OSDN Git Service

android-x86/system-bt.git
3 months ago Merge tag 'android-7.1.2_r39' into nougat-x86 [nougat-x86] [android-x86-7.1-r3]
Chih-Wei Huang [Wed, 16 Oct 2019 14:30:17 +0000 (22:30 +0800)]
Merge tag 'android-7.1.2_r39' into nougat-x86

Android 7.1.2 Release 39 (5787804)

Conflicts:
bta/pan/bta_pan_act.c
stack/bnep/bnep_utils.c

3 months ago Fall back to CLOCK_BOOTTIME if CLOCK_BOOTTIME_ALARM fails
Alistair Strachan [Sat, 2 Mar 2019 01:45:09 +0000 (17:45 -0800)]
Fall back to CLOCK_BOOTTIME if CLOCK_BOOTTIME_ALARM fails

If the cuttlefish device does not have an rtc device (such as the crosvm
VMM) the bt osi layer can promote crashes due to it not being able to
create a CLOCK_BOOTTIME_ALARM timer. Bring back a fallback but enable it
at runtime instead of compile time.

Bug: 126955943
Test: run with cuttlefish
Change-Id: I3ab0282b3e8fde776aa7b37d5772c8f62cf957bf

6 months ago Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"
Arjun Garg [Mon, 15 Jul 2019 19:43:34 +0000 (12:43 -0700)]
Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"

This reverts commit 669c21e17874a11394668b2a927b04d03850d237.

7 months ago DO NOT MERGE Fix for Bluetooth connection being dropped after HCI Read Encryption...
Jakub Pawlowski [Thu, 6 Jun 2019 11:54:55 +0000 (13:54 +0200)]
DO NOT MERGE Fix for Bluetooth connection being dropped after HCI Read Encryption Key Size

If remote device stops the encryption before we call "Read Encryption Key Size",
we might receive Insufficient Security, which means that link is no longer
encrypted.

In such cases we should stay connected, rather than disconnecting the
link.

Test: Connect to device that stops encryption right after encryption is
complete, i.e. to change roles.
Bug: 124301137
Bug: 132626699

Change-Id: Iab0fd9f357d18a6b048b971d0393fbb47fd4d793
Merged-In: Iab0fd9f357d18a6b048b971d0393fbb47fd4d793
(cherry picked from commit c5aa5feebf558df160772fefaf271a6f3251e261)

7 months ago DO NOT MERGE Separate SDP procedure from bonding state (1/2)
Ugo Yu [Thu, 23 May 2019 13:05:49 +0000 (21:05 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)

- Do not stay in bonding state if the device is paired but still
  discovering service.
- Report BOND_BONDED to Java after authentication for a classic
  Bluetooth device is completed.
- Send BONDING event to Java when static identity address is
  first obtained during crosskey pairing
- Send BONDING event to Java for the initial random address
  before send BONDED event
- Do not send bond event for static identity address when SDP is done.
- Make sure pairing control block always get cleaned up when both SDP
  and pairing are done
- Send empty UUIDs to Java layer to unblock bonding intent broadcast
  when SDP fails

Bug: 79703832
Test: runtest bluetooth, regression test
Change-Id: Ia50c42bbd7614ea13c7dd90dcfc7224f4681f479
(cherry picked from commit 553eb90719404652046698c9191e995c86743129)

7 months ago DO NOT MERGE Send HCI Read Encryption Key properly
Jakub Pawlowski [Fri, 24 May 2019 20:01:09 +0000 (22:01 +0200)]
DO NOT MERGE Send HCI Read Encryption Key properly

This patch fixes bad HCI command being sent instead of Read Encryption
Key Size.

Bug: 124301137
Test: pair and connect with Bluetooth headset
Change-Id: If325ef2771ca1546ae58df7c684f66ae537b8573
(cherry picked from commit a3cc7575f9ce644a3dfceee61ab7b4b206a3982e)

8 months ago DO NOT MERGE Fix potential OOB read in sdpu_get_len_from_type
Ted Wang [Mon, 29 Apr 2019 02:11:04 +0000 (10:11 +0800)]
DO NOT MERGE Fix potential OOB read in sdpu_get_len_from_type

Add boundary check in sdpu_get_len_from_type to prevent potential OOB read.

Bug: 117105007
Test: Manual
Merged-In: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
Change-Id: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
(cherry picked from commit 08202bdcbe5e6cf826926d0995790fcfa309bca8)

8 months ago DO NOT MERGE Don't persist bonds using sample LTK
Jakub Pawlowski [Mon, 11 Mar 2019 18:22:01 +0000 (19:22 +0100)]
DO NOT MERGE Don't persist bonds using sample LTK

Test: compilation, manual testing
Bug: 128843052
Change-Id: I52fd484d42bf87e96dbc9e6456090f231ed48111
(cherry picked from commit c0fb2a25f92848f4d78f72d31e9705e29e6f5ca8)

8 months ago DO NOT MERGE Drop Bluetooth connection with weak encryption key
Jakub Pawlowski [Thu, 14 Feb 2019 11:44:06 +0000 (12:44 +0100)]
DO NOT MERGE Drop Bluetooth connection with weak encryption key

This patch requires Bluetooth chip to support HCI Read Encryption Key Size
command and will cause Bluetooth to crash if this command is not supported
on a device. Such device should not take this patch and should look for
alternative solution to drop Bluetooth connection with weak encryption key.

Bug: 124301137
Change-Id: Id4b6b4e765628397a79e6806f45c2cd27acebd5b
(cherry picked from commit 027532b3678e3d50ed41270d747df5eb06bc6a8d)

10 months ago Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"
JP Sugarbroad [Tue, 19 Mar 2019 21:44:11 +0000 (14:44 -0700)]
Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"

This reverts commit 5cd6a9f1a8d4b6e8fca2b69dbdaaa8faed27c072.

