OSDN Git Service
Chih-Wei Huang [Wed, 5 Jun 2019 09:35:26 +0000 (17:35 +0800)]
Merge tag 'android-8.1.0_r65' into oreo-x86
Android 8.1.0 release 65
Chih-Wei Huang [Thu, 30 May 2019 09:04:59 +0000 (17:04 +0800)]
Support generic USB Bluetooth adapter
Find USB Bluetooth adapter according to device class and subclass.
See https://www.usb.org/defined-class-codes#anchor_BaseClassE0h.
Chih-Wei Huang [Thu, 30 May 2019 02:50:19 +0000 (10:50 +0800)]
hciblecmds: remove unnecessary checking
This fixes Bluetooth USB dongle support.
Chih-Wei Huang [Wed, 29 May 2019 03:56:16 +0000 (11:56 +0800)]
Replace Bluetooth HAL by Intel's implementation
Linaro's implementation is buggy.
Chih-Wei Huang [Fri, 24 May 2019 07:01:27 +0000 (15:01 +0800)]
Add back libbt-vendor
Chih-Wei Huang [Mon, 20 May 2019 09:39:52 +0000 (17:39 +0800)]
Merge tag 'android-8.1.0_r64' into oreo-x86
Android 8.1.0 Release 64 (OPM8.190505.001)
android-build-team Robot [Thu, 2 May 2019 06:21:28 +0000 (06:21 +0000)]
Merge cherrypicks of [7293853, 7292376, 7293922] into oc-m8-release
Change-Id: Idcedfcefb63c6a909de08d4ca448ad5405968bee
Myles Watson [Wed, 1 May 2019 18:31:46 +0000 (18:31 +0000)]
Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"
This reverts commit f3681c8616af4d052c410ba3e88747541a974bf5.
Bug: 79703832
Bug: 130553855
Reason for revert: Regression with cross-key pairing
Change-Id: If8652936eb3b24b3d1b3fded0be200bb986b70e3
(cherry picked from commit c0c3804acd096a6c0fd3bd50b66c9579fed95a94)
android-build-team Robot [Tue, 16 Apr 2019 22:37:44 +0000 (22:37 +0000)]
Merge cherrypicks of [7077328, 7074021, 7074022, 7077576, 7077577, 7077578, 7077579] into oc-m8-release
Change-Id: I13b58695eb4e461c6f451855cd54cd90219b3ca4
Jakub Pawlowski [Mon, 11 Mar 2019 18:22:01 +0000 (19:22 +0100)]
DO NOT MERGE Don't persist bonds using sample LTK
Test: compilation, manual testing
Bug: 128843052
Change-Id: I52fd484d42bf87e96dbc9e6456090f231ed48111
(cherry picked from commit 054dcec1c9b6ac732e7380c5e921407cd316474f)
Jakub Pawlowski [Thu, 14 Feb 2019 11:44:06 +0000 (12:44 +0100)]
DO NOT MERGE Drop Bluetooth connection with weak encryption key
This patch requires Bluetooth chip to support HCI Read Encryption Key Size
command and will cause Bluetooth to crash if this command is not supported
on a device. Such device should not take this patch and should look for
alternative solution to drop Bluetooth connection with weak encryption key.
Bug: 124301137
Change-Id: Id4b6b4e765628397a79e6806f45c2cd27acebd5b
(cherry picked from commit e32d4aa7a4b02dd39e918b3b3efae0ccc60ef588)
android-build-team Robot [Tue, 19 Feb 2019 22:40:22 +0000 (22:40 +0000)]
Merge cherrypicks of [...] into oc-m8-release
Change-Id: Iadc4f830ab9ad69e26c783994413486d31c50c2a
Hansong Zhang [Thu, 10 Jan 2019 02:18:17 +0000 (18:18 -0800)]
btm_proc_smp_cback: Don't access p_dev_rec if freed
In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free
Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
(cherry picked from commit 953dd279502980b1d8d30656eb78c6445a6e31f7)
Ugo Yu [Fri, 2 Nov 2018 12:32:14 +0000 (20:32 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)
- Do not stay in bonding state if the device is paired but still
  discovering service.
- Report BOND_BONDED to Java after authentication is completed.
- Report empty UUID to Java if a classic Bluetooth device SDP
  failed while pairing.
- Hold BOND_BONDED intent until SDP is finished.
- Only accept profile connection for the device is at bonded
  state. Any attempt to connect while bonding would potentially
  lead to an unauthorized connection.
