OSDN Git Service
Chih-Wei Huang [Fri, 14 Feb 2020 03:38:38 +0000 (11:38 +0800)]
Avoid more annoying crashing
Chih-Wei Huang [Tue, 11 Feb 2020 02:03:14 +0000 (10:03 +0800)]
Merge tag 'android-9.0.0_r53' into pie-x86
Android 9.0.0 Release 53 (6107734)
Chih-Wei Huang [Mon, 20 Jan 2020 10:51:15 +0000 (18:51 +0800)]
Merge tag 'android-9.0.0_r52' into pie-x86
Android 9.0.0 release 52
Zongheng Wang [Tue, 12 Nov 2019 20:59:44 +0000 (12:59 -0800)]
SDP: add return after SDP disconnection
A return is needed after sdp_disconnect(). It is the logic
expected and it prevents the use of p_ccb after it's freed.
Bug: 144177780
Bug: 117105007
Test: manual test
Change-Id: I7a64382b36adca37a8ff0c7e361d89ecdc8f3b55
(cherry picked from commit 30efc8c90a846460359a489e17e1461c725958b3)
(cherry picked from commit 5edd605227af9a1b9eedf4fd9f02373a47fd49fb)
Ted Wang [Tue, 26 Nov 2019 03:46:38 +0000 (11:46 +0800)]
Fix potential OOB write in btm_read_remote_ext_features_complete
Add event length check to avoid hci event sent from controller not
correct.
Add page number check to avoid page number is bigger than
HCI_EXT_FEATURES_PAGE_MAX.
Bug: 141552859
Bug: 144205318
Test: inject function
Merged-In: Iaca4db4ee9bf27362f62aba0da088727e98955d1
Change-Id: Iaca4db4ee9bf27362f62aba0da088727e98955d1
(cherry picked from commit 140d8297ace9cd54a903a9cd3a079fd805030f1e)
Venkata Jagadeesh Garaga [Thu, 18 Apr 2019 11:43:49 +0000 (17:13 +0530)]
GAP: Correct the continuous pkt length in l2cap
L2cap continuous pkt length wrongly calculated in
reassembly logic when remote sends more data
than expected.
Wrong pkt length leading to memory corruption
Hence the Correct the continuous pkt length in
l2cap reassembly logic.
Bug: 135239489
Bug: 143894715
CRs-Fixed: 2434229
Test: make and internal testing
Change-Id: I758d9e31465b99e436b9b1841320000f08186c97
Merged-In: I758d9e31465b99e436b9b1841320000f08186c97
(cherry picked from commit 337bd4579453bd6bf98ff519de3ac1019cd30d28)
(cherry picked from commit 602f4b44fe30ec8b225e1cee5f96817607d93e5a)
Alistair Strachan [Sat, 2 Mar 2019 01:45:09 +0000 (17:45 -0800)]
Fall back to CLOCK_BOOTTIME if CLOCK_BOOTTIME_ALARM fails
If the cuttlefish device does not have an rtc device (such as the crosvm
VMM) the bt osi layer can promote crashes due to it not being able to
create a CLOCK_BOOTTIME_ALARM timer. Bring back a fallback but enable it
at runtime instead of compile time.
Bug: 126955943
Test: run with cuttlefish
Change-Id: I3ab0282b3e8fde776aa7b37d5772c8f62cf957bf
Chih-Wei Huang [Thu, 30 May 2019 09:04:59 +0000 (17:04 +0800)]
Support generic USB Bluetooth adapter
Find USB Bluetooth adapter according to device class and subclass.
See https://www.usb.org/defined-class-codes#anchor_BaseClassE0h.
Chih-Wei Huang [Thu, 30 May 2019 02:50:19 +0000 (10:50 +0800)]
hciblecmds: remove unnecessary checking
This fixes Bluetooth USB dongle support.
Chih-Wei Huang [Wed, 29 May 2019 03:56:16 +0000 (11:56 +0800)]
Replace Bluetooth HAL by Intel's implementation
Linaro's implementation is buggy.
Chih-Wei Huang [Fri, 24 May 2019 07:01:27 +0000 (15:01 +0800)]
Add back libbt-vendor
Chih-Wei Huang [Tue, 12 Jun 2018 06:32:03 +0000 (14:32 +0800)]
Avoid annoying crashing on VMware
Chih-Wei Huang [Sun, 10 Jun 2018 09:46:25 +0000 (17:46 +0800)]
Remove the unused function
Chih-Wei Huang [Wed, 6 Dec 2017 09:57:21 +0000 (17:57 +0800)]
HCI: don't abort on timeout
Timeout is normal. Especially when the device is suspending.
Don't abort it stupidly.
anitha3x [Tue, 16 Oct 2018 08:52:07 +0000 (14:22 +0530)]
A work around fix for incorrect controller response.
Reason: The controller did not send correct response
for read remote extended features for "page 1" request.
Since lmp extended features ssp was not true, the sm4
was not enabled. Therefore host did not initiate
authentication request. When L2CAP AVDTP connection
was established, the controller returned disconnect
complete with authentication failed reason.
Fix: Provided a retry of read remote extended features
request from host, when response for 'page 1' was
incorrect. This enabled authentication from host and
hence L2CAP AVDTP connection was successful.
