OSDN Git Service
Chih-Wei Huang [Fri, 14 Feb 2020 05:15:13 +0000 (13:15 +0800)]
Avoid more annoying crashing
Chih-Wei Huang [Wed, 16 Oct 2019 14:30:17 +0000 (22:30 +0800)]
Merge tag 'android-7.1.2_r39' into nougat-x86
Android 7.1.2 Release 39 (
5787804)
Conflicts:
bta/pan/bta_pan_act.c
stack/bnep/bnep_utils.c
Alistair Strachan [Sat, 2 Mar 2019 01:45:09 +0000 (17:45 -0800)]
Fall back to CLOCK_BOOTTIME if CLOCK_BOOTTIME_ALARM fails
If the cuttlefish device does not have an rtc device (such as the crosvm
VMM) the bt osi layer can promote crashes due to it not being able to
create a CLOCK_BOOTTIME_ALARM timer. Bring back a fallback but enable it
at runtime instead of compile time.
Bug:
126955943
Test: run with cuttlefish
Change-Id: I3ab0282b3e8fde776aa7b37d5772c8f62cf957bf
Arjun Garg [Mon, 15 Jul 2019 19:43:34 +0000 (12:43 -0700)]
Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"
This reverts commit
669c21e17874a11394668b2a927b04d03850d237.
Jakub Pawlowski [Thu, 6 Jun 2019 11:54:55 +0000 (13:54 +0200)]
DO NOT MERGE Fix for Bluetooth connection being dropped after HCI Read Encryption Key Size
If remote device stop the encryption before we call "Read Encryption Key Size",
we might receive Insufficient Security, which means that link is no longer
encrypted.
In such cases we should stay connected, rather than disconnecting the
link.
Test: Connect to device that stop encryption right after encryption is
complete, i.e. to change roles.
Bug:
124301137
Bug:
132626699
Change-Id: Iab0fd9f357d18a6b048b971d0393fbb47fd4d793
Merged-In: Iab0fd9f357d18a6b048b971d0393fbb47fd4d793
(cherry picked from commit
c5aa5feebf558df160772fefaf271a6f3251e261)
Ugo Yu [Thu, 23 May 2019 13:05:49 +0000 (21:05 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)
- Do not stay in bonding state if the device is paried but still
discovering service.
- Report BOND_BONDED to Java after authentication for a classic
Bluetooth device is completed.
- Send BONDING event to Java when static identity address is
first obtained during crosskey pairing
- Send BONDING event to Java for the initial random address
before send BONDED event
- Do not send bond event for static identity address when SDP is done.
- Make sure pairing control block always get cleaned up when both SDP
and pairing are done
- Send empty UUIDs to Java layer to unblock bonding intent broadcast
when SDP fails
Bug:
79703832
Test: runtest bluetooth, regression test
Change-Id: Ia50c42bbd7614ea13c7dd90dcfc7224f4681f479
(cherry picked from commit
553eb90719404652046698c9191e995c86743129)
Jakub Pawlowski [Fri, 24 May 2019 20:01:09 +0000 (22:01 +0200)]
DO NOT MERGE Send HCI Read Encryption Key properly
This patch fixes bad HCI command being send instead of Read Encryption
Key Size.
Bug:
124301137
Test: pair and connect with Bluetooth headset
Change-Id: If325ef2771ca1546ae58df7c684f66ae537b8573
(cherry picked from commit
a3cc7575f9ce644a3dfceee61ab7b4b206a3982e)
Ted Wang [Mon, 29 Apr 2019 02:11:04 +0000 (10:11 +0800)]
DO NOT MERGE Fix potential OOB read in sdpu_get_len_from_type
Add boundary check in sdpu_get_len_from_type to prevent potential OOB read.
Bug:
117105007
Test: Manul
Merged-In: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
Change-Id: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
(cherry picked from commit
08202bdcbe5e6cf826926d0995790fcfa309bca8)
Jakub Pawlowski [Mon, 11 Mar 2019 18:22:01 +0000 (19:22 +0100)]
DO NOT MERGE Don't persist bonds using sample LTK
Test: compilation, manual testing
Bug:
128843052
Change-Id: I52fd484d42bf87e96dbc9e6456090f231ed48111
(cherry picked from commit
c0fb2a25f92848f4d78f72d31e9705e29e6f5ca8)
Jakub Pawlowski [Thu, 14 Feb 2019 11:44:06 +0000 (12:44 +0100)]
DO NOT MERGE Drop Bluetooth connection with weak encryption key
This patch requires Bluetooth chip to support HCI Read Encryption Key Size
command and will cause Bluetooth to crash if this command is not supported
on a device. Such device should not take this patch and should look for
alternative solution to drop Bluetooth connection with weak encryption key.
Bug:
124301137
Change-Id: Id4b6b4e765628397a79e6806f45c2cd27acebd5b
(cherry picked from commit
027532b3678e3d50ed41270d747df5eb06bc6a8d)
JP Sugarbroad [Tue, 19 Mar 2019 21:44:11 +0000 (14:44 -0700)]
Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"
This reverts commit
5cd6a9f1a8d4b6e8fca2b69dbdaaa8faed27c072.
