-rw-r--r--btif/src/btif_dm.cc77
-rw-r--r--stack/btm/ble_advertiser_hci_interface.cc35
-rw-r--r--stack/btm/btm_ble.cc7
-rw-r--r--stack/l2cap/l2c_main.cc54
-rw-r--r--stack/l2cap/l2c_utils.cc3
5 files changed, 146 insertions, 30 deletions
diff --git a/btif/src/btif_dm.cc b/btif/src/btif_dm.cc
index dd9b8130e..cc421d586 100644
--- a/btif/src/btif_dm.cc
+++ b/btif/src/btif_dm.cc
@@ -257,6 +257,11 @@ static bool is_empty_128bit(uint8_t* data) {
return !memcmp(zero, data, sizeof(zero));
}
+static bool is_bonding_or_sdp() {
+ return pairing_cb.state == BT_BOND_STATE_BONDING ||
+ (pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts);
+}
+
static void btif_dm_data_copy(uint16_t event, char* dst, char* src) {
tBTA_DM_SEC* dst_dm_sec = (tBTA_DM_SEC*)dst;
tBTA_DM_SEC* src_dm_sec = (tBTA_DM_SEC*)src;
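Review bot: is_bonding_or_sdp() has no comment, and it states the "bonded with SDP still outstanding" half of its predicate as the implicit-truth `pairing_cb.sdp_attempts` while bond_state_changed() further down in this commit spells the same condition as `pairing_cb.sdp_attempts > 0`; the two forms are equivalent today but will drift if sdp_attempts ever becomes signed or gets a sentinel. Suggest `// True while a pairing is in progress, or it completed but the post-bond SDP has not finished yet.` above the helper and the same `> 0` form inside it so the helper and bond_state_changed() read identically.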
@@ -483,8 +488,6 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr,
bt_bond_state_t state) {
btif_stats_add_bond_event(bd_addr, BTIF_DM_FUNC_BOND_STATE_CHANGED, state);
- // Send bonding state only once - based on outgoing/incoming we may receive
- // duplicates
if ((pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING)) {
// Cross key pairing so send callback for static address
if (!pairing_cb.static_bdaddr.IsEmpty()) {
@@ -502,14 +505,18 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr,
auto tmp = bd_addr;
HAL_CBACK(bt_hal_cbacks, bond_state_changed_cb, status, &tmp, state);
- if (state == BT_BOND_STATE_BONDING) {
+ int dev_type;
+ if (!btif_get_device_type(bd_addr, &dev_type)) {
+ dev_type = BT_DEVICE_TYPE_BREDR;
+ }
+
+ if (state == BT_BOND_STATE_BONDING ||
+ (state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts > 0)) {
+ // Save state for the device is bonding or SDP.
pairing_cb.state = state;
pairing_cb.bd_addr = bd_addr;
} else {
- if (!pairing_cb.sdp_attempts)
- memset(&pairing_cb, 0, sizeof(pairing_cb));
- else
- BTIF_TRACE_DEBUG("%s: BR-EDR service discovery active", __func__);
+ pairing_cb = {};
}
}
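Review bot: `dev_type` is looked up via btif_get_device_type() with a BREDR fallback but is never read afterwards — the function's closing brace is inside this hunk and nothing between the lookup and it uses the value, so as written it is dead code (and a -Wunused-but-set-variable warning). Either drop the lookup or, if the branch below was meant to depend on the transport, that dependency was lost and needs to be restored; I cannot tell which from the page. The removed comment "Send bonding state only once …" was the only explanation of the `(pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING)` de-duplication check, which survives; keep a one-liner such as `// Deliver BONDING once even if both the outgoing and incoming paths report it.` above it.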
@@ -1135,6 +1142,10 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) {
/* Trigger SDP on the device */
pairing_cb.sdp_attempts = 1;
+
+ // Report bonded to Java before start SDP
+ bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED);
+
btif_dm_get_remote_services(bd_addr);
}
}
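Review bot: The new bond_state_changed(…, BT_BOND_STATE_BONDED) call is correct only because `pairing_cb.sdp_attempts = 1` precedes it: with sdp_attempts non-zero bond_state_changed() saves state/bd_addr into pairing_cb, whereas with sdp_attempts == 0 the same call would reset pairing_cb to `{}` and the SDP started on the next line would run against an empty control block. That ordering is load-bearing but the comment does not say so; replace it with `// Report BONDED to Java before starting SDP. sdp_attempts must already be non-zero here so bond_state_changed() keeps pairing_cb instead of clearing it.` btif_dm_auth_cmpl_evt begins outside the hunk.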
@@ -1392,9 +1403,9 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) {
BTIF_TRACE_DEBUG("%s:(result=0x%x, services 0x%x)", __func__,
p_data->disc_res.result, p_data->disc_res.services);
- if ((p_data->disc_res.result != BTA_SUCCESS) &&
- (pairing_cb.state == BT_BOND_STATE_BONDING) &&
- (pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING)) {
+ if (p_data->disc_res.result != BTA_SUCCESS &&
+ pairing_cb.state == BT_BOND_STATE_BONDED &&
+ pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING) {
if (pairing_cb.sdp_attempts) {
BTIF_TRACE_WARNING("%s: SDP failed after bonding re-attempting",
__func__);
@@ -1421,21 +1432,39 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) {
/* onUuidChanged requires getBondedDevices to be populated.
** bond_state_changed needs to be sent prior to remote_device_property
*/
- if ((pairing_cb.state == BT_BOND_STATE_BONDING) &&
+ if (pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts &&
(p_data->disc_res.bd_addr == pairing_cb.bd_addr ||
- p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) &&
- pairing_cb.sdp_attempts > 0) {
- BTIF_TRACE_DEBUG(
- "%s Remote Service SDP done. Call bond_state_changed_cb BONDED",
- __func__);
+ p_data->disc_res.bd_addr == pairing_cb.static_bdaddr)) {
+ LOG_INFO(LOG_TAG, "%s Remote Service SDP done.", __func__);
pairing_cb.sdp_attempts = 0;
- // If bonding occured due to cross-key pairing, send bonding callback
+ // If bond occured due to cross-key pairing, send bond state callback
// for static address now
- if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr)
+ if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) {
bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDING);
-
- bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED);
+ bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED);
+ }
+ if (pairing_cb.state == BT_BOND_STATE_BONDED) {
+ if (p_data->disc_res.result == BTA_SUCCESS) {
+ // Device is bonded and SDP completed. Clear the pairing control
+ // block.
+ pairing_cb = {};
+ } else {
+ // Report empty UUID to Java if SDP report negative result while
+ // pairing.
+ bt_property_t prop;
+ Uuid uuid;
+
+ prop.type = BT_PROPERTY_UUIDS;
+ prop.val = &uuid;
+ prop.len = Uuid::kNumBytes128;
+
+ /* Send the event to the BTIF */
+ HAL_CBACK(bt_hal_cbacks, remote_device_properties_cb,
+ BT_STATUS_SUCCESS, &bd_addr, 1, &prop);
+ break;
+ }
+ }
}
if (p_data->disc_res.num_uuids != 0) {
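Review bot: In the cross-key branch, bond_state_changed(…, BT_BOND_STATE_BONDED) runs after `pairing_cb.sdp_attempts = 0`, and by bond_state_changed()'s own rule in this commit (BONDED with sdp_attempts == 0 → `pairing_cb = {}`) that zeroes the control block before the `if (pairing_cb.state == BT_BOND_STATE_BONDED)` test that follows; assuming BT_BOND_STATE_BONDED is non-zero, a cross-key pairing whose SDP failed therefore never gets the empty-UUID report that a same-address pairing gets. Decide the SDP-result handling before issuing the cross-key callbacks (e.g. evaluate the result block first, or test `p_data->disc_res.result` without re-reading pairing_cb.state afterwards) so both paths behave the same. `Uuid uuid;` relies on the default constructor producing the all-zero UUID — a short comment stating that, or initialising it explicitly from the type's empty constant, makes the "report empty UUID" intent visible. The enclosing switch case and btif_dm_search_services_evt continue beyond the hunk.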
@@ -1630,7 +1659,7 @@ static void btif_dm_upstreams_evt(uint16_t event, char* p_param) {
break;
case BTA_DM_BOND_CANCEL_CMPL_EVT:
- if (pairing_cb.state == BT_BOND_STATE_BONDING) {
+ if (is_bonding_or_sdp()) {
bd_addr = pairing_cb.bd_addr;
btm_set_bond_type_dev(pairing_cb.bd_addr, BOND_TYPE_UNKNOWN);
bond_state_changed((bt_status_t)p_data->bond_cancel_cmpl.result,
@@ -2273,7 +2302,7 @@ bt_status_t btif_dm_cancel_bond(const RawAddress* bd_addr) {
** 1. Restore scan modes
** 2. special handling for HID devices
*/
- if (pairing_cb.state == BT_BOND_STATE_BONDING) {
+ if (is_bonding_or_sdp()) {
if (pairing_cb.is_ssp) {
if (pairing_cb.is_le_only) {
BTA_DmBleSecurityGrant(*bd_addr, BTA_DM_SEC_PAIR_NOT_SPT);
@@ -2471,7 +2500,7 @@ bt_status_t btif_dm_get_remote_services(const RawAddress& remote_addr) {
/*******************************************************************************
*
- * Function btif_dm_get_remote_services_transport
+ * Function btif_dm_get_remote_services_by_transport
*
* Description Start SDP to get remote services by transport
*
@@ -3168,7 +3197,7 @@ bt_status_t btif_le_test_mode(uint16_t opcode, uint8_t* buf, uint8_t len) {
void btif_dm_on_disable() {
/* cancel any pending pairing requests */
- if (pairing_cb.state == BT_BOND_STATE_BONDING) {
+ if (is_bonding_or_sdp()) {
BTIF_TRACE_DEBUG("%s: Cancel pending pairing request", __func__);
btif_dm_cancel_bond(&pairing_cb.bd_addr);
}
diff --git a/stack/btm/ble_advertiser_hci_interface.cc b/stack/btm/ble_advertiser_hci_interface.cc
index 93b517d0a..574ef7111 100644
--- a/stack/btm/ble_advertiser_hci_interface.cc
+++ b/stack/btm/ble_advertiser_hci_interface.cc
@@ -27,6 +27,7 @@
#include "btm_int_types.h"
#include "device/include/controller.h"
#include "hcidefs.h"
+#include "log/log.h"
#define BTM_BLE_MULTI_ADV_SET_RANDOM_ADDR_LEN 8
#define BTM_BLE_MULTI_ADV_ENB_LEN 3
@@ -162,6 +163,14 @@ class BleAdvertiserVscHciInterfaceImpl : public BleAdvertiserHciInterface {
uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN];
memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN);
+ if (data_length > BTM_BLE_AD_DATA_LEN) {
+ android_errorWriteLog(0x534e4554, "121145627");
+ LOG(ERROR) << __func__
+ << ": data_length=" << static_cast<int>(data_length)
+ << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN;
+ data_length = BTM_BLE_AD_DATA_LEN;
+ }
+
uint8_t* pp = param;
UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_ADV_DATA);
UINT8_TO_STREAM(pp, data_length);
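Review bot: The clamp bounds data_length by BTM_BLE_AD_DATA_LEN while the buffer it protects is sized BTM_BLE_MULTI_ADV_WRITE_DATA_LEN, and nothing on the page ties the two constants together (the legacy variants below do: `param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1]` with one length byte before the payload, so clamping to HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA fits exactly). A `static_assert` relating BTM_BLE_AD_DATA_LEN plus the header bytes written ahead of the payload to BTM_BLE_MULTI_ADV_WRITE_DATA_LEN would make the bound checkable rather than assumed. The same guard is duplicated verbatim in the scan-response hunk and both legacy hunks; a small static helper that logs and clamps would keep the four copies from drifting. Truncating rather than rejecting is a visible behaviour change for callers, so a one-liner such as `// Oversized payloads are truncated, not rejected, so a misbehaving caller cannot overrun param.` should state that choice.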
@@ -181,6 +190,14 @@ class BleAdvertiserVscHciInterfaceImpl : public BleAdvertiserHciInterface {
uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN];
memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN);
+ if (scan_response_data_length > BTM_BLE_AD_DATA_LEN) {
+ android_errorWriteLog(0x534e4554, "121145627");
+ LOG(ERROR) << __func__ << ": scan_response_data_length="
+ << static_cast<int>(scan_response_data_length)
+ << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN;
+ scan_response_data_length = BTM_BLE_AD_DATA_LEN;
+ }
+
uint8_t* pp = param;
UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_SCAN_RSP_DATA);
UINT8_TO_STREAM(pp, scan_response_data_length);
@@ -372,6 +389,15 @@ class BleAdvertiserLegacyHciInterfaceImpl : public BleAdvertiserHciInterface {
uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1];
+ if (data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) {
+ android_errorWriteLog(0x534e4554, "121145627");
+ LOG(ERROR) << __func__
+ << ": data_length=" << static_cast<int>(data_length)
+ << ", is longer than size limit "
+ << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+ data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+ }
+
uint8_t* pp = param;
memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1);
UINT8_TO_STREAM(pp, data_length);
@@ -389,6 +415,15 @@ class BleAdvertiserLegacyHciInterfaceImpl : public BleAdvertiserHciInterface {
VLOG(1) << __func__;
uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1];
+ if (scan_response_data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) {
+ android_errorWriteLog(0x534e4554, "121145627");
+ LOG(ERROR) << __func__ << ": scan_response_data_length="
+ << static_cast<int>(scan_response_data_length)
+ << ", is longer than size limit "
+ << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+ scan_response_data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+ }
+
uint8_t* pp = param;
memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1);
UINT8_TO_STREAM(pp, scan_response_data_length);
diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc
index ca93e1a5d..0c4bdd98d 100644
--- a/stack/btm/btm_ble.cc
+++ b/stack/btm/btm_ble.cc
@@ -39,6 +39,7 @@
#include "gap_api.h"
#include "gatt_api.h"
#include "hcimsgs.h"
+#include "log/log.h"
#include "l2c_int.h"
#include "osi/include/log.h"
#include "osi/include/osi.h"
@@ -2086,6 +2087,12 @@ uint8_t btm_proc_smp_cback(tSMP_EVT event, const RawAddress& bd_addr,
}
if (event == SMP_COMPLT_EVT) {
+ p_dev_rec = btm_find_dev(bd_addr);
+ if (p_dev_rec == NULL) {
+ BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__);
+ android_errorWriteLog(0x534e4554, "120612744");
+ return 0;
+ }
BTM_TRACE_DEBUG(
"evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x",
p_data->cmplt.sec_level, p_dev_rec->sec_flags);
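Review bot: The SMP_COMPLT_EVT branch now re-fetches `p_dev_rec` with btm_find_dev() immediately before dereferencing it, which implies the value obtained earlier in btm_proc_smp_cback (outside the hunk) may be stale or NULL by this point, but nothing says why; a comment such as `// Re-look up the record: it may have been dropped while earlier events ran; bail out rather than dereference NULL.` would give the next reader the reason, adjusted to what the earlier code actually does. Including the peer address in the error (`bd_addr.ToString().c_str()`) would make the log actionable when it fires in the field. The function continues beyond the hunk.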
diff --git a/stack/l2cap/l2c_main.cc b/stack/l2cap/l2c_main.cc
index eae77a643..74e713525 100644
--- a/stack/l2cap/l2c_main.cc
+++ b/stack/l2cap/l2c_main.cc
@@ -455,19 +455,40 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
switch (cfg_code & 0x7F) {
case L2CAP_CFG_TYPE_MTU:
cfg_info.mtu_present = true;
- if (p + 2 > p_next_cmd) return;
+ if (cfg_len != 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(cfg_info.mtu, p);
break;
case L2CAP_CFG_TYPE_FLUSH_TOUT:
cfg_info.flush_to_present = true;
- if (p + 2 > p_next_cmd) return;
+ if (cfg_len != 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(cfg_info.flush_to, p);
break;
case L2CAP_CFG_TYPE_QOS:
cfg_info.qos_present = true;
- if (p + 2 + 5 * 4 > p_next_cmd) return;
+ if (cfg_len != 2 + 5 * 4) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.qos.qos_flags, p);
STREAM_TO_UINT8(cfg_info.qos.service_type, p);
STREAM_TO_UINT32(cfg_info.qos.token_rate, p);
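Review bot: `p + cfg_len > p_next_cmd` forms a pointer beyond p_next_cmd before comparing; if p_next_cmd is the end of the received buffer that arithmetic is itself out of range (undefined behaviour in C/C++, harmless in practice but exactly what sanitizers flag). `if (cfg_len > p_next_cmd - p)` expresses the same check without forming the pointer, and since it no longer depends on the option type it could run once above the switch instead of being repeated per case. The six identical `cfg_len != N` / bounds pairs (the FCR hunk and the FCS/EXT_FLOW hunk repeat them) would read better with the expected sizes named, e.g. `L2CAP_CFG_MTU_OPTION_LEN`, rather than `2 + 5 * 4` style arithmetic. process_l2cap_cmd continues outside the hunk.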
@@ -479,7 +500,14 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
case L2CAP_CFG_TYPE_FCR:
cfg_info.fcr_present = true;
- if (p + 3 + 3 * 2 > p_next_cmd) return;
+ if (cfg_len != 3 + 3 * 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.fcr.mode, p);
STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p);
STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p);
@@ -490,13 +518,27 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
case L2CAP_CFG_TYPE_FCS:
cfg_info.fcs_present = true;
- if (p + 1 > p_next_cmd) return;
+ if (cfg_len != 1) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.fcs, p);
break;
case L2CAP_CFG_TYPE_EXT_FLOW:
cfg_info.ext_flow_spec_present = true;
- if (p + 2 + 2 + 3 * 4 > p_next_cmd) return;
+ if (cfg_len != 2 + 2 + 3 * 4) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p);
STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p);
STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p);
diff --git a/stack/l2cap/l2c_utils.cc b/stack/l2cap/l2c_utils.cc
index 337e0764b..ced48a240 100644
--- a/stack/l2cap/l2c_utils.cc
+++ b/stack/l2cap/l2c_utils.cc
@@ -796,6 +796,9 @@ void l2cu_send_peer_config_rej(tL2C_CCB* p_ccb, uint8_t* p_data,
case L2CAP_CFG_TYPE_MTU:
case L2CAP_CFG_TYPE_FLUSH_TOUT:
case L2CAP_CFG_TYPE_QOS:
+ case L2CAP_CFG_TYPE_FCR:
+ case L2CAP_CFG_TYPE_FCS:
+ case L2CAP_CFG_TYPE_EXT_FLOW:
p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
break;