Revert the changes, once controller fix is available
Tracked-On: OAM-69566
Signed-off-by: anitha3x <anithax.h.chandrasekar@intel.com>
Jeevaka Prabu Badrappan [Mon, 27 Aug 2018 17:13:22 +0000 (22:43 +0530)]
Fix for Bluetooth device name reset to default name after reboot
Reason: When the BT device name is updated is getting saved
to the config data pointer but not to the persistent data
(i.e. bt_config.conf). So, when the reboot is happening it
is not able to get the updated device name from the persistent
data (i.e. bt_config.conf) as during reboot bt_config_flush is
not called. It is only called on the BT Enable Event.
Fix: Saving the BT Device name to persistent data using
btif_config_flush once it is set.
Tracked-On: OAM-67917
Signed-off-by: Gaganpreet kaur <gaganpreetx.kaur@intel.com>
Signed-off-by: Aiswarya Cyriac <aiswarya.cyriac@intel.com>
Aiswarya Cyriac [Mon, 26 Feb 2018 04:27:11 +0000 (09:57 +0530)]
Fix for BLE pairing failure in slave role
Pairing fails due to DHkey mismatch and this fix addresses the
mismatch
Change-Id: Ie09f6c4ef3e70cce3f3b57858b6e8945eb65e63c
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-57377
Signed-Off-by: Aiswarya Cyriac <aiswarya.cyriac@intel.com>
Nick Desaulniers [Thu, 10 Oct 2019 21:04:47 +0000 (14:04 -0700)]
[system][bt] fix -Wdangling-gsl
BtAddrString() returns a std::string. It's not safe to chain a call to
c_str() as otherwise the returned std::string is a temporary, and the
expression evaluates to an immediately dangling pointer.
Bug: 139945549
Bug: 142558228
Test: mm
Change-Id: I30972458abcc563b24ee0d80b289c3efd6c3e04d
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
(cherry picked from commit 20ed45d6339079645ef9fe576b894e9497684c93)
Martin Brabham [Thu, 20 Jun 2019 15:59:24 +0000 (08:59 -0700)]
JustWorks: Auto-accept only incoming temporary pairing.
Bug: 110433804
Bug: 134461862
Test: Manual; atest net_test_bluetooth
Change-Id: I4e3f39bc08e9d9493734a21ea29d76e43aeb50c8
Merged-In: I4e3f39bc08e9d9493734a21ea29d76e43aeb50c8
(cherry picked from commit 650206874470dae8fac8e31174e98b3b6f65eebd)
Jakub Pawlowski [Wed, 2 Oct 2019 13:04:38 +0000 (15:04 +0200)]
Fix read out of bounds in BtifAvEvent::DeepCopy
Bug: 140768453
Change-Id: Ia05e12382ef78a3e07228d09bcf9347f9976bffd
(cherry picked from commit 8ac773aa5b2ace322a52e27a2231ac63688219de)
Martin Brabham [Sat, 8 Jun 2019 04:58:52 +0000 (04:58 +0000)]
Revert "DO NOT MERGE: btif: require pairing dialog for JustWorks SSP"
This reverts commit 26ba26be830f04e6fd9c77b075bcae48677d4cce.
Reason for revert: breaks tv UX
Bug: 110433804
Change-Id: I2c644ed62619f34494be0a0c7c75078cec0ebdd3
(cherry picked from commit caff42bd3c5bc2f7120b94235c3c578a1b2b407d)
Zongheng Wang [Wed, 21 Aug 2019 00:56:04 +0000 (17:56 -0700)]
SDP: Disconnect when there is a bad length
Handle the case when SDP_RAW_DATA_INCLUDED is FALSE.
Related to: I9f0df8b2de28970e7d69b737ce5d363785183bf3
Bug: 137239831
Bug: 117105007
Test: manual test
Change-Id: I354494565005f2ca9093486546fc54c145066413
Merged-In: I354494565005f2ca9093486546fc54c145066413
(cherry picked from commit e45fe0a8ec678c73c57967b69c2fd485eef92927)
(cherry picked from commit 7f555a1a9b641a8e4892a4e7a7cc1ff294d8f2b7)
Rahul Sabnis [Fri, 30 Aug 2019 01:23:37 +0000 (18:23 -0700)]
Use memcpy instead of casting to convert device_class to int
Bug: 140152619
Test: atest net_test_btcoreclear
Change-Id: Iee71ce35576e438317841d41a81fda6a87e1984a
Merged-In: Iee71ce35576e438317841d41a81fda6a87e1984a
(cherry picked from commit ec75f1efb6b9be4933225a4b724e7a3ef5e3d70b)
(cherry picked from commit 969ebed816c5d709128acadb1cbc8a04a6705d1e)
Zongheng Wang [Mon, 5 Aug 2019 19:45:35 +0000 (12:45 -0700)]
SDP: disconnect if sdp_copy_raw_data fails
Our partners met with the problem with sdp_copy_raw_data updated in
CVE-2019-2116. When peer device responds with a wrong size,
sdp_copy_raw_data will not complete and won't trigger
disconnection. This CL enables the disconnection when a wrong size is
received.