Hansong Zhang [Thu, 7 Mar 2019 18:50:04 +0000 (10:50 -0800)]
DO NOT MERGE Fix length for L2CAP config type EXT FLOW
Bug:
119870451
Test: POC
Change-Id: I11041dd03caad5569e930ff36b50fc9c2719c57f
(cherry picked from commit
1fa0f29dbe4f833049697b551f237bf0cd234ddc)
Hansong Zhang [Tue, 22 Jan 2019 21:46:47 +0000 (13:46 -0800)]
DO NOT MERGE btm_proc_smp_cback: Don't access p_dev_rec if freed
In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free
Bug:
120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: I09aa1cf1d1c835146b62d0f4989aeedfb885d95b
(cherry picked from commit
74c6d501ce55e7bbce4129fae26bd0b5f802a7fc)
Hansong Zhang [Fri, 18 Jan 2019 19:51:00 +0000 (11:51 -0800)]
DO NOT MERGE process_l2cap_cmd: Fix OOB
Bug:
119870451
Test: POC
Change-Id: Ieef322a3ad4cebcaf40e5388584d3a04a4761d2e
(cherry picked from commit
38f07a3c93143ca31229f0caa5b1a270dc1f5401)
Ugo Yu [Tue, 30 Oct 2018 07:10:35 +0000 (15:10 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)
- Do not stay in bonding state if the device is paried but still
discovering service.
- Report BOND_BONDED to Java after authentication is completed.
- Report empty UUID to Java if a classic Bluetooth device SDP
failed while pairing.
- Hold BOND_BONDED intent util SDP is findished.
- Only accept profile connection for the device is at bonded
state. Any attempt to connect while bonding would potentially
lead to an unauthorized connection.
Bug:
79703832
Test: runtest bluetooth, regression test.
Change-Id: I023713e07308bfc0e5bb8d67f386bcc50f6a0f85
(cherry picked from commit
122e115b87fe98ca5e5e65b9765c146f9e52b65e)
(cherry picked from commit
edd7e731edad067fe08b0623be6b2745bf81a445)
Stanley Tng [Tue, 11 Dec 2018 22:45:13 +0000 (14:45 -0800)]
DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu
Add check to make sure that data buffer is big enough to read the 2
bytes for length.
Also, fix a regression from the previous CL that checks the buffer length
before doing a memcpy. The previous check is too strict causing valid
sized buffers to be rejected. The length check is incorrect and off by the header size.
Bug:
120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
(cherry picked from commit
fcb1994de1f6ee34b8dc6804a2b32e20bf138073)
(cherry picked from commit
1f1d8b97d80d25023c4c7b04d2aa18d367f4158d)
(cherry picked from commit
6b2739f309f7719086eb8201b3e1a35ba60035f4)
(cherry picked from commit
c1fcbd5508a75ae3eaf5f311d706d026fee2fe48)
Jakub Pawlowski [Tue, 27 Nov 2018 16:59:57 +0000 (17:59 +0100)]
Fix buffer overflow in btif_dm_data_copy
When we use a union, we should always define variables as the union type,
not as one of the field subtypes. If the latter is cast to the union type,
buffer overflow can happen.
Bug:
110166268
Test: compilation
Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd
Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd
(cherry picked from commit
d1179759041eb66baf1b5cd398d69ce58849d848)
Jakub Pawlowski [Tue, 20 Nov 2018 21:31:31 +0000 (22:31 +0100)]
Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
Bug:
116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
Merged-In: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit
78508d2c2cf93b4dd5c7aa630b90f5c6283fe53c)
Chienyuan [Thu, 11 Oct 2018 02:36:57 +0000 (10:36 +0800)]
DO NOT MERGE HFP: Check AT command buffer boundary during parsing
* add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback
and bta_ag_at_hfp_cback to indicate effective data range of p_arg
* add checks for buffer copy overflow in bta_ag_at_hsp_cback and
bta_ag_at_hfp_cback
* add packet legnth checks with p_end in bta_ag_parse_cmer
* add packet length checks with p_end in bta_ag_parse_bac
Bug:
112860487
Test: manual
Change-Id: Idbfa2b8bd4c1a0aeeacfe34349851b3bc8de7c69
(cherry picked from commit
5b1ef1038e3f4e4371c3d6718bf0f684be65eb2b)
(cherry picked from commit
aea10aec7f7e97e9c02f57adf455bdba9e13f210)
Myles Watson [Thu, 25 Oct 2018 00:05:12 +0000 (17:05 -0700)]
DO NOT MERGE: SDP: Check p_end in save_attr_seq and add_attr
Bug:
115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit
2091fe75013ded87e105b6c405573681fbf0698f)
Myles Watson [Thu, 25 Oct 2018 22:27:03 +0000 (15:27 -0700)]
DO NOT MERGE: MCAP: Check response length in mca_ccb_hdl_rsp
Bug:
116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit
840f70ca1e75bd7311b48ae80dea1c04b8b947e4)
Myles Watson [Thu, 25 Oct 2018 21:33:33 +0000 (14:33 -0700)]
DO NOT MERGE: HH: Check parameter length in bta_hh_ctrl_dat_act
Bug:
116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit
a4a11e198164027f86e74e10aa68b9327df5b589)
Ugo Yu [Mon, 29 Oct 2018 17:57:06 +0000 (01:57 +0800)]
DO NOT MERGE: Fix possible OOB when AVDT data channel recive ACL data
Bug:
111450156
Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit
b0125caafec2183d73fc899ce5a8aee43a6e54af)
(cherry picked from commit