Bug: 79703832
Test: runtest bluetooth
Change-Id: I023713e07308bfc0e5bb8d67f386bcc50f6a0f85
(cherry picked from commit 122e115b87fe98ca5e5e65b9765c146f9e52b65e)
(cherry picked from commit f3681c8616af4d052c410ba3e88747541a974bf5)
Hansong Zhang [Mon, 14 Jan 2019 22:59:35 +0000 (14:59 -0800)]
process_l2cap_cmd: Fix OOB
Bug: 119870451
Test: POC
Change-Id: I2f5e7fedd9aed96c4ffc55af79fdac61c2e5b087
Merged-In: I5131bbf9cda6248fdbbc4bb91916b2fe3731246e
(cherry picked from commit 94fd011bc9a72081cc691ed7d6e6eec42e9f4539)
Hansong Zhang [Wed, 16 Jan 2019 20:33:26 +0000 (12:33 -0800)]
btm_ble_multi_adv: Check data length in HCI interface
For BleAdvertiserVscHciInterfaceImpl and
BleAdvertiserLegacyHciInterfaceImpl, the maximum size of scan response
and advertising packet data length should be BTM_BLE_AD_DATA_LEN (31).
Bug: 121145627
Test: POC
Change-Id: I7653a6c186b7313ef2b1547bca120b9d41c90140
(cherry picked from commit a99fe8a175a6d209e741871544ae3f857c8a7cbb)
android-build-team Robot [Wed, 16 Jan 2019 18:57:19 +0000 (18:57 +0000)]
Merge cherrypicks of [...] into oc-m8-release
Change-Id: I27e774674fdab8b33d306a723f98a6038ddfd637
Stanley Tng [Tue, 11 Dec 2018 22:45:13 +0000 (14:45 -0800)]
DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu
Add check to make sure that data buffer is big enough to read the 2
bytes for length.
Also, fix a regression from the previous CL that checks the buffer length
before doing a memcpy. The previous check is too strict causing valid
sized buffers to be rejected. The length check is incorrect and off by the header size.
Bug: 120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
(cherry picked from commit fcb1994de1f6ee34b8dc6804a2b32e20bf138073)
(cherry picked from commit 1f1d8b97d80d25023c4c7b04d2aa18d367f4158d)
(cherry picked from commit 6b2739f309f7719086eb8201b3e1a35ba60035f4)
(cherry picked from commit 8f52ed93ba0fe67c310473b539d37c7201c83454)
Chih-Wei Huang [Tue, 8 Jan 2019 08:16:56 +0000 (16:16 +0800)]
Merge tag 'android-8.1.0_r60' into oreo-x86
Android 8.1.0 Release 60 (OPM8.190105.002)
Chih-Wei Huang [Fri, 21 Dec 2018 09:19:56 +0000 (17:19 +0800)]
Merge tag 'android-8.1.0_r53' into oreo-x86
Android 8.1.0 release 53
android-build-team Robot [Fri, 7 Dec 2018 21:43:36 +0000 (21:43 +0000)]
Merge cherrypicks of [...] into oc-m8-release
Change-Id: I5edb98075600b97febb2b505a02ee7246d7e4612
Ugo Yu [Tue, 13 Nov 2018 12:03:28 +0000 (20:03 +0800)]
Add OOB check in avrc_pars_browse_rsp
Bug: 111451066
Test: Manually
Change-Id: I068d218b8957bb8f053148d252a9119a8def28cc
(cherry picked from commit f44cbb20e7658116472981bac0ffb0305f4a2c04)
Jakub Pawlowski [Tue, 27 Nov 2018 17:22:22 +0000 (18:22 +0100)]
Fix buffer overflow in btif_dm_data_copy
When we use a union, we should always define variables as the union type,
not as one of the field subtypes. If the latter is cast to the union type,
buffer overflow can happen.
