git.osdn.net Git - android-x86/system-bt.git/log

Fix a security issue in sdp_server.cc

Bug: 169342531
Test: POC
Change-Id: I0e8cdb9a00184f62d11fb06bc30f07b2a35bc49e
(cherry picked from commit d7573f4fa9007ab7750edfc56305eea97c525cdb)

Check Classic key before cross-key derivation

Bug: 158854097
Test: atest net_test_stack_smp
Tag: #security
Ignore-AOSP-First: Security fix
Exempt-From-Owner-Approval: Already got owner approval,
but somehow it still shows no owner vote

Change-Id: Id88241324e9fb89ef14e50b52eb459a0d81c492b
(cherry picked from commit 814160abca57badda240ff606444537c9d9e02df)

Send a response to an smp security request depending on the callback event

Tag: #feature
Bug: 157038281
Test: Manual
Merged-In: Iadeb25a43b46f615b55a0dfb6e7723e5d1204351
Change-Id: Iadeb25a43b46f615b55a0dfb6e7723e5d1204351
(cherry picked from commit 1570e8de12bd994abd8ac18e80734bcbd05430d1)

Check whether local device is an ATV device to determine whether to show the consent dialog for BLE pairing in JUSTWORKS and ENCRYPTION_ONLY mode

Tag: #feature
Bug: 157038281
Test: Manual
Merged-In: I6d06f5996da71e5a1407e544b0023d82924aa56f
Change-Id: I6d06f5996da71e5a1407e544b0023d82924aa56f
(cherry picked from commit 0b4c1014f7d1b22b5e397f7eee72f0a471f90519)

Shows a consent dialog on the local device when pairing a bluetooth low energy device if the local device has a display.

Tag: #security
Bug: 157038281
Test: Manual
Merged-In: I7de396230beb84bd0fa2b0cea346523b6824472a
Change-Id: I7de396230beb84bd0fa2b0cea346523b6824472a
(cherry picked from commit b5c0bfc132b296853ba1143f34394e2719ff876d)

Return after removing sample LTK device

Return directly after calling bta_dm_remove_device to
prevent from accessing the invalid security record (p_dev_rec).

Test: Hardcode to test bond with sample key
Tag: #security
Bug: 162497143
Change-Id: Iaa59f3c415dd8066849fd70912fdb83f890229d7
(cherry picked from commit 7c86810c44ef2efd97c3e78bd77e36257a05f75b)

Fix possible OOB when receive gatt read type response data

Bug: 158833854
Bug: 158778659
Test: manual
Tag: #security

[syphyr: Backport to 14.1:
- replace log function with GATT_TRACE_ERROR]
Signed-off-by: L.W.Reek <syphyr@gmail.com>
Change-Id: I1bd8713eecebc2bc3d919402b035987e06a2d4d3
(cherry picked from commit 0eb7a763dff47d349b5cfc5821116ece5a46ffa3)

DO NOT MERGE: Remove pairing on incoming bond request

Bug: 150156492
Tag: #security
Test: Bond two devices, forget from one device and reconnect
Change-Id: I048b7b142e3fe2096cf1a9aa2931c175fa52cd45
(cherry picked from commit 13f409ad3a2423b06af7a7f1a9b06fb06c8820a7)
Merged-In: I048b7b142e3fe2096cf1a9aa2931c175fa52cd45
(cherry picked from commit 85b5df1d0dcc782ed5afc1dcf9247880416d5fbd)

Enable bitpool sanity checks

Enable bitpool sanity checks to run all the time, not just in debug
mode.

Tag: #security
Test: sbcdecoder_fuzzer
Bug: 146398979
Change-Id: Iff58305cd18de35e37290f0c09fba01ee14e787a
(cherry picked from commit 59c234a8fddda37147bb3fe1dd3b3a668828bcab)

Fix potential stack overflow caused by integer overflow

Bug: 151155194
Merged-In: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
Change-Id: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
(cherry picked from commit 1570b62c88d7c5b9c6bfe43da8cc16ea30d3e8df)

GattServcer: Check invalid offset

Test: manual
Bug: 143231677
Merged-In: I0396380f431cdb7f91c78db6de9043ea0f373dfe
Merged-In: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8
Change-Id: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8
(cherry picked from commit 30a2860ed19866159a0870c57a94ad8df0b1a683)

SDP: add return after SDP disconnection

A return is needed after sdp_disconnect(). It is the logic
expected and it prevents the use of p_ccb after it's freed.