Bug: 137239831
Bug: 117105007
Test: manual test
Change-Id: I9f0df8b2de28970e7d69b737ce5d363785183bf3
Merged-In: I9f0df8b2de28970e7d69b737ce5d363785183bf3
(cherry picked from commit bc9df3451dad17c1ab1002fdbc85d60e57d4f0af)
(cherry picked from commit 41939a2b5a8e3584c5a99dfe264a47df79e3091f)
Martin Brabham [Fri, 24 May 2019 22:13:38 +0000 (15:13 -0700)]
DO NOT MERGE: btif: require pairing dialog for JustWorks SSP
Bug: 110433804
Test: Manual; atest net_test_bluetooth
Change-Id: If65a8d53ff368ba3ddddb47cfc0072469090b46a
(cherry picked from commit ddae6274742e241c03526c7659dca7b3446b9f8d)
(cherry picked from commit 26ba26be830f04e6fd9c77b075bcae48677d4cce)
Ugo Yu [Thu, 11 Jul 2019 12:12:42 +0000 (20:12 +0800)]
DO NOT MERGE Store BLE keys using the address from the ble_auth_cmpl_evt
Reading the peer address from btif_dm_ble_auth_cmpl_evt, instead
of using the value from the pairing control block in
btif_dm_save_ble_bonding_keys, ensures that BLE keys are stored with
the correct address.
Bug: 133234174
Bug: 79703832
Test: 1. Initiate crosskey pairing from BLE
2. Check whether BLE keys are stored correctly
Change-Id: I18b4a1d8e2cdcd6dd4a300f1dc9e6d3892a3baff
(cherry picked from commit 0d95651e8b22b1012f1ee103e4a0b8665a0c17d4)
(cherry picked from commit b2334f05895e9926666904c41f13821210cbd6e9)
Ugo Yu [Thu, 23 May 2019 11:06:56 +0000 (19:06 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)
- Do not stay in bonding state if the device is paired but still
discovering service.
- Report BOND_BONDED to Java after authentication for a classic
Bluetooth device is completed.
- Send BONDING event to Java when static identity address is
first obtained during crosskey pairing
- Send BONDING event to Java for the initial random address
before send BONDED event
- Do not send bond event for static identity address when SDP is done.
- Make sure pairing control block always get cleaned up when both SDP
and pairing are done
- Send empty UUIDs to Java layer to unblock bonding intent broadcast
when SDP fails
Bug: 79703832
Test: runtest bluetooth, regression test
Change-Id: Ic33ca045b996c02a7c98e458f791a1747a8ea6d5
(cherry picked from commit 6628beb969f3f8e58972d2c2eb8b4bc053a11109)
Arjun Garg [Mon, 15 Jul 2019 20:00:08 +0000 (13:00 -0700)]
Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"
This reverts commit 12df1a2282e6d591bd0e1db75f0c38067a31ef40.
Jakub Pawlowski [Thu, 6 Jun 2019 11:54:55 +0000 (13:54 +0200)]
DO NOT MERGE Fix for Bluetooth connection being dropped after HCI Read Encryption Key Size
If remote device stops the encryption before we call "Read Encryption Key Size",
we might receive Insufficient Security, which means that link is no longer
encrypted.
In such cases we should stay connected, rather than disconnecting the
link.
Test: Connect to device that stops encryption right after encryption is
complete, i.e. to change roles.
Bug: 124301137
Bug: 132626699
Change-Id: Iab0fd9f357d18a6b048b971d0393fbb47fd4d793
Merged-In: Iab0fd9f357d18a6b048b971d0393fbb47fd4d793
(cherry picked from commit c978f86b506f31567b5991c91cdbe4c142ca8edd)
Ugo Yu [Thu, 23 May 2019 11:06:56 +0000 (19:06 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)
- Do not stay in bonding state if the device is paired but still
discovering service.
- Report BOND_BONDED to Java after authentication for a classic
Bluetooth device is completed.
- Send BONDING event to Java when static identity address is
first obtained during crosskey pairing
- Send BONDING event to Java for the initial random address
before send BONDED event
- Do not send bond event for static identity address when SDP is done.
- Make sure pairing control block always get cleaned up when both SDP
and pairing are done
- Send empty UUIDs to Java layer to unblock bonding intent broadcast
when SDP fails
Bug: 79703832
Test: runtest bluetooth, regression test
Change-Id: Ic33ca045b996c02a7c98e458f791a1747a8ea6d5
(cherry picked from commit 6628beb969f3f8e58972d2c2eb8b4bc053a11109)
Martin Brabham [Thu, 4 Apr 2019 21:57:41 +0000 (14:57 -0700)]
DO NOT MERGE: osi: Offload mutex pointer to local scope
Create a shared_ptr for the callback_mutex in the alarm struct.
When performing the callback, make a local shared_ptr reference.
lock_guard on the local shared_ptr reference.
Bug: 117997080
Test: atest net_test_bluetooth
Change-Id: Iab800f720f4ccc4735e4d494e0d458eb97b40a4a
(cherry picked from commit 947c58718f93629f2fba6e16d5163b6da07d0056)
Ted Wang [Mon, 29 Apr 2019 02:11:04 +0000 (10:11 +0800)]
Fix potential OOB read in sdpu_get_len_from_type
Add boundary check in sdpu_get_len_from_type to prevent potential OOB read.