ad4098c340b52acdb0f48fd3e2612d810e71f4c4)
Jakub Pawlowski [Wed, 10 Oct 2018 18:07:12 +0000 (20:07 +0200)]
Fix possible OOB read in process_service_search_rsp
Bug:
74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
Merged-In: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit
b6fa6e4fffe439abc97904b15088af88f983ca0d)
Ugo Yu [Tue, 18 Sep 2018 12:49:22 +0000 (20:49 +0800)]
DO NOT MERGE - Check SDU lower bound before allocate p_data
Bug:
112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit
87bcda81b8209a71b32351b54cedaad48a7a56b4)
Pavlin Radoslavov [Thu, 6 Sep 2018 22:41:27 +0000 (15:41 -0700)]
DO NOT MERGE - Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()
Bug:
111450417
Test: PoC test program
Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
(cherry picked from commit
2692408d05bf16738284b61833649cee5d2a2233)
(cherry picked from commit
b4cf8416bfd7922be02a246f50059c1309d6afc4)
Pavlin Radoslavov [Thu, 6 Sep 2018 01:21:31 +0000 (18:21 -0700)]
DO NOT MERGE - Check data length when parsing AVRCP vendor specific command responses
Bug:
111450531
Bug:
111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit
7439ea940354f65a147c4ecfce3bada49c688047)
(cherry picked from commit
8148397ca29a4795dffdd6daadc33af43aa9694f)
Hansong Zhang [Wed, 8 Aug 2018 18:38:30 +0000 (11:38 -0700)]
DO NOT MERGE Check remaining frame length in rfc_process_mx_message
Bug:
111936792
Bug:
80432928
Test: manual
Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
(cherry picked from commit
53e8b941fd918b6f03667e1bdd38fc73ac84396b)
Hansong Zhang [Fri, 13 Jul 2018 20:43:27 +0000 (13:43 -0700)]
DO NOT MERGE Fix a wrong check in rfc_parse_data
Bug:
78288018
Bug:
111436796
Test: manual
Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a
(cherry picked from commit
4cea9389422b1936ebdc2fcd78a0b71f419c6497)
Hansong Zhang [Thu, 7 Jun 2018 23:11:27 +0000 (16:11 -0700)]
DO NOT MERGE Add bound check for rfc_parse_data
Bug:
78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
Merged-In: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit
1b9a465eea85e86984bb1e53be69880159e59c69)
(cherry picked from commit
ee82a400c41fd7b141098e3f8659c44efa449e72)
Ugo Yu [Wed, 8 Aug 2018 08:18:08 +0000 (16:18 +0800)]
DO NOT MERGE Add packet length check in smp_proc_master_id
Bug:
111937027
Test: manual
Change-Id: I2009b6be38f9733931e625379b035e84371fdcaf
(cherry picked from commit
36bbbbf8db31aaea5e03fb50c8b64f5773d5c1e0)
Cheney Ni [Wed, 8 Aug 2018 14:40:27 +0000 (22:40 +0800)]
Checks the SMP length to fix OOB read
Bug:
111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
(cherry picked from commit
353faee793b4f0ce349ef2c950902be561b64827)
Jakub Pawlowski [Mon, 16 Jul 2018 13:40:35 +0000 (06:40 -0700)]
Fix copy length calculation in sdp_copy_raw_data
Test: compilation
Bug:
110216176
Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
Merged-In: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
(cherry picked from commit
1a0571a4aca9d597a8f79665aa220decf0d45ce1)
Pavlin Radoslavov [Thu, 9 Aug 2018 20:40:54 +0000 (13:40 -0700)]
DO NOT MERGE: Add missing AVRCP message length checks inside avrc_msg_cback
Explicitly check the length of the received message before
accessing the data.
Bug:
111803925
Bug:
79883824
Test: POC scripts
Change-Id: I50d1d1f7dd7038ffcd5f0d5975ab1db43178067f
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit
b78d265f362dab7df559883617dd766bcc60ad43)
Cheney Ni [Tue, 7 Aug 2018 13:32:07 +0000 (21:32 +0800)]
DO NOT MERGE: Add packet length checks in mca_ccb_hdl_req
Bug:
110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
(cherry picked from commit
fb5115a9f8782cc27b2ba860f9855d3fe882e0fc)
Chienyuan [Wed, 8 Aug 2018 08:15:21 +0000 (16:15 +0800)]
DO NOT MERGE Check packet length in bta_av_proc_meta_cmd
Bug:
111893951
Test: manual
Change-Id: Ie562c393e949c275203617972d43bb005190b32b
(cherry picked from commit
82815f4498d35dcf8798ed6834e3a7f7212016d7)
Ugo Yu [Wed, 8 Aug 2018 06:57:25 +0000 (14:57 +0800)]
DO NOT MERGE Fix OOB read before buffer length check
Bug:
111936834
Test: manual
Change-Id: I60c500651f130876934a7b80889f4e021055fe73
(cherry picked from commit
e64b4a38b049853b8e6e2f8e16dd15765e290f42)
Hansong Zhang [Mon, 6 Aug 2018 21:36:41 +0000 (14:36 -0700)]
DO NOT MERGE Fix OOB read in avrc_ctrl_pars_vendor_rsp
Bug:
78526423
Test: manual
Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91
(cherry picked from commit
082353ad14082babaf8bcb1fba000b3cf1450c11)
Myles Watson [Tue, 29 May 2018 23:55:58 +0000 (16:55 -0700)]
DO NOT MERGE: SDP: Recalculate param_len after max_list_len
Bug:
78136869
Test: manual connection to an A2DP device
Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
(cherry picked from commit
ef7dddabbd70222fa0fafc97e8562d977f550d26)
(cherry picked from commit
ca8a83ba76685d164baf0825a82f8d95c677bd3c)
Hansong Zhang [Fri, 20 Jul 2018 17:16:14 +0000 (10:16 -0700)]