10 months ago DO NOT MERGE Fix length for L2CAP config type EXT FLOW
Hansong Zhang [Thu, 7 Mar 2019 18:50:04 +0000 (10:50 -0800)]
DO NOT MERGE Fix length for L2CAP config type EXT FLOW

Bug: 119870451
Test: POC
Change-Id: I11041dd03caad5569e930ff36b50fc9c2719c57f
(cherry picked from commit 1fa0f29dbe4f833049697b551f237bf0cd234ddc)

11 months ago DO NOT MERGE btm_proc_smp_cback: Don't access p_dev_rec if freed
Hansong Zhang [Tue, 22 Jan 2019 21:46:47 +0000 (13:46 -0800)]
DO NOT MERGE btm_proc_smp_cback: Don't access p_dev_rec if freed

In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free

Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: I09aa1cf1d1c835146b62d0f4989aeedfb885d95b
(cherry picked from commit 74c6d501ce55e7bbce4129fae26bd0b5f802a7fc)

11 months ago DO NOT MERGE process_l2cap_cmd: Fix OOB
Hansong Zhang [Fri, 18 Jan 2019 19:51:00 +0000 (11:51 -0800)]
DO NOT MERGE process_l2cap_cmd: Fix OOB

Bug: 119870451
Test: POC
Change-Id: Ieef322a3ad4cebcaf40e5388584d3a04a4761d2e
(cherry picked from commit 38f07a3c93143ca31229f0caa5b1a270dc1f5401)

11 months ago DO NOT MERGE Separate SDP procedure from bonding state (1/2)
Ugo Yu [Tue, 30 Oct 2018 07:10:35 +0000 (15:10 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)

- Do not stay in bonding state if the device is paired but still
  discovering service.
- Report BOND_BONDED to Java after authentication is completed.
- Report empty UUID to Java if a classic Bluetooth device SDP
  failed while pairing.
- Hold BOND_BONDED intent until SDP is finished.
- Only accept profile connection for the device is at bonded
  state. Any attempt to connect while bonding would potentially
  lead to an unauthorized connection.

Bug: 79703832
Test: runtest bluetooth, regression test.
Change-Id: I023713e07308bfc0e5bb8d67f386bcc50f6a0f85
(cherry picked from commit 122e115b87fe98ca5e5e65b9765c146f9e52b65e)
(cherry picked from commit edd7e731edad067fe08b0623be6b2745bf81a445)

12 months ago DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu
Stanley Tng [Tue, 11 Dec 2018 22:45:13 +0000 (14:45 -0800)]
DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu

Add check to make sure that data buffer is big enough to read the 2
bytes for length.

Also, fix a regression from the previous CL that checks the buffer length
before doing a memcpy. The previous check is too strict causing valid
sized buffers to be rejected. The length check is incorrect and off by the header size.

Bug: 120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
(cherry picked from commit fcb1994de1f6ee34b8dc6804a2b32e20bf138073)
(cherry picked from commit 1f1d8b97d80d25023c4c7b04d2aa18d367f4158d)
(cherry picked from commit 6b2739f309f7719086eb8201b3e1a35ba60035f4)
(cherry picked from commit c1fcbd5508a75ae3eaf5f311d706d026fee2fe48)

13 months ago Fix buffer overflow in btif_dm_data_copy
Jakub Pawlowski [Tue, 27 Nov 2018 16:59:57 +0000 (17:59 +0100)]
Fix buffer overflow in btif_dm_data_copy

When we use a union, we should always define variables as the union type,
not as one of the field subtypes. If the latter is cast to the union type,
buffer overflow can happen.

Bug: 110166268
Test: compilation
Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd
Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd
(cherry picked from commit d1179759041eb66baf1b5cd398d69ce58849d848)

13 months ago Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
Jakub Pawlowski [Tue, 20 Nov 2018 21:31:31 +0000 (22:31 +0100)]
Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm

Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
Merged-In: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 78508d2c2cf93b4dd5c7aa630b90f5c6283fe53c)

14 months ago DO NOT MERGE HFP: Check AT command buffer boundary during parsing
Chienyuan [Thu, 11 Oct 2018 02:36:57 +0000 (10:36 +0800)]
DO NOT MERGE HFP: Check AT command buffer boundary during parsing

* add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback
  and bta_ag_at_hfp_cback to indicate effective data range of p_arg
* add checks for buffer copy overflow in bta_ag_at_hsp_cback and
  bta_ag_at_hfp_cback
* add packet length checks with p_end in bta_ag_parse_cmer
* add packet length checks with p_end in bta_ag_parse_bac

Bug: 112860487
Test: manual
Change-Id: Idbfa2b8bd4c1a0aeeacfe34349851b3bc8de7c69
(cherry picked from commit 5b1ef1038e3f4e4371c3d6718bf0f684be65eb2b)
(cherry picked from commit aea10aec7f7e97e9c02f57adf455bdba9e13f210)

14 months ago DO NOT MERGE: SDP: Check p_end in save_attr_seq and add_attr
Myles Watson [Thu, 25 Oct 2018 00:05:12 +0000 (17:05 -0700)]
DO NOT MERGE: SDP: Check p_end in save_attr_seq and add_attr

Bug: 115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit 2091fe75013ded87e105b6c405573681fbf0698f)

14 months ago DO NOT MERGE: MCAP: Check response length in mca_ccb_hdl_rsp
Myles Watson [Thu, 25 Oct 2018 22:27:03 +0000 (15:27 -0700)]
DO NOT MERGE: MCAP: Check response length in mca_ccb_hdl_rsp

Bug: 116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit 840f70ca1e75bd7311b48ae80dea1c04b8b947e4)

14 months ago DO NOT MERGE: HH: Check parameter length in bta_hh_ctrl_dat_act
Myles Watson [Thu, 25 Oct 2018 21:33:33 +0000 (14:33 -0700)]
DO NOT MERGE: HH: Check parameter length in bta_hh_ctrl_dat_act

Bug: 116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit a4a11e198164027f86e74e10aa68b9327df5b589)

14 months ago DO NOT MERGE: Fix possible OOB when AVDT data channel receive ACL data
Ugo Yu [Mon, 29 Oct 2018 17:57:06 +0000 (01:57 +0800)]
DO NOT MERGE: Fix possible OOB when AVDT data channel receive ACL data

Bug: 111450156

Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af)
(cherry picked from commit ad4098c340b52acdb0f48fd3e2612d810e71f4c4)

15 months ago Fix possible OOB read in process_service_search_rsp
Jakub Pawlowski [Wed, 10 Oct 2018 18:07:12 +0000 (20:07 +0200)]
Fix possible OOB read in process_service_search_rsp

Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
Merged-In: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit b6fa6e4fffe439abc97904b15088af88f983ca0d)

15 months ago DO NOT MERGE - Check SDU lower bound before allocate p_data
Ugo Yu [Tue, 18 Sep 2018 12:49:22 +0000 (20:49 +0800)]
DO NOT MERGE - Check SDU lower bound before allocate p_data

Bug: 112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit 87bcda81b8209a71b32351b54cedaad48a7a56b4)

16 months ago DO NOT MERGE - Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()
Pavlin Radoslavov [Thu, 6 Sep 2018 22:41:27 +0000 (15:41 -0700)]
DO NOT MERGE - Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()

Bug: 111450417
Test: PoC test program
Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
(cherry picked from commit 2692408d05bf16738284b61833649cee5d2a2233)
(cherry picked from commit b4cf8416bfd7922be02a246f50059c1309d6afc4)

