis [Thu, 30 Jul 2020 00:18:43 +0000 (00:18 +0000)]
[automerger skipped] Shows a consent dialog on the local device when pairing a bluetooth low am: b6bcc43c7b -s ours
am skip reason: Change-Id I7de396230beb84bd0fa2b0cea346523b6824472a with SHA-1 fe287947a1 is in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/12040224
Change-Id: I6b5ff2607b726813fe329ec2938085cf5da8bffb
Rahul Sabnis [Fri, 26 Jun 2020 17:27:07 +0000 (10:27 -0700)]
Shows a consent dialog on the local device when pairing a bluetooth low
energy device if the local device has a display.
Tag: #security
Bug: 157038281
Test: Manual
Merged-In: I7de396230beb84bd0fa2b0cea346523b6824472a
Change-Id: I7de396230beb84bd0fa2b0cea346523b6824472a
Rahul Sabnis [Fri, 26 Jun 2020 17:27:07 +0000 (10:27 -0700)]
Shows a consent dialog on the local device when pairing a bluetooth low
energy device if the local device has a display.
Tag: #security
Bug: 157038281
Test: Manual
Merged-In: I7de396230beb84bd0fa2b0cea346523b6824472a
Change-Id: I7de396230beb84bd0fa2b0cea346523b6824472a
Rahul Sabnis [Fri, 26 Jun 2020 17:27:07 +0000 (10:27 -0700)]
Shows a consent dialog on the local device when pairing a bluetooth low
energy device if the local device has a display.
Tag: #security
Bug: 157038281
Test: Manual
Merged-In: I7de396230beb84bd0fa2b0cea346523b6824472a
Change-Id: I7de396230beb84bd0fa2b0cea346523b6824472a
Joseph Pirozzo [Fri, 26 Jun 2020 13:53:52 +0000 (13:53 +0000)]
Merge "Enable bitpool sanity checks" into oc-dev am: 15ccbf59de am: b7bd79e254 am: e7c4690a6b am: 6c9602b148 am: 31713cdf9f
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11593936
Change-Id: I8bf46f136caa5defcca728a93f2807a63cfa1096
Joseph Pirozzo [Fri, 26 Jun 2020 13:42:17 +0000 (13:42 +0000)]
Merge "Enable bitpool sanity checks" into oc-dev am: 15ccbf59de am: b7bd79e254 am: e7c4690a6b am: 6c9602b148
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11593936
Change-Id: Ie5a818b066a2d2d4401cbe22d399fd75a97a4f5b
Joseph Pirozzo [Fri, 26 Jun 2020 13:29:50 +0000 (13:29 +0000)]
Merge "Enable bitpool sanity checks" into oc-dev am: 15ccbf59de am: b7bd79e254 am: e7c4690a6b
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11593936
Change-Id: Id273f7a0dcccdd41a0cc5f7dc9c782477aaf046b
Joseph Pirozzo [Fri, 26 Jun 2020 13:13:54 +0000 (13:13 +0000)]
Merge "Enable bitpool sanity checks" into oc-dev am: 15ccbf59de am: b7bd79e254
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11593936
Change-Id: I1f53339a2b08ec342d65fe45f6a69965b87edf4a
Joseph Pirozzo [Fri, 26 Jun 2020 13:01:21 +0000 (13:01 +0000)]
Merge "Enable bitpool sanity checks" into oc-dev am: 15ccbf59de
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11593936
Change-Id: I53a4ce34dba71b7715f791a03b6128458f8bc7e8
Joseph Pirozzo [Fri, 26 Jun 2020 12:40:58 +0000 (12:40 +0000)]
Merge "Enable bitpool sanity checks" into oc-dev
Myles Watson [Thu, 25 Jun 2020 22:22:23 +0000 (22:22 +0000)]
[automerger skipped] DO NOT MERGE: Remove pairing on incoming bond request am: 85b5df1d0d am: ab50a6b284 -s ours am: 14b17d2fb1 -s ours am: db513f6c97 -s ours am: aba777da25 -s ours
am skip reason: Change-Id I048b7b142e3fe2096cf1a9aa2931c175fa52cd45 with SHA-1 e29c52cfda is in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11934228
Change-Id: Ib670a2692d6c3961d4e2eaade6b62d8994d690b4
Myles Watson [Thu, 25 Jun 2020 22:05:37 +0000 (22:05 +0000)]
[automerger skipped] DO NOT MERGE: Remove pairing on incoming bond request am: 85b5df1d0d am: ab50a6b284 -s ours am: 14b17d2fb1 -s ours am: db513f6c97 -s ours
am skip reason: subject contains skip directive
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11934228
Change-Id: Id0a0e93bcdc38a92212eed4e41d09db6ed6ab37f
Myles Watson [Thu, 25 Jun 2020 21:45:08 +0000 (21:45 +0000)]
