system/bt
Revision | 4689e9b7af19e74632d340cd0851dd0b9b824089 (tree) |
---|---|
Zeit | 2020-04-14 23:54:21 |
Autor | Gaganpreet kaur <gaganpreetx.kaur@inte...> |
Commiter | Chih-Wei Huang |
Fix for multiple com.android.bluetooth crash issues.
Issue 1: com.android.bluetooth crash was seen due to invalid/
out of bound index while creating Listening Channel for AVRCP.
Reason: AVRCP creates the listening channel using
bta_av_rc_create, this function expects RC Channel Handle to be
passed as it will fetch the index for RC handle using
tBTA_AV_SCB* p_scb = p_cb->p_scb[shdl - 1];
But we are passing 0, i.e. the index for the RC handle, directly. Because of
this, the above statement will throw an exception for an out of bound
index and a crash is observed.
Fix: Updated the bta_av_rc_create calls with RC handle value
instead of index.
Issue 2: com.android.bluetooth crash was seen due to failed
check for parameter length for vendor capabilities as:
CHECK(p_vcs_cplt_params->param_len >
Reason: We always receive param_len for vendor capabilities as
9. Also BTM_VSC_CHIP_CAPABILITY_RSP_LEN is defined as 9. But as
per the check param_len is expected to be greater than 9. As the
check fails, exception is seen and crash is observed.
Fix: Changed the CHECK on param_len for Vendor Capabilities as:
CHECK(p_vcs_cplt_params->param_len >=
Change-Id: Ic11c58e8193c0d8252e569fee2bc99d30abb7aae
Tracked-On:
Signed-off-by: Gaganpreet kaur <gaganpreetx.kaur@intel.com>
@@ -1254,7 +1254,7 @@ void bta_av_conn_chg(tBTA_AV_DATA* p_data) { | ||
1254 | 1254 | /* if the AVRCP is no longer listening, create the listening channel */ |
1255 | 1255 | if (bta_av_cb.rc_acp_handle == BTA_AV_RC_HANDLE_NONE && |
1256 | 1256 | bta_av_cb.features & BTA_AV_FEAT_RCTG) |
1257 | - bta_av_rc_create(&bta_av_cb, AVCT_ACP, 0, BTA_AV_NUM_LINKS + 1); | |
1257 | + bta_av_rc_create(&bta_av_cb, AVCT_ACP, 1, BTA_AV_NUM_LINKS + 1); | |
1258 | 1258 | } |
1259 | 1259 | |
1260 | 1260 | APPL_TRACE_DEBUG( |
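Review bot: The new `1` on line 1257 is a bare magic number that encodes the contract that `shdl` is a 1-based stream handle, which `bta_av_rc_create` turns into `p_scb[shdl - 1]` according to the commit message; the same literal is introduced in the hunks at 1438, 1972, 682 and 699. A short comment at each site, `/* shdl is a 1-based SCB handle; 0 would index p_scb[-1] */`, or a named constant next to `BTA_AV_RC_HANDLE_NONE`, would keep the next reader from "fixing" it back to an index. The root cause is that the callee trusts its `shdl` argument; if `bta_av_rc_create` does not itself reject `shdl == 0` (not visible here), adding that guard in the callee would protect every caller rather than each call site. The enclosing functions start before and end after these hunks.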
@@ -1435,7 +1435,7 @@ void bta_av_sig_chg(tBTA_AV_DATA* p_data) { | ||
1435 | 1435 | p_lcb->conn_msk = 0; /* clear the connect mask */ |
1436 | 1436 | /* start listening when the signal channel is open */ |
1437 | 1437 | if (p_cb->features & BTA_AV_FEAT_RCTG) { |
1438 | - bta_av_rc_create(p_cb, AVCT_ACP, 0, p_lcb->lidx); | |
1438 | + bta_av_rc_create(p_cb, AVCT_ACP, 1, p_lcb->lidx); | |
1439 | 1439 | } |
1440 | 1440 | /* this entry is not used yet. */ |
1441 | 1441 | p_cb->conn_lcb |= mask; /* mark it as used */ |
@@ -1969,7 +1969,7 @@ void bta_av_rc_closed(tBTA_AV_DATA* p_data) { | ||
1969 | 1969 | (*p_cb->p_cback)(BTA_AV_RC_CLOSE_EVT, &bta_av_data); |
1970 | 1970 | if (bta_av_cb.rc_acp_handle == BTA_AV_RC_HANDLE_NONE |
1971 | 1971 | && bta_av_cb.features & BTA_AV_FEAT_RCTG) |
1972 | - bta_av_rc_create(&bta_av_cb, AVCT_ACP, 0, BTA_AV_NUM_LINKS + 1); | |
1972 | + bta_av_rc_create(&bta_av_cb, AVCT_ACP, 1, BTA_AV_NUM_LINKS + 1); | |
1973 | 1973 | } |
1974 | 1974 | |
1975 | 1975 | /******************************************************************************* |
@@ -679,7 +679,7 @@ static void bta_av_api_register(tBTA_AV_DATA* p_data) { | ||
679 | 679 | } |
680 | 680 | /* start listening when A2DP is registered */ |
681 | 681 | if (bta_av_cb.features & BTA_AV_FEAT_RCTG) |
682 | - bta_av_rc_create(&bta_av_cb, AVCT_ACP, 0, BTA_AV_NUM_LINKS + 1); | |
682 | + bta_av_rc_create(&bta_av_cb, AVCT_ACP, 1, BTA_AV_NUM_LINKS + 1); | |
683 | 683 | |
684 | 684 | /* if the AV and AVK are both supported, it cannot support the CT role |
685 | 685 | */ |
@@ -696,7 +696,7 @@ static void bta_av_api_register(tBTA_AV_DATA* p_data) { | ||
696 | 696 | BTA_ID_AV); |
697 | 697 | #endif |
698 | 698 | #endif |
699 | - bta_av_rc_create(&bta_av_cb, AVCT_ACP, 0, BTA_AV_NUM_LINKS + 1); | |
699 | + bta_av_rc_create(&bta_av_cb, AVCT_ACP, 1, BTA_AV_NUM_LINKS + 1); | |
700 | 700 | } |
701 | 701 | #if (BTA_AR_INCLUDED == TRUE) |
702 | 702 | /* create an SDP record as AVRC CT. We create 1.3 for SOURCE |
@@ -498,14 +498,17 @@ static void btm_ble_vendor_capability_vsc_cmpl_cback( | ||
498 | 498 | BTM_TRACE_DEBUG("%s: Status = 0x%02x (0 is success)", __func__, status); |
499 | 499 | return; |
500 | 500 | } |
501 | - CHECK(p_vcs_cplt_params->param_len > BTM_VSC_CHIP_CAPABILITY_RSP_LEN); | |
502 | - STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.adv_inst_max, p); | |
503 | - STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.rpa_offloading, p); | |
504 | - STREAM_TO_UINT16(btm_cb.cmn_ble_vsc_cb.tot_scan_results_strg, p); | |
505 | - STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.max_irk_list_sz, p); | |
506 | - STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.filter_support, p); | |
507 | - STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.max_filter, p); | |
508 | - STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.energy_support, p); | |
501 | + | |
502 | + if (p_vcs_cplt_params->param_len >= BTM_VSC_CHIP_CAPABILITY_RSP_LEN) { | |
503 | + CHECK(p_vcs_cplt_params->param_len >= BTM_VSC_CHIP_CAPABILITY_RSP_LEN