16 months ago DO NOT MERGE - Check data length when parsing AVRCP vendor specific command responses
Pavlin Radoslavov [Thu, 6 Sep 2018 01:21:31 +0000 (18:21 -0700)]
DO NOT MERGE - Check data length when parsing AVRCP vendor specific command responses

Bug: 111450531
Bug: 111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)
(cherry picked from commit 8148397ca29a4795dffdd6daadc33af43aa9694f)

17 months ago DO NOT MERGE Check remaining frame length in rfc_process_mx_message
Hansong Zhang [Wed, 8 Aug 2018 18:38:30 +0000 (11:38 -0700)]
DO NOT MERGE Check remaining frame length in rfc_process_mx_message

Bug: 111936792
Bug: 80432928
Test: manual
Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
(cherry picked from commit 53e8b941fd918b6f03667e1bdd38fc73ac84396b)

17 months ago DO NOT MERGE Fix a wrong check in rfc_parse_data
Hansong Zhang [Fri, 13 Jul 2018 20:43:27 +0000 (13:43 -0700)]
DO NOT MERGE Fix a wrong check in rfc_parse_data

Bug: 78288018
Bug: 111436796
Test: manual
Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a
(cherry picked from commit 4cea9389422b1936ebdc2fcd78a0b71f419c6497)

17 months ago DO NOT MERGE Add bound check for rfc_parse_data
Hansong Zhang [Thu, 7 Jun 2018 23:11:27 +0000 (16:11 -0700)]
DO NOT MERGE Add bound check for rfc_parse_data

Bug: 78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
Merged-In: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit 1b9a465eea85e86984bb1e53be69880159e59c69)
(cherry picked from commit ee82a400c41fd7b141098e3f8659c44efa449e72)

17 months ago DO NOT MERGE Add packet length check in smp_proc_master_id
Ugo Yu [Wed, 8 Aug 2018 08:18:08 +0000 (16:18 +0800)]
DO NOT MERGE Add packet length check in smp_proc_master_id

Bug: 111937027
Test: manual
Change-Id: I2009b6be38f9733931e625379b035e84371fdcaf
(cherry picked from commit 36bbbbf8db31aaea5e03fb50c8b64f5773d5c1e0)

17 months ago Checks the SMP length to fix OOB read
Cheney Ni [Wed, 8 Aug 2018 14:40:27 +0000 (22:40 +0800)]
Checks the SMP length to fix OOB read

Bug: 111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
(cherry picked from commit 353faee793b4f0ce349ef2c950902be561b64827)

17 months ago Fix copy length calculation in sdp_copy_raw_data
Jakub Pawlowski [Mon, 16 Jul 2018 13:40:35 +0000 (06:40 -0700)]
Fix copy length calculation in sdp_copy_raw_data

Test: compilation
Bug: 110216176
Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
Merged-In: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
(cherry picked from commit 1a0571a4aca9d597a8f79665aa220decf0d45ce1)

17 months ago DO NOT MERGE: Add missing AVRCP message length checks inside avrc_msg_cback
Pavlin Radoslavov [Thu, 9 Aug 2018 20:40:54 +0000 (13:40 -0700)]
DO NOT MERGE: Add missing AVRCP message length checks inside avrc_msg_cback

Explicitly check the length of the received message before
accessing the data.

Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I50d1d1f7dd7038ffcd5f0d5975ab1db43178067f
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit b78d265f362dab7df559883617dd766bcc60ad43)

17 months ago DO NOT MERGE: Add packet length checks in mca_ccb_hdl_req
Cheney Ni [Tue, 7 Aug 2018 13:32:07 +0000 (21:32 +0800)]
DO NOT MERGE: Add packet length checks in mca_ccb_hdl_req

Bug: 110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
(cherry picked from commit fb5115a9f8782cc27b2ba860f9855d3fe882e0fc)

17 months ago DO NOT MERGE Check packet length in bta_av_proc_meta_cmd
Chienyuan [Wed, 8 Aug 2018 08:15:21 +0000 (16:15 +0800)]
DO NOT MERGE Check packet length in bta_av_proc_meta_cmd

Bug: 111893951
Test: manual
Change-Id: Ie562c393e949c275203617972d43bb005190b32b
(cherry picked from commit 82815f4498d35dcf8798ed6834e3a7f7212016d7)

17 months ago DO NOT MERGE Fix OOB read before buffer length check
Ugo Yu [Wed, 8 Aug 2018 06:57:25 +0000 (14:57 +0800)]
DO NOT MERGE Fix OOB read before buffer length check

Bug: 111936834
Test: manual
Change-Id: I60c500651f130876934a7b80889f4e021055fe73
(cherry picked from commit e64b4a38b049853b8e6e2f8e16dd15765e290f42)

17 months ago DO NOT MERGE Fix OOB read in avrc_ctrl_pars_vendor_rsp
Hansong Zhang [Mon, 6 Aug 2018 21:36:41 +0000 (14:36 -0700)]
DO NOT MERGE Fix OOB read in avrc_ctrl_pars_vendor_rsp

Bug: 78526423
Test: manual
Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91
(cherry picked from commit 082353ad14082babaf8bcb1fba000b3cf1450c11)

18 months ago DO NOT MERGE: SDP: Recalculate param_len after max_list_len
Myles Watson [Tue, 29 May 2018 23:55:58 +0000 (16:55 -0700)]
DO NOT MERGE: SDP: Recalculate param_len after max_list_len

Bug: 78136869
Test: manual connection to an A2DP device
Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
(cherry picked from commit ef7dddabbd70222fa0fafc97e8562d977f550d26)
(cherry picked from commit ca8a83ba76685d164baf0825a82f8d95c677bd3c)

18 months ago DO NOT MERGE SDP: Fix the param_len recalculation
Hansong Zhang [Fri, 20 Jul 2018 17:16:14 +0000 (10:16 -0700)]
DO NOT MERGE SDP: Fix the param_len recalculation

Bug: 78136869
Test: manual connection to an A2DP device
Change-Id: If32b848696180ab2fd33f514de89cb8c3d202e39
(cherry picked from commit 51b656f12b82e47130c4a5b1d976ec1e2ab8e72b)

18 months ago Don't use Address after it was deleted
Jakub Pawlowski [Wed, 11 Jul 2018 09:57:07 +0000 (02:57 -0700)]
Don't use Address after it was deleted

Bug: 110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
Merged-In: Id3364cf53153eafed478546d7347ed1673217e91
(cherry picked from commit 228712652abbd605023849f60d603e96c6948816)