[automerger skipped] DO NOT MERGE: Remove pairing on incoming bond request am: 85b5df1d0d am: ab50a6b284 -s ours am: 14b17d2fb1 -s ours
am skip reason: subject contains skip directive
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11934228
Change-Id: Ide10d75b623cdb0bc7047529ce0c79e57a18120f
Myles Watson [Thu, 25 Jun 2020 21:28:30 +0000 (21:28 +0000)]
[automerger skipped] DO NOT MERGE: Remove pairing on incoming bond request am: 85b5df1d0d am: ab50a6b284 -s ours
am skip reason: Change-Id I048b7b142e3fe2096cf1a9aa2931c175fa52cd45 with SHA-1 e29c52cfda is in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11934228
Change-Id: I01231f49767b1f5e54f43bf119e410a147198033
Myles Watson [Thu, 25 Jun 2020 21:15:23 +0000 (21:15 +0000)]
DO NOT MERGE: Remove pairing on incoming bond request am: 85b5df1d0d
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11934228
Change-Id: Icf0c4b744a56a06669fea1effd45c898063a4631
Myles Watson [Thu, 25 Jun 2020 20:39:33 +0000 (20:39 +0000)]
[automerger skipped] DO NOT MERGE: Remove pairing on incoming bond request am: e29c52cfda -s ours am: 594c470d27 -s ours am: 230d3180fb -s ours
am skip reason: Change-Id I048b7b142e3fe2096cf1a9aa2931c175fa52cd45 with SHA-1 21e580de3b is in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11931864
Change-Id: I2a7bfd5c6ee7f01688ea3c680e29d692ed9cc56e
Myles Watson [Thu, 25 Jun 2020 20:27:15 +0000 (20:27 +0000)]
[automerger skipped] DO NOT MERGE: Remove pairing on incoming bond request am: e29c52cfda -s ours am: 594c470d27 -s ours
am skip reason: subject contains skip directive
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11931864
Change-Id: I57e23a03647c13e6ffbb2e42b016e2fbb20c516f
Myles Watson [Thu, 25 Jun 2020 20:03:22 +0000 (20:03 +0000)]
[automerger skipped] DO NOT MERGE: Remove pairing on incoming bond request am: e29c52cfda -s ours
am skip reason: subject contains skip directive
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11931864
Change-Id: I289b55466f022e0ee4422a142427014146eeb936
Myles Watson [Thu, 25 Jun 2020 19:50:05 +0000 (19:50 +0000)]
Remove pairing on incoming bond request am: 21e580de3b am: 73dd59984c
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11922796
Change-Id: If7636b869c35d1313637ca8200e36d13778832e3
Myles Watson [Thu, 25 Jun 2020 19:38:38 +0000 (19:38 +0000)]
Remove pairing on incoming bond request am: 21e580de3b
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/11922796
Change-Id: I8eab6881fc28cd96fc7c7975d4ffb4bf75626eb2
Myles Watson [Thu, 18 Jun 2020 21:35:53 +0000 (14:35 -0700)]
DO NOT MERGE: Remove pairing on incoming bond request
Bug: 150156492
Tag: #security
Test: Bond two devices, forget from one device and reconnect
Change-Id: I048b7b142e3fe2096cf1a9aa2931c175fa52cd45
(cherry picked from commit 13f409ad3a2423b06af7a7f1a9b06fb06c8820a7)
Merged-In: I048b7b142e3fe2096cf1a9aa2931c175fa52cd45
Myles Watson [Thu, 18 Jun 2020 21:35:53 +0000 (14:35 -0700)]
DO NOT MERGE: Remove pairing on incoming bond request
Bug: 150156492
Tag: #security
Test: Bond two devices, forget from one device and reconnect
Change-Id: I048b7b142e3fe2096cf1a9aa2931c175fa52cd45
(cherry picked from commit 13f409ad3a2423b06af7a7f1a9b06fb06c8820a7)
Merged-In: I048b7b142e3fe2096cf1a9aa2931c175fa52cd45
Myles Watson [Thu, 18 Jun 2020 21:35:53 +0000 (14:35 -0700)]
Remove pairing on incoming bond request
Bug: 150156492
Tag: #security
Test: Bond two devices, forget from one device and reconnect
Change-Id: I048b7b142e3fe2096cf1a9aa2931c175fa52cd45
Merged-In: I048b7b142e3fe2096cf1a9aa2931c175fa52cd45
(cherry picked from commit 13f409ad3a2423b06af7a7f1a9b06fb06c8820a7)
Joseph Pirozzo [Mon, 25 May 2020 17:36:26 +0000 (10:36 -0700)]
Enable bitpool sanity checks
Enable bitpool sanity checks to run all the time, not just in debug
mode.