DO NOT MERGE SDP: Fix the param_len recalculation
Bug:
78136869
Test: manual connection to an A2DP device
Change-Id: If32b848696180ab2fd33f514de89cb8c3d202e39
(cherry picked from commit
51b656f12b82e47130c4a5b1d976ec1e2ab8e72b)
Jakub Pawlowski [Wed, 11 Jul 2018 09:57:07 +0000 (02:57 -0700)]
Don't use Address after it was deleted
Bug:
110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
Merged-In: Id3364cf53153eafed478546d7347ed1673217e91
(cherry picked from commit
228712652abbd605023849f60d603e96c6948816)
Jakub Pawlowski [Fri, 22 Jun 2018 05:56:11 +0000 (22:56 -0700)]
Add packet length checks in l2cble_process_sig_cmd
Bug:
80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
Merged-In: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit
329b7cfb446ed34a2b67e31267ff61ce12f1d70c)
Hansong Zhang [Thu, 12 Jul 2018 18:00:53 +0000 (11:00 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Test: manual
Bug:
79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
(cherry picked from commit
55afdafb272737a54bc629dbe4fdd4111ebb08f5)
Jakub Pawlowski [Fri, 22 Jun 2018 11:46:39 +0000 (04:46 -0700)]
SDP: return error on offset bigger than atribute length
Test: none
Bug:
79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
Merged-In: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit
3565eaf72d810688bf91f75002da1f25039996df)
Jack He [Wed, 27 Jun 2018 00:53:24 +0000 (17:53 -0700)]
DO NOT MERGE HFP: Fix out of bound access in phone number processing
* Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
method
* Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
PhoneStateChange method
Bug:
79431031
Bug:
79266386
Test: make call with super long phone numbers
Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
Merged-In: I98e7687ac4055800aa46626c6b1c866e52e474df
(cherry picked from commit
82371c1204cc0b48941ec1d41c516c4b40093879)
Hansong Zhang [Thu, 7 Jun 2018 21:18:22 +0000 (14:18 -0700)]
DO NOT MERGE HID Host: Check L2CAP packet data length
Bug:
80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit
4344cfb76ad4c1c660d00a7b306acccde9bdef77)
Max Spector [Fri, 20 Jul 2018 20:53:12 +0000 (13:53 -0700)]
Revert "DO NOT MERGE: SDP: Recalculate param_len after max_list_len"
This reverts commit
0f2114c7943106a566abd1064a5719ad0335bf0b.
Ajay Panicker [Wed, 6 Jun 2018 21:58:54 +0000 (14:58 -0700)]
DO NOT MERGE: Don't reuse buffer when building response
Bug:
79541338
Test: Compile and connect to remote headset
Change-Id: I5e059615db589e165630f39d631a922006c2d70f
(cherry picked from commit
ecef51ee8fc216ef654fd73bdc5e2802b2cf9a7e)
Pavlin Radoslavov [Thu, 31 May 2018 17:23:02 +0000 (10:23 -0700)]
Add checks whether the AVDTP element data length is valid
Bug:
78288378
Test: Manual: Python script and extra logging
Change-Id: I576d798d8b566946a3f2d973cb9d4e8dbd22d09e
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit
e192c988cbe6c0593f23e6d8e2701b459e8d895c)
Jack He [Tue, 5 Jun 2018 00:40:42 +0000 (17:40 -0700)]
DO NOT MERGE BNEP: Fix build breakage by using osi_free instead of GKI_freebuf
Bug:
79164722
Bug:
78286118
Test: make
Change-Id: I04fc994d9bca80aa4711118d3c5be02f2b809a48
(cherry picked from commit
6245466d55c4abb8047b4c167fced0804a9f217e)
Jack He [Fri, 1 Jun 2018 21:00:42 +0000 (14:00 -0700)]
BNEP: Fix OOB access in bnep_data_ind
* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
is most likely triggered
Bug:
78286118
Bug:
79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
BNEP_EXTENSION_CONTROL packet
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit
3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit
0bd01271c4d888453ba375d9442ac27cd66961c9)
Jakub Pawlowski [Tue, 29 May 2018 23:25:56 +0000 (16:25 -0700)]
Decrease length after reading from array in process_service_attr_req
Test: compilation
Bug:
78136677
Change-Id: I4807a350e2b4764a93f104ce88f23a957a7e85c0
Merged-In: I4807a350e2b4764a93f104ce88f23a957a7e85c0
(cherry picked from commit
76e962892ea1419f69e3c7e26a09fa77948c46e6)
Myles Watson [Tue, 29 May 2018 23:55:58 +0000 (16:55 -0700)]
DO NOT MERGE: SDP: Recalculate param_len after max_list_len
Bug:
78136869
Test: manual connection to an A2DP device
Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
(cherry picked from commit
ef7dddabbd70222fa0fafc97e8562d977f550d26)
(cherry picked from commit
ca8a83ba76685d164baf0825a82f8d95c677bd3c)
Hansong Zhang [Wed, 30 May 2018 00:35:01 +0000 (17:35 -0700)]
DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_event
Bug:
80145946
Test: manual
Change-Id: Ic83eaa4be868d5a345d80cd50a6915c0af719a53
(cherry picked from commit
078756d8071e0c122b2c75d416ebc22f77ed54e4)
Jakub Pawlowski [Wed, 23 May 2018 17:30:19 +0000 (10:30 -0700)]
GATT: Handle too short Error Response PDU
Since the spec is not clear what to do in this case, use one of
reserved error codes as a failure reason, and pass it to upper layers.