Bug: 110166268
Test: compilation
Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd
Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd
(cherry picked from commit 64c6f33e7e3245f0bc2109001893704763a2ff79)
Jakub Pawlowski [Tue, 20 Nov 2018 21:31:31 +0000 (22:31 +0100)]
Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df)
android-build-team Robot [Mon, 26 Nov 2018 17:21:00 +0000 (17:21 +0000)]
Merge cherrypicks of [...] into oc-m8-release
Change-Id: I1404e0a821b4c44bd5a924a6e10dc3928672437f
Chienyuan [Thu, 11 Oct 2018 01:47:46 +0000 (09:47 +0800)]
DO NOT MERGE HFP: Check AT command buffer boundary during parsing
* add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback
and bta_ag_at_hfp_cback to indicate effective data range of p_arg
* add checks for buffer copy overflow in bta_ag_at_hsp_cback and
bta_ag_at_hfp_cback
* add packet length checks with p_end in bta_ag_parse_cmer
* add packet length checks with p_end in bta_ag_parse_bac
Bug: 112860487
Test: manual
Change-Id: I6bbbc2ba29ad025c7d3ba023d8191af6a11c4aa9
(cherry picked from commit 749063afebb8324276a47bdfbf320aa70f94a8ba)
(cherry picked from commit 9cb959d00d33737b399377cfc0f4070081d48f5e)
Myles Watson [Thu, 25 Oct 2018 21:33:33 +0000 (14:33 -0700)]
DO NOT MERGE: HH: Check parameter length in bta_hh_ctrl_dat_act
Bug: 116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit ff8a52d8fefed1ba38f424b1db48a81d46cb7226)
Myles Watson [Thu, 25 Oct 2018 00:05:12 +0000 (17:05 -0700)]
DO NOT MERGE: SDP: Check p_end in save_attr_seq and add_attr
Bug: 115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit 2aad270709f01481e91f7fdaafbebee49130cd28)
Myles Watson [Thu, 25 Oct 2018 22:27:03 +0000 (15:27 -0700)]
DO NOT MERGE: MCAP: Check response length in mca_ccb_hdl_rsp
Bug: 116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit f34d740521ec583b0089fdeca283748a809a9c1a)
Ugo Yu [Mon, 29 Oct 2018 16:47:04 +0000 (00:47 +0800)]
DO NOT MERGE: Fix possible OOB when AVDT data channel receives ACL data
Bug: 111450156
Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af)
(cherry picked from commit f349ff0c65523437b3f20ef54a7b0e5fd56364dc)
android-build-team Robot [Fri, 19 Oct 2018 16:33:43 +0000 (16:33 +0000)]
Merge cherrypicks of [...] into oc-m8-release
Change-Id: If387e42363401bc4f4c362de2b66e910b38d7239
Jakub Pawlowski [Wed, 10 Oct 2018 17:35:37 +0000 (19:35 +0200)]
Fix possible OOB read
Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad)
Ugo Yu [Mon, 17 Sep 2018 07:59:30 +0000 (15:59 +0800)]
DO NOT MERGE - Check SDU lower bound before allocate p_data
Bug: 112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit 6fc96f847be808a4f38eae45b5e9bbc3f18b9a2d)
Chih-Wei Huang [Tue, 9 Oct 2018 10:01:42 +0000 (18:01 +0800)]
Merge tag 'android-8.1.0_r48' into oreo-x86
Android 8.1.0 release 48
android-build-team Robot [Tue, 11 Sep 2018 23:09:09 +0000 (23:09 +0000)]
Merge cherrypicks of [...] into oc-m8-release
Change-Id: I85beb831bb99d381e91572820887d034e9e4c942
Pavlin Radoslavov [Thu, 6 Sep 2018 01:21:31 +0000 (18:21 -0700)]
Check data length when parsing AVRCP vendor specific command responses
Bug: 111450531
Bug: 111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)
Pavlin Radoslavov [Thu, 6 Sep 2018 22:41:27 +0000 (15:41 -0700)]
DO NOT MERGE - Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()
Bug: 111450417
Test: PoC test program
Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
(cherry picked from commit 2692408d05bf16738284b61833649cee5d2a2233)
Chih-Wei Huang [Mon, 10 Sep 2018 16:20:37 +0000 (00:20 +0800)]
Merge tag 'android-8.1.0_r46' into oreo-x86
Android 8.1.0 Release 46 (OPM6.171019.030.K1)
android-build-team Robot [Thu, 30 Aug 2018 04:26:40 +0000 (04:26 +0000)]