Tag: #security
Test: sbcdecoder_fuzzer
Bug: 146398979
Change-Id: Iff58305cd18de35e37290f0c09fba01ee14e787a
Sterling Huber [Thu, 9 Apr 2020 17:17:37 +0000 (17:17 +0000)]
[automerger skipped] Merge "Check a2dp packet length is zero" into qt-dev am: c909de62bf -s ours
am skip reason: skipped by user cmanton
Change-Id: I8ff4f933b88c68473b378d0894b89ae8b10431fd
TreeHugger Robot [Wed, 8 Apr 2020 16:40:55 +0000 (16:40 +0000)]
Merge "btm: fixing oob write in multi-adv SetData." into qt-qpr1-dev
Sterling Huber [Wed, 8 Apr 2020 00:13:33 +0000 (00:13 +0000)]
Merge "Check a2dp packet length is zero" into qt-dev
Jakub Pawlowski [Tue, 7 Apr 2020 23:50:35 +0000 (23:50 +0000)]
[automerger skipped] Fix potential stack overflow caused by integer overflow am: 1570b62c88 am: 5b4bf745e9 am: 6360e91bb3 am: 3cd74938d8 -s ours am: db0c360dce -s ours
am skip reason: Change-Id I0655b0b62301f78cd8705cc7b0e4fc11522f00ca with SHA-1 ec0d507ed2 is in history
Change-Id: I2748027eb3a50e6ed5130be43861fa69d794bee8
Jakub Pawlowski [Tue, 7 Apr 2020 23:38:36 +0000 (23:38 +0000)]
[automerger skipped] Fix potential stack overflow caused by integer overflow am: 1570b62c88 am: 5b4bf745e9 am: 6360e91bb3 am: 3cd74938d8 -s ours
am skip reason: Change-Id I0655b0b62301f78cd8705cc7b0e4fc11522f00ca with SHA-1 ec0d507ed2 is in history
Change-Id: Ife4a1d737088dbf51ac29f0a6411d9468b456593
Jakub Pawlowski [Tue, 7 Apr 2020 23:24:21 +0000 (23:24 +0000)]
Fix potential stack overflow caused by integer overflow am: 1570b62c88 am: 5b4bf745e9 am: 6360e91bb3
Change-Id: I1e23e75fd05e41b9cd31bb93b945135bef21c04f
Jakub Pawlowski [Tue, 7 Apr 2020 23:09:11 +0000 (23:09 +0000)]
Fix potential stack overflow caused by integer overflow am: 1570b62c88 am: 5b4bf745e9
Change-Id: I91417fff40a89042993a9fcbfaa6b7f45c162d89
Jakub Pawlowski [Tue, 7 Apr 2020 22:51:21 +0000 (22:51 +0000)]
Fix potential stack overflow caused by integer overflow am: 1570b62c88
Change-Id: Iaf75d5b63297d50e3115422f15fa8511133ef45a
Jakub Pawlowski [Tue, 7 Apr 2020 22:31:00 +0000 (22:31 +0000)]
Fix potential stack overflow caused by integer overflow am: ec0d507ed2
Change-Id: Ia8ae7d5d144e3a5e94728dc236d9e7af6ddd3dd2
Chris Manton [Tue, 10 Mar 2020 15:59:02 +0000 (08:59 -0700)]
Check a2dp packet length is zero
Bug: 142546668
Test: net_test_stack_a2dp_native
Change-Id: I105b445293c02cb4f37c759fd5b05758fd4e3646
Merged-In: I105b445293c02cb4f37c759fd5b05758fd4e3646
Chris Manton [Fri, 27 Mar 2020 00:36:19 +0000 (00:36 +0000)]
Merge "DO NOT MERGE Fix potential overflow in btif_rc" into qt-qpr1-dev
TreeHugger Robot [Thu, 26 Mar 2020 21:45:36 +0000 (21:45 +0000)]
Merge "Fix potential OOB vulnerability when an HCI event is received" into qt-qpr1-dev
Chris Manton [Wed, 4 Mar 2020 04:04:51 +0000 (20:04 -0800)]
DO NOT MERGE Fix potential overflow in btif_rc
Bug: 142878416
Test: net_test_btif_rc
Change-Id: Ia263bd5c863644f2adde759a103d79b812a9a5de
(cherry picked from commit e5dd9c735a30188286c7c9b88c247e4f629bdd54)
Kelly Rossmoyer [Thu, 26 Mar 2020 20:57:42 +0000 (20:57 +0000)]
Revert "DO NOT MERGE Ensure hci command status event has sufficient packet length"
This reverts commit 179e1ee138a8811deffd49eae77f85246e5092a9.