18 months ago Add packet length checks in l2cble_process_sig_cmd
Jakub Pawlowski [Fri, 22 Jun 2018 05:56:11 +0000 (22:56 -0700)]
Add packet length checks in l2cble_process_sig_cmd

Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
Merged-In: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit 329b7cfb446ed34a2b67e31267ff61ce12f1d70c)

18 months ago DO NOT MERGE Fix OOB read in process_l2cap_cmd
Hansong Zhang [Thu, 12 Jul 2018 18:00:53 +0000 (11:00 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd

Test: manual
Bug: 79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
(cherry picked from commit 55afdafb272737a54bc629dbe4fdd4111ebb08f5)

18 months ago SDP: return error on offset bigger than attribute length
Jakub Pawlowski [Fri, 22 Jun 2018 11:46:39 +0000 (04:46 -0700)]
SDP: return error on offset bigger than attribute length

Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
Merged-In: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit 3565eaf72d810688bf91f75002da1f25039996df)

18 months ago DO NOT MERGE HFP: Fix out of bound access in phone number processing
Jack He [Wed, 27 Jun 2018 00:53:24 +0000 (17:53 -0700)]
DO NOT MERGE HFP: Fix out of bound access in phone number processing

* Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
  method
* Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
  PhoneStateChange method

Bug: 79431031
Bug: 79266386
Test: make call with super long phone numbers
Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
Merged-In: I98e7687ac4055800aa46626c6b1c866e52e474df
(cherry picked from commit 82371c1204cc0b48941ec1d41c516c4b40093879)

18 months ago DO NOT MERGE HID Host: Check L2CAP packet data length
Hansong Zhang [Thu, 7 Jun 2018 21:18:22 +0000 (14:18 -0700)]
DO NOT MERGE HID Host: Check L2CAP packet data length

Bug: 80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit 4344cfb76ad4c1c660d00a7b306acccde9bdef77)

18 months ago Revert "DO NOT MERGE: SDP: Recalculate param_len after max_list_len"
Max Spector [Fri, 20 Jul 2018 20:53:12 +0000 (13:53 -0700)]
Revert "DO NOT MERGE: SDP: Recalculate param_len after max_list_len"

This reverts commit 0f2114c7943106a566abd1064a5719ad0335bf0b.

19 months ago DO NOT MERGE: Don't reuse buffer when building response
Ajay Panicker [Wed, 6 Jun 2018 21:58:54 +0000 (14:58 -0700)]
DO NOT MERGE: Don't reuse buffer when building response

Bug: 79541338
Test: Compile and connect to remote headset
Change-Id: I5e059615db589e165630f39d631a922006c2d70f
(cherry picked from commit ecef51ee8fc216ef654fd73bdc5e2802b2cf9a7e)

19 months ago Add checks whether the AVDTP element data length is valid
Pavlin Radoslavov [Thu, 31 May 2018 17:23:02 +0000 (10:23 -0700)]
Add checks whether the AVDTP element data length is valid

Bug: 78288378
Test: Manual: Python script and extra logging
Change-Id: I576d798d8b566946a3f2d973cb9d4e8dbd22d09e
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit e192c988cbe6c0593f23e6d8e2701b459e8d895c)

19 months ago DO NOT MERGE BNEP: Fix build breakage by using osi_free instead of GKI_freebuf
Jack He [Tue, 5 Jun 2018 00:40:42 +0000 (17:40 -0700)]
DO NOT MERGE BNEP: Fix build breakage by using osi_free instead of GKI_freebuf

Bug: 79164722
Bug: 78286118
Test: make
Change-Id: I04fc994d9bca80aa4711118d3c5be02f2b809a48
(cherry picked from commit 6245466d55c4abb8047b4c167fced0804a9f217e)

19 months ago BNEP: Fix OOB access in bnep_data_ind
Jack He [Fri, 1 Jun 2018 21:00:42 +0000 (14:00 -0700)]
BNEP: Fix OOB access in bnep_data_ind

* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
  the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
  is most likely triggered

Bug: 78286118
Bug: 79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
      BNEP_EXTENSION_CONTROL packet
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit 3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit 0bd01271c4d888453ba375d9442ac27cd66961c9)

19 months ago Decrease length after reading from array in process_service_attr_req
Jakub Pawlowski [Tue, 29 May 2018 23:25:56 +0000 (16:25 -0700)]
Decrease length after reading from array in process_service_attr_req

Test: compilation
Bug: 78136677
Change-Id: I4807a350e2b4764a93f104ce88f23a957a7e85c0
Merged-In: I4807a350e2b4764a93f104ce88f23a957a7e85c0
(cherry picked from commit 76e962892ea1419f69e3c7e26a09fa77948c46e6)

19 months ago DO NOT MERGE: SDP: Recalculate param_len after max_list_len
Myles Watson [Tue, 29 May 2018 23:55:58 +0000 (16:55 -0700)]
DO NOT MERGE: SDP: Recalculate param_len after max_list_len

Bug: 78136869
Test: manual connection to an A2DP device
Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
(cherry picked from commit ef7dddabbd70222fa0fafc97e8562d977f550d26)
(cherry picked from commit ca8a83ba76685d164baf0825a82f8d95c677bd3c)

19 months ago DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_event
Hansong Zhang [Wed, 30 May 2018 00:35:01 +0000 (17:35 -0700)]
DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_event

Bug: 80145946
Test: manual
Change-Id: Ic83eaa4be868d5a345d80cd50a6915c0af719a53
(cherry picked from commit 078756d8071e0c122b2c75d416ebc22f77ed54e4)

19 months ago GATT: Handle too short Error Response PDU
Jakub Pawlowski [Wed, 23 May 2018 17:30:19 +0000 (10:30 -0700)]
GATT: Handle too short Error Response PDU

Since the spec is not clear what to do in this case, use one of
reserved error codes as a failure reason, and pass it to upper layers.