Merge cherrypicks of [4897833, 4897834, 4897835] into oc-m8-release
Change-Id: I67a29ac6b41042b98bf78c34151436502cc23c43
Hansong Zhang [Fri, 13 Jul 2018 20:45:46 +0000 (13:45 -0700)]
Fix a wrong check in rfc_parse_data
Bug: 78288018
Bug: 111436796
Test: manual
Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a
(cherry picked from commit d1ced302cd1066087588c891027b1756be31db46)
Hansong Zhang [Thu, 7 Jun 2018 23:18:52 +0000 (16:18 -0700)]
Add bound check for rfc_parse_data
Bug: 78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit 6039cb7225733195192b396ad19c528800feb735)
android-build-team Robot [Thu, 16 Aug 2018 16:58:55 +0000 (16:58 +0000)]
Merge cherrypicks of [4793902] into oc-m8-release
Change-Id: I91773bc663618ed079887b7501b81bfb21e7abfb
Hansong Zhang [Thu, 16 Aug 2018 16:46:45 +0000 (09:46 -0700)]
Fix build failure in stack/rfcomm/rfc_ts_frames.c
Test: compile
Bug: 112673718
Change-Id: I93cd39f943dd2f0fb65b785c15dc91649c7ee384
(cherry picked from commit eb3e2528714bd6ea59ad369798f522d75a2e55c7)
android-build-team Robot [Thu, 16 Aug 2018 01:24:41 +0000 (01:24 +0000)]
Merge cherrypicks of [...] into oc-m8-release
Change-Id: Ic84dec3c93161420dd4c72ee698154e8188d1ac7
Cheney Ni [Tue, 7 Aug 2018 13:32:07 +0000 (21:32 +0800)]
Add packet length checks in mca_ccb_hdl_req
Bug: 110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
(cherry picked from commit 4de7ccdd914b7a178df9180d15f675b257ea6e02)
Cheney Ni [Wed, 8 Aug 2018 14:40:27 +0000 (22:40 +0800)]
Checks the SMP length to fix OOB read
Bug: 111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
(cherry picked from commit 4978acce4af0c3975ffde9386b7da38f88bb1711)
Ugo Yu [Wed, 8 Aug 2018 08:09:58 +0000 (16:09 +0800)]
Add packet length check in smp_proc_master_id
Bug: 111937027
Test: manual
Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075
(cherry picked from commit c8294662d07a98e9b8b1cab1ab681ec0805ce4e8)
Pavlin Radoslavov [Thu, 9 Aug 2018 20:07:48 +0000 (13:07 -0700)]
Add missing AVRCP message length checks inside avrc_msg_cback
Explicitly check the length of the received message before
accessing the data.
Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
(cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)
Ugo Yu [Wed, 8 Aug 2018 06:46:42 +0000 (14:46 +0800)]
DO NOT MERGE Fix OOB read before buffer length check
Bug: 111936834
Test: manual
Change-Id: Ib98528fb62db0d724ebd9112d071e367f78e369d
(cherry picked from commit 4548f34c90803c6544f6bed03399f2eabeab2a8e)
Chienyuan [Wed, 8 Aug 2018 03:21:28 +0000 (11:21 +0800)]
Check packet length in bta_av_proc_meta_cmd
Bug: 111893951
Test: manual - connect A2DP
Change-Id: Ibbf347863dfd29ea3385312e9dde1082bc90d2f3
(cherry picked from commit ed51887f921263219bcd2fbf6650ead5ec8d334e)
Hansong Zhang [Mon, 6 Aug 2018 21:40:37 +0000 (14:40 -0700)]
Fix OOB read in avrc_ctrl_pars_vendor_rsp
Bug: 78526423
Test: manual
Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91
(cherry picked from commit d945ada503ed9c9ea24e092df51faba57f5d589a)
Hansong Zhang [Wed, 8 Aug 2018 18:31:28 +0000 (11:31 -0700)]
Check remaining frame length in rfc_process_mx_message
Bug: 111936792
Bug: 80432928
Test: manual
Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
(cherry picked from commit 0471355c8b035aaa2ce07a33eecad60ad49c5ad0)
Jakub Pawlowski [Mon, 16 Jul 2018 13:40:35 +0000 (06:40 -0700)]
Fix copy length calculation in sdp_copy_raw_data
Test: compilation
Bug: 110216176
Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
(cherry picked from commit 23aa15743397b345f3d948289fe90efa2a2e2b3e)
Hansong Zhang [Thu, 14 Jun 2018 00:33:23 +0000 (17:33 -0700)]
DO NOT MERGE AVRC: Copy browse.p_browse_data in btif_av_event_deep_copy
