diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2021-04-12 23:44:47 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2021-04-12 23:44:47 +0000 |
commit | 868aa8d17ae7ce0d6e812912732675836df73faf (patch) | |
tree | 0b229945ef1bb1965cb4234dbe79628119f50cd7 | |
parent | 2dc290d917a1fe4c94a9691f90236762c13b0f4d (diff) | |
parent | d0a72022c32cbfc8b39603c735d365b8dfc1f4da (diff) | |
download | bt-android11-mainline-documentsui-release.tar.gz |
Snap for 7277594 from d0a72022c32cbfc8b39603c735d365b8dfc1f4da to mainline-documentsui-releaseandroid-mainline-11.0.0_r38android11-mainline-documentsui-release
Change-Id: I0d75e7cc561c216df2a19b84f4a89f0f41b0ceab
-rw-r--r-- | profile/avrcp/connection_handler.cc | 2 | ||||
-rw-r--r-- | profile/avrcp/connection_handler.h | 2 | ||||
-rw-r--r-- | stack/avrc/avrc_pars_ct.cc | 7 | ||||
-rw-r--r-- | stack/avrc/avrc_pars_tg.cc | 6 | ||||
-rw-r--r-- | stack/test/stack_avrcp_test.cc | 47 |
5 files changed, 62 insertions, 2 deletions
diff --git a/profile/avrcp/connection_handler.cc b/profile/avrcp/connection_handler.cc index af8fb578c..06c61b3ba 100644 --- a/profile/avrcp/connection_handler.cc +++ b/profile/avrcp/connection_handler.cc @@ -406,7 +406,7 @@ void ConnectionHandler::MessageCb(uint8_t handle, uint8_t label, uint8_t opcode, device_map_[handle]->MessageReceived(label, Packet::Parse(pkt)); } -void ConnectionHandler::SdpCb(const RawAddress& bdaddr, SdpCallback cb, +void ConnectionHandler::SdpCb(RawAddress bdaddr, SdpCallback cb, tSDP_DISCOVERY_DB* disc_db, bool retry, uint16_t status) { LOG(INFO) << __PRETTY_FUNCTION__ << ": SDP lookup callback received"; diff --git a/profile/avrcp/connection_handler.h b/profile/avrcp/connection_handler.h index d5f0a2725..a5029cfc9 100644 --- a/profile/avrcp/connection_handler.h +++ b/profile/avrcp/connection_handler.h @@ -136,7 +136,7 @@ class ConnectionHandler { using SdpCallback = base::Callback<void(uint16_t status, uint16_t version, uint16_t features)>; virtual bool SdpLookup(const RawAddress& bdaddr, SdpCallback cb, bool retry); - void SdpCb(const RawAddress& bdaddr, SdpCallback cb, + void SdpCb(RawAddress bdaddr, SdpCallback cb, tSDP_DISCOVERY_DB* disc_db, bool retry, uint16_t status); virtual bool AvrcpConnect(bool initiator, const RawAddress& bdaddr); diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc index 7b64b86e3..619aace9a 100644 --- a/stack/avrc/avrc_pars_ct.cc +++ b/stack/avrc/avrc_pars_ct.cc @@ -428,12 +428,19 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, case AVRC_PDU_GET_ITEM_ATTRIBUTES: { tAVRC_GET_ATTRS_RSP* get_attr_rsp = &(p_rsp->get_attrs); get_attr_rsp->pdu = pdu; + min_len += 2; + if (pkt_len < min_len) { + android_errorWriteLog(0x534e4554, "179162665"); + goto browse_length_error; + } BE_STREAM_TO_UINT8(get_attr_rsp->status, p) BE_STREAM_TO_UINT8(get_attr_rsp->num_attrs, p); get_attr_rsp->p_attrs = (tAVRC_ATTR_ENTRY*)osi_malloc( get_attr_rsp->num_attrs * sizeof(tAVRC_ATTR_ENTRY)); for (int i = 0; i < get_attr_rsp->num_attrs; i++) { tAVRC_ATTR_ENTRY* attr_entry = &(get_attr_rsp->p_attrs[i]); + min_len += 8; + if (pkt_len < min_len) goto browse_length_error; BE_STREAM_TO_UINT32(attr_entry->attr_id, p); BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p); BE_STREAM_TO_UINT16(attr_entry->name.str_len, p); diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc index 5a81d0d8a..190a88d75 100644 --- a/stack/avrc/avrc_pars_tg.cc +++ b/stack/avrc/avrc_pars_tg.cc @@ -75,6 +75,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_cmd(tAVRC_MSG_VENDOR* p_msg, BE_STREAM_TO_UINT8(p_result->reg_notif.event_id, p); BE_STREAM_TO_UINT32(p_result->reg_notif.param, p); + + if (p_result->reg_notif.event_id == 0 || + p_result->reg_notif.event_id > AVRC_NUM_NOTIF_EVENTS) { + android_errorWriteLog(0x534e4554, "181860042"); + status = AVRC_STS_BAD_PARAM; + } break; default: status = AVRC_STS_BAD_CMD; diff --git a/stack/test/stack_avrcp_test.cc b/stack/test/stack_avrcp_test.cc index ad1cc9e72..72ec45f29 100644 --- a/stack/test/stack_avrcp_test.cc +++ b/stack/test/stack_avrcp_test.cc @@ -14,6 +14,7 @@ * limitations under the License. */ +#include <arpa/inet.h> // htons #include <dlfcn.h> #include <gtest/gtest.h> @@ -110,3 +111,49 @@ TEST_F(StackAvrcpTest, test_avrcp_parse_browse_cmd) { EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)), AVRC_STS_NO_ERROR); } + +TEST_F(StackAvrcpTest, test_avrcp_pdu_register_notification) { + ASSERT_EQ(htons(0x500), 5); + + struct { + uint8_t pdu; + uint8_t reserved; + uint16_t len; + struct { + uint8_t event_id; + uint32_t param; + } payload; + } data = { + AVRC_PDU_REGISTER_NOTIFICATION, + 0, // reserved + htons(sizeof(data.payload)), + .payload = + { + .event_id = 0, + .param = 0x1234, + }, + }; + + tAVRC_MSG msg = { + .vendor = + { + .hdr = + { + .ctype = AVRC_CMD_NOTIF, + .opcode = AVRC_OP_VENDOR, + }, + .p_vendor_data = (uint8_t*)&data, + .vendor_len = sizeof(data), + }, + }; + tAVRC_COMMAND result{}; + + // Run through all possible event ids + uint8_t id = 0; + do { + data.payload.event_id = id; + ASSERT_EQ((id == 0 || id > AVRC_NUM_NOTIF_EVENTS) ? AVRC_STS_BAD_PARAM + : AVRC_STS_NO_ERROR, + AVRC_Ctrl_ParsCommand(&msg, &result)); + } while (++id != 0); +} |