Bug: 117105007
Test: Manual
Merged-In: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
Change-Id: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
(cherry picked from commit 1243f8da338dadfe2a3c281a08297b431402d41c)
(cherry picked from commit 4d8e1d63e1a2116c47702d38d858f5a742e8292f)
Jakub Pawlowski [Mon, 11 Mar 2019 18:22:01 +0000 (19:22 +0100)]
DO NOT MERGE Don't persist bonds using sample LTK
Test: compilation, manual testing
Bug: 128843052
Change-Id: I52fd484d42bf87e96dbc9e6456090f231ed48111
(cherry picked from commit 250529d6f1110c5b6117508dc8f200eaaeedaae5)
Jack He [Thu, 21 Mar 2019 00:51:09 +0000 (17:51 -0700)]
DO NOT MERGE Log encryption key size
* Log result from HCI_READ_ENCR_KEY_SIZE command
Bug: 124301137
Test: test drive with statsd
Change-Id: I776a3c357fcd75623fba241f150d1afb58aa23fb
(cherry picked from commit 7e8dbcd40b97c731d797c8967a6d44db856bca15)
Jakub Pawlowski [Thu, 14 Feb 2019 11:44:06 +0000 (12:44 +0100)]
DO NOT MERGE Drop Bluetooth connection with weak encryption key
This patch requires Bluetooth chip to support HCI Read Encryption Key Size
command and will cause Bluetooth to crash if this command is not supported
on a device. Such device should not take this patch and should look for
alternative solution to drop Bluetooth connection with weak encryption key.
Bug: 124301137
Change-Id: Id4b6b4e765628397a79e6806f45c2cd27acebd5b
(cherry picked from commit 398473b74ebab9a47bf6f0615460f3c44ca09269)
Ajay Panicker [Fri, 14 Dec 2018 22:55:02 +0000 (14:55 -0800)]
DO NOT MERGE: Use a weak pointer to deliver updates to AVRCP devices.
If a device disconnects right before an update message gets queued, the
device becomes null and there is a crash when the callback for the
update executes on the disconnected device. This patch switches the
device reference from being Unretained to using a weak pointer so that
the callback just doesn't execute if the device is disconnected.
Bug: 120431125
Bug: 120445479
Test: Use the same test as b/120477414 as that bug causes a disconnect
at the same time as a media update.
Change-Id: I1dcc08e5c9866106e7ec0dad52505e34b42da600
(cherry picked from commit f083d1e076ea97e6feaa363f03dab3656bd03ee0)
JP Sugarbroad [Tue, 19 Mar 2019 21:58:40 +0000 (14:58 -0700)]
Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"
This reverts commit 583a7016e4f4167df2efe4e25dc80b6c4aa1f834.
Hansong Zhang [Sat, 2 Feb 2019 01:45:30 +0000 (17:45 -0800)]
resolve merge conflicts of ec78d74706c3e81f91eee53e3d9f959f66e5d77f to pi-dev
Bug: None
Test: I solemnly swear I tested this conflict resolution.
Change-Id: Id658b3485fdc0025bc44850be9f23bb2d2146d9b
(cherry picked from commit 6c0f22f324ed0bdf9dea3e803e5ee6176d03fdb4)
Ugo Yu [Tue, 16 Oct 2018 06:53:35 +0000 (14:53 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)
- Do not stay in bonding state if the device is paired but still
discovering service.
- Report BOND_BONDED to Java after authentication is completed.
- Report empty UUID to Java if a classic Bluetooth device SDP
failed while pairing.
- Hold BOND_BONDED intent until SDP is finished.
- Only accept profile connection for the device is at bonded
state. Any attempt to connect while bonding would potentially
lead to an unauthorized connection.
Bug: 79703832
Test: runtest bluetooth, regression test
Change-Id: I023713e07308bfc0e5bb8d67f386bcc50f6a0f85
(cherry picked from commit 122e115b87fe98ca5e5e65b9765c146f9e52b65e)
(cherry picked from commit dc14eb8ba01ee20dc44bcba7b3c0a17550e756fa)
Hansong Zhang [Thu, 10 Jan 2019 02:18:17 +0000 (18:18 -0800)]
btm_proc_smp_cback: Don't access p_dev_rec if freed
In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free
Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
(cherry picked from commit 953dd279502980b1d8d30656eb78c6445a6e31f7)
Hansong Zhang [Wed, 16 Jan 2019 20:33:26 +0000 (12:33 -0800)]
btm_ble_multi_adv: Check data length in HCI interface
For BleAdvertiserVscHciInterfaceImpl and
BleAdvertiserLegacyHciInterfaceImpl, the maximum size of scan response
and advertising packet data length should be BTM_BLE_AD_DATA_LEN (31).
Bug: 121145627
Test: POC
Change-Id: I7653a6c186b7313ef2b1547bca120b9d41c90140
(cherry picked from commit a99fe8a175a6d209e741871544ae3f857c8a7cbb)
Stanley Tng [Tue, 11 Dec 2018 22:45:13 +0000 (14:45 -0800)]
DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu
Add check to make sure that data buffer is big enough to read the 2
bytes for length.