p_msg_src->browse.p_browse_data is not copied, but used after the
original pointer is freed
Bug: 109699112
Test: manual
Change-Id: I1d014eb9a8911da6913173a9b11218bf1c89e16e
(cherry picked from commit 1d9a58768e6573899c7e80c2b3f52e22f2d8f58b)
android-build-team Robot [Fri, 10 Aug 2018 20:32:57 +0000 (20:32 +0000)]
Merge cherrypicks of [...] into sparse-4749909-L04200000199131547
Change-Id: I00e16e086aeb1e49834b5a7c98174418f934cc81
Hansong Zhang [Thu, 7 Jun 2018 21:25:09 +0000 (14:25 -0700)]
HID Host: Check L2CAP packet data length
Bug: 80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit ca47a05acb66218ff2123f8d4642961f7f2eb5e2)
Hansong Zhang [Thu, 12 Jul 2018 17:51:30 +0000 (10:51 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Test: manual
Bug: 79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
(cherry picked from commit 54c6a9dfd52ac6711d6f2101d233b276b2e3bb53)
Jakub Pawlowski [Fri, 22 Jun 2018 05:56:11 +0000 (22:56 -0700)]
Add packet length checks in l2cble_process_sig_cmd
Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit 02f47a752c818277b31852e3ff940764d5c7f9c7)
Jakub Pawlowski [Wed, 11 Jul 2018 09:57:07 +0000 (02:57 -0700)]
Don't use Address after it was deleted
Bug: 110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
(cherry picked from commit 9930f6f4e14e64966869b119994126283d645fd0)
Hansong Zhang [Wed, 27 Jun 2018 21:26:40 +0000 (14:26 -0700)]
HFP: Fix out of bound access in phone number processing
* Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
method
* Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
PhoneStateChange method
Bug: 79431031
Bug: 79266386
Test: make call with super long phone numbers
Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
Merged-In: I98e7687ac4055800aa46626c6b1c866e52e474df
(cherry picked from commit 820b4327b1359fb1b389e07fc0f8c5e1304a7bfa)
Jakub Pawlowski [Fri, 22 Jun 2018 11:46:39 +0000 (04:46 -0700)]
SDP: return error on offset bigger than attribute length
Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit 0a74ffa44cbe48f674387cc951e6011c28ca003c)
Hansong Zhang [Thu, 21 Jun 2018 23:53:41 +0000 (16:53 -0700)]
HIDD: Prevent integer underflow in bta_hd_act
Bug: 109757435
Bug: 109757168
Bug: 110846194
Bug: 109757986
Test: manual
Change-Id: I80a6f3f931ac7512f1ba801cc5d8de6ac04f3422
(cherry picked from commit 74a6392875166698b64b624d12b6d2e404b75d72)
Ajay Panicker [Tue, 5 Jun 2018 23:08:06 +0000 (16:08 -0700)]
DO NOT MERGE: Don't reuse buffer when building response
Bug: 79541338
Test: Compile and connect to remote headset
Change-Id: I2d808f941d3c71fcb6306c733717624be10478e0
(cherry picked from commit 9bbce8603846159dec0d506ba867b7616557a303)
Pavlin Radoslavov [Thu, 31 May 2018 18:04:54 +0000 (11:04 -0700)]
Add BT_HDR length check for received AVCTP packets
Bug: 79944113
Test: Code compilation
Change-Id: I02c76ab8fad61669394062bf34656ea32f465b6a
Merged-In: I02c76ab8fad61669394062bf34656ea32f465b6a
(cherry picked from commit 4262b932e487b19d578d79e0120cf03291f44efc)
(cherry picked from commit fa538540a7f147b8440ac49735a8dc596ce8dfc7)
Pavlin Radoslavov [Thu, 31 May 2018 02:26:16 +0000 (19:26 -0700)]
Add packet length check for received AVCTP packets
Bug: 79944113
Test: Manual: Custom test program and extra logging
Change-Id: Icde465fed723bf876ce3885d11099fddcb92de81
Merged-In: Icde465fed723bf876ce3885d11099fddcb92de81
(cherry picked from commit 2a934acf498a6b715cc7c634123aa403a70fe9e6)
(cherry picked from commit d6fb21d8d8ae20addfc51246d840151fc86d8572)
Pavlin Radoslavov [Thu, 31 May 2018 00:56:14 +0000 (17:56 -0700)]
Add checks whether the AVDTP element data length is valid
Bug: 78288378
Test: Manual: Python script and extra logging
