authorAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2024-01-11 04:47:33 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2024-01-11 04:47:33 +0000
commit6dd06d53acc5e96f08f017d4cf352e19509aced7 (patch)
tree784228e7c6a92c4aeb08973a396e2cc5b278851b
parent60d7a154875032b93bfba1bbed714974131a467c (diff)
parent55fe7f05819ff1ef946bdec429b64e72cea834cc (diff)
Merge cherrypicks of ['googleplex-android-review.googlesource.com/25493876', 'googleplex-android-review.googlesource.com/25532305', 'googleplex-android-review.googlesource.com/25658058', 'googleplex-android-review.googlesource.com/25677226', 'googleplex-android-review.googlesource.com/25842506'] into security-aosp-sc-release.android-security-12.0.0_r58android-security-12.0.0_r57android12-security-release
Change-Id: I77e6fffc4b200d3682b455766a302beb92aa8a0a
-rw-r--r--stack/btm/btm_sec.cc3
-rw-r--r--stack/gatt/att_protocol.cc56
-rw-r--r--stack/smp/smp_act.cc7
3 files changed, 53 insertions, 13 deletions
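--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -218,8 +218,7 @@ static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_r
 bool locally_initiated,
 uint16_t security_req) {
 return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
- btm_dev_authenticated(p_dev_rec) &&
- p_dev_rec->is_bond_type_temporary();
+ p_dev_rec->is_bond_type_temporary();
 }
 /*******************************************************************************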
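Review bot: The predicate now omits the `btm_dev_authenticated(p_dev_rec)` term, so a temporary bond is reported for an incoming BTM_SEC_IN_AUTHENTICATE request whether or not the link is currently authenticated, and nothing in the hunk records why; the next reader of the blame is likely to put the check back. Add a comment above the return statement: `// Authentication state is intentionally ignored here: a temporary bond is reported regardless of whether the link is already authenticated.` Presumably the caller denies access when this returns true, which is what makes the stricter condition the safe one; that caller is outside the hunk. The function's signature starts on the hunk header line, outside the visible hunk body.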
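--- a/stack/gatt/att_protocol.cc
+++ b/stack/gatt/att_protocol.cc
@@ -281,46 +281,80 @@ static BT_HDR* attp_build_opcode_cmd(uint8_t op_code) {
 static BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code,
 uint16_t handle, uint16_t offset,
 uint16_t len, uint8_t* p_data) {
- uint8_t *p, *pp, pair_len, *p_pair_len;
+ uint8_t *p, *pp, *p_pair_len;
+ size_t pair_len;
+ size_t size_now = 1;
+
+#define CHECK_SIZE() \
+ do { \
+ if (size_now > payload_size) { \
+ LOG_ERROR("payload size too small"); \
+ osi_free(p_buf); \
+ return nullptr; \
+ } \
+ } while (false)
+
 BT_HDR* p_buf =
 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
 p = pp = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
+
+ CHECK_SIZE();
 UINT8_TO_STREAM(p, op_code);
 p_buf->offset = L2CAP_MIN_OFFSET;
- p_buf->len = 1;
 if (op_code == GATT_RSP_READ_BY_TYPE) {
- p_pair_len = p;
+ p_pair_len = p++;
 pair_len = len + 2;
- UINT8_TO_STREAM(p, pair_len);
- p_buf->len += 1;
+ size_now += 1;
+ CHECK_SIZE();
+ // this field will be backfilled in the end of this function
 }
+
 if (op_code != GATT_RSP_READ_BLOB && op_code != GATT_RSP_READ) {
+ size_now += 2;
+ CHECK_SIZE();
 UINT16_TO_STREAM(p, handle);
- p_buf->len += 2;
 }
 if (op_code == GATT_REQ_PREPARE_WRITE || op_code == GATT_RSP_PREPARE_WRITE) {
+ size_now += 2;
+ CHECK_SIZE();
 UINT16_TO_STREAM(p, offset);
- p_buf->len += 2;
 }
 if (len > 0 && p_data != NULL) {
 /* ensure data not exceed MTU size */
- if (payload_size - p_buf->len < len) {
- len = payload_size - p_buf->len;
+ if (payload_size - size_now < len) {
+ len = payload_size - size_now;
 /* update handle value pair length */
- if (op_code == GATT_RSP_READ_BY_TYPE) *p_pair_len = (len + 2);
+ if (op_code == GATT_RSP_READ_BY_TYPE) {
+ pair_len = (len + 2);
+ }
 LOG(WARNING) << StringPrintf(
 "attribute value too long, to be truncated to %d", len);
 }
+ size_now += len;
+ CHECK_SIZE();
 ARRAY_TO_STREAM(p, p_data, len);
- p_buf->len += len;
 }
+ // backfill pair len field
+ if (op_code == GATT_RSP_READ_BY_TYPE) {
+ if (pair_len > UINT8_MAX) {
+ LOG_ERROR("pair_len greater than %d", UINT8_MAX);
+ osi_free(p_buf);
+ return nullptr;
+ }
+
+ *p_pair_len = (uint8_t)pair_len;
+ }
+
+#undef CHECK_SIZE
+
+ p_buf->len = (uint16_t)size_now;
 return p_buf;
 }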
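Review bot: attp_build_value_cmd can now return nullptr after freeing the buffer (every CHECK_SIZE expansion and the `pair_len > UINT8_MAX` check near the end), but neither the function header nor the hunk documents that contract, and every caller lives outside this hunk and must check the result. Add above the definition: `// Returns nullptr, after freeing the buffer, when the encoded fields do not fit in payload_size or when a READ_BY_TYPE pair length exceeds UINT8_MAX; callers must handle nullptr.` Also initialise the new local, `size_t pair_len = 0;`, since it is only assigned on the GATT_RSP_READ_BY_TYPE paths and an uninitialised-use warning is otherwise likely. The final `CHECK_SIZE()` after `size_now += len` cannot fail because len was just clamped to `payload_size - size_now`; it is harmless, but a one-line comment saying so would save the next reader the trace.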
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index 3afae8b18..84bb82360 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -432,6 +432,13 @@ void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
* Description process security request.
******************************************************************************/
void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+ if (smp_command_has_invalid_length(p_cb)) {
+ tSMP_INT_DATA smp_int_data;
+ smp_int_data.status = SMP_INVALID_PARAMETERS;
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
+ return;
+ }
+
tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data->p_data;
tBTM_BLE_SEC_REQ_ACT sec_req_act;