Also, fix a regression from the previous CL that checks the buffer length
before doing a memcpy. The previous check is too strict causing valid
sized buffers to be rejected. The length check is incorrect and off by the header size.
Bug: 120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
(cherry picked from commit fcb1994de1f6ee34b8dc6804a2b32e20bf138073)
(cherry picked from commit 1f1d8b97d80d25023c4c7b04d2aa18d367f4158d)
(cherry picked from commit c117a1c951c65033987ed51d53407b359204c187)
Ugo Yu [Tue, 13 Nov 2018 12:03:28 +0000 (20:03 +0800)]
Add OOB check in avrc_pars_browse_rsp
Bug: 111451066
Test: Manually
Change-Id: I068d218b8957bb8f053148d252a9119a8def28cc
(cherry picked from commit f44cbb20e7658116472981bac0ffb0305f4a2c04)
Jakub Pawlowski [Tue, 27 Nov 2018 17:22:22 +0000 (18:22 +0100)]
Fix buffer overflow in btif_dm_data_copy
When we use a union, we should always define variables as the union type,
not as one of the field subtypes. If the latter is cast to the union type,
buffer overflow can happen.
Bug: 110166268
Test: compilation
Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd
Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd
(cherry picked from commit ea90417d9965aec1c475418ca8f8f305af12de2d)
Jakub Pawlowski [Tue, 20 Nov 2018 21:31:31 +0000 (22:31 +0100)]
Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df)
JP Sugarbroad [Thu, 10 Jan 2019 22:54:49 +0000 (14:54 -0800)]
Revert "Fix OOB in avrc_pars_browse_rsp"
This reverts commit 751fa58a13ce428de93bdb667e964510a13310da.
Myles Watson [Thu, 25 Oct 2018 00:05:12 +0000 (17:05 -0700)]
SDP: Check p_end in save_attr_seq and add_attr
Bug: 115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit b8a5081b00fc9730092d8392786f3f4e659cb602)
Ugo Yu [Fri, 26 Oct 2018 10:15:17 +0000 (18:15 +0800)]
Fix OOB in avrc_pars_browse_rsp
- Check packet length before assign bytes to the pointer.
Bug: 111451066
Test: PoC test
Change-Id: I8ce4f4678a043fc16b0beeea2345253e7542b506
(cherry picked from commit 32a33dc12d4a9b21306510a98bcd039ca3be1dd3)
Ugo Yu [Mon, 29 Oct 2018 16:47:04 +0000 (00:47 +0800)]
Fix possible OOB when AVDT data channel receive ACL data
Bug: 111450156
Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit baa9bf5bfe4a6f3e52ac927aaf4463f37f81294e)
Chienyuan [Tue, 18 Sep 2018 09:13:16 +0000 (17:13 +0800)]
HFP: Check AT command buffer boundary during parsing
* add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback
and bta_ag_at_hfp_cback to indicate effective data range of p_arg
* add checks for buffer copy overflow in bta_ag_at_hsp_cback and
bta_ag_at_hfp_cback
* add packet length checks with p_end in bta_ag_parse_cmer
* add packet length checks with p_end in bta_ag_parse_bac
Bug: 112860487
Test: testplans/details/218593/3975
Change-Id: I6bbbc2ba29ad025c7d3ba023d8191af6a11c4aa9
(cherry picked from commit 28ddbe904bd15c9636063f5431a9360d8e9df8b9)
Myles Watson [Thu, 25 Oct 2018 22:27:03 +0000 (15:27 -0700)]
MCAP: Check response length in mca_ccb_hdl_rsp
Bug: 116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit 0ab53ca2af26f70126d6d9d6600d090a720758fa)
Myles Watson [Thu, 25 Oct 2018 21:33:33 +0000 (14:33 -0700)]
HH: Check parameter length in bta_hh_ctrl_dat_act
Bug: 116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit b8fbe73f0d32686e8393bfe07a84b6f0e8829caf)
Jakub Pawlowski [Wed, 10 Oct 2018 17:35:37 +0000 (19:35 +0200)]
Fix possible OOB read
Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad)
Hansong Zhang [Tue, 2 Oct 2018 23:26:38 +0000 (16:26 -0700)]
HIDD: Check descriptor length and increase buffer
Since maximum descriptor length is 2048, we need to assign 2054 bytes of
buffer for another 6 bytes of data. Also added a const for maximum
descriptor length.