Bug: 79591688
Change-Id: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
Merged-In: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
(cherry picked from commit 03881d1055cf98b15ced06300e03a947b5300878)

19 months ago Add PDU size checks in process_service_search_attr_rsp
Jakub Pawlowski [Thu, 24 May 2018 15:59:34 +0000 (08:59 -0700)]
Add PDU size checks in process_service_search_attr_rsp

Bug: 79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
(cherry picked from commit 3181bdee7d207c9894dd1dfca02fad71cb2430e8)

19 months ago RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)
akirilov [Fri, 27 Apr 2018 22:12:59 +0000 (15:12 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)

Bug: 74075873
Test: manual
Change-Id: I76058b11c90dc40b78f26fb64b74d609f3473f5d
(cherry picked from commit 23918433c1f4970ae04c09a9fe096bf87cd83d76)

19 months ago RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
akirilov [Fri, 27 Apr 2018 20:08:05 +0000 (13:08 -0700)]
RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)

Bug: 74075873
Test: manual test (poc in bug)
Change-Id: I18e652f7e10ba42db6f2553083d2a2eec10e2998
(cherry picked from commit 4375ef17844b4d338754d517400ddd029d0882d3)

19 months ago DO NOT MERGE: Check number of attributes before writing to a buffer
Ajay Panicker [Fri, 11 May 2018 18:47:31 +0000 (11:47 -0700)]
DO NOT MERGE: Check number of attributes before writing to a buffer

Bug: 73824150
Test: Compile
Change-Id: Ie38ba177d6599afe28b5c6684bd951a75fa8a805
(cherry picked from commit d28e985241e4efdf6f3ce7d665fe50f48be13dae)

19 months ago DO NOT MERGE AVRC: Add bound check for AVRC_EVT_APP_SETTING_CHANGE
Hansong Zhang [Fri, 11 May 2018 18:40:44 +0000 (11:40 -0700)]
DO NOT MERGE AVRC: Add bound check for AVRC_EVT_APP_SETTING_CHANGE

Test: manual
Bug: 73782082
Change-Id: I4e384a2f8c0d8c4af03bd5865b2e907321419c86
(cherry picked from commit 9ca83201006bf938b9f2fad7fce121c26dc77028)

19 months ago DO NOT MERGE Prevent stack overflow in btif_storage
Hansong Zhang [Thu, 26 Apr 2018 22:45:28 +0000 (15:45 -0700)]
DO NOT MERGE Prevent stack overflow in btif_storage

Bug: 73963551
Test: manual
Change-Id: I5f7a583aad150ebf9e3d492181d80ca935c8aa3f
(cherry picked from commit 1d200be95816e6e82f3876ec03091a1b07a827a7)

19 months ago DO NOT MERGE: Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
Ajay Panicker [Thu, 12 Apr 2018 23:50:06 +0000 (16:50 -0700)]
DO NOT MERGE: Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ

Bug: 74121659
Test: Compiles
Change-Id: Ib29dd50cee9decda2d73bb79b84215ea4c6ead75
(cherry picked from commit a75ccdc7ee6c6f60baaf78717926faa9504f9f3f)

20 months ago DO NOT MERGE Fix unexpected behavior in smp_sm_event
Hansong Zhang [Fri, 30 Mar 2018 23:55:49 +0000 (16:55 -0700)]
DO NOT MERGE Fix unexpected behavior in smp_sm_event

Bug: 74121126
Test: manual
Change-Id: Ie5dd841d6461ad057c4ab572007f38c5446aba53
(cherry picked from commit 61c9430c58544b4bd4846ed0d5e6de0ae5150414)

21 months ago DO NOT MERGE SMP: Validate remote elliptic curve points
Andre Eisenbach [Wed, 4 Apr 2018 20:38:38 +0000 (13:38 -0700)]
DO NOT MERGE SMP: Validate remote elliptic curve points

Fixes: 72377774
Test: net_test_stack_smp (where applicable)
Change-Id: Iefcf97364493467075fadefd77d12716f71cd4f6
(cherry picked from commit 9181ec28da94705a763edbe60bd2a87e5f882beb)
(cherry picked from commit 4f9ed8f66eb57142f4bedd667230b55bbf8da366)

21 months ago DO NOT MERGE Fix OOB read in process_l2cap_cmd
Hansong Zhang [Thu, 12 Apr 2018 23:01:19 +0000 (16:01 -0700)]
DO NOT MERGE Fix OOB read in process_l2cap_cmd

Bug: 74202041
Bug: 74196706
Bug: 74201143
Test: manual
Change-Id: Ic25f7f3777d0375f76cc91e4d129b1636f1c388d
(cherry picked from commit 1bbea25a24004a371f4aed1c69b976fd23407d73)

21 months ago DO NOT MERGE Add bounds check for BNEP_Write
Hansong Zhang [Thu, 12 Apr 2018 19:23:36 +0000 (12:23 -0700)]
DO NOT MERGE Add bounds check for BNEP_Write

Bug: 74947856
Test: manual
Change-Id: I19d9dee53b9cac800c66becef4861e4ad9602bdf
(cherry picked from commit 769aeaaf444e08bad9d4e902242a3b8a1765202d)

21 months ago DO NOT MERGE Handle bad packet length in gatts_process_read_req
Stanley Tng [Thu, 5 Apr 2018 16:54:13 +0000 (09:54 -0700)]
DO NOT MERGE Handle bad packet length in gatts_process_read_req

Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Please note that there is another earlier CL that is reverted and this
is the updated one.

Bug: 73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit cc9c7330d1c3507d745170ae7b2e0546197b7acb)
(cherry picked from commit 810e669d7ae55dd50ec1ea159cd87c3f1cdf5695)

21 months ago DO NOT MERGE Drop LE CoC fragments when frame size is too big
Stanley Tng [Wed, 4 Apr 2018 23:38:22 +0000 (16:38 -0700)]
DO NOT MERGE Drop LE CoC fragments when frame size is too big

Drop the LE CoC data fragments when the received fragment size is too
big.

Test: Runs LE CoC SL4A test, BleCocTest.
Bug: 75298652
Merged-In: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
Change-Id: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
(cherry picked from commit 235eab9efd27469ac0dd82f63d198421f0e0f400)

21 months ago DO NOT MERGE: PAN: Always allocate in bta_pan_data_buf_ind_cback
Myles Watson [Wed, 21 Mar 2018 23:45:32 +0000 (16:45 -0700)]
DO NOT MERGE: PAN: Always allocate in bta_pan_data_buf_ind_cback

Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free.  Move the free call to pan_data_buf_ind_cb().

Free the buffer before every return in pan_data_buf_ind_cb.

