author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2024-01-23 09:25:21 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2024-01-23 09:25:21 +0000 |
commit | df6e765c7441cac7cf01ac494b08bf0edbf9dc4c (patch) | |
tree | 0a32b05b1b0272d97e29cc52f01917391f7a2dc9 | |
parent | f46de0afc4aa3ae1c75b75ee8c936cb07ff6b25b (diff) | |
parent | cc0f605be27e948153bbe4e0738fbd3d08dffe74 (diff) | |
download | bt-android-platform-12.1.0_r26.tar.gz |
Merge cherrypicks of ['googleplex-android-review.googlesource.com/25493876', 'googleplex-android-review.googlesource.com/25532305', 'googleplex-android-review.googlesource.com/25658058', 'googleplex-android-review.googlesource.com/25677226', 'googleplex-android-review.googlesource.com/25842506'] into sc-v2-platform-release (android-platform-12.1.0_r27, android-platform-12.1.0_r26, android-platform-12.1.0_r25, android12L-platform-release)
Change-Id: Ic342797d2002714c56bcf369a5681617a4206a90
-rw-r--r-- | stack/btm/btm_sec.cc | 3 | ||||
-rw-r--r-- | stack/gatt/att_protocol.cc | 56 | ||||
-rw-r--r-- | stack/smp/smp_act.cc | 7 |
3 files changed, 53 insertions, 13 deletions
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index bfb045c5a..e53a91497 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -218,8 +218,7 @@ static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_r
 bool locally_initiated, uint16_t security_req) {
 return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
- btm_dev_authenticated(p_dev_rec) &&
- p_dev_rec->is_bond_type_temporary();
+ p_dev_rec->is_bond_type_temporary();
 }
 /*******************************************************************************
diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
index e7d22c508..ddb9ad681 100644
--- a/stack/gatt/att_protocol.cc
+++ b/stack/gatt/att_protocol.cc
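Review bot: The predicate now flags a remote-initiated access to an authentication-requiring service over a temporary bond regardless of the link's authentication state, but nothing at the definition records that this is deliberate, so the dropped `btm_dev_authenticated(p_dev_rec)` term is an easy thing for a later maintainer to "restore". A comment above the function would pin the intent, e.g. `// Remote-initiated access to a service that requires authentication over a temporary bond is reported regardless of btm_dev_authenticated(); the authentication term was removed on purpose.` The function's signature line starts outside the hunk (only its trailing parameters appear as context), and whether p_dev_rec may be null at the callers is not visible here.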
@@ -281,46 +281,80 @@ static BT_HDR* attp_build_opcode_cmd(uint8_t op_code) {
 static BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code, uint16_t handle, uint16_t offset, uint16_t len, uint8_t* p_data) {
- uint8_t *p, *pp, pair_len, *p_pair_len;
+ uint8_t *p, *pp, *p_pair_len;
+ size_t pair_len;
+ size_t size_now = 1;
+
+#define CHECK_SIZE() \
+ do { \
+ if (size_now > payload_size) { \
+ LOG_ERROR("payload size too small"); \
+ osi_free(p_buf); \
+ return nullptr; \
+ } \
+ } while (false)
+
 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
 p = pp = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
+
+ CHECK_SIZE();
 UINT8_TO_STREAM(p, op_code);
 p_buf->offset = L2CAP_MIN_OFFSET;
- p_buf->len = 1;
 if (op_code == GATT_RSP_READ_BY_TYPE) {
- p_pair_len = p;
+ p_pair_len = p++;
 pair_len = len + 2;
- UINT8_TO_STREAM(p, pair_len);
- p_buf->len += 1;
+ size_now += 1;
+ CHECK_SIZE();
+ // this field will be backfilled in the end of this function
 }
+
 if (op_code != GATT_RSP_READ_BLOB && op_code != GATT_RSP_READ) {
+ size_now += 2;
+ CHECK_SIZE();
 UINT16_TO_STREAM(p, handle);
- p_buf->len += 2;
 }
 if (op_code == GATT_REQ_PREPARE_WRITE || op_code == GATT_RSP_PREPARE_WRITE) {
+ size_now += 2;
+ CHECK_SIZE();
 UINT16_TO_STREAM(p, offset);
- p_buf->len += 2;
 }
 if (len > 0 && p_data != NULL) {
 /* ensure data not exceed MTU size */
- if (payload_size - p_buf->len < len) {
- len = payload_size - p_buf->len;
+ if (payload_size - size_now < len) {
+ len = payload_size - size_now;
 /* update handle value pair length */
- if (op_code == GATT_RSP_READ_BY_TYPE) *p_pair_len = (len + 2);
+ if (op_code == GATT_RSP_READ_BY_TYPE) {
+ pair_len = (len + 2);
+ }
 LOG(WARNING) << StringPrintf( "attribute value too long, to be truncated to %d", len);
 }
+ size_now += len;
+ CHECK_SIZE();
 ARRAY_TO_STREAM(p, p_data, len);
- p_buf->len += len;
 }
+ // backfill pair len field
+ if (op_code == GATT_RSP_READ_BY_TYPE) {
+ if (pair_len > UINT8_MAX) {
+ LOG_ERROR("pair_len greater than %d", UINT8_MAX);
+ osi_free(p_buf);
+ return nullptr;
+ }
+
+ *p_pair_len = (uint8_t)pair_len;
+ }
+
+#undef CHECK_SIZE
+
+ p_buf->len = (uint16_t)size_now;
 return p_buf;
 }
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index 24f3d8a0c..1863fdf51 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -432,6 +432,13 @@ void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
 * Description process security request.
 ******************************************************************************/
 void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+ if (smp_command_has_invalid_length(p_cb)) {
+ tSMP_INT_DATA smp_int_data;
+ smp_int_data.status = SMP_INVALID_PARAMETERS;
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
+ return;
+ }
+
 tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data->p_data;
 tBTM_BLE_SEC_REQ_ACT sec_req_act; |
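Review bot: attp_build_value_cmd can now return nullptr from every CHECK_SIZE() expansion and from the `pair_len > UINT8_MAX` branch, whereas before this change its only exit was `return p_buf;`; its callers are outside this hunk, so each one needs to be checked for a null test before it dereferences the result, otherwise the new bounds failures become null dereferences instead of dropped PDUs. The GATT_RSP_READ_BY_TYPE failure is reachable with a large MTU (a value longer than 253 octets), and a spec-conformant alternative to failing the build would be to clamp `len` to `UINT8_MAX - 2` before the data is streamed so the one-octet length field can never overflow — worth confirming against the ATT Read By Type Response rules before picking one. Minor: `pair_len` and `p_pair_len` are only assigned on the GATT_RSP_READ_BY_TYPE path; initialising them (`size_t pair_len = 0;`, `uint8_t *p_pair_len = nullptr;`) keeps -Wmaybe-uninitialized quiet and makes the backfill block obviously safe.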
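Review bot: The new guard asks `smp_command_has_invalid_length(p_cb)` but the next statement dereferences `p_data->p_data`, so it only protects this function if that helper validates the length of the same command p_data points at; a one-line comment stating the relationship would help, e.g. `// Reject a Security Request whose length does not match the SMP spec before touching its payload.` `smp_int_data` is declared uninitialised and only `.status` is set before it is handed to smp_sm_event(); if tSMP_INT_DATA is a plain union that is fine, otherwise `tSMP_INT_DATA smp_int_data = {};` is the safer form — its definition is not visible here. The body of smp_proc_sec_req continues past the end of the hunk, and whether the sibling command handlers in this file carry the same length check cannot be seen from this diff.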