Bug: 113572366
Test: manual
Change-Id: Ie2b25c9e1a9f2019cbc7e6fbecbb08b643c87946
Merged-In: Ie2b25c9e1a9f2019cbc7e6fbecbb08b643c87946
(cherry picked from commit c0530b211e8a5b43e556c6d47d424b231afb8e99)
Ugo Yu [Mon, 17 Sep 2018 07:59:30 +0000 (15:59 +0800)]
Check SDU lower bound before allocate p_data
Bug: 112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit 785e12ed58d020a0df075163c1831021c0cde218)
Myles Watson [Thu, 6 Sep 2018 17:57:47 +0000 (10:57 -0700)]
bta: Pass the correct UUID array size in bta_ag_do_disc
Bug: 113164621
Test: Connect HSP from a device to the phone
Change-Id: Iec875cd165ad1cea64c307602bb00b623967c7c7
(cherry picked from commit 9645b5dd62c8166f10798335768aa2a6c3e05e4c)
Pavlin Radoslavov [Thu, 6 Sep 2018 22:41:27 +0000 (15:41 -0700)]
Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()
Bug: 111450417
Test: PoC test program
Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
(cherry picked from commit 1c14e10cac53d5a5724dcf34c5679ad8819f9442)
(cherry picked from commit f779ebe368d245c0d9ac954cf7b2b102e7da56be)
Hansong Zhang [Wed, 5 Sep 2018 23:39:16 +0000 (16:39 -0700)]
HID Device: Fix OOB in register_app
Bug: 113037220
Bug: 113111784
Test: manual
Change-Id: I91bcd5032959458b926c479160c7e391b8de313b
(cherry picked from commit 6aa2d0a5fab28c8829aab4099da0ad450e451c1e)
Pavlin Radoslavov [Thu, 6 Sep 2018 01:21:31 +0000 (18:21 -0700)]
Check data length when parsing AVRCP vendor specific command responses
Bug: 111450531
Bug: 111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)
Hansong Zhang [Wed, 8 Aug 2018 18:31:28 +0000 (11:31 -0700)]
Check remaining frame length in rfc_process_mx_message
Bug: 111936792
Bug: 80432928
Test: manual
Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
(cherry picked from commit 0471355c8b035aaa2ce07a33eecad60ad49c5ad0)
Hansong Zhang [Fri, 13 Jul 2018 20:45:46 +0000 (13:45 -0700)]
Fix a wrong check in rfc_parse_data
Bug: 78288018
Bug: 111436796
Test: manual
Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a
(cherry picked from commit d1ced302cd1066087588c891027b1756be31db46)
Hansong Zhang [Thu, 7 Jun 2018 23:18:52 +0000 (16:18 -0700)]
Add bound check for rfc_parse_data
Bug: 78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit 6039cb7225733195192b396ad19c528800feb735)
Cheney Ni [Wed, 8 Aug 2018 14:20:08 +0000 (22:20 +0800)]
Checks the SMP length to fix OOB read
Bug: 111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
(cherry picked from commit fceb753bda651c4135f3f93a510e5fcb4c7542b8)
Ugo Yu [Wed, 8 Aug 2018 08:09:58 +0000 (16:09 +0800)]
Add packet length check in smp_proc_master_id
Bug: 111937027
Test: manual
Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075
(cherry picked from commit c8294662d07a98e9b8b1cab1ab681ec0805ce4e8)
Pavlin Radoslavov [Thu, 9 Aug 2018 20:07:48 +0000 (13:07 -0700)]
Add missing AVRCP message length checks inside avrc_msg_cback
Explicitly check the length of the received message before
accessing the data.
Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
(cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)
Cheney Ni [Tue, 7 Aug 2018 13:32:07 +0000 (21:32 +0800)]
Add packet length checks in mca_ccb_hdl_req
Bug: 110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
(cherry picked from commit 4de7ccdd914b7a178df9180d15f675b257ea6e02)
Chienyuan [Wed, 8 Aug 2018 03:21:28 +0000 (11:21 +0800)]
Check packet length in bta_av_proc_meta_cmd
Bug: 111893951
Test: manual - connect A2DP
Change-Id: Ibbf347863dfd29ea3385312e9dde1082bc90d2f3
(cherry picked from commit ed51887f921263219bcd2fbf6650ead5ec8d334e)
Hansong Zhang [Mon, 6 Aug 2018 21:40:37 +0000 (14:40 -0700)]
Fix OOB read in avrc_ctrl_pars_vendor_rsp
Bug: 78526423
Test: manual
Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91
(cherry picked from commit d945ada503ed9c9ea24e092df51faba57f5d589a)
Jakub Pawlowski [Mon, 16 Jul 2018 13:40:35 +0000 (06:40 -0700)]
Fix copy length calculation in sdp_copy_raw_data
Test: compilation
Bug: 110216176
Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
(cherry picked from commit 23aa15743397b345f3d948289fe90efa2a2e2b3e)
Hansong Zhang [Thu, 12 Jul 2018 17:44:29 +0000 (10:44 -0700)]
Fix OOB read in process_l2cap_cmd
Test: manual
Bug: 79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
(cherry picked from commit 5bb66307b555b17d1764e116316ce50c687c9653)