Change-Id: I715b5977c833d33ff798f008fbf244effa13ea1f
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit 9b3f96f50287d8789aff6d6895d7ae02ca6ac619)
(cherry picked from commit ee30c88a8d49b30860d35b34a57c3037a4045678)
Jack He [Fri, 1 Jun 2018 21:00:42 +0000 (14:00 -0700)]
BNEP: Fix OOB access in bnep_data_ind
* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
is most likely triggered
Bug: 78286118
Bug: 79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
BNEP_EXTENSION_CONTROL packet
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit 3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit 0416340ffa61337dbaa2f6602ef85a1c32563ec2)
akirilov [Mon, 21 May 2018 18:45:55 +0000 (11:45 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (2/2)
Bug: 74075873
Test: manual
Change-Id: I9a7035a74aca3256c5712ea67a7435627b139c37
(cherry picked from commit 9d647b201b64949e04eade9b594af76c764dbb96)
akirilov [Mon, 21 May 2018 19:56:17 +0000 (12:56 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
Bug: 74075873
Test: manual test (poc in bug)
Change-Id: I56e87cfdf8731acca00cefac98abb2ba06f6e7ed
(cherry picked from commit 3575ba8ca36dccf7dcdb2dbf16ed170d549911d3)
Myles Watson [Tue, 29 May 2018 23:55:58 +0000 (16:55 -0700)]
DO NOT MERGE: SDP: Recalculate param_len after max_list_len
Bug: 78136869
Test: manual connection to an A2DP device
Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
(cherry picked from commit 9cc9eea21c7868034242b7ab8be750c565e46bfd)
Jakub Pawlowski [Tue, 29 May 2018 23:17:32 +0000 (16:17 -0700)]
Decrease length after reading from array in process_service_attr_req
Test: compilation
Bug: 78136677
Change-Id: I4807a350e2b4764a93f104ce88f23a957a7e85c0
(cherry picked from commit 6cd2e8bf6e5707e8e77e7aca6519c58200ee58db)
Hansong Zhang [Wed, 30 May 2018 00:38:39 +0000 (17:38 -0700)]
DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_event
Bug: 80145946
Test: manual
Change-Id: Ic83eaa4be868d5a345d80cd50a6915c0af719a53
(cherry picked from commit 519b61392a96fbd45bdcc0bfddc881167c20cc23)
Jakub Pawlowski [Wed, 23 May 2018 17:19:53 +0000 (10:19 -0700)]
GATT: Handle too short Error Response PDU
Since the spec is not clear what to do in this case, use one of
reserved error codes as a failure reason, and pass it to upper layers.
Bug: 79591688
Change-Id: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
Merged-In: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
(cherry picked from commit f63c4b652b3231c2b4907bffd13410c6eb2aa760)
Jakub Pawlowski [Thu, 24 May 2018 15:59:34 +0000 (08:59 -0700)]
Add PDU size checks in process_service_search_attr_rsp
Bug: 79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
(cherry picked from commit 980f6427b183e013958acd6b70e91f58177408a6)
Ajay Panicker [Fri, 13 Apr 2018 00:03:09 +0000 (17:03 -0700)]
Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
Bug: 74121659
Test: Compiles
Change-Id: Idf58e7b25b41ae1bd43cdd51de424b18e03cc7e8
(cherry picked from commit ca4f8a18bce9331360144f1dbc51db1e2525bcc3)
Ajay Panicker [Fri, 11 May 2018 19:03:07 +0000 (12:03 -0700)]
DO NOT MERGE: Check number of attributes before writing to a buffer
Bug: 73824150
Test: Compile
Change-Id: I2a28a503cd74758e707d1e591b55c278d2299f45
(cherry picked from commit f6db54f071f6974e18b10bb0c2cfcf397cd4c980)
Hansong Zhang [Fri, 11 May 2018 18:36:29 +0000 (11:36 -0700)]
DO NOT MERGE AVRC: Add bound check for AVRC_EVT_APP_SETTING_CHANGE
Test: manual
Bug: 73782082
Change-Id: I4e384a2f8c0d8c4af03bd5865b2e907321419c86
(cherry picked from commit 0061dd6ae30ebcebce695c212c8bc0ceb276710e)
Hansong Zhang [Thu, 26 Apr 2018 22:50:53 +0000 (15:50 -0700)]
DO NOT MERGE Prevent stack overflow in btif_storage