Bug: 144177780
Bug: 117105007
Test: manual test
Change-Id: I7a64382b36adca37a8ff0c7e361d89ecdc8f3b55
(cherry picked from commit 30efc8c90a846460359a489e17e1461c725958b3)
(cherry picked from commit 5edd605227af9a1b9eedf4fd9f02373a47fd49fb)

Fix potential OOB write in btm_read_remote_ext_features_complete

Add event length check to avoid hci event sent from controller not
correct.
Add page number check to avoid page number is bigger than
HCI_EXT_FEATURES_PAGE_MAX.

Bug: 141552859
Bug: 144205318
Test: inject function
Merged-In: Iaca4db4ee9bf27362f62aba0da088727e98955d1
Change-Id: Iaca4db4ee9bf27362f62aba0da088727e98955d1
(cherry picked from commit 140d8297ace9cd54a903a9cd3a079fd805030f1e)

GAP: Correct the continuous pkt length in l2cap

L2cap continuous pkt length wrongly calculated in
reassembly logic when remote sends more data
than expected.

Wrong pkt length leading to memory corruption

Hence the Correct the continuous pkt length in
l2cap reassembly logic.

Bug: 135239489
Bug: 143894715
CRs-Fixed: 2434229
Test: make and internal testing
Change-Id: I758d9e31465b99e436b9b1841320000f08186c97
Merged-In: I758d9e31465b99e436b9b1841320000f08186c97
(cherry picked from commit 337bd4579453bd6bf98ff519de3ac1019cd30d28)
(cherry picked from commit 602f4b44fe30ec8b225e1cee5f96817607d93e5a)

fix -Wdangling-gsl

BtAddrString() returns a std::string. It's not safe to chain a call to
c_str() as otherwise the returned std::string is a temporary, and the
expression evaluates to an immediately dangling pointer.

Bug: 139945549
Bug: 142558228
Test: mm
Change-Id: I30972458abcc563b24ee0d80b289c3efd6c3e04d
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
(cherry picked from commit 20ed45d6339079645ef9fe576b894e9497684c93)

JustWorks: Auto-accept only incoming temporary pairing.

Bug: 110433804
Bug: 134461862
Test: Manual; atest net_test_bluetooth
Change-Id: I4e3f39bc08e9d9493734a21ea29d76e43aeb50c8
Merged-In: I4e3f39bc08e9d9493734a21ea29d76e43aeb50c8
(cherry picked from commit 10e15ee4610969b10e7558969fed8ba229d8e5a0)

SDP: Disconnect when there is a bad length

Handle the case when SDP_RAW_DATA_INCLUDED is FALSE.
Related to: I9f0df8b2de28970e7d69b737ce5d363785183bf3

Bug: 137239831
Bug: 117105007
Test: manual test
Change-Id: I354494565005f2ca9093486546fc54c145066413
Merged-In: I354494565005f2ca9093486546fc54c145066413
(cherry picked from commit e45fe0a8ec678c73c57967b69c2fd485eef92927)
(cherry picked from commit 7f555a1a9b641a8e4892a4e7a7cc1ff294d8f2b7)

Use memcpy instead of casting to convert device_class to int

Bug: 140152619
Test: atest net_test_btcoreclear
Change-Id: Iee71ce35576e438317841d41a81fda6a87e1984a
Merged-In: Iee71ce35576e438317841d41a81fda6a87e1984a
(cherry picked from commit ec75f1efb6b9be4933225a4b724e7a3ef5e3d70b)
(cherry picked from commit ecf8f751b0ef9945b1a3e3433116d7363e3a24f9)

SDP: disconnect if sdp_copy_raw_data fails

Our partners met with the problem with sdp_copy_raw_data updated in
CVE-2019-2116. When peer device responds with a wrong size,
sdp_copy_raw_data will not complete and won't trigger
disconnection. This CL enables the disconnection when a wrong size is
received.