Bug:
79591688
Change-Id: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
Merged-In: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
(cherry picked from commit
03881d1055cf98b15ced06300e03a947b5300878)
Jakub Pawlowski [Thu, 24 May 2018 15:59:34 +0000 (08:59 -0700)]
Add PDU size checks in process_service_search_attr_rsp
Bug:
79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
(cherry picked from commit
3181bdee7d207c9894dd1dfca02fad71cb2430e8)
akirilov [Fri, 27 Apr 2018 22:12:59 +0000 (15:12 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)
Bug:
74075873
Test: manual
Change-Id: I76058b11c90dc40b78f26fb64b74d609f3473f5d
(cherry picked from commit
23918433c1f4970ae04c09a9fe096bf87cd83d76)
akirilov [Fri, 27 Apr 2018 20:08:05 +0000 (13:08 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
Bug:
74075873
Test: manual test (poc in bug)
Change-Id: I18e652f7e10ba42db6f2553083d2a2eec10e2998
(cherry picked from commit
4375ef17844b4d338754d517400ddd029d0882d3)
Ajay Panicker [Fri, 11 May 2018 18:47:31 +0000 (11:47 -0700)]
DO NOT MERGE: Check number of attributes before writing to a buffer
Bug:
73824150
Test: Compile
Change-Id: Ie38ba177d6599afe28b5c6684bd951a75fa8a805
(cherry picked from commit
d28e985241e4efdf6f3ce7d665fe50f48be13dae)
Hansong Zhang [Fri, 11 May 2018 18:40:44 +0000 (11:40 -0700)]
DO NOT MERGE AVRC: Add bound check for AVRC_EVT_APP_SETTING_CHANGE
Test: manual
Bug:
73782082
Change-Id: I4e384a2f8c0d8c4af03bd5865b2e907321419c86
(cherry picked from commit
9ca83201006bf938b9f2fad7fce121c26dc77028)
Hansong Zhang [Thu, 26 Apr 2018 22:45:28 +0000 (15:45 -0700)]
DO NOT MERGE Prevent stack overflow in btif_storage
Bug:
73963551
Test: manual
Change-Id: I5f7a583aad150ebf9e3d492181d80ca935c8aa3f
(cherry picked from commit
1d200be95816e6e82f3876ec03091a1b07a827a7)
Ajay Panicker [Thu, 12 Apr 2018 23:50:06 +0000 (16:50 -0700)]
DO NOT MERGE: Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
Bug:
74121659
Test: Compiles
Change-Id: Ib29dd50cee9decda2d73bb79b84215ea4c6ead75
(cherry picked from commit
a75ccdc7ee6c6f60baaf78717926faa9504f9f3f)
Hansong Zhang [Fri, 30 Mar 2018 23:55:49 +0000 (16:55 -0700)]
DO NOT MERGE Fix unexpected behavior in smp_sm_event
Bug:
74121126
Test: manual
Change-Id: Ie5dd841d6461ad057c4ab572007f38c5446aba53
(cherry picked from commit
61c9430c58544b4bd4846ed0d5e6de0ae5150414)
Andre Eisenbach [Wed, 4 Apr 2018 20:38:38 +0000 (13:38 -0700)]
DO NOT MERGE SMP: Validate remote elliptic curve points
Fixes:
72377774
Test: net_test_stack_smp (where applicable)
Change-Id: Iefcf97364493467075fadefd77d12716f71cd4f6
(cherry picked from commit
9181ec28da94705a763edbe60bd2a87e5f882beb)
(cherry picked from commit
4f9ed8f66eb57142f4bedd667230b55bbf8da366)
Hansong Zhang [Thu, 12 Apr 2018 23:01:19 +0000 (16:01 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Bug:
74202041
Bug:
74196706
Bug:
74201143
Test: manual
Change-Id: Ic25f7f3777d0375f76cc91e4d129b1636f1c388d
(cherry picked from commit
1bbea25a24004a371f4aed1c69b976fd23407d73)
Hansong Zhang [Thu, 12 Apr 2018 19:23:36 +0000 (12:23 -0700)]
DO NOT MERGE Add bounds check for BNEP_Write
Bug:
74947856
Test: manual
Change-Id: I19d9dee53b9cac800c66becef4861e4ad9602bdf
(cherry picked from commit
769aeaaf444e08bad9d4e902242a3b8a1765202d)
Stanley Tng [Thu, 5 Apr 2018 16:54:13 +0000 (09:54 -0700)]
DO NOT MERGE Handle bad packet length in gatts_process_read_req
Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Please note that there is another earlier CL that is reverted and this
is the updated one.
Bug:
73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit
cc9c7330d1c3507d745170ae7b2e0546197b7acb)
(cherry picked from commit
810e669d7ae55dd50ec1ea159cd87c3f1cdf5695)
Stanley Tng [Wed, 4 Apr 2018 23:38:22 +0000 (16:38 -0700)]
DO NOT MERGE Drop LE CoC fragments when frame size is too big
Drop the LE CoC data fragments when the received fragment size is too
big.
Test: Runs LE CoC SL4A test, BleCocTest.
Bug:
75298652
Merged-In: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
Change-Id: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
(cherry picked from commit
235eab9efd27469ac0dd82f63d198421f0e0f400)
Myles Watson [Wed, 21 Mar 2018 23:45:32 +0000 (16:45 -0700)]
DO NOT MERGE: PAN: Always allocate in bta_pan_data_buf_ind_cback
Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free. Move the free call to pan_data_buf_ind_cb().
Free the buffer before every return in pan_data_buf_ind_cb.