Jakub Pawlowski [Fri, 22 Jun 2018 11:46:39 +0000 (04:46 -0700)]
SDP: return error on offset bigger than attribute length
Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit 0a74ffa44cbe48f674387cc951e6011c28ca003c)
Jakub Pawlowski [Wed, 11 Jul 2018 09:57:07 +0000 (02:57 -0700)]
Don't use Address after it was deleted
Bug: 110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
(cherry picked from commit 9930f6f4e14e64966869b119994126283d645fd0)
Hansong Zhang [Wed, 27 Jun 2018 21:21:40 +0000 (14:21 -0700)]
HFP: Fix out of bound access in phone number processing
* Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
method
* Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
PhoneStateChange method
Bug: 79431031
Bug: 79266386
Test: make call with super long phone numbers
Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
(cherry picked from commit 5c0888d42d9aa29dbecd77d3443fa066cdb4e13d)
Hansong Zhang [Thu, 21 Jun 2018 23:53:41 +0000 (16:53 -0700)]
HIDD: Prevent integer underflow in bta_hd_act
Bug: 109757435
Bug: 109757168
Bug: 110846194
Bug: 109757986
Test: manual
Change-Id: I80a6f3f931ac7512f1ba801cc5d8de6ac04f3422
(cherry picked from commit 74a6392875166698b64b624d12b6d2e404b75d72)
Jakub Pawlowski [Fri, 22 Jun 2018 05:56:11 +0000 (22:56 -0700)]
Add packet length checks in l2cble_process_sig_cmd
Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit 02f47a752c818277b31852e3ff940764d5c7f9c7)
Hansong Zhang [Thu, 7 Jun 2018 21:25:09 +0000 (14:25 -0700)]
HID Host: Check L2CAP packet data length
Bug: 80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit ca47a05acb66218ff2123f8d4642961f7f2eb5e2)
android-build-team Robot [Fri, 8 Jun 2018 07:21:06 +0000 (07:21 +0000)]
Snap for 4829593 from fc56cb1c021b449878435012687272d71a6c04b7 to pi-release
Change-Id: I41b2e01f9fedf7e0be72d9e2a8ec924e2fd30498
TreeHugger Robot [Thu, 7 Jun 2018 15:08:47 +0000 (15:08 +0000)]
Merge "Don't reuse buffer when building response" into pi-dev
android-build-team Robot [Thu, 7 Jun 2018 07:23:24 +0000 (07:23 +0000)]
Snap for 4826885 from 99428a2cf3b7d7e1d7950918462cd9938e5792f2 to pi-release
Change-Id: I139ee39202fc51350a44decb0cddd01e3d01e2bf
Ajay Panicker [Thu, 7 Jun 2018 05:28:11 +0000 (22:28 -0700)]
Merge changes from topic "am-662f3e36-36cc-485d-824b-f28c01eea384" into oc-dev am: 0cda123801 am: 427aebe54a am: 20b2bc080e
Change-Id: I3662266f41058a194921afe9126dfbbd0b9c8b52
Ajay Panicker [Thu, 7 Jun 2018 05:26:17 +0000 (22:26 -0700)]
Merge changes from topic "am-7125a1ce-592b-4a1d-a4e0-c6f472d5dc83" into oc-dev am: 086995d099 am: 352b01c987 am: 728f645ccc
Change-Id: I1e3070df2626d5c92f0afe4654da67eb107fee85
Ajay Panicker [Thu, 7 Jun 2018 05:25:47 +0000 (22:25 -0700)]
[automerger skipped] DO NOT MERGE: Don't reuse buffer when building response am: 9bbce86038 am: 2e3d8cde0e am: 34d0e93bc6 -s ours
Change-Id: I573567707397a1aa0cb69a683156c1a5b76b7bd0
TreeHugger Robot [Thu, 7 Jun 2018 05:25:08 +0000 (05:25 +0000)]
Merge "Send ACK for A2DP_CTRL_CMD_SUSPEND even if audio was no streaming" into pi-dev
Ajay Panicker [Thu, 7 Jun 2018 04:21:58 +0000 (21:21 -0700)]
Merge changes from topic "am-662f3e36-36cc-485d-824b-f28c01eea384" into oc-dev am: 0cda123801 am: 427aebe54a
Change-Id: I7d0fb74f7c6f45411f72c0471a239f933e3fc101
Ajay Panicker [Thu, 7 Jun 2018 04:21:32 +0000 (21:21 -0700)]
Merge changes from topic "am-7125a1ce-592b-4a1d-a4e0-c6f472d5dc83" into oc-dev am: 086995d099 am: 352b01c987
Change-Id: I1753fa0854933bf75a4d8c763d2be1d29fa398af
Ajay Panicker [Thu, 7 Jun 2018 04:20:59 +0000 (21:20 -0700)]
DO NOT MERGE: Don't reuse buffer when building response am: 9bbce86038 am: 2e3d8cde0e
Change-Id: I3a59bf8a5c375be0388952a1232316bf88ae0928
Ajay Panicker [Thu, 7 Jun 2018 03:08:39 +0000 (20:08 -0700)]
Merge changes from topic "am-662f3e36-36cc-485d-824b-f28c01eea384" into oc-dev am: 0cda123801
Change-Id: I439feb0e5a5ee9dc65613aab59f48f98405ac1c5
Ajay Panicker [Thu, 7 Jun 2018 03:08:06 +0000 (20:08 -0700)]
Merge changes from topic "am-7125a1ce-592b-4a1d-a4e0-c6f472d5dc83" into oc-dev am: 086995d099
Change-Id: I8ba858a9bfdc2d81c487692cda8bb16e9b371356
Ajay Panicker [Thu, 7 Jun 2018 03:07:30 +0000 (20:07 -0700)]
DO NOT MERGE: Don't reuse buffer when building response am: 9bbce86038
Change-Id: I0b7edc528c15d05e2b07c2ad5b30c40a387eb87f
TreeHugger Robot [Thu, 7 Jun 2018 01:53:54 +0000 (01:53 +0000)]