Reason for revert: build breakage (b/152543627)
Change-Id: I437c99613732a5feb4ecbd082598f2efa5853c1e
TreeHugger Robot [Thu, 26 Mar 2020 19:27:55 +0000 (19:27 +0000)]
Merge "DO NOT MERGE Ensure hci command status event has sufficient packet length" into qt-qpr1-dev
TreeHugger Robot [Mon, 23 Mar 2020 05:36:25 +0000 (05:36 +0000)]
Merge "AVDTP: Prevent OOB read when parsing rejected response" into qt-qpr1-dev
Joseph Pirozzo [Fri, 20 Mar 2020 17:19:37 +0000 (17:19 +0000)]
Merge changes I685873b0,Iac3078fa into qt-qpr1-dev
* changes:
HF_Client: Send BTA_HF_CLIENT_RFC_CLOSE_EVT when client_cb == NULL
HF_Client: Free the RFC if the handle doesn't match
Jakub Pawlowski [Fri, 20 Mar 2020 14:24:00 +0000 (15:24 +0100)]
Fix potential stack overflow caused by integer overflow
Bug: 151155194
Merged-In: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
Change-Id: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
Jakub Pawlowski [Mon, 16 Mar 2020 11:09:15 +0000 (12:09 +0100)]
Fix potential stack overflow caused by integer overflow
Bug: 151155194
Merged-In: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
Change-Id: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
TreeHugger Robot [Fri, 20 Mar 2020 03:33:52 +0000 (03:33 +0000)]
Merge "Fix bluetooth can't turn off during network reset (3/3)" into qt-qpr1-dev
TreeHugger Robot [Fri, 20 Mar 2020 03:29:10 +0000 (03:29 +0000)]
Merge "avrc: Validating msg size before accessing fields" into qt-qpr1-dev
Joseph Pirozzo [Thu, 19 Mar 2020 17:54:22 +0000 (17:54 +0000)]
Merge changes from topic "AutomotiveQBTSync" into qt-qpr1-dev
* changes:
AVRCP Controller manage focus while disconnected
AVRCP Controller refresh track data on Interim
AVRCP Controller get play status
ServiceDiscoveryProtocol DB Full
AVRCP Position Changed Notification
DO NOT MERGE: AVRCP Controller Shuffle/Repeat support
jonerlin [Mon, 2 Mar 2020 11:13:31 +0000 (19:13 +0800)]
Fix potential OOB vulnerability when an HCI event is received
* Check the minimum length of Hci Events to avoid OOB vulnerability
Bug: 142546104
Bug: 142546561
Bug: 142544089
Bug: 142638492
Bug: 142638392
Bug: 142544079
Bug: 142543497
Test: inject function, Bluetooth regression test PASS.
Change-Id: I761fc56dae45bd1fe24e55669adf6a9965717830
More Kuo [Thu, 19 Mar 2020 02:05:39 +0000 (02:05 +0000)]
Merge "Notify remote name failed for LE device" into qt-qpr1-dev
TreeHugger Robot [Wed, 18 Mar 2020 22:52:14 +0000 (22:52 +0000)]
Merge "Make sure only valid packet fields are accessed in VendorPacketHandler" into qt-qpr1-dev
Song Gao [Thu, 12 Dec 2019 18:32:27 +0000 (10:32 -0800)]
HF_Client: Send BTA_HF_CLIENT_RFC_CLOSE_EVT when client_cb == NULL
Bug: 146086992
Test: manual
Change-Id: I685873b0c4c74ddb4e273e2a38307ec2af0bbd13
Merged-In: I685873b0c4c74ddb4e273e2a38307ec2af0bbd13
(cherry picked from commit daa34793f2e076be3bf600e079128754a0cb8576)
Song Gao [Thu, 12 Dec 2019 18:28:36 +0000 (10:28 -0800)]
HF_Client: Free the RFC if the handle doesn't match
Bug: 146086995
Test: manual
Change-Id: Iac3078fa2d10373f295fe9c6fd49ddc39f15eb98
Merged-In: Iac3078fa2d10373f295fe9c6fd49ddc39f15eb98
(cherry picked from commit 8da3a9ed0886821be7fb4a9fa71abbb112e7a95f)
More Kuo [Fri, 13 Mar 2020 06:43:29 +0000 (14:43 +0800)]
Notify remote name failed for LE device
When cancel discovery for LE device in BTA_DM_DISCOVER_ACTIVE state,
there is no notification to indicate the remote name request of LE
device is cancelled and change the search state back to
BTA_DM_SEARCH_IDLE state. Call btm_inq_rmt_name_failed_cancelled()
to notify in this situation.
Bug: 146840780
Test: Manual
Change-Id: I4ab2a2f413e4ac19765476039f4127ce045e84d9
Chris Manton [Tue, 3 Mar 2020 18:33:42 +0000 (10:33 -0800)]
DO NOT MERGE Ensure hci command status event has sufficient packet length
Bug: 141618611
Test: net_test_hci_native
Change-Id: I70a318b05d7781ddf8f82d7922a8ee7afc8d2e9f
(cherry picked from commit 6e25c5d81c4a43c2794a605c9fc8a194f37889af)
Joseph Pirozzo [Mon, 18 Nov 2019 19:44:37 +0000 (11:44 -0800)]
AVRCP Controller manage focus while disconnected
If Audio focus is lost (or gained) while A2DP is not connected there is the
possibility for states to get out of sync. Removing the check for
connectivity ensures that the state can be properly managed.
Bug: 144082798
Test: Disconnect BT device, lose audio focus, verify
btif_a2dp_sink_set_focus_state_event state gets updated.