Bug: 137239831
Bug: 117105007
Test: manual test
Change-Id: I9f0df8b2de28970e7d69b737ce5d363785183bf3
Merged-In: I9f0df8b2de28970e7d69b737ce5d363785183bf3
(cherry picked from commit bc9df3451dad17c1ab1002fdbc85d60e57d4f0af)
(cherry picked from commit 41939a2b5a8e3584c5a99dfe264a47df79e3091f)

DO NOT MERGE: btif: require pairing dialog for JustWorks SSP

Bug: 110433804
Test: Manual; atest net_test_bluetooth
Change-Id: If65a8d53ff368ba3ddddb47cfc0072469090b46a
(cherry picked from commit ddae6274742e241c03526c7659dca7b3446b9f8d)
(cherry picked from commit ee34c562b296751cd457e828c3debf38a8d35fb4)

DO NOT MERGE Store BLE keys using the address from the ble_auth_cmpl_evt

Reading the peer address from btif_dm_ble_auth_cmpl_evt, instead
of using the value from the pairing control block in
btif_dm_save_ble_bonding_keys, ensures that BLE keys are stored with
the correct address.

Bug: 133234174
Bug: 79703832
Test: 1. Initiate crosskey pairing from BLE
2. Check whether BLE keys are stored correctly
Change-Id: I18b4a1d8e2cdcd6dd4a300f1dc9e6d3892a3baff
(cherry picked from commit 0d95651e8b22b1012f1ee103e4a0b8665a0c17d4)
(cherry picked from commit b2334f05895e9926666904c41f13821210cbd6e9)

Merge remote-tracking branch 'cm/cm-14.1' into cm-14.1-x86

Merge remote-tracking branch 'x86/nougat-x86' into cm-14.1-x86

Fall back to CLOCK_BOOTTIME if CLOCK_BOOTTIME_ALARM fails

If the cuttlefish device does not have an rtc device (such as the crosvm
VMM) the bt osi layer can promote crashes due to it not being able to
create a CLOCK_BOOTTIME_ALARM timer. Bring back a fallback but enable it
at runtime instead of compile time.

Bug: 126955943
Test: run with cuttlefish
Change-Id: I3ab0282b3e8fde776aa7b37d5772c8f62cf957bf

DO NOT MERGE Fix for Bluetooth connection being dropped after HCI Read Encryption Key Size

If remote device stop the encryption before we call "Read Encryption Key Size",
we might receive Insufficient Security, which means that link is no longer
encrypted.

In such cases we should stay connected, rather than disconnecting the
link.

Test: Connect to device that stop encryption right after encryption is
complete, i.e. to change roles.
Bug: 124301137
Bug: 132626699

Change-Id: Iab0fd9f357d18a6b048b971d0393fbb47fd4d793
Merged-In: Iab0fd9f357d18a6b048b971d0393fbb47fd4d793
(cherry picked from commit c5aa5feebf558df160772fefaf271a6f3251e261)

DO NOT MERGE Send HCI Read Encryption Key properly

This patch fixes bad HCI command being send instead of Read Encryption
Key Size.

Bug: 124301137
Test: pair and connect with Bluetooth headset
Change-Id: If325ef2771ca1546ae58df7c684f66ae537b8573
(cherry picked from commit a3cc7575f9ce644a3dfceee61ab7b4b206a3982e)

DO NOT MERGE Drop Bluetooth connection with weak encryption key

This patch requires Bluetooth chip to support HCI Read Encryption Key Size
command and will cause Bluetooth to crash if this command is not supported
on a device. Such device should not take this patch and should look for
alternative solution to drop Bluetooth connection with weak encryption key.

Bug: 124301137
Change-Id: Id4b6b4e765628397a79e6806f45c2cd27acebd5b
(cherry picked from commit 027532b3678e3d50ed41270d747df5eb06bc6a8d)

Fix potential OOB read in sdpu_get_len_from_type

Add boundary check in sdpu_get_len_from_type to prevent potential OOB read.

