authorandroid-build-team Robot <android-build-team-robot@google.com>2017-07-26 23:19:00 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>2017-07-26 23:19:00 +0000
commite860a0f01437b0aa90e89c45e3d25e6a32c64b93 (patch)
treea1b1dd0d1528fda1ac5d61246b9528695bc926a6
parentbf4089328e505eb4dcef63303a8f5e803445f95f (diff)
parent2767f9548b2dfbf9f40ec14806f03fe0af3288cf (diff)
Merge cherrypicks of [2604297, 2604299, 2604519, 2606195, 2605695, 2604520, 2606196, 2604521, 2604522, 2606197, 2604523, 2605696, 2605697, 2605698, 2606198, 2604524, 2604525, 2604526, 2604300, 2604527, 2606199, 2604528, 2604529, 2604301, 2606200, 2604302, 2606410, 2606201, 2606411, 2606202, 2606413, 2606203, 2606414, 2604303, 2604304, 2606204, 2604305, 2606206, 2606207, 2604306, 2606415, 2606208, 2606209, 2606416] into nyc-mr1-volantis-release (tags: android-7.1.1_r58, android-7.1.1_r53, nougat-mr1-volantis-release, nougat-mr1-flounder-release)
Change-Id: I83e46a672c194789d6d8263bd369a9eb5b09eb00
-rw-r--r--bta/pan/bta_pan_act.c10
-rw-r--r--stack/avdt/avdt_api.c2
-rw-r--r--stack/bnep/bnep_main.c3
-rw-r--r--stack/bnep/bnep_utils.c89
-rw-r--r--stack/l2cap/l2cap_client.c6
-rw-r--r--stack/mcap/mca_cact.c4
-rw-r--r--stack/pan/pan_main.c33
-rw-r--r--stack/sdp/sdp_server.c2
8 files changed, 118 insertions, 31 deletions
diff --git a/bta/pan/bta_pan_act.c b/bta/pan/bta_pan_act.c
index 199547817..f80dca1f8 100644
--- a/bta/pan/bta_pan_act.c
+++ b/bta/pan/bta_pan_act.c
@@ -26,6 +26,8 @@
#if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE)
+#include <cutils/log.h>
+
#include "bta_api.h"
#include "bta_sys.h"
#include "bt_common.h"
@@ -176,6 +178,14 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
/* offset smaller than data structure in front of actual data */
+ if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
+ PAN_BUF_SIZE) {
+ android_errorWriteLog(0x534e4554, "63146237");
+ APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
+ p_buf->len);
+ osi_free(p_buf);
+ return;
+ }
p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE);
memcpy((UINT8 *)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
(UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len);
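Review bot: The new guard and the `osi_malloc(PAN_BUF_SIZE)` below it only agree because PAN_BUF_SIZE is the whole allocation, BT_HDR and tBTA_PAN_DATA_PARAMS prefix included, and nothing in the hunk says so; a one-line comment keeps a later change to either side honest: `/* p_new_buf is PAN_BUF_SIZE bytes including BT_HDR + tBTA_PAN_DATA_PARAMS; a payload that cannot be re-framed into it is dropped */`. The guard lives only inside the "offset too small" branch, so the other path (outside the hunk) presumably relies on the lower layer having sized the buffer already, which is worth confirming rather than assuming. bta_pan_data_buf_ind_cback starts and ends outside this hunk.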
diff --git a/stack/avdt/avdt_api.c b/stack/avdt/avdt_api.c
index 98ef5f755..52010541d 100644
--- a/stack/avdt/avdt_api.c
+++ b/stack/avdt/avdt_api.c
@@ -1208,7 +1208,7 @@ UINT16 AVDT_SendReport(UINT8 handle, AVDT_REPORT_TYPE type,
/* build SR - assume fit in one packet */
p_tbl = avdt_ad_tc_tbl_by_type(AVDT_CHAN_REPORT, p_scb->p_ccb, p_scb);
if (p_tbl->state == AVDT_AD_ST_OPEN) {
- BT_HDR *p_pkt = (BT_HDR *)osi_malloc(p_tbl->peer_mtu);
+ BT_HDR *p_pkt = (BT_HDR *)osi_malloc(p_tbl->peer_mtu + sizeof(BT_HDR));
p_pkt->offset = L2CAP_MIN_OFFSET;
p = (UINT8 *)(p_pkt + 1) + p_pkt->offset;
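Review bot: The payload written through `p` starts at `(p_pkt + 1) + L2CAP_MIN_OFFSET`, so the enlarged allocation still leaves only `peer_mtu - L2CAP_MIN_OFFSET` bytes for the report, while the comment above says the sender report is merely assumed to fit and nothing checks it. The l2cap_client.c change in this same commit sizes its buffers as `mtu + L2CAP_MIN_OFFSET + sizeof(BT_HDR)`; either do the same here, `BT_HDR *p_pkt = (BT_HDR *)osi_malloc(p_tbl->peer_mtu + L2CAP_MIN_OFFSET + sizeof(BT_HDR));`, or bound the built length against `peer_mtu - L2CAP_MIN_OFFSET` before the packet is handed down. AVDT_SendReport continues outside the hunk, so whether the writer is bounded there cannot be seen from here.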
diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c
index 078a72ebd..36b76a1e0 100644
--- a/stack/bnep/bnep_main.c
+++ b/stack/bnep/bnep_main.c
@@ -575,7 +575,8 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
p_bcb->con_state != BNEP_STATE_CONNECTED &&
extension_present && p && rem_len)
{
- p_bcb->p_pending_data = (BT_HDR *)osi_malloc(rem_len);
+ osi_free(p_bcb->p_pending_data);
+ p_bcb->p_pending_data = (BT_HDR *)osi_malloc(rem_len + sizeof(BT_HDR));
memcpy((UINT8 *)(p_bcb->p_pending_data + 1), p, rem_len);
p_bcb->p_pending_data->len = rem_len;
p_bcb->p_pending_data->offset = 0;
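Review bot: The added `osi_free(p_bcb->p_pending_data)` closes the leak on a second pre-connection packet, but it also means any consumer of p_pending_data (outside this hunk) that frees the buffer without resetting the pointer turns this line into a double free; bnepu_release_bcb in this commit does NULL it, and the consumer path should be checked for the same. A comment at the assignment would pin the contract: `/* owned by p_bcb: freed on overwrite here and in bnepu_release_bcb; the consumer must NULL it after use */`. The copy is stored with `offset = 0`, which is fine if it is only re-parsed locally but leaves no L2CAP headroom should it ever reach the transmit path. bnep_data_ind starts and ends outside this hunk.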
diff --git a/stack/bnep/bnep_utils.c b/stack/bnep/bnep_utils.c
index 13fb189e7..e16ffcad0 100644
--- a/stack/bnep/bnep_utils.c
+++ b/stack/bnep/bnep_utils.c
@@ -154,6 +154,7 @@ void bnepu_release_bcb (tBNEP_CONN *p_bcb)
/* Drop any response pointer we may be holding */
p_bcb->con_state = BNEP_STATE_IDLE;
+ osi_free(p_bcb->p_pending_data);
p_bcb->p_pending_data = NULL;
/* Free transmit queue */
@@ -762,35 +763,53 @@ void bnep_process_setup_conn_responce (tBNEP_CONN *p_bcb, UINT8 *p_setup)
UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len, BOOLEAN is_ext)
{
UINT8 control_type;
- BOOLEAN bad_pkt = FALSE;
UINT16 len, ext_len = 0;
+ if (p == NULL || rem_len == NULL) {
+ if (rem_len != NULL) *rem_len = 0;
+ BNEP_TRACE_DEBUG("%s: invalid packet: p = %p rem_len = %p", __func__, p,
+ rem_len);
+ return NULL;
+ }
+ UINT16 rem_len_orig = *rem_len;
+
if (is_ext)
{
+ if (*rem_len < 1) goto bad_packet_length;
ext_len = *p++;
*rem_len = *rem_len - 1;
}
+ if (*rem_len < 1) goto bad_packet_length;
control_type = *p++;
*rem_len = *rem_len - 1;
- BNEP_TRACE_EVENT ("BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d", *rem_len, is_ext, control_type);
+ BNEP_TRACE_EVENT("%s: BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d",
+ __func__, *rem_len, is_ext, control_type);
switch (control_type)
{
case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD:
- BNEP_TRACE_ERROR ("BNEP Received Cmd not understood for ctl pkt type: %d", *p);
+ if (*rem_len < 1) {
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD with bad length",
+ __func__);
+ goto bad_packet_length;
+ }
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD for pkt type: %d",
+ __func__, *p);
p++;
*rem_len = *rem_len - 1;
break;
case BNEP_SETUP_CONNECTION_REQUEST_MSG:
len = *p++;
- if (*rem_len < ((2 * len) + 1))
- {
- bad_pkt = TRUE;
- BNEP_TRACE_ERROR ("BNEP Received Setup message with bad length");
- break;
+ if (*rem_len < ((2 * len) + 1)) {
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
+ __func__);
+ goto bad_packet_length;
}
if (!is_ext)
bnep_process_setup_conn_req (p_bcb, p, (UINT8)len);
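Review bot: In the `BNEP_SETUP_CONNECTION_REQUEST_MSG` case `len = *p++;` reads a byte before the length check that follows it, so a packet whose remaining length is already 0 after the control type still causes a one-byte over-read; the `< 1` guard this commit adds for the NOT_UNDERSTOOD case is missing here. Add `if (*rem_len < 1) goto bad_packet_length;` immediately before `len = *p++;` and keep the existing `(2 * len) + 1` test as it is. Separately, `ext_len` is read whenever `is_ext` is set but only consulted in the `default` case further down, so a known control type with a mismatched extension length desynchronises the parse of any following extension; the per-case checks keep that memory-safe, but a comment stating that ext_len is deliberately not reconciled for known types would stop the next reader from treating it as an oversight. The function continues in the following hunks.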
@@ -799,6 +818,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
break;
case BNEP_SETUP_CONNECTION_RESPONSE_MSG:
+ if (*rem_len < 2) {
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_SETUP_CONNECTION_RESPONSE_MSG with bad length",
+ __func__);
+ goto bad_packet_length;
+ }
if (!is_ext)
bnep_process_setup_conn_responce (p_bcb, p);
p += 2;
@@ -809,9 +834,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
BE_STREAM_TO_UINT16 (len, p);
if (*rem_len < (len + 2))
{
- bad_pkt = TRUE;
- BNEP_TRACE_ERROR ("BNEP Received Filter set message with bad length");
- break;
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
+ __func__);
+ goto bad_packet_length;
}
bnepu_process_peer_filter_set (p_bcb, p, len);
p += len;
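Review bot: `BE_STREAM_TO_UINT16 (len, p);` consumes two bytes before `*rem_len < (len + 2)` is evaluated, so with 0 or 1 bytes remaining the length field itself is read past the validated data; the response cases in this commit check `*rem_len < 2` first and this case should too: `if (*rem_len < 2) goto bad_packet_length;` placed before the BE_STREAM_TO_UINT16. The `case BNEP_FILTER_NET_TYPE_SET_MSG:` label itself is outside the hunk.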
@@ -819,6 +845,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
break;
case BNEP_FILTER_NET_TYPE_RESPONSE_MSG:
+ if (*rem_len < 2) {
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_FILTER_NET_TYPE_RESPONSE_MSG with bad length",
+ __func__);
+ goto bad_packet_length;
+ }
bnepu_process_peer_filter_rsp (p_bcb, p);
p += 2;
*rem_len = *rem_len - 2;
@@ -828,9 +860,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
BE_STREAM_TO_UINT16 (len, p);
if (*rem_len < (len + 2))
{
- bad_pkt = TRUE;
- BNEP_TRACE_ERROR ("BNEP Received Multicast Filter Set message with bad length");
- break;
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
+ __func__);
+ goto bad_packet_length;
}
bnepu_process_peer_multicast_filter_set (p_bcb, p, len);
p += len;
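Review bot: Same ordering problem as the net-type filter case: `BE_STREAM_TO_UINT16 (len, p);` reads two bytes before `*rem_len < (len + 2)` is tested, so a control packet with fewer than two bytes left over-reads the length field. Insert `if (*rem_len < 2) goto bad_packet_length;` ahead of the BE_STREAM_TO_UINT16. The `case BNEP_FILTER_MULTI_ADDR_SET_MSG:` label is outside the hunk.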
@@ -838,30 +871,38 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
break;
case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG:
+ if (*rem_len < 2) {
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG with bad length",
+ __func__);
+ goto bad_packet_length;
+ }
bnepu_process_multicast_filter_rsp (p_bcb, p);
p += 2;
*rem_len = *rem_len - 2;
break;
default :
- BNEP_TRACE_ERROR ("BNEP - bad ctl pkt type: %d", control_type);
+ BNEP_TRACE_ERROR("%s: BNEP - bad ctl pkt type: %d", __func__,
+ control_type);
bnep_send_command_not_understood (p_bcb, control_type);
- if (is_ext)
+ if (is_ext && (ext_len > 0))
{
+ if (*rem_len < (ext_len - 1)) {
+ goto bad_packet_length;
+ }
p += (ext_len - 1);
*rem_len -= (ext_len - 1);
}
break;
}
-
- if (bad_pkt)
- {
- BNEP_TRACE_ERROR ("BNEP - bad ctl pkt length: %d", *rem_len);
- *rem_len = 0;
- return NULL;
- }
-
return p;
+
+bad_packet_length:
+ BNEP_TRACE_ERROR("%s: bad control packet length: original=%d remaining=%d",
+ __func__, rem_len_orig, *rem_len);
+ *rem_len = 0;
+ return NULL;
}
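Review bot: The `ext_len - 1` arithmetic in the `default` case is correct only because the control-type byte consumed near the top of the function is counted inside `ext_len`, and nothing says so; a comment at the skip makes that explicit: `/* ext_len counts the control type byte already consumed above, hence ext_len - 1 */`. Two smaller points in the same case: `bnep_send_command_not_understood` is sent before the new length check, so a truncated extension is both answered and then dropped, and the `goto bad_packet_length` here is the only one in the switch without a case-specific BNEP_TRACE_ERROR; moving the check above the send and adding the trace would make this branch match the others.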
diff --git a/stack/l2cap/l2cap_client.c b/stack/l2cap/l2cap_client.c
index 7e8b3cb6f..cd7edfe1f 100644
--- a/stack/l2cap/l2cap_client.c
+++ b/stack/l2cap/l2cap_client.c
@@ -370,7 +370,8 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet) {
assert(packet != NULL);
// TODO(sharvil): eliminate copy into BT_HDR.
- BT_HDR *bt_packet = osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET);
+ BT_HDR *bt_packet = osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET +
+ sizeof(BT_HDR));
bt_packet->offset = L2CAP_MIN_OFFSET;
bt_packet->len = buffer_length(packet);
memcpy(bt_packet->data + bt_packet->offset, buffer_ptr(packet), buffer_length(packet));
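Review bot: `buffer_length(packet)` is evaluated three times in four lines and its result is both the allocation size and the value stored in `bt_packet->len`; if `len` is the 16-bit field BT_HDR carries elsewhere in this stack, a packet over 65535 bytes allocates correctly but records a truncated length, and the fragment loop below silently sends a short frame. Hoist it once and reject the oversize case, e.g. `size_t packet_len = buffer_length(packet); assert(packet_len <= UINT16_MAX);` (or the stack's own limit), then use `packet_len` for the malloc, the len field and the memcpy. fragment_packet begins before this hunk, so whether the caller already bounds the packet cannot be seen here.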
@@ -384,7 +385,8 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet) {
break;
}
- BT_HDR *fragment = osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET);
+ BT_HDR *fragment = osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET +
+ sizeof(BT_HDR));
fragment->offset = L2CAP_MIN_OFFSET;
fragment->len = client->remote_mtu;
memcpy(fragment->data + fragment->offset, bt_packet->data + bt_packet->offset, client->remote_mtu);
diff --git a/stack/mcap/mca_cact.c b/stack/mcap/mca_cact.c
index 583a34215..483169ad6 100644
--- a/stack/mcap/mca_cact.c
+++ b/stack/mcap/mca_cact.c
@@ -122,7 +122,7 @@ void mca_ccb_snd_req(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data)
p_ccb->p_tx_req = p_msg;
if (!p_ccb->cong)
{
- BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU);
+ BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
p_pkt->offset = L2CAP_MIN_OFFSET;
p = p_start = (UINT8*)(p_pkt + 1) + L2CAP_MIN_OFFSET;
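Review bot: The write pointer `p` starts at `(p_pkt + 1) + L2CAP_MIN_OFFSET`, so the enlarged allocation still gives the control message only `MCA_CTRL_MTU - L2CAP_MIN_OFFSET` bytes of room, whereas the l2cap_client.c change in this same commit adds `L2CAP_MIN_OFFSET` into its allocation size. If MCA_CTRL_MTU is not already defined with that headroom included (not visible here), use `BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU + L2CAP_MIN_OFFSET + sizeof(BT_HDR));` or bound the built length against `MCA_CTRL_MTU - L2CAP_MIN_OFFSET` before sending. mca_ccb_snd_req continues outside the hunk.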
@@ -164,7 +164,7 @@ void mca_ccb_snd_rsp(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data)
tMCA_CCB_MSG *p_msg = (tMCA_CCB_MSG *)p_data;
UINT8 *p, *p_start;
BOOLEAN chk_mdl = FALSE;
- BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU);
+ BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
MCA_TRACE_DEBUG("%s cong=%d req=%d", __func__, p_ccb->cong, p_msg->op_code);
/* assume that API functions verified the parameters */
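Review bot: Same concern as in mca_ccb_snd_req: the response is presumably built from `(p_pkt + 1) + L2CAP_MIN_OFFSET` (the offset assignment is outside this hunk), which leaves `MCA_CTRL_MTU - L2CAP_MIN_OFFSET` bytes of payload room, not MCA_CTRL_MTU. Either size the buffer as `MCA_CTRL_MTU + L2CAP_MIN_OFFSET + sizeof(BT_HDR)` like l2cap_client.c in this commit, or document that MCA_CTRL_MTU already includes the L2CAP headroom. The comment "assume that API functions verified the parameters" should name which parameters, since the response length is what matters here. mca_ccb_snd_rsp continues outside the hunk.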
diff --git a/stack/pan/pan_main.c b/stack/pan/pan_main.c
index 5c3a36739..74a75ecd4 100644
--- a/stack/pan/pan_main.c
+++ b/stack/pan/pan_main.c
@@ -222,6 +222,39 @@ void pan_conn_ind_cb (UINT16 handle,
return;
}
+ /* Check for valid interactions between the three PAN profile roles */
+ /*
+ * For reference, see Table 1 in PAN Profile v1.0 spec.
+ * Note: the remote is the initiator.
+ */
+ BOOLEAN is_valid_interaction = FALSE;
+ switch (remote_uuid->uu.uuid16) {
+ case UUID_SERVCLASS_NAP:
+ case UUID_SERVCLASS_GN:
+ if (local_uuid->uu.uuid16 == UUID_SERVCLASS_PANU)
+ is_valid_interaction = TRUE;
+ break;
+ case UUID_SERVCLASS_PANU:
+ is_valid_interaction = TRUE;
+ break;
+ }
+ /*
+ * Explicitly disable connections to the local PANU if the remote is
+ * not PANU.
+ */
+ if ((local_uuid->uu.uuid16 == UUID_SERVCLASS_PANU) &&
+ (remote_uuid->uu.uuid16 != UUID_SERVCLASS_PANU)) {
+ is_valid_interaction = FALSE;
+ }
+ if (!is_valid_interaction) {
+ PAN_TRACE_ERROR(
+ "PAN Connection failed because of invalid PAN profile roles "
+ "interaction: Remote UUID 0x%x Local UUID 0x%x",
+ remote_uuid->uu.uuid16, local_uuid->uu.uuid16);
+ BNEP_ConnectResp(handle, BNEP_CONN_FAILED_SRC_UUID);
+ return;
+ }
+
/* Requested destination role is */
if (local_uuid->uu.uuid16 == UUID_SERVCLASS_PANU)
req_role = PAN_ROLE_CLIENT;
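Review bot: The `case UUID_SERVCLASS_NAP: case UUID_SERVCLASS_GN:` branch that accepts a local PANU is dead code, because the block right after it sets `is_valid_interaction = FALSE` for every local PANU whose peer is not a PANU; a reader checking the logic against Table 1 of the PAN spec, which the comment cites, will conclude the NAP/GN-to-PANU row is allowed when it is deliberately rejected. Collapse the two into one decision and say why the table row is dropped: `/* Table 1 allows NAP/GN -> PANU, but a remote NAP or GN connecting to our PANU is refused on purpose: it would make the peer our network uplink without local consent */` (hedged: that rationale is inferred from the override, not stated in the hunk). The switch should also get a `default:` so an unexpected remote UUID is visibly rejected rather than falling out with the initial FALSE. pan_conn_ind_cb starts and ends outside this hunk.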
diff --git a/stack/sdp/sdp_server.c b/stack/sdp/sdp_server.c
index 627f4cf18..5b0bde438 100644
--- a/stack/sdp/sdp_server.c
+++ b/stack/sdp/sdp_server.c
@@ -230,7 +230,7 @@ static void process_service_search (tCONN_CB *p_ccb, UINT16 trans_num,
}
BE_STREAM_TO_UINT16 (cont_offset, p_req);
- if (cont_offset != p_ccb->cont_offset)
+ if (cont_offset != p_ccb->cont_offset || num_rsp_handles < cont_offset)
{
sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE,
SDP_TEXT_BAD_CONT_INX);
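Review bot: The new `num_rsp_handles < cont_offset` test is right, but why it is needed is not obvious from the hunk: equality with `p_ccb->cont_offset` already proves the client replayed our own continuation state, so the only way the offset can exceed the handle count is that the result set is presumably rebuilt per request and shrank (services removed) between segments. A comment should say so: `/* the handle list is rebuilt per request; a saved offset past its end would index stale or out-of-range handles */`. Where `num_rsp_handles` is computed and what width it has cannot be seen here; it should be compared at the same width as the 16-bit `cont_offset`. process_service_search continues outside the hunk.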