Merge changes from topic "am-662f3e36-36cc-485d-824b-f28c01eea384" into oc-dev
* changes:
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: ecef51ee8f am: cf7d3de311 am: 3a9eca8d4c am: 2f532ef9b0 skipped: 052add83b4
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: ecef51ee8f am: cf7d3de311 am: 3a9eca8d4c am: 2f532ef9b0
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: ecef51ee8f am: cf7d3de311 am: 3a9eca8d4c
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: ecef51ee8f am: cf7d3de311
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: ecef51ee8f
DO NOT MERGE: Don't reuse buffer when building response
TreeHugger Robot [Thu, 7 Jun 2018 01:36:28 +0000 (01:36 +0000)]
Merge changes from topic "am-7125a1ce-592b-4a1d-a4e0-c6f472d5dc83" into oc-dev
* changes:
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: 5b27fef4d8 am: 4d07934351 am: 690cc6b25d skipped: c4d802659d am: f294bdbb98 am: 54ef7ee930 am: ce6884eb30 am: 5d335dfb7b skipped: 66c6a114a6
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: 5b27fef4d8 am: 4d07934351 am: 690cc6b25d skipped: c4d802659d am: f294bdbb98 am: 54ef7ee930 am: ce6884eb30 am: 5d335dfb7b
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: 5b27fef4d8 am: 4d07934351 am: 690cc6b25d skipped: c4d802659d am: f294bdbb98 am: 54ef7ee930 am: ce6884eb30
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: 5b27fef4d8 am: 4d07934351 am: 690cc6b25d skipped: c4d802659d am: f294bdbb98 am: 54ef7ee930
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: 5b27fef4d8 am: 4d07934351 am: 690cc6b25d skipped: c4d802659d am: f294bdbb98
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: 5b27fef4d8 am: 4d07934351 am: 690cc6b25d skipped: c4d802659d
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: 5b27fef4d8 am: 4d07934351 am: 690cc6b25d
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: 5b27fef4d8 am: 4d07934351
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: 5b27fef4d8
DO NOT MERGE: Don't reuse buffer when building response
Android Build Merger (Role) [Thu, 7 Jun 2018 00:46:48 +0000 (00:46 +0000)]
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: ecef51ee8f am: cf7d3de311 am: 3a9eca8d4c am: 2f532ef9b0 skipped: 052add83b4
Change-Id: Id3ae5582793f9deabc23e530380f0aa565b64b8e
Android Build Merger (Role) [Thu, 7 Jun 2018 00:46:46 +0000 (00:46 +0000)]
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: ecef51ee8f am: cf7d3de311 am: 3a9eca8d4c am: 2f532ef9b0
Change-Id: I39f72d38038768d9207455399184cccde2ccba4b
Android Build Merger (Role) [Thu, 7 Jun 2018 00:46:44 +0000 (00:46 +0000)]
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: ecef51ee8f am: cf7d3de311 am: 3a9eca8d4c
Change-Id: Ib332da78669cd9e8b6c1d3f25d54cc8df23b444a
Android Build Merger (Role) [Thu, 7 Jun 2018 00:46:41 +0000 (00:46 +0000)]
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: ecef51ee8f am: cf7d3de311
Change-Id: Idf12259570aae1cf15a4f4805df093a8d0dabf43
Android Build Merger (Role) [Thu, 7 Jun 2018 00:46:38 +0000 (00:46 +0000)]
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: ecef51ee8f
Change-Id: I4911528515373e3dfc0763d5f793df29fb64d4e8
Ajay Panicker [Wed, 6 Jun 2018 21:58:54 +0000 (14:58 -0700)]
DO NOT MERGE: Don't reuse buffer when building response
Bug: 79541338
Test: Compile and connect to remote headset
Change-Id: I5e059615db589e165630f39d631a922006c2d70f
Android Build Merger (Role) [Thu, 7 Jun 2018 00:44:15 +0000 (00:44 +0000)]
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: 5b27fef4d8 am: 4d07934351 am: 690cc6b25d skipped: c4d802659d am: f294bdbb98 am: 54ef7ee930 am: ce6884eb30 am: 5d335dfb7b skipped: 66c6a114a6
Change-Id: I1c26c4fed03c9e6b6e0ae80ab330eb15dfee9072
Android Build Merger (Role) [Thu, 7 Jun 2018 00:43:57 +0000 (00:43 +0000)]
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: 5b27fef4d8 am: 4d07934351 am: 690cc6b25d skipped: c4d802659d am: f294bdbb98 am: 54ef7ee930 am: ce6884eb30 am: 5d335dfb7b
Change-Id: I1cd26eb9ac7ddcb7797b8011119156403c7920fb
Android Build Merger (Role) [Thu, 7 Jun 2018 00:43:34 +0000 (00:43 +0000)]
[automerger] DO NOT MERGE: Don't reuse buffer when building response am: 5b27fef4d8 am: 4d07934351 am: 690cc6b25d skipped: c4d802659d am: f294bdbb98 am: 54ef7ee930 am: ce6884eb30
Change-Id: Ic43b38cb648059daff18c044d45d154b1700a632