Bug: 117105007
Test: Manul
Merged-In: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
Change-Id: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
(cherry picked from commit 1243f8da338dadfe2a3c281a08297b431402d41c)
(cherry picked from commit 4d8e1d63e1a2116c47702d38d858f5a742e8292f)

DO NOT MERGE Don't persist bonds using sample LTK

Test: compilation, manual testing
Bug: 128843052
Change-Id: I52fd484d42bf87e96dbc9e6456090f231ed48111
(cherry picked from commit c0fb2a25f92848f4d78f72d31e9705e29e6f5ca8)

btm_proc_smp_cback: Don't access p_dev_rec if freed

In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free

Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
(cherry picked from commit 953dd279502980b1d8d30656eb78c6445a6e31f7)

process_l2cap_cmd: Fix OOB

Bug: 119870451
Test: POC
Change-Id: I2f5e7fedd9aed96c4ffc55af79fdac61c2e5b087
Merged-In: I5131bbf9cda6248fdbbc4bb91916b2fe3731246e
(cherry picked from commit 94fd011bc9a72081cc691ed7d6e6eec42e9f4539)

DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu

Add check to make sure that data buffer is big enough to read the 2
bytes for length.

Also, fix a regression from the previous CL that checks the buffer length
before doing a memcpy. The previous check is too strict causing valid
sized buffers to be rejected. The length check is incorrect and off by the header size.

Bug: 120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
(cherry picked from commit fcb1994de1f6ee34b8dc6804a2b32e20bf138073)
(cherry picked from commit 1f1d8b97d80d25023c4c7b04d2aa18d367f4158d)
(cherry picked from commit 6b2739f309f7719086eb8201b3e1a35ba60035f4)
(cherry picked from commit c1fcbd5508a75ae3eaf5f311d706d026fee2fe48)

Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm

Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df)

Fix buffer overflow in btif_dm_data_copy

When we use a union, we should always define variables as the union type,
not as one of the field subtypes. If the latter is cast to the union type,
buffer overflow can happen.

Bug: 110166268
Test: compilation
Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd
Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd
(cherry picked from commit ea90417d9965aec1c475418ca8f8f305af12de2d)

Fix possible OOB when AVDT data channel recive ACL data

Bug: 111450156

Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af)
(cherry picked from commit ad4098c340b52acdb0f48fd3e2612d810e71f4c4)

MCAP: Check response length in mca_ccb_hdl_rsp

Bug: 116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit 0ab53ca2af26f70126d6d9d6600d090a720758fa)

HH: Check parameter length in bta_hh_ctrl_dat_act

Bug: 116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit b8fbe73f0d32686e8393bfe07a84b6f0e8829caf)

SDP: Check p_end in save_attr_seq and add_attr

Bug: 115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit b8a5081b00fc9730092d8392786f3f4e659cb602)

HFP: Check AT command buffer boundary during parsing

* add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback
and bta_ag_at_hfp_cback to indicate effective data range of p_arg
* add checks for buffer copy overflow in bta_ag_at_hsp_cback and
bta_ag_at_hfp_cback
* add packet legnth checks with p_end in bta_ag_parse_cmer
* add packet length checks with p_end in bta_ag_parse_bac

Bug: 112860487
Test: testplans/details/218593/3975
Change-Id: I6bbbc2ba29ad025c7d3ba023d8191af6a11c4aa9
(cherry picked from commit 28ddbe904bd15c9636063f5431a9360d8e9df8b9)

Fix possible OOB read

Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad)

DO NOT MERGE - Check SDU lower bound before allocate p_data

Bug: 112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit 6fc96f847be808a4f38eae45b5e9bbc3f18b9a2d)

Check data length when parsing AVRCP vendor specific command responses

Bug: 111450531
Bug: 111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)

AVRCP: unify Get{Element,Item}Attributes response.

GetElementAttributes response and GetItemAttributes response share the
same format and require the same checks for length.