Change-Id: If5802418f6069dbc72824745307342776175d9d8
(cherry picked from commit 7661c2a8b90bee7edcf7c1279abe06ed32e22a2c)
Change-Id: I22a7ee2a3e51c3dea441a6f185e1c993cd65c4a1
Merged-In: If5802418f6069dbc72824745307342776175d9d8
Joseph Pirozzo [Thu, 14 Nov 2019 00:02:06 +0000 (16:02 -0800)]
AVRCP Controller refresh track data on Interim
Upon receiving an interim track changed event fetch the now playing
track information. Resolves issues where track changes get out of sync.
Bug: 143954201
Test: connect a phone and change tracks rapidly on phone.
Change-Id: I1e4ce62df6839dd2b9cf40832556a9b2608593e7
(cherry picked from commit a3d62166f685f5249b813bd110e894682c84da54)
Change-Id: Ia6cc2a7a0430d6d9e3ae6e911e3fc8834221b599
Merged-In: I1e4ce62df6839dd2b9cf40832556a9b2608593e7
Joseph Pirozzo [Mon, 21 Oct 2019 22:39:09 +0000 (15:39 -0700)]
AVRCP Controller get play status
Correct the parsing error in the GET_PLAY_STATUS message and call the
proper jni callback when it is received.
Bug: 139033614
Test: Connect AVRCP change media players, observe correct value parsed.
Change-Id: I8302b64efdd72bfa671cca5b8c512a436fa54ab3
(cherry picked from commit 86b473cae724e9db2efec9ed1ee50a71f2a2dd22)
Merged-In: 86b473cae724e9db2efec9ed1ee50a71f2a2dd22
Change-Id: I0c753fbc7bb62698cf23b9ded13497b6b60cda35
Merged-In: I8302b64efdd72bfa671cca5b8c512a436fa54ab3
Joseph Pirozzo [Tue, 1 Oct 2019 21:13:29 +0000 (14:13 -0700)]
ServiceDiscoveryProtocol DB Full
Increase the size of the local SDP DB to cope with newer phones supporting
more Bluetooth profiles.
Bug: 141889288
Test: pair Bluetooth device verify no warning "SDP - DB full add_attr"
Change-Id: I823ea6e178f098a0441efde4fb7d8e7fb68e38c0
(cherry picked from commit e62a51a4d6a25de3629194bad7d1d42b739e231f)
Change-Id: I06259aa3aa9b1d034b8b60dd9dcbfffe0080bacc
Merged-In: I823ea6e178f098a0441efde4fb7d8e7fb68e38c0
Joseph Pirozzo [Fri, 28 Jun 2019 18:07:52 +0000 (11:07 -0700)]
AVRCP Position Changed Notification
Correct position change notification to be received every 2000 ms
instead of every 2000 s.
Bug: 133400561
Test: Connect to device and monitor avrcp traffic.
Change-Id: Id8a33670b207f4a9ac03da957075acbac0c7c052
(cherry picked from commit f11c6baecf498b2f407c545ab8d9dcc34cc62c4d)
Change-Id: If5324d4ef5fe20c71c7b603d648fff82b81ce550
Merged-In: Id8a33670b207f4a9ac03da957075acbac0c7c052
Joseph Pirozzo [Fri, 26 Jul 2019 19:26:01 +0000 (12:26 -0700)]
DO NOT MERGE: AVRCP Controller Shuffle/Repeat support
Fetch player settings when the addressed player changes.
Bug: 72495707
Test: AvrcpControllerStateMachineTest#testShuffle
AvrcpControllerStateMachineTest#testRepeat
Change-Id: I4df1f130dafb96708ec7a0a2c13c776affcc6318
(cherry picked from commit 60a193dfeb155aeb8428fb341737b385f8260899)
Change-Id: I944419ad0bd5e49bad8a988851c1a753c0753d01
Merged-In: I4df1f130dafb96708ec7a0a2c13c776affcc6318
TreeHugger Robot [Fri, 13 Mar 2020 04:21:17 +0000 (04:21 +0000)]
Merge "While AVDT opened or its AVRC_TIMER_EVT expired, it is no needed to start the 2nd AVDT stream" into qt-qpr1-dev
Automerger Merge Worker [Wed, 11 Mar 2020 00:42:51 +0000 (00:42 +0000)]
[automerger skipped] GattServcer: Check invalid offset am: 30a2860ed1 am: 2865a273f2 -s ours am: b9e373e364 -s ours am: 78003bf5ef -s ours am: 987f4b2bfe -s ours
am skip reason: Change-Id I0396380f431cdb7f91c78db6de9043ea0f373dfe with SHA-1 c14c1fb864 is in history
Change-Id: I0001be297b99dd938b255af6c0986b05236c3895
Automerger Merge Worker [Wed, 11 Mar 2020 00:26:11 +0000 (00:26 +0000)]
[automerger skipped] GattServcer: Check invalid offset am: 30a2860ed1 am: 2865a273f2 -s ours am: b9e373e364 -s ours am: 78003bf5ef -s ours
am skip reason: Change-Id I0396380f431cdb7f91c78db6de9043ea0f373dfe with SHA-1 c14c1fb864 is in history