Bug: 73963551
Test: manual
Change-Id: I5f7a583aad150ebf9e3d492181d80ca935c8aa3f
(cherry picked from commit e8d311224277e9db5dc94cb94929125992f546f3)
Andre Eisenbach [Thu, 1 Mar 2018 21:27:01 +0000 (13:27 -0800)]
DO NOT MERGE SMP: Validate remote elliptic curve points
Fixes: 72377774
Test: net_test_stack_smp (where applicable)
Change-Id: Iefcf97364493467075fadefd77d12716f71cd4f6
(cherry picked from commit 9181ec28da94705a763edbe60bd2a87e5f882beb)
(cherry picked from commit e11ebfc21963ae905d58c034310efeca0e7cd2ee)
Hansong Zhang [Wed, 11 Apr 2018 23:04:51 +0000 (16:04 -0700)]
DO NOT MERGE Add bounds check for BNEP_Write
Bug: 74947856
Test: manual
Change-Id: If5db8c6b6e509a330ae74808fc3f0ffac137af14
(cherry picked from commit ae9d06c1dc84db36c0c4a07fc56a1fbf008cd1ce)
Hansong Zhang [Thu, 12 Apr 2018 18:58:49 +0000 (11:58 -0700)]
DO NOT MERGE Initialize local variable in gatts_process_read_by_type_req
Bug: 73125709
Test: manual
Change-Id: I8b3346f605e0820385ea5ed7401bbee664fd15aa
(cherry picked from commit 0e34139d7fa338df6c99aaba13eb839a3dbc2548)
Hansong Zhang [Thu, 12 Apr 2018 22:50:28 +0000 (15:50 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Bug: 74202041
Bug: 74196706
Bug: 74201143
Test: manual
Change-Id: Ic25f7f3777d0375f76cc91e4d129b1636f1c388d
(cherry picked from commit ff15adf5150527db1012b9f7777066522835e2db)
Myles Watson [Wed, 21 Mar 2018 23:45:32 +0000 (16:45 -0700)]
PAN: Always allocate in bta_pan_data_buf_ind_cback
Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free. Move the free call to pan_data_buf_ind_cb().
Free the buffer before every return in pan_data_buf_ind_cb.
Bug: 74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
(cherry picked from commit 98232b084c66368234d19fafe3076bc1c0f1b578)
Stanley Tng [Thu, 5 Apr 2018 16:54:13 +0000 (09:54 -0700)]
DO NOT MERGE Handle bad packet length in gatts_process_read_req
Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Please note that there is another earlier CL that is reverted and this
is the updated one.
Bug: 73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit cc9c7330d1c3507d745170ae7b2e0546197b7acb)
(cherry picked from commit 16f4c21be5bd0ea1968eee8a0f00648b1e326253)
Stanley Tng [Thu, 29 Mar 2018 00:12:28 +0000 (17:12 -0700)]
DO NOT MERGE Drop LE CoC fragments when frame size is too big
Drop the LE CoC data fragments when the received fragment size is too
big.
Test: Runs LE CoC SL4A test, BleCocTest.
Bug: 75298652
Merged-In: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
Change-Id: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
(cherry picked from commit 8365a2ace5e89d8b81bab468f0f9bc1137d773b4)
(cherry picked from commit 17db92e4fc3c7127c0ace625ff9735a9972eee70)
Hansong Zhang [Mon, 2 Apr 2018 17:05:56 +0000 (10:05 -0700)]
DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result
Check the number of UUIDs from remote device
Bug: 74016921
Test: manual
Change-Id: I1ca1f66bfc935f5fd219e8147511bdac7d2789ef
(cherry picked from commit 67ec216daa43f71adf103de6c4156c5a892c1460)
Hansong Zhang [Fri, 30 Mar 2018 23:27:37 +0000 (16:27 -0700)]
DO NOT MERGE Fix unexpected behavior in smp_sm_event
Bug: 74121126
Test: manual
Change-Id: Ie5dd841d6461ad057c4ab572007f38c5446aba53
(cherry picked from commit 652798b2f2d6c90e0fc95c00ccfb91e2870b03d4)
android-build-team Robot [Fri, 3 Aug 2018 19:21:15 +0000 (19:21 +0000)]
Merge cherrypicks of [...] into sparse-4732991-L01200000196794104
Change-Id: I5204d6196d849176ea6dd24498f8f2a4b8f8d7c8
Hansong Zhang [Thu, 7 Jun 2018 21:25:09 +0000 (14:25 -0700)]
HID Host: Check L2CAP packet data length
Bug: 80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit ca47a05acb66218ff2123f8d4642961f7f2eb5e2)