Test: play media on carkit, see media. especially with long items.
Bug: 32407250
Bug: 30571638
Change-Id: I8623e7d662f7a39112b7527b6f5ab63c5e32379c

Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()

Bug: 111450417
Test: PoC test program
Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
(cherry picked from commit 1c14e10cac53d5a5724dcf34c5679ad8819f9442)
(cherry picked from commit f779ebe368d245c0d9ac954cf7b2b102e7da56be)

Checks the SMP length to fix OOB read

Bug: 111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
(cherry picked from commit fceb753bda651c4135f3f93a510e5fcb4c7542b8)

Add packet length check in smp_proc_master_id

Bug: 111937027
Test: manual

Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075
(cherry picked from commit c8294662d07a98e9b8b1cab1ab681ec0805ce4e8)

DO NOT MERGE Fix OOB read before buffer length check

Bug: 111936834
Test: manual
Change-Id: Ib98528fb62db0d724ebd9112d071e367f78e369d
(cherry picked from commit 4548f34c90803c6544f6bed03399f2eabeab2a8e)

Check packet length in bta_av_proc_meta_cmd

Bug: 111893951
Test: manual - connect A2DP
Change-Id: Ibbf347863dfd29ea3385312e9dde1082bc90d2f3
(cherry picked from commit ed51887f921263219bcd2fbf6650ead5ec8d334e)

Add missing AVRCP message length checks inside avrc_msg_cback

Explicitly check the length of the received message before
accessing the data.

Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
(cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)

Add packet length checks in mca_ccb_hdl_req

Bug: 110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
(cherry picked from commit 4de7ccdd914b7a178df9180d15f675b257ea6e02)

Fix a wrong check in rfc_parse_data

Bug: 78288018
Bug: 111436796
Test: manual
Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a
(cherry picked from commit d1ced302cd1066087588c891027b1756be31db46)

Add bound check for rfc_parse_data

Bug: 78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit 6039cb7225733195192b396ad19c528800feb735)

Check remaining frame length in rfc_process_mx_message

Bug: 111936792
Bug: 80432928
Test: manual
Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
(cherry picked from commit 0471355c8b035aaa2ce07a33eecad60ad49c5ad0)

Fix copy length calculation in sdp_copy_raw_data

Test: compilation
Bug: 110216176
Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
(cherry picked from commit 23aa15743397b345f3d948289fe90efa2a2e2b3e)

Fix OOB read in avrc_ctrl_pars_vendor_rsp

Bug: 78526423
Test: manual
Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91
(cherry picked from commit d945ada503ed9c9ea24e092df51faba57f5d589a)

DO NOT MERGE HFP: Fix out of bound access in phone number processing

* Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
method
* Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
PhoneStateChange method

Bug: 79431031
Bug: 79266386
Test: make call with super long phone numbers
Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
Merged-In: I98e7687ac4055800aa46626c6b1c866e52e474df
(cherry picked from commit 82371c1204cc0b48941ec1d41c516c4b40093879)

Don't use Address after it was deleted

Bug: 110216173
(cherry picked from commit 9930f6f4e14e64966869b119994126283d645fd0)

Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
Backported-By: Vasyl Gello <vasek.gello@gmail.com>

HID Host: Check L2CAP packet data length

Bug: 80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit ca47a05acb66218ff2123f8d4642961f7f2eb5e2)

Add packet length checks in l2cble_process_sig_cmd

Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit 02f47a752c818277b31852e3ff940764d5c7f9c7)

Fix OOB read in process_l2cap_cmd

Test: manual
Bug: 79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
(cherry picked from commit 5bb66307b555b17d1764e116316ce50c687c9653)

DO NOT MERGE: SDP: Recalculate param_len after max_list_len

Bug: 78136869
Test: manual connection to an A2DP device
Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
(cherry picked from commit 9cc9eea21c7868034242b7ab8be750c565e46bfd)

SDP: return error on offset bigger than atribute length

Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit 0a74ffa44cbe48f674387cc951e6011c28ca003c)

GATT: Use correct logging macro replacement

The original commit used the LOG(ERROR) macro and
GATT_TRACE_ERROR is the proper replacement for it.