Change-Id: I9583370dee55f32ebda4a009c1a9a2b5586b1c95
Automerger Merge Worker [Wed, 11 Mar 2020 00:14:09 +0000 (00:14 +0000)]
[automerger skipped] GattServcer: Check invalid offset am: 30a2860ed1 am: 2865a273f2 -s ours am: b9e373e364 -s ours
am skip reason: Change-Id I0396380f431cdb7f91c78db6de9043ea0f373dfe with SHA-1 c14c1fb864 is in history
Change-Id: I19ce865f59ffe8bee30c81401a480d1b32ee632b
Automerger Merge Worker [Tue, 10 Mar 2020 23:58:30 +0000 (23:58 +0000)]
[automerger skipped] GattServcer: Check invalid offset am: 30a2860ed1 am: 2865a273f2 -s ours
am skip reason: Change-Id I0396380f431cdb7f91c78db6de9043ea0f373dfe with SHA-1 c14c1fb864 is in history
Change-Id: Iba77996d7a5acdbee2865868d506634620ccf793
Automerger Merge Worker [Tue, 10 Mar 2020 23:42:03 +0000 (23:42 +0000)]
GattServcer: Check invalid offset am: 30a2860ed1
Change-Id: I1d3aae196fb82155b88e2377e96670797f228f8a
Automerger Merge Worker [Tue, 10 Mar 2020 21:39:14 +0000 (21:39 +0000)]
[automerger skipped] GattServcer: Check invalid offset am: c14c1fb864 -s ours am: e3b33dec09 -s ours am: 2dd6490cfe -s ours
am skip reason: Change-Id I97e2c3ae15fccc482d07d8d621c455cc74900cfd with SHA-1 7674de8fc8 is in history
Change-Id: I498e1841598b1142881eb386ef9e46faa754cabb
Automerger Merge Worker [Tue, 10 Mar 2020 21:22:16 +0000 (21:22 +0000)]
[automerger skipped] GattServcer: Check invalid offset am: c14c1fb864 -s ours am: e3b33dec09 -s ours
am skip reason: Change-Id I97e2c3ae15fccc482d07d8d621c455cc74900cfd with SHA-1 7674de8fc8 is in history
Change-Id: Id5714e151ff13706e496b71898712b9410be7746
Hansong Zhang [Thu, 13 Feb 2020 19:40:44 +0000 (11:40 -0800)]
GattServcer: Check invalid offset
Test: manual
Bug: 143231677
Merged-In: I0396380f431cdb7f91c78db6de9043ea0f373dfe
Merged-In: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8
Change-Id: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8
Automerger Merge Worker [Tue, 10 Mar 2020 21:02:22 +0000 (21:02 +0000)]
[automerger skipped] GattServcer: Check invalid offset am: c14c1fb864 -s ours
am skip reason: Change-Id I97e2c3ae15fccc482d07d8d621c455cc74900cfd with SHA-1 7674de8fc8 is in history
Change-Id: Ied357d149b40fd00da201593f9d3e16c899fa7ca
Hansong Zhang [Thu, 13 Feb 2020 19:40:44 +0000 (11:40 -0800)]
GattServcer: Check invalid offset
Test: manual
Bug: 143231677
Change-Id: I0396380f431cdb7f91c78db6de9043ea0f373dfe
Merged-In: I97e2c3ae15fccc482d07d8d621c455cc74900cfd
Merged-In: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8
Automerger Merge Worker [Tue, 10 Mar 2020 03:12:00 +0000 (03:12 +0000)]
GattServcer: Check invalid offset am: 7674de8fc8 am: 8b1db2dabf
Change-Id: I1d497b86f89219c8a8885f17bf969a670c6433b6
Automerger Merge Worker [Tue, 10 Mar 2020 02:51:00 +0000 (02:51 +0000)]
GattServcer: Check invalid offset am: 7674de8fc8
Change-Id: I84a04a3671ff7d501bf9bfb483830ec48d30ce62
Alain Michaud [Fri, 7 Feb 2020 01:50:52 +0000 (01:50 +0000)]
avrc: Validating msg size before accessing fields
This change adds buffer length validation during the parsing of AVRCP
browse commands.
Bug: 79945152
Test: net_test_stack
Change-Id: Icfc44f9a91fe004932e15182b1ca3ad5bdac6370
(cherry picked from commit 03bfb9e880764c1fbad3c7ce5159c295f1c6d551)
Alain Michaud [Fri, 14 Feb 2020 21:20:38 +0000 (21:20 +0000)]
btm: fixing oob write in multi-adv SetData.
Fixing size checks when searching to fill in the TX_Power data section.
Bug: b/123292010
Test: ./test/run_unit_tests.sh
Change-Id: If6e7aa40a1a08b098e71ca0ccc8ef66f488571fb
(cherry picked from commit d75b102b125a9b788ddb3dba5e2e56bbc8a3faeb)
weichinweng [Thu, 5 Mar 2020 02:53:29 +0000 (10:53 +0800)]
Fix bluetooth can't turn off during network reset (3/3)
Add onFactoryReset into IBluetoothManager interface.