Bug:
74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
(cherry picked from commit
2e0deb1d135805b37697f0e02a55269c6cc500fe)
(cherry picked from commit
e04c8be75d115e5d241afe95148e0093ef8c72eb)
Hansong Zhang [Mon, 2 Apr 2018 16:29:49 +0000 (09:29 -0700)]
DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result
Check the number of UUIDs from remote device
Bug:
74016921
Test: manual
Change-Id: I7e1fd420c96bdb4d8b1bb129eb85045f9e3da443
(cherry picked from commit
f55b3093f1c5659da16c3df2670edd9089844526)
Ajay Panicker [Fri, 2 Feb 2018 09:11:37 +0000 (01:11 -0800)]
DO NOT MERGE: AVRCP: Check number of text attribute values in response
Test: Build
Bug:
71603410
Change-Id: I6f822b0bc7fc2fb042a70b64cff61583a86b36e2
(cherry picked from commit
8a6fb368847794adb2365f91aa60a36a61d02607)
Hansong Zhang [Fri, 9 Feb 2018 23:23:07 +0000 (15:23 -0800)]
DO NOT MERGE Truncate new line characters when adding string to config
Bug:
70808273
Test: test with a device with newline character in name
Change-Id: Ie7e0b5d93047bc12a9cb84cc15f7f68f38f36441
(cherry picked from commit
01facbcf9762e93010744edfa9bd04a46f95be6e)
Ajay Panicker [Fri, 2 Feb 2018 08:56:43 +0000 (00:56 -0800)]
DO NOT MERGE: AVRCP: Check number of text attributes in response
Test: Build
Bug:
71603315
Change-Id: Ieda5e410057062533ae09bd977bfe7f758a55140
(cherry picked from commit
07900311fbd68eba44c46ed491368597a63ae770)
Ajay Panicker [Fri, 2 Feb 2018 09:26:34 +0000 (01:26 -0800)]
DO NOT MERGE: AVRCP: Initialize buffer for attribute values to be written to
Test: Build
Bug:
71603553
Change-Id: I978270605cfaa3b833d6c19f1b1d2cd5a82ac079
(cherry picked from commit
aeff2c709c34a56058f3a67a86acf96733bd6061)
Myles Watson [Fri, 12 Jan 2018 01:43:40 +0000 (17:43 -0800)]
DO NOT MERGE: SDP: Check p_req_end before reading from p_req
Bug:
69384124
Test: Connect a headset
Change-Id: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
(cherry picked from commit
d321b13feaebb6ce83d4c449b3ef500ddbbef716)
xiezhongtian [Fri, 2 Feb 2018 11:14:19 +0000 (19:14 +0800)]
Avoid crash for Broadcom 2070 Bluetooth
Myles Watson [Wed, 10 Jan 2018 17:51:28 +0000 (09:51 -0800)]
PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
Patch from b/
67078939
Test: build
Bug:
67110692
Change-Id: I63b857d031c55d3a0754e4101e330843eb422b2a
Merged-In: I63b857d031c55d3a0754e4101e330843eb422b2a
(cherry picked from commit
bcad4b57fa67826fa254e987959b2666616fd6e9)
Myles Watson [Thu, 11 Jan 2018 22:20:26 +0000 (14:20 -0800)]
BNEP: Check received frame type
Bug:
68818034
Test: build
Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
Merged-In: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
(cherry picked from commit
c1778018189498da0ecb35e9356d11c9dc315353)
Myles Watson [Thu, 11 Jan 2018 00:32:59 +0000 (16:32 -0800)]
SDP: Pass the bounds to process_service_*_rsp
Test: build
Bug:
68161546
Change-Id: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
Merged-In: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
(cherry picked from commit
88beb384eb3ab97d3da2902e3477e68e44345bd2)
Pavlin Radoslavov [Fri, 12 Jan 2018 01:28:16 +0000 (17:28 -0800)]
Allocate/free the SDP connection timers only during stack startup/shutdown
This avoids freeing the sdp_conn_timer within the alarm callback itself.
Bug:
67110137
Test: Manual
Change-Id: I775b4b532cd42cf207258c53c6052a167a124627
Merged-In: I775b4b532cd42cf207258c53c6052a167a124627
(cherry picked from commit
ef6a4a0c9d9220a7d909863349d7a0c0b967d54c)
(cherry picked from commit
486d27733fd3db14575370985ae50a02cbb193d4)
Hansong Zhang [Thu, 11 Jan 2018 00:59:48 +0000 (16:59 -0800)]
DO NOT MERGE Fix unexpected behavior in reading BNEP packets
Bug:
67863755
Bug:
69177251
Bug:
69177292
Bug:
69271284
Test: BNEP still works
Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372
(cherry picked from commit
1ba7a489f57252de63d95d0374fccc002fe3d35a)
Stanley Tng [Wed, 10 Jan 2018 21:13:15 +0000 (13:13 -0800)]
DO NOT MERGE Remove memory reference to invalid mem in error log
Remove the memory reference to an invalid memory inside an error log
message.
Test: Edit code to force the error condition and make sure the new error
log does not crashed.
Bug:
67058064
Merged-In: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
Change-Id: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
(cherry picked from commit
11cd7277a1d0da9013a8381cddbfc096e9adaed6)
(cherry picked from commit
c779dc72e098a65fea6774d7ffdd036086ef7cd2)
Ajay Panicker [Thu, 11 Jan 2018 04:50:20 +0000 (20:50 -0800)]
DO NOT MERGE: AVRCP: Check the number of text value attributes requested
Test: Builds
Bug:
69479009
Change-Id: Ibd6a448eda65f857ddfacc1ee7ad1ead3b46fb8d
(cherry picked from commit
03ffdc94b07ad40d99b298137877aa9b5ebecb58)
Ajay Panicker [Thu, 11 Jan 2018 00:34:50 +0000 (16:34 -0800)]
DO NOT MERGE: AVRCP: Check the number of text attributes requested
Test: Build
Bug:
69478941
Change-Id: Ic7e2632e5dab9031703b2bf8747e27f90f92f0e4
(cherry picked from commit
1661401e3a7b535f4c7eccfc15e4f228bf385eea)
Hansong Zhang [Wed, 10 Jan 2018 03:43:20 +0000 (19:43 -0800)]
DO NOT MERGE Fix unexpected behavior in SDP
Bug:
68776054
Bug:
68817966
Test: Bluetooth SDP still works
Change-Id: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
Merged-In: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
(cherry picked from commit
968df7a80cc1901fb63ec0eb7a5080f64da3819e)
Pavlin Radoslavov [Mon, 8 Jan 2018 19:37:05 +0000 (11:37 -0800)]
Removed alarm callback execution statistics
Updating the alarm state after the callback returns can be problematic
in case the callback itself deleted the alarm.