Fixes: GATT: Handle too short Error Response PDU

Change-Id: I4460ab6215865b605faed5e640bf4fe47a5e4be8

RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)

Bug: 74075873
Test: manual test (poc in bug)
Change-Id: I56e87cfdf8731acca00cefac98abb2ba06f6e7ed
(cherry picked from commit 3575ba8ca36dccf7dcdb2dbf16ed170d549911d3)

Add PDU size checks in process_service_search_attr_rsp

Bug: 79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
(cherry picked from commit 980f6427b183e013958acd6b70e91f58177408a6)

GATT: Handle too short Error Response PDU

Since the spec is not clear what to do in this case, use one of
reserved error codes as a failure reason, and pass it to upper layers.

Bug: 79591688
Change-Id: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
Merged-In: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
(cherry picked from commit f63c4b652b3231c2b4907bffd13410c6eb2aa760)

Add checks whether the AVDTP element data length is valid

Bug: 78288378
Test: Manual: Python script and extra logging
Change-Id: I715b5977c833d33ff798f008fbf244effa13ea1f
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit 9b3f96f50287d8789aff6d6895d7ae02ca6ac619)
(cherry picked from commit ee30c88a8d49b30860d35b34a57c3037a4045678)

BNEP: Fix OOB access in bnep_data_ind

* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
  the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
  is most likely triggered

Bug: 78286118
Bug: 79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
      BNEP_EXTENSION_CONTROL packet
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit 3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit 0416340ffa61337dbaa2f6602ef85a1c32563ec2)

Decrease length after reading from array in process_service_attr_req

Test: compilation
Bug: 78136677
Change-Id: I4807a350e2b4764a93f104ce88f23a957a7e85c0
(cherry picked from commit 6cd2e8bf6e5707e8e77e7aca6519c58200ee58db)

DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_event

Bug: 80145946
Test: manual
Change-Id: Ic83eaa4be868d5a345d80cd50a6915c0af719a53
(cherry picked from commit 519b61392a96fbd45bdcc0bfddc881167c20cc23)

DO NOT MERGE SMP: Validate remote elliptic curve points

Fixes: 72377774
Test: net_test_stack_smp (where applicable)
Change-Id: Iefcf97364493467075fadefd77d12716f71cd4f6
(cherry picked from commit 9181ec28da94705a763edbe60bd2a87e5f882beb)
(cherry picked from commit e11ebfc21963ae905d58c034310efeca0e7cd2ee)
(cherry picked from commit fa3d7e1f784d3bdbf8f9d8b572a60696289211b1)

DO NOT MERGE Prevent stack overflow in btif_storage

Bug: 73963551
Test: manual
Change-Id: I5f7a583aad150ebf9e3d492181d80ca935c8aa3f
(cherry picked from commit e8d311224277e9db5dc94cb94929125992f546f3)
CVE-2018-9430

DO NOT MERGE: Check number of attributes before writing to a buffer

Bug: 73824150
Test: Compile
Change-Id: I2a28a503cd74758e707d1e591b55c278d2299f45
(cherry picked from commit f6db54f071f6974e18b10bb0c2cfcf397cd4c980)
CVE-2018-9418

DO NOT MERGE AVRC: Add bound check for AVRC_EVT_APP_SETTING_CHANGE

Test: manual
Bug: 73782082
Change-Id: I4e384a2f8c0d8c4af03bd5865b2e907321419c86
(cherry picked from commit 0061dd6ae30ebcebce695c212c8bc0ceb276710e)
CVE-2018-9413

Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ

Bug: 74121659
Test: Compiles
Change-Id: Idf58e7b25b41ae1bd43cdd51de424b18e03cc7e8
(cherry picked from commit ca4f8a18bce9331360144f1dbc51db1e2525bcc3)
CVE-2018-9419

DO NOT MERGE Fix unexpected behavior in smp_sm_event

Bug: 74121126
Test: manual
Change-Id: Ie5dd841d6461ad057c4ab572007f38c5446aba53
(cherry picked from commit 652798b2f2d6c90e0fc95c00ccfb91e2870b03d4)
CVE-2018-9365

DO NOT MERGE Drop LE CoC fragments when frame size is too big

Drop the LE CoC data fragments when the received fragment size is too
big.