Bug: 110181479
Test: manual
Change-Id: Ic36ffd63c376f84e3c9f0388820da86f63465c8f
Merged-In: Ic36ffd63c376f84e3c9f0388820da86f63465c8f
Cheney Ni [Wed, 15 May 2019 06:09:49 +0000 (14:09 +0800)]
While AVDT opened or its AVRC_TIMER_EVT expired, it is no needed to start the 2nd AVDT stream
There were 2 cases to start the 2nd stream automatically by the stack:
* When the 2nd AVDT opened, the stack would check the 1st stream state
to determine whether the 2nd should be starting or not.
* While the AVRC timer which was fired after AVDT opened was expired,
the stack would open the AVRC and start the 2nd stream if the 1st was
started.
Both of them are unnecessary since all the streams must be controlled by
the upper layer. We currently support an active device only, and the
2nd stream will be tracked as remote triggered and suspended immediately.
To simplify the behavior, it is better to not start the 2nd stream
automatically by the stack.
Bug: 132146974
Bug: 150797902
Test: manual
Change-Id: I75f39801e9779ee55fa574e30051e01966c61ea3
Merged-In: I75f39801e9779ee55fa574e30051e01966c61ea3
(cherry picked from commit ba432366f9959b46e5b28198f2623ac4e32fb94a)
Hansong Zhang [Thu, 13 Feb 2020 19:40:44 +0000 (11:40 -0800)]
GattServcer: Check invalid offset
Test: manual
Bug: 143231677
Change-Id: I97e2c3ae15fccc482d07d8d621c455cc74900cfd
Merged-In: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8
Automerger Merge Worker [Tue, 3 Mar 2020 23:49:37 +0000 (23:49 +0000)]
AAC Decoder: Use osi_free() to free buffers allocated by osi_malloc() am: 7a6fd5459e am: c4d6c95107
Change-Id: I7f0f617b594bd6800a92d5a04e8ef0ce0f285cd2
Automerger Merge Worker [Tue, 3 Mar 2020 23:32:21 +0000 (23:32 +0000)]
AAC Decoder: Use osi_free() to free buffers allocated by osi_malloc() am: 7a6fd5459e
Change-Id: I8fb43f7467aedd4e36237d7f355c8ed175e1e33c
Hansong Zhang [Tue, 11 Feb 2020 23:15:22 +0000 (15:15 -0800)]
AAC Decoder: Use osi_free() to free buffers allocated by osi_malloc()
* buffers allocated by osi_malloc() have canary bytes around them and need the
special method osi_free() to free them
Bug: 148107188
Test: manual
Change-Id: Ifcfe494737c47e33755297214d3f637852a8be0b
(cherry picked from commit b88f8057fd28ca271ccd436a17f6489d4cf46697)
Cheney Ni [Fri, 7 Feb 2020 11:42:42 +0000 (19:42 +0800)]
AVDTP: Prevent OOB read when parsing rejected response
Because different AVDTP rejected response has different fields, we check
its data length based on the signal to prevent OOB read.
Bug: 79702484
Test: PoC
Change-Id: Iddb887c79bd8a2caa2ae5f21af15219807f9dd63
Merged-In: Iddb887c79bd8a2caa2ae5f21af15219807f9dd63
Jakub Pawlowski [Thu, 23 Jan 2020 13:32:56 +0000 (14:32 +0100)]
Make sure only valid packet fields are accessed in VendorPacketHandler
Move packet validation above first access to GetEvent()
Bug: 144066833
Test: avrcp_device_fuzz
Change-Id: I62c03763e7e921adc3456c53090fbf30ff87946e
(cherry picked from commit cd32e0d7cc0712c35f1652a9180f32be6b1cade8)
Jack He [Tue, 28 Jan 2020 03:33:45 +0000 (19:33 -0800)]
L2CAP socket: Stop L2CAP server by ID instead of PSM
* There could be multiple L2CAP socket control blocks with the same PSM
* The unique identifier for a L2CAP socket control block should be the
unique ID allocated during control block initialization
* Use this ID to track L2CAP socket control block instead of PSM to ensure
that we close the correct socket
* Reset GAP handle and L2CAP socket ID to 0 when calling
bta_jv_free_l2c_cb() so that disconnected L2CAP control blocks do
not count
Test: CtsVerifier
Bug: 147997447
Bug: 144148429
Change-Id: Ideb428bc73aa0b36b8deb20fac280e44c8fe7db1
(cherry picked from commit ad23e6b2f473829b1819918cd3f927d1134c83b3)
Jack He [Tue, 28 Jan 2020 01:09:17 +0000 (17:09 -0800)]
L2CAP Socket: Keep track of last allocated socket ID
* Keep track of last allocated socket ID in L2CAP socket stack
* Use last_sock_id + 1 as new IDs when allocating new socket blocks