Bug: 74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
(cherry picked from commit 2e0deb1d135805b37697f0e02a55269c6cc500fe)
(cherry picked from commit e04c8be75d115e5d241afe95148e0093ef8c72eb)

21 months ago DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result
Hansong Zhang [Mon, 2 Apr 2018 16:29:49 +0000 (09:29 -0700)]
DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result

Check the number of UUIDs from remote device

Bug: 74016921
Test: manual
Change-Id: I7e1fd420c96bdb4d8b1bb129eb85045f9e3da443
(cherry picked from commit f55b3093f1c5659da16c3df2670edd9089844526)

23 months ago DO NOT MERGE: AVRCP: Check number of text attribute values in response
Ajay Panicker [Fri, 2 Feb 2018 09:11:37 +0000 (01:11 -0800)]
DO NOT MERGE: AVRCP: Check number of text attribute values in response

Test: Build
Bug: 71603410
Change-Id: I6f822b0bc7fc2fb042a70b64cff61583a86b36e2
(cherry picked from commit 8a6fb368847794adb2365f91aa60a36a61d02607)

23 months ago DO NOT MERGE Truncate new line characters when adding string to config
Hansong Zhang [Fri, 9 Feb 2018 23:23:07 +0000 (15:23 -0800)]
DO NOT MERGE Truncate new line characters when adding string to config

Bug: 70808273
Test: test with a device with newline character in name
Change-Id: Ie7e0b5d93047bc12a9cb84cc15f7f68f38f36441
(cherry picked from commit 01facbcf9762e93010744edfa9bd04a46f95be6e)

23 months ago DO NOT MERGE: AVRCP: Check number of text attributes in response
Ajay Panicker [Fri, 2 Feb 2018 08:56:43 +0000 (00:56 -0800)]
DO NOT MERGE: AVRCP: Check number of text attributes in response

Test: Build
Bug: 71603315
Change-Id: Ieda5e410057062533ae09bd977bfe7f758a55140
(cherry picked from commit 07900311fbd68eba44c46ed491368597a63ae770)

23 months ago DO NOT MERGE: AVRCP: Initialize buffer for attribute values to be written to
Ajay Panicker [Fri, 2 Feb 2018 09:26:34 +0000 (01:26 -0800)]
DO NOT MERGE: AVRCP: Initialize buffer for attribute values to be written to

Test: Build
Bug: 71603553
Change-Id: I978270605cfaa3b833d6c19f1b1d2cd5a82ac079
(cherry picked from commit aeff2c709c34a56058f3a67a86acf96733bd6061)

23 months ago DO NOT MERGE: SDP: Check p_req_end before reading from p_req
Myles Watson [Fri, 12 Jan 2018 01:43:40 +0000 (17:43 -0800)]
DO NOT MERGE: SDP: Check p_req_end before reading from p_req

Bug: 69384124
Test: Connect a headset
Change-Id: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
(cherry picked from commit d321b13feaebb6ce83d4c449b3ef500ddbbef716)

23 months ago Avoid crash for Broadcom 2070 Bluetooth android-x86-7.1-r1 android-x86-7.1-r2
xiezhongtian [Fri, 2 Feb 2018 11:14:19 +0000 (19:14 +0800)]
Avoid crash for Broadcom 2070 Bluetooth

2 years ago PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
Myles Watson [Wed, 10 Jan 2018 17:51:28 +0000 (09:51 -0800)]
PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback

Patch from b/67078939

Test: build
Bug: 67110692
Change-Id: I63b857d031c55d3a0754e4101e330843eb422b2a
Merged-In: I63b857d031c55d3a0754e4101e330843eb422b2a
(cherry picked from commit bcad4b57fa67826fa254e987959b2666616fd6e9)

2 years ago BNEP: Check received frame type
Myles Watson [Thu, 11 Jan 2018 22:20:26 +0000 (14:20 -0800)]
BNEP: Check received frame type

Bug: 68818034
Test: build
Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
Merged-In: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
(cherry picked from commit c1778018189498da0ecb35e9356d11c9dc315353)

2 years ago SDP: Pass the bounds to process_service_*_rsp
Myles Watson [Thu, 11 Jan 2018 00:32:59 +0000 (16:32 -0800)]
SDP: Pass the bounds to process_service_*_rsp

Test: build
Bug: 68161546
Change-Id: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
Merged-In: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
(cherry picked from commit 88beb384eb3ab97d3da2902e3477e68e44345bd2)

2 years ago Allocate/free the SDP connection timers only during stack startup/shutdown
Pavlin Radoslavov [Fri, 12 Jan 2018 01:28:16 +0000 (17:28 -0800)]
Allocate/free the SDP connection timers only during stack startup/shutdown

This avoids freeing the sdp_conn_timer within the alarm callback itself.

Bug: 67110137
Test: Manual
Change-Id: I775b4b532cd42cf207258c53c6052a167a124627
Merged-In: I775b4b532cd42cf207258c53c6052a167a124627
(cherry picked from commit ef6a4a0c9d9220a7d909863349d7a0c0b967d54c)
(cherry picked from commit 486d27733fd3db14575370985ae50a02cbb193d4)

2 years ago DO NOT MERGE Fix unexpected behavior in reading BNEP packets
Hansong Zhang [Thu, 11 Jan 2018 00:59:48 +0000 (16:59 -0800)]
DO NOT MERGE Fix unexpected behavior in reading BNEP packets

Bug: 67863755
Bug: 69177251
Bug: 69177292
Bug: 69271284
Test: BNEP still works
Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372
(cherry picked from commit 1ba7a489f57252de63d95d0374fccc002fe3d35a)

2 years ago DO NOT MERGE Remove memory reference to invalid mem in error log
Stanley Tng [Wed, 10 Jan 2018 21:13:15 +0000 (13:13 -0800)]
DO NOT MERGE Remove memory reference to invalid mem in error log

Remove the memory reference to an invalid memory inside an error log
message.

Test: Edit code to force the error condition and make sure the new error
log does not crash.
Bug: 67058064
Merged-In: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
Change-Id: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
(cherry picked from commit 11cd7277a1d0da9013a8381cddbfc096e9adaed6)
(cherry picked from commit c779dc72e098a65fea6774d7ffdd036086ef7cd2)

2 years ago DO NOT MERGE: AVRCP: Check the number of text value attributes requested
Ajay Panicker [Thu, 11 Jan 2018 04:50:20 +0000 (20:50 -0800)]
DO NOT MERGE: AVRCP: Check the number of text value attributes requested

Test: Builds
Bug: 69479009
Change-Id: Ibd6a448eda65f857ddfacc1ee7ad1ead3b46fb8d
(cherry picked from commit 03ffdc94b07ad40d99b298137877aa9b5ebecb58)

2 years ago DO NOT MERGE: AVRCP: Check the number of text attributes requested
Ajay Panicker [Thu, 11 Jan 2018 00:34:50 +0000 (16:34 -0800)]
DO NOT MERGE: AVRCP: Check the number of text attributes requested

Test: Build
Bug: 69478941
Change-Id: Ic7e2632e5dab9031703b2bf8747e27f90f92f0e4
(cherry picked from commit 1661401e3a7b535f4c7eccfc15e4f228bf385eea)

2 years ago DO NOT MERGE Fix unexpected behavior in SDP
Hansong Zhang [Wed, 10 Jan 2018 03:43:20 +0000 (19:43 -0800)]
DO NOT MERGE Fix unexpected behavior in SDP

Bug: 68776054
Bug: 68817966
Test: Bluetooth SDP still works
Change-Id: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
Merged-In: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
(cherry picked from commit 968df7a80cc1901fb63ec0eb7a5080f64da3819e)

2 years ago Removed alarm callback execution statistics
Pavlin Radoslavov [Mon, 8 Jan 2018 19:37:05 +0000 (11:37 -0800)]
Removed alarm callback execution statistics

Updating the alarm state after the callback returns can be problematic
in case the callback itself deleted the alarm.