Test: Runs LE CoC SL4A test, BleCocTest.
Bug: 75298652
Merged-In: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
Change-Id: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
(cherry picked from commit 8365a2ace5e89d8b81bab468f0f9bc1137d773b4)
(cherry picked from commit 17db92e4fc3c7127c0ace625ff9735a9972eee70)
CVE-2018-9380

DO NOT MERGE Fix OOB read in process_l2cap_cmd

Bug: 74202041
Bug: 74196706
Bug: 74201143
Test: manual
Change-Id: Ic25f7f3777d0375f76cc91e4d129b1636f1c388d
(cherry picked from commit ff15adf5150527db1012b9f7777066522835e2db)
CVE-2018-9359, CVE-2018-9360, CVE-2018-9361

[Backport] DO NOT MERGE Handle bad packet length in gatts_process_read_req

Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Please note that there is another earlier CL that is reverted and this
is the updated one.

Bug: 73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit cc9c7330d1c3507d745170ae7b2e0546197b7acb)
(cherry picked from commit 16f4c21be5bd0ea1968eee8a0f00648b1e326253)
CVE-2018-9358

DO NOT MERGE Add bounds check for BNEP_Write

Bug: 74947856
Test: manual
Change-Id: If5db8c6b6e509a330ae74808fc3f0ffac137af14
(cherry picked from commit ae9d06c1dc84db36c0c4a07fc56a1fbf008cd1ce)
CVE-2018-9357

PAN: Always allocate in bta_pan_data_buf_ind_cback

Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free. Move the free call to pan_data_buf_ind_cb().

Free the buffer before every return in pan_data_buf_ind_cb.

Bug: 74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
(cherry picked from commit 98232b084c66368234d19fafe3076bc1c0f1b578)
CVE-2018-9356

DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result

Check the number of UUIDs from remote device

Bug: 74016921
Test: manual
Change-Id: I1ca1f66bfc935f5fd219e8147511bdac7d2789ef
(cherry picked from commit 67ec216daa43f71adf103de6c4156c5a892c1460)
CVE-2018-9355

Merge remote-tracking branch 'cm/cm-14.1' into cm-14.1-x86

AVRCP: Initialize buffer for attribute values to be written to

Test: Build
Bug: 71603553
Change-Id: I978270605cfaa3b833d6c19f1b1d2cd5a82ac079
(cherry picked from commit e36d6f8edceed860929901b6c49c1964a1ac563f)
(cherry picked from commit 1696f97011f5f30f1a630f3b24442ca64232b1f5)

SDP: Check p_req_end before reading from p_req

Bug: 69384124
Test: Connect a headset
Change-Id: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
Merged-In: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
(cherry picked from commit dd856fbc4ade8f7d78873db3533b4c9fd7c6d612)
(cherry picked from commit 72b1cebaa9cc7ace841d887f0d4a4bf6daccde6e)

DO NOT MERGE Truncate new line characters when adding string to config

Bug: 70808273
Test: test with a device with newline character in name
Change-Id: I8729e12ad5851ee1ffbcb7c08e9a659f768ffc21
(cherry picked from commit dd9bbfc2458569d9fecf35f7503d1b89b4c69aa0)
(cherry picked from commit 7f8bfcc35285ca6e93a4436699bc95c13b920caf)
mh0rst: Port to C

AVRCP: Check the number of text value attributes requested

Test: Builds
Bug: 69479009
Change-Id: I184ddfdb56c15c2b07d52a2624240738efb4d207
(cherry picked from commit 6313da35abc93fcfb783c68f2e02427df9928ecf)
(cherry picked from commit 57dc5964428697a104988f0aa0d1fd1d88fec939)

AVRCP: Check number of text attribute values in response

Test: Build
Bug: 71603410
Change-Id: I6f822b0bc7fc2fb042a70b64cff61583a86b36e2
(cherry picked from commit 4cd518cb3f8ac6ccb43c94a441bee67e041d0dd5)
(cherry picked from commit e4ec79be45304f819c88c8dbf826d58b68f6c8f8)