* The de-dupe and overflow detection mechanism in btsock_l2cap_alloc_l()
would handle the uint32_t overflow and duplicate ID cases
Test: CtsBluetoothTestCases
Bug: 144148429
Change-Id: Ieb9791ffa34eef919a32e4aff6f4b514859c69c0
(cherry picked from commit 79eda3270bbd23814b5ec73ee3fd96ac80222db8)
Jack He [Fri, 17 Jan 2020 00:20:06 +0000 (16:20 -0800)]
LE-COC: Free LE-COC server resource when BluetoothServerSocket is closed
* When BluetoothServerSocket is closed in the Java layer, the native
layer should respond by freeing all resources used by the server
including file descriptors, structs, PSMs, and security IDs
* We did this correctly for BR_EDR L2CAP COC channels after
I4e37dcd858af258fbd64fbfb2fbf0083bd743e06, but the same fix did not
apply to LE COC
* This CL makes sure LE COC server resources are freed properly upon
server fd closure
Test: open and close LE COC server repeatedly on an Android phone
Fixes: 144148429
Change-Id: I16fa10e77612105d23848f71925ff6efc95bc75a
(cherry picked from commit d3c9966624530772fbdc469179726bd9191314c5)
TreeHugger Robot [Fri, 20 Dec 2019 18:45:07 +0000 (18:45 +0000)]
Merge "L2CAP: Check length for packet before connection complete" into qt-qpr1-dev
Mike Logan [Fri, 20 Dec 2019 18:35:38 +0000 (18:35 +0000)]
Merge "HCI: Check length of connection complete event" into qt-qpr1-dev
TreeHugger Robot [Fri, 20 Dec 2019 18:08:56 +0000 (18:08 +0000)]
Merge "L2CAP: Bounds check num_handles in NumCompletedPackets" into qt-qpr1-dev
TreeHugger Robot [Fri, 20 Dec 2019 18:07:53 +0000 (18:07 +0000)]
Merge "Fix potential OOB when parsing inquiry results" into qt-qpr1-dev
TreeHugger Robot [Fri, 20 Dec 2019 18:04:52 +0000 (18:04 +0000)]
Merge "VSC batch scan: Check packet length" into qt-qpr1-dev
Hansong Zhang [Fri, 18 Oct 2019 20:14:23 +0000 (13:14 -0700)]
L2CAP: Check length for packet before connection complete
Bug: 141745011
Test: Run POC
Change-Id: I9dc27521fa2e7f6ea345ec65dc9d3e873d71ef0f
Hansong Zhang [Fri, 18 Oct 2019 20:36:43 +0000 (13:36 -0700)]
VSC batch scan: Check packet length
Bug: 142543524
Test: POC
Merged-In: I32633d5e6dfdd17b00d468cfd29ad081ae91f0e4
Change-Id: I32633d5e6dfdd17b00d468cfd29ad081ae91f0e4
Weichin Weng [Fri, 20 Dec 2019 08:38:01 +0000 (08:38 +0000)]
Merge changes from topic "NIAP_patch" into qt-qpr1-dev
* changes:
DO NOT MERGE: NIAP: Use AES-GCM 256 bits to encrypt key.
DO NOT MERGE: NIAP: Use keystore to encrypt KEY
Myles Watson [Thu, 10 Oct 2019 20:36:06 +0000 (13:36 -0700)]
L2CAP: Bounds check num_handles in NumCompletedPackets
Bug: 141617601
Test: Pair and connect
Change-Id: I1a8ff39f677c6957e99a4d3cbd278720dd273a83
(cherry picked from commit 2506db7d01939b286e34e404b80a73e6f4dc8593)
Myles Watson [Thu, 10 Oct 2019 21:19:33 +0000 (14:19 -0700)]
HCI: Check length of connection complete event
Fixes: 141619686
Test: Pair and connect
Change-Id: Ib15d6a8cbb8c6a7404bf1afa023277429029867d
(cherry picked from commit 7ee6458cf4939ad78dbebd70c2520ad56c31f4a9)
Jakub Pawlowski [Fri, 4 Oct 2019 14:40:41 +0000 (16:40 +0200)]
Fix potential OOB when parsing inquiry results
Bug: 141620271
Change-Id: I30c7558b1ae1a77d0004760ef831480347a06e11
(cherry picked from commit c44516749af81bc5fc79afc0772f42bf0ec37bd4)
TreeHugger Robot [Thu, 19 Dec 2019 16:47:01 +0000 (16:47 +0000)]
Merge "Handle BQR root inflammation event" into qt-qpr1-dev
Ugo Yu [Tue, 26 Nov 2019 09:18:32 +0000 (17:18 +0800)]
Handle BQR root inflammation event
* When Bluetooth process receives BQR root inflammation event, wait
5 seconds for possible DEBUG_INFO events, then abort.
* Fix the DEBUG_INFO not working problem.
* Do not immediately abort when HAL service dies if abort_timer has
already started, so we won't interrupt log collecting procedure.
Bug: 145568772
Bug: 144572644
Bug: 144592765
Test: Manual
Change-Id: Ibe6c341a3e9aabec33de8d3f90c4a6a3403d06bc
Merged-In: Ibe6c341a3e9aabec33de8d3f90c4a6a3403d06bc