Bug:
67110137
Test: Manual
Change-Id: Id4de06eebedb792cadd63d09efb68672e9bddc69
Merged-In: Id4de06eebedb792cadd63d09efb68672e9bddc69
(cherry picked from commit
04574e1cde3b0d46b59b4b6ebab935ac60af9f97)
(cherry picked from commit
b9ebb4ab26e27d0701d43faee775c1b1975d0191)
Chih-Wei Huang [Thu, 4 Jan 2018 08:43:21 +0000 (16:43 +0800)]
Merge tag 'android-7.1.2_r36' into nougat-x86
Android 7.1.2 Release 36 (N2G48H)
android-build-team Robot [Fri, 3 Nov 2017 19:55:59 +0000 (19:55 +0000)]
Merge cherrypicks of [
3166006,
3165952,
3164925,
3164926,
3164927,
3164928,
3167313,
3167314,
3167315,
3167316,
3167317,
3167318,
3167319,
3167320,
3167321,
3167322,
3166318,
3166319,
3166320,
3166321,
3166322,
3166323,
3166324,
3167333,
3167334,
3167373,
3165112,
3166325,
3165229,
3165230] into nyc-mr2-release
Change-Id: I021f1a3719f16c3ea2e9b47d3a5c039f5a83a1ca
Scott Bauer [Fri, 7 Apr 2017 00:35:40 +0000 (18:35 -0600)]
Read the correct amount of attributes
bta_gattc_cache_load currently attempts to read 0xFF attributes into an
allocation sized to num_attr attributes, which can be smaller than 0xFF.
There aren't more than num_attr bytes in correct data, but this breaks
with dynamic buffer overflow checking in CopperheadOS for the read
system call since fread ends up calling read, which obtains the size of
the allocation from the malloc implementation and then aborts due to the
(potential) overflow.
This would also fail with the default enabled _FORTIFY_SOURCE=2 feature
in the Android Open Source Project if osi_malloc was marked with the
alloc_size attribute. The way it wraps malloc loses that information so
fortify checks aren't done for calls like this.
Bug:
37160362
Change-Id: I68bd170d5378c9d9d21cbda376083bc0b857e15c
Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
[migrated to C++ file, added 0xFFFF limit and wrote commit message]
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
(cherry picked from commit
8eb6493ad56ed4fd8310bf96042cc54eb5b450dd)
Scott Bauer [Fri, 7 Apr 2017 00:35:40 +0000 (18:35 -0600)]
Read the correct amount of attributes
bta_gattc_cache_load currently attempts to read 0xFF attributes into an
allocation sized to num_attr attributes, which can be smaller than 0xFF.
There aren't more than num_attr bytes in correct data, but this breaks
with dynamic buffer overflow checking in CopperheadOS for the read
system call since fread ends up calling read, which obtains the size of
the allocation from the malloc implementation and then aborts due to the
(potential) overflow.
This would also fail with the default enabled _FORTIFY_SOURCE=2 feature
in the Android Open Source Project if osi_malloc was marked with the
alloc_size attribute. The way it wraps malloc loses that information so
fortify checks aren't done for calls like this.
Bug:
37160362
Change-Id: I68bd170d5378c9d9d21cbda376083bc0b857e15c
Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
[migrated to C++ file, added 0xFFFF limit and wrote commit message]
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
(cherry picked from commit
8eb6493ad56ed4fd8310bf96042cc54eb5b450dd)
android-build-team Robot [Thu, 28 Sep 2017 17:17:11 +0000 (17:17 +0000)]
Merge cherrypicks of [
2973982,
2974657,
2974658,
2973983,
2973984,
2974689,
2974690,
2974691,
2974692,
2974710,
2974711,
2974713,
2974714,
2974215,
2974216,
2974217,
2974218,
2974219,
2974220,
2974729,
2974730,
2974731,
2974732,
2974733,
2974734,
2974735,
2974736,
2974737,
2974738,
2974739,
2974740,
2974741,
2974742,
2974749,
2974750,
2974751,
2974752,
2974753,
2974647,
2974744,
2974693,
2974694,
2974648,
2974513,
2974665,
2974746] into nyc-mr2-release
Change-Id: I1343a6e044021a57cb32927982ac6a2582d330a1
Andre Eisenbach [Tue, 8 Aug 2017 22:41:21 +0000 (15:41 -0700)]
SDP: Bounds check 'id' parameter for free_sdp_slot()
Merged-In: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7
Test: manual
Fixes:
37502513
Change-Id: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7
(cherry picked from commit
b413f1b1365af4273647727e497848f95312d0ec)
(cherry picked from commit
82e4754aaafe820619a51f8eeaa858db8735d9c1)
Andre Eisenbach [Tue, 8 Aug 2017 22:41:21 +0000 (15:41 -0700)]
SDP: Bounds check 'id' parameter for free_sdp_slot()
Merged-In: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7
Test: manual
Fixes:
37502513
Change-Id: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7
(cherry picked from commit
b413f1b1365af4273647727e497848f95312d0ec)
(cherry picked from commit