Bug: 67110137
Test: Manual
Change-Id: Id4de06eebedb792cadd63d09efb68672e9bddc69
Merged-In: Id4de06eebedb792cadd63d09efb68672e9bddc69
(cherry picked from commit 04574e1cde3b0d46b59b4b6ebab935ac60af9f97)
(cherry picked from commit b9ebb4ab26e27d0701d43faee775c1b1975d0191)

2 years ago Merge tag 'android-7.1.2_r36' into nougat-x86
Chih-Wei Huang [Thu, 4 Jan 2018 08:43:21 +0000 (16:43 +0800)]
Merge tag 'android-7.1.2_r36' into nougat-x86

Android 7.1.2 Release 36 (N2G48H)

2 years ago Merge cherrypicks of [3166006, 3165952, 3164925, 3164926, 3164927, 3164928, 3167313...
android-build-team Robot [Fri, 3 Nov 2017 19:55:59 +0000 (19:55 +0000)]
Merge cherrypicks of [3166006, 3165952, 3164925, 3164926, 3164927, 3164928, 3167313, 3167314, 3167315, 3167316, 3167317, 3167318, 3167319, 3167320, 3167321, 3167322, 3166318, 3166319, 3166320, 3166321, 3166322, 3166323, 3166324, 3167333, 3167334, 3167373, 3165112, 3166325, 3165229, 3165230] into nyc-mr2-release

Change-Id: I021f1a3719f16c3ea2e9b47d3a5c039f5a83a1ca

2 years ago Read the correct amount of attributes
Scott Bauer [Fri, 7 Apr 2017 00:35:40 +0000 (18:35 -0600)]
Read the correct amount of attributes

bta_gattc_cache_load currently attempts to read 0xFF attributes into an
allocation sized to num_attr attributes, which can be smaller than 0xFF.

There aren't more than num_attr bytes in correct data, but this breaks
with dynamic buffer overflow checking in CopperheadOS for the read
system call since fread ends up calling read, which obtains the size of
the allocation from the malloc implementation and then aborts due to the
(potential) overflow.

This would also fail with the default enabled _FORTIFY_SOURCE=2 feature
in the Android Open Source Project if osi_malloc was marked with the
alloc_size attribute. The way it wraps malloc loses that information so
fortify checks aren't done for calls like this.

Bug: 37160362
Change-Id: I68bd170d5378c9d9d21cbda376083bc0b857e15c
Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
[migrated to C++ file, added 0xFFFF limit and wrote commit message]
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
(cherry picked from commit 8eb6493ad56ed4fd8310bf96042cc54eb5b450dd)

2 years ago Read the correct amount of attributes
Scott Bauer [Fri, 7 Apr 2017 00:35:40 +0000 (18:35 -0600)]
Read the correct amount of attributes

bta_gattc_cache_load currently attempts to read 0xFF attributes into an
allocation sized to num_attr attributes, which can be smaller than 0xFF.

There aren't more than num_attr bytes in correct data, but this breaks
with dynamic buffer overflow checking in CopperheadOS for the read
system call since fread ends up calling read, which obtains the size of
the allocation from the malloc implementation and then aborts due to the
(potential) overflow.

This would also fail with the default enabled _FORTIFY_SOURCE=2 feature
in the Android Open Source Project if osi_malloc was marked with the
alloc_size attribute. The way it wraps malloc loses that information so
fortify checks aren't done for calls like this.

Bug: 37160362
Change-Id: I68bd170d5378c9d9d21cbda376083bc0b857e15c
Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
[migrated to C++ file, added 0xFFFF limit and wrote commit message]
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
(cherry picked from commit 8eb6493ad56ed4fd8310bf96042cc54eb5b450dd)

2 years ago Merge cherrypicks of [2973982, 2974657, 2974658, 2973983, 2973984, 2974689, 2974690...
android-build-team Robot [Thu, 28 Sep 2017 17:17:11 +0000 (17:17 +0000)]
Merge cherrypicks of [2973982, 2974657, 2974658, 2973983, 2973984, 2974689, 2974690, 2974691, 2974692, 2974710, 2974711, 2974713, 2974714, 2974215, 2974216, 2974217, 2974218, 2974219, 2974220, 2974729, 2974730, 2974731, 2974732, 2974733, 2974734, 2974735, 2974736, 2974737, 2974738, 2974739, 2974740, 2974741, 2974742, 2974749, 2974750, 2974751, 2974752, 2974753, 2974647, 2974744, 2974693, 2974694, 2974648, 2974513, 2974665, 2974746] into nyc-mr2-release

Change-Id: I1343a6e044021a57cb32927982ac6a2582d330a1

2 years ago SDP: Bounds check 'id' parameter for free_sdp_slot()
Andre Eisenbach [Tue, 8 Aug 2017 22:41:21 +0000 (15:41 -0700)]
SDP: Bounds check 'id' parameter for free_sdp_slot()

Merged-In: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7

Test: manual
Fixes: 37502513
Change-Id: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7
(cherry picked from commit b413f1b1365af4273647727e497848f95312d0ec)
(cherry picked from commit 82e4754aaafe820619a51f8eeaa858db8735d9c1)

2 years ago SDP: Bounds check 'id' parameter for free_sdp_slot()
Andre Eisenbach [Tue, 8 Aug 2017 22:41:21 +0000 (15:41 -0700)]
SDP: Bounds check 'id' parameter for free_sdp_slot()

Merged-In: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7

Test: manual
Fixes: 37502513
Change-Id: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7
(cherry picked from commit b413f1b1365af4273647727e497848f95312d0ec)
(cherry picked from commit 82e4754aaafe820619a51f8eeaa858db8735d9c1)

