author | android-build-team Robot <android-build-team-robot@google.com> | 2021-06-09 20:52:06 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-06-09 20:52:06 +0000 |
commit | 2427a2ac12cae60e7ddbb8cd621810b884d198be (patch) | |
tree | 30f0c2660fd5bdff40123878095e4baacb5f636b | |
parent | 37fd2d8d63f54ba1fecebccaa264a7d9221e1add (diff) | |
parent | ebf6141b4998d19b41c77ebfdf76fe53d0463eb2 (diff) | |
download | bt-2427a2ac12cae60e7ddbb8cd621810b884d198be.tar.gz |
Snap for 7316203 from 4da3dd85c17623ca144afa4f57a211b59de63d99 to rvc-platform-release am: ebf6141b49
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/14427788
Change-Id: Iab48338be542eaa044846dba419fa3dcc4ee6c89
-rw-r--r-- | profile/avrcp/connection_handler.cc | 2 | ||||
-rw-r--r-- | profile/avrcp/connection_handler.h | 2 | ||||
-rw-r--r-- | stack/avrc/avrc_pars_ct.cc | 7 | ||||
-rw-r--r-- | stack/avrc/avrc_pars_tg.cc | 6 | ||||
-rw-r--r-- | stack/test/stack_avrcp_test.cc | 47 |
5 files changed, 62 insertions, 2 deletions
diff --git a/profile/avrcp/connection_handler.cc b/profile/avrcp/connection_handler.cc
index af8fb578c..06c61b3ba 100644
--- a/profile/avrcp/connection_handler.cc
+++ b/profile/avrcp/connection_handler.cc
@@ -406,7 +406,7 @@ void ConnectionHandler::MessageCb(uint8_t handle, uint8_t label, uint8_t opcode,
 device_map_[handle]->MessageReceived(label, Packet::Parse(pkt));
 }
-void ConnectionHandler::SdpCb(const RawAddress& bdaddr, SdpCallback cb,
+void ConnectionHandler::SdpCb(RawAddress bdaddr, SdpCallback cb,
 tSDP_DISCOVERY_DB* disc_db, bool retry, uint16_t status) {
 LOG(INFO) << __PRETTY_FUNCTION__ << ": SDP lookup callback received";
diff --git a/profile/avrcp/connection_handler.h b/profile/avrcp/connection_handler.h
index d5f0a2725..a5029cfc9 100644
--- a/profile/avrcp/connection_handler.h
+++ b/profile/avrcp/connection_handler.h
@@ -136,7 +136,7 @@ class ConnectionHandler {
 using SdpCallback = base::Callback<void(uint16_t status, uint16_t version,
 uint16_t features)>;
 virtual bool SdpLookup(const RawAddress& bdaddr, SdpCallback cb, bool retry);
- void SdpCb(const RawAddress& bdaddr, SdpCallback cb,
+ void SdpCb(RawAddress bdaddr, SdpCallback cb,
 tSDP_DISCOVERY_DB* disc_db, bool retry, uint16_t status);
 virtual bool AvrcpConnect(bool initiator, const RawAddress& bdaddr);
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index 7c6367644..08ab66e72 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc
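Review bot: The change of `bdaddr` from `const RawAddress&` to a by-value `RawAddress` in `ConnectionHandler::SdpCb` carries no comment saying why, and the same applies to the declaration in connection_handler.h. If the intent is to give the callback its own copy of the address because it can run after the caller's object is gone (inferred; the site that binds SdpCb is outside these hunks), that should be written down, since a by-value parameter like this is what a later "pass by const reference" cleanup would silently revert. I would add above the declaration: `// bdaddr is taken by value on purpose: this callback may run after the caller's RawAddress is gone.` The function body continues outside the hunk.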
@@ -428,12 +428,19 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
 case AVRC_PDU_GET_ITEM_ATTRIBUTES: {
 tAVRC_GET_ATTRS_RSP* get_attr_rsp = &(p_rsp->get_attrs);
 get_attr_rsp->pdu = pdu;
+ min_len += 2;
+ if (pkt_len < min_len) {
+ android_errorWriteLog(0x534e4554, "179162665");
+ goto browse_length_error;
+ }
 BE_STREAM_TO_UINT8(get_attr_rsp->status, p)
 BE_STREAM_TO_UINT8(get_attr_rsp->num_attrs, p);
 get_attr_rsp->p_attrs = (tAVRC_ATTR_ENTRY*)osi_malloc(
 get_attr_rsp->num_attrs * sizeof(tAVRC_ATTR_ENTRY));
 for (int i = 0; i < get_attr_rsp->num_attrs; i++) {
 tAVRC_ATTR_ENTRY* attr_entry = &(get_attr_rsp->p_attrs[i]);
+ min_len += 8;
+ if (pkt_len < min_len) goto browse_length_error;
 BE_STREAM_TO_UINT32(attr_entry->attr_id, p);
 BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p);
 BE_STREAM_TO_UINT16(attr_entry->name.str_len, p);
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index 5a81d0d8a..190a88d75 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -75,6 +75,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_cmd(tAVRC_MSG_VENDOR* p_msg,
 BE_STREAM_TO_UINT8(p_result->reg_notif.event_id, p);
 BE_STREAM_TO_UINT32(p_result->reg_notif.param, p);
+
+ if (p_result->reg_notif.event_id == 0 ||
+ p_result->reg_notif.event_id > AVRC_NUM_NOTIF_EVENTS) {
+ android_errorWriteLog(0x534e4554, "181860042");
+ status = AVRC_STS_BAD_PARAM;
+ }
 break;
 default:
 status = AVRC_STS_BAD_CMD;
diff --git a/stack/test/stack_avrcp_test.cc b/stack/test/stack_avrcp_test.cc
index ad1cc9e72..72ec45f29 100644
--- a/stack/test/stack_avrcp_test.cc
+++ b/stack/test/stack_avrcp_test.cc
@@ -14,6 +14,7 @@
 * limitations under the License.
 */
+#include <arpa/inet.h> // htons
 #include <dlfcn.h>
 #include <gtest/gtest.h>
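Review bot: In stack/avrc/avrc_pars_ct.cc the per-attribute check `if (pkt_len < min_len) goto browse_length_error;` sits inside the loop, after `get_attr_rsp->p_attrs` has been allocated with `osi_malloc`, so a truncated response jumps out with that buffer still allocated. The `browse_length_error` label is outside the hunk; unless it or the caller frees `p_attrs` (and any strings attached to entries parsed in earlier iterations), every malformed packet from a peer leaks memory. I would release the array before the jump, `if (pkt_len < min_len) { osi_free_and_reset((void**)&get_attr_rsp->p_attrs); goto browse_length_error; }`, and check whether per-entry strings need the same treatment. The in-loop check also skips the `android_errorWriteLog` call that the first check makes, so truncation past the two-byte header goes unreported. The loop body runs past the end of the hunk, so the bound on the `str_len` bytes that follow cannot be confirmed from here.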
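Review bot: In stack/avrc/avrc_pars_tg.cc the new range check runs only after `BE_STREAM_TO_UINT8` and `BE_STREAM_TO_UINT32` have consumed five bytes from `p`, and nothing in the hunk shows that the vendor payload is at least that long. If no length guard exists above the hunk (the case label and the code before it are not visible), a short register-notification command is read past its end before `event_id` is validated; a guard on the remaining length belongs in front of the two reads. Separately, the rejected `event_id` stays stored in `p_result->reg_notif` and only `status` signals the failure, so a comment such as `// event_id outside 1..AVRC_NUM_NOTIF_EVENTS: fields are populated but must not be used when status != AVRC_STS_NO_ERROR` would make the contract explicit for callers.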
@@ -110,3 +111,49 @@ TEST_F(StackAvrcpTest, test_avrcp_parse_browse_cmd) {
 EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
 AVRC_STS_NO_ERROR);
 }
+
+TEST_F(StackAvrcpTest, test_avrcp_pdu_register_notification) {
+ ASSERT_EQ(htons(0x500), 5);
+
+ struct {
+ uint8_t pdu;
+ uint8_t reserved;
+ uint16_t len;
+ struct {
+ uint8_t event_id;
+ uint32_t param;
+ } payload;
+ } data = {
+ AVRC_PDU_REGISTER_NOTIFICATION,
+ 0, // reserved
+ htons(sizeof(data.payload)),
+ .payload =
+ {
+ .event_id = 0,
+ .param = 0x1234,
+ },
+ };
+
+ tAVRC_MSG msg = {
+ .vendor =
+ {
+ .hdr =
+ {
+ .ctype = AVRC_CMD_NOTIF,
+ .opcode = AVRC_OP_VENDOR,
+ },
+ .p_vendor_data = (uint8_t*)&data,
+ .vendor_len = sizeof(data),
+ },
+ };
+ tAVRC_COMMAND result{};
+
+ // Run through all possible event ids
+ uint8_t id = 0;
+ do {
+ data.payload.event_id = id;
+ ASSERT_EQ((id == 0 || id > AVRC_NUM_NOTIF_EVENTS) ? AVRC_STS_BAD_PARAM
+ : AVRC_STS_NO_ERROR,
+ AVRC_Ctrl_ParsCommand(&msg, &result));
+ } while (++id != 0);
+} |
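Review bot: The anonymous `payload` struct in `test_avrcp_pdu_register_notification` is not packed, so on common ABIs three padding bytes follow `event_id` and `sizeof(data.payload)` is 8 rather than the 5 bytes the parser reads (one for the event id, four for the parameter, as seen in the avrc_pars_tg.cc hunk). The test passes because only the status is asserted, but the parser presumably reads padding instead of `param`, `len` does not describe a real wire payload, and the fixture would break as soon as the parser enforces the payload length. Packing both structs keeps the fixture byte-accurate: `} __attribute__((packed)) payload;` and `} __attribute__((packed)) data = {`. The opening `ASSERT_EQ(htons(0x500), 5);` also ties the test to little-endian hosts and deserves a one-line comment saying so.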