AVRCP: Check number of text attributes in response

Test: Build
Bug: 71603315
Change-Id: Ieda5e410057062533ae09bd977bfe7f758a55140
(cherry picked from commit 658fd1b7c4ee959e42c20a2f1cfb7d895f94f6d2)
(cherry picked from commit 6ecbbc093f4383e90cbbf681cd55da1303a8ef94)

bt: Fix 32k sbc_codec.sampling_rate

* 3200 is not 32k

Change-Id: Ie51d9f82f9de791f8cf1ffd9085c98326787133f

BNEP: Check received frame type

Bug: 68818034
Test: build
Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
(cherry picked from commit b910734a55fd3babf71b049d5638bf86f81d7c1e)
(cherry picked from commit ae12fc48fa6c7a114234afa055ab1cd630d6da8d)

Remove memory reference to invalid mem in error log

Remove the memory reference to an invalid memory inside an error log
message.

Test: Edit code to force the error condition and make sure the new error
log does not crashed.
Bug: 67058064
Merged-In: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
Change-Id: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
(cherry picked from commit 11cd7277a1d0da9013a8381cddbfc096e9adaed6)
(cherry picked from commit d10bc94f5ec64122382ed73a261c5f4d0a0fa195)
(cherry picked from commit 49a57cd2346a716eca07153ac83026787fb9d03a)

SDP: Include the offset in sdp_disc_server_rsp

The commit
SDP: Pass the bounds to process_service_*_rsp
with the change ID
Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
omitted the offset when calculating the end of the message.

Bug: 68161546
Test: Connect a headset
Change-Id: I6266b51e3871ed6ce9932161e4ab66de90af4ce6
(cherry picked from commit 1ff9151b7de9cff6aab3919d151542e7244cc0e5)
Merged-In: I6266b51e3871ed6ce9932161e4ab66de90af4ce6
(cherry picked from commit c379fc0f7a158e7028771bcf9dea19987f771a8e)
(cherry picked from commit 1313abd1761c39e8619a77964f8c42e3e72b5fee)

SDP: Pass the bounds to process_service_*_rsp

Test: build
Bug: 68161546
Change-Id: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
(cherry picked from commit 3c7bd5a8453110a7bd1351648c5a4001b99afa70)
(cherry picked from commit 0627e76edefd948dc3efe11564d7e53d56aac80c)

Fix unexpected behavior in reading BNEP packets

Bug: 67863755
Bug: 69177251
Bug: 69177292
Bug: 69271284
Test: BNEP still works
Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372
(cherry picked from commit 9844ddac4c0aaf217326c56f2814d145c11eb042)
(cherry picked from commit a50e70468c0a8d207e416e273d05a08635bdd45f)

PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback

Patch from b/67078939

Test: build
Bug: 67110692
Change-Id: I63b857d031c55d3a0754e4101e330843eb422b2a
(cherry picked from commit 2a18e724b2bf101ea38a5b089de56842107c8369)
(cherry picked from commit 08e68337a9eb45818d5a770570c8b1d15a14d904)

AVRCP: Check the number of text attributes requested

Test: Build
Bug: 69478941
Change-Id: Ibc456511c8d7339213f08b07d70f5e25be140d68
(cherry picked from commit 249bb665b1020e81547246f5b29ed9040d696388)
(cherry picked from commit 2f2043f18463a5c963c138d24346870b1066e7a6)

Allocate/free the SDP connection timers only during stack startup/shutdown

This avoids freeing the sdp_conn_timer within the alarm callback itself.

Bug: 67110137
Test: Manual
Change-Id: I775b4b532cd42cf207258c53c6052a167a124627
Merged-In: I775b4b532cd42cf207258c53c6052a167a124627
(cherry picked from commit ef6a4a0c9d9220a7d909863349d7a0c0b967d54c)
(cherry picked from commit 0dbe21d88e05a43d6882248144e4e9128f4c1928)
(cherry picked from commit ec16f7d8c7e359a68ffe6b76e88add2210bf2cbd)