Hansong Zhang [Thu, 12 Jul 2018 17:51:30 +0000 (10:51 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd
Test: manual
Bug: 79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
(cherry picked from commit 54c6a9dfd52ac6711d6f2101d233b276b2e3bb53)
Jakub Pawlowski [Fri, 22 Jun 2018 05:56:11 +0000 (22:56 -0700)]
Add packet length checks in l2cble_process_sig_cmd
Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit 02f47a752c818277b31852e3ff940764d5c7f9c7)
Jakub Pawlowski [Wed, 11 Jul 2018 09:57:07 +0000 (02:57 -0700)]
Don't use Address after it was deleted
Bug: 110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
(cherry picked from commit 9930f6f4e14e64966869b119994126283d645fd0)
Hansong Zhang [Wed, 27 Jun 2018 21:26:40 +0000 (14:26 -0700)]
HFP: Fix out of bound access in phone number processing
* Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
method
* Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
PhoneStateChange method
Bug: 79431031
Bug: 79266386
Test: make call with super long phone numbers
Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
Merged-In: I98e7687ac4055800aa46626c6b1c866e52e474df
(cherry picked from commit 820b4327b1359fb1b389e07fc0f8c5e1304a7bfa)
Jakub Pawlowski [Fri, 22 Jun 2018 11:46:39 +0000 (04:46 -0700)]
SDP: return error on offset bigger than attribute length
Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit 0a74ffa44cbe48f674387cc951e6011c28ca003c)
Hansong Zhang [Thu, 21 Jun 2018 23:53:41 +0000 (16:53 -0700)]
HIDD: Prevent integer underflow in bta_hd_act
Bug: 109757435
Bug: 109757168
Bug: 110846194
Bug: 109757986
Test: manual
Change-Id: I80a6f3f931ac7512f1ba801cc5d8de6ac04f3422
(cherry picked from commit 74a6392875166698b64b624d12b6d2e404b75d72)
Ajay Panicker [Tue, 5 Jun 2018 23:08:06 +0000 (16:08 -0700)]
DO NOT MERGE: Don't reuse buffer when building response
Bug: 79541338
Test: Compile and connect to remote headset
Change-Id: I2d808f941d3c71fcb6306c733717624be10478e0
(cherry picked from commit 9bbce8603846159dec0d506ba867b7616557a303)
Pavlin Radoslavov [Thu, 31 May 2018 18:04:54 +0000 (11:04 -0700)]
Add BT_HDR length check for received AVCTP packets
Bug: 79944113
Test: Code compilation
Change-Id: I02c76ab8fad61669394062bf34656ea32f465b6a
Merged-In: I02c76ab8fad61669394062bf34656ea32f465b6a
(cherry picked from commit 4262b932e487b19d578d79e0120cf03291f44efc)
(cherry picked from commit fa538540a7f147b8440ac49735a8dc596ce8dfc7)
Pavlin Radoslavov [Thu, 31 May 2018 02:26:16 +0000 (19:26 -0700)]
Add packet length check for received AVCTP packets
Bug: 79944113
Test: Manual: Custom test program and extra logging
Change-Id: Icde465fed723bf876ce3885d11099fddcb92de81
Merged-In: Icde465fed723bf876ce3885d11099fddcb92de81
(cherry picked from commit 2a934acf498a6b715cc7c634123aa403a70fe9e6)
(cherry picked from commit d6fb21d8d8ae20addfc51246d840151fc86d8572)
Pavlin Radoslavov [Thu, 31 May 2018 00:56:14 +0000 (17:56 -0700)]
Add checks whether the AVDTP element data length is valid
Bug: 78288378
Test: Manual: Python script and extra logging
Change-Id: I715b5977c833d33ff798f008fbf244effa13ea1f
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit 9b3f96f50287d8789aff6d6895d7ae02ca6ac619)
(cherry picked from commit ee30c88a8d49b30860d35b34a57c3037a4045678)
Jack He [Fri, 1 Jun 2018 21:00:42 +0000 (14:00 -0700)]
BNEP: Fix OOB access in bnep_data_ind
* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
is most likely triggered
Bug: 78286118
Bug: 79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
BNEP_EXTENSION_CONTROL packet
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit 3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit 0416340ffa61337dbaa2f6602ef85a1c32563ec2)