2 years ago Merge cherrypicks of [2607234, 2607235, 2606313, 2607236, 2607238, 2607239, 2606314...
android-build-team Robot [Thu, 27 Jul 2017 00:30:23 +0000 (00:30 +0000)]
Merge cherrypicks of [2607234, 2607235, 2606313, 2607236, 2607238, 2607239, 2606314, 2606315, 2607240, 2606316, 2606317, 2607241, 2607242, 2607243, 2607244, 2607370, 2607371, 2607245, 2607246, 2607247, 2607248, 2607249, 2607372, 2607390, 2607391, 2607392, 2607393, 2607373, 2607394, 2607397, 2607398, 2607375, 2607401, 2607376, 2607402, 2607377, 2607403, 2607404, 2607378, 2607405, 2607379, 2607380, 2607381, 2607406, 2607382, 2607407, 2607408, 2607409] into nyc-mr2-release

Change-Id: Ia2067c24c334563afb1f54dca60a79a350d568f0

2 years ago Add missing extension length check while parsing BNEP control packets
Pavlin Radoslavov [Tue, 18 Jul 2017 01:12:10 +0000 (18:12 -0700)]
Add missing extension length check while parsing BNEP control packets

Bug: 63146237
Test: External script
Change-Id: I4e519cec1c7dffb8bd42add00bd891e0969a3d9f
(cherry picked from commit 9ab89b7dbe5735b796799f65144efa48595d0230)
(cherry picked from commit dc7700a43189d2a8607b69ae19a6d646f11ddf51)
(cherry picked from commit c7874f25a0557ca4413d8db80bab8da842fc389a)
(cherry picked from commit 187bd8aec0aae63c6328981041e5ec7764ece6a9)
(cherry picked from commit 01f46e0aff705dab350cda7f648fb94976ea3988)
(cherry picked from commit e07d37969e654fd6be308232b15c1ed716205543)

2 years ago Free p_pending_data from tBNEP_CONN to avoid potential memory leaks
Pavlin Radoslavov [Tue, 18 Jul 2017 00:21:16 +0000 (17:21 -0700)]
Free p_pending_data from tBNEP_CONN to avoid potential memory leaks

Bug: 63146105
Test: External script
Change-Id: I1281779ccf38d1d2dfb1a6dc0e45c0e533cabbca
Merged-In: I1281779ccf38d1d2dfb1a6dc0e45c0e533cabbca
(cherry picked from commit 4982eb5df30cbcbee5c8b8807be95fdc6dfa63c5)
(cherry picked from commit a654681c5558904a8abfa1bbab8eafb651c13231)
(cherry picked from commit 64a12d3b6e71d9161837f28ce18c34d924c2bafc)
(cherry picked from commit 8f18afd26c02ae3d46bf14d6e36017965dee0394)
(cherry picked from commit f8fc7f7d112d5ff2064aaaa3c7fceb077169183e)

2 years ago Add a missing check for PAN buffer size before copying data
Pavlin Radoslavov [Thu, 13 Jul 2017 00:33:42 +0000 (17:33 -0700)]
Add a missing check for PAN buffer size before copying data

Bug: 63146237
Test: External script
Change-Id: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
Merged-In: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
(cherry picked from commit 1d909399cb4259243dac2e531e3ce6ca1afa77e7)
(cherry picked from commit aa486ad8b5ad6eaef732e5fa7f151495c8c3faf2)
(cherry picked from commit a8a6a17fdfc8d930ba4ad18f92cf4453cc1a219e)
(cherry picked from commit d1145e0af3507e37d4bd25f1833e22c5c716f0ac)
(cherry picked from commit 23642dc32ce8704067882cfb37745b62c2b3562a)

2 years ago Add missing packet length checks while parsing BNEP control packets
Pavlin Radoslavov [Thu, 13 Jul 2017 02:10:12 +0000 (19:10 -0700)]
Add missing packet length checks while parsing BNEP control packets

Bug: 63146237
Test: External script
Change-Id: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
Merged-In: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
(cherry picked from commit 7feaeb006941a1494d7cdc0a2ffc4bb1004b38b4)
(cherry picked from commit 6d415839da570b94b0763f6ab444f0dd1321fc33)
(cherry picked from commit c68554feb3ddfd31cdec6d81a4b73a959c1b2a09)
(cherry picked from commit 3775b3c49e5d62349fd1f3dfb743fabadb43ea75)
(cherry picked from commit f31afd3836184edccdfc8393dc4d168b0cfd912b)

2 years ago Add missing continuation offset check for SDP continuation requests
Pavlin Radoslavov [Thu, 13 Jul 2017 01:56:03 +0000 (18:56 -0700)]
Add missing continuation offset check for SDP continuation requests

Bug: 63146698
Test: External script
Change-Id: Iea52f1689dc12bfe0d4b57996f17db4bc3bd5983
Merged-In: Iea52f1689dc12bfe0d4b57996f17db4bc3bd5983
(cherry picked from commit e776c834768bedd043ace7e5714390b61c96a248)
(cherry picked from commit 10ce685cb025f6854be4ecc5329f2f684fd9ea5d)
(cherry picked from commit 3488364721ec066a03af14076bd312d27173115d)

2 years ago Disable PAN Reverse Tethering when connection originated by the Remote
Pavlin Radoslavov [Thu, 13 Jul 2017 01:39:31 +0000 (18:39 -0700)]
Disable PAN Reverse Tethering when connection originated by the Remote

* Check for valid interactions between the three PAN profile roles per
  Table 1 in PAN Profile v1.0 spec.
* Explicitly disable connections to the local PANU if the remote is
  not PANU.

Bug: 63145701
Test: External script
Change-Id: I29a7e404ba7e4453b6a7c59148a2b3eb7395303a
Merged-In: I29a7e404ba7e4453b6a7c59148a2b3eb7395303a
(cherry picked from commit 9aea2c2f92dd5245f6b35d564ce8e471fec2b4ec)
(cherry picked from commit 3f2ee5b546b65b5b021779588316249276ed3827)
(cherry picked from commit 40c7cefb12ac1a70bf7b1c770c1ab21a5b3f229e)
(cherry picked from commit f7a7f7a948e38195e8ca897785ac5d489082f0cc)
(cherry picked from commit b40497b27a0dce81d11f0dca09af6d81abf4bd92)

2 years ago Allocate buffers of the right size when BT_HDR is included
Pavlin Radoslavov [Thu, 6 Jul 2017 20:39:02 +0000 (13:39 -0700)]
Allocate buffers of the right size when BT_HDR is included

Bug: 63146105
Test: External script
Change-Id: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
Merged-In: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
(cherry picked from commit d88838a7237cd672d87b6b9cc8d56fff625fd1d5)
(cherry picked from commit b648c7dfe45c57842d58576f558fdf8edff10bec)
(cherry picked from commit 338e0485940ab278e6a2dc12285ba0798b79cfa4)
(cherry picked from commit 510697a0d79ac9816c0e2717c357c3330d89645a)