82e4754aaafe820619a51f8eeaa858db8735d9c1)
android-build-team Robot [Thu, 27 Jul 2017 00:30:23 +0000 (00:30 +0000)]
Merge cherrypicks of [
2607234,
2607235,
2606313,
2607236,
2607238,
2607239,
2606314,
2606315,
2607240,
2606316,
2606317,
2607241,
2607242,
2607243,
2607244,
2607370,
2607371,
2607245,
2607246,
2607247,
2607248,
2607249,
2607372,
2607390,
2607391,
2607392,
2607393,
2607373,
2607394,
2607397,
2607398,
2607375,
2607401,
2607376,
2607402,
2607377,
2607403,
2607404,
2607378,
2607405,
2607379,
2607380,
2607381,
2607406,
2607382,
2607407,
2607408,
2607409] into nyc-mr2-release
Change-Id: Ia2067c24c334563afb1f54dca60a79a350d568f0
Pavlin Radoslavov [Tue, 18 Jul 2017 01:12:10 +0000 (18:12 -0700)]
Add missing extension length check while parsing BNEP control packets
Bug:
63146237
Test: External script
Change-Id: I4e519cec1c7dffb8bd42add00bd891e0969a3d9f
(cherry picked from commit
9ab89b7dbe5735b796799f65144efa48595d0230)
(cherry picked from commit
dc7700a43189d2a8607b69ae19a6d646f11ddf51)
(cherry picked from commit
c7874f25a0557ca4413d8db80bab8da842fc389a)
(cherry picked from commit
187bd8aec0aae63c6328981041e5ec7764ece6a9)
(cherry picked from commit
01f46e0aff705dab350cda7f648fb94976ea3988)
(cherry picked from commit
e07d37969e654fd6be308232b15c1ed716205543)
Pavlin Radoslavov [Tue, 18 Jul 2017 00:21:16 +0000 (17:21 -0700)]
Free p_pending_data from tBNEP_CONN to avoid potential memory leaks
Bug:
63146105
Test: External script
Change-Id: I1281779ccf38d1d2dfb1a6dc0e45c0e533cabbca
Merged-In: I1281779ccf38d1d2dfb1a6dc0e45c0e533cabbca
(cherry picked from commit
4982eb5df30cbcbee5c8b8807be95fdc6dfa63c5)
(cherry picked from commit
a654681c5558904a8abfa1bbab8eafb651c13231)
(cherry picked from commit
64a12d3b6e71d9161837f28ce18c34d924c2bafc)
(cherry picked from commit
8f18afd26c02ae3d46bf14d6e36017965dee0394)
(cherry picked from commit
f8fc7f7d112d5ff2064aaaa3c7fceb077169183e)
Pavlin Radoslavov [Thu, 13 Jul 2017 00:33:42 +0000 (17:33 -0700)]
Add a missing check for PAN buffer size before copying data
Bug:
63146237
Test: External script
Change-Id: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
Merged-In: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
(cherry picked from commit
1d909399cb4259243dac2e531e3ce6ca1afa77e7)
(cherry picked from commit
aa486ad8b5ad6eaef732e5fa7f151495c8c3faf2)
(cherry picked from commit
a8a6a17fdfc8d930ba4ad18f92cf4453cc1a219e)
(cherry picked from commit
d1145e0af3507e37d4bd25f1833e22c5c716f0ac)
(cherry picked from commit
23642dc32ce8704067882cfb37745b62c2b3562a)
Pavlin Radoslavov [Thu, 13 Jul 2017 02:10:12 +0000 (19:10 -0700)]
Add missing packet length checks while parsing BNEP control packets
Bug:
63146237
Test: External script
Change-Id: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
Merged-In: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
(cherry picked from commit
7feaeb006941a1494d7cdc0a2ffc4bb1004b38b4)
(cherry picked from commit
6d415839da570b94b0763f6ab444f0dd1321fc33)
(cherry picked from commit
c68554feb3ddfd31cdec6d81a4b73a959c1b2a09)
(cherry picked from commit
3775b3c49e5d62349fd1f3dfb743fabadb43ea75)
(cherry picked from commit
f31afd3836184edccdfc8393dc4d168b0cfd912b)
Pavlin Radoslavov [Thu, 13 Jul 2017 01:56:03 +0000 (18:56 -0700)]
Add missing continuation offset check for SDP continuation requests
Bug:
63146698
Test: External script
Change-Id: Iea52f1689dc12bfe0d4b57996f17db4bc3bd5983
Merged-In: Iea52f1689dc12bfe0d4b57996f17db4bc3bd5983
(cherry picked from commit
e776c834768bedd043ace7e5714390b61c96a248)
(cherry picked from commit
10ce685cb025f6854be4ecc5329f2f684fd9ea5d)
(cherry picked from commit
3488364721ec066a03af14076bd312d27173115d)
Pavlin Radoslavov [Thu, 13 Jul 2017 01:39:31 +0000 (18:39 -0700)]
Disable PAN Reverse Tethering when connection originated by the Remote
* Check for valid interactions between the three PAN profile roles per
Table 1 in PAN Profile v1.0 spec.
* Explicitly disable connections to the local PANU if the remote is
not PANU.
Bug:
63145701
Test: External script
Change-Id: I29a7e404ba7e4453b6a7c59148a2b3eb7395303a
Merged-In: I29a7e404ba7e4453b6a7c59148a2b3eb7395303a
(cherry picked from commit
9aea2c2f92dd5245f6b35d564ce8e471fec2b4ec)
(cherry picked from commit
3f2ee5b546b65b5b021779588316249276ed3827)
(cherry picked from commit
40c7cefb12ac1a70bf7b1c770c1ab21a5b3f229e)
(cherry picked from commit
f7a7f7a948e38195e8ca897785ac5d489082f0cc)
(cherry picked from commit
b40497b27a0dce81d11f0dca09af6d81abf4bd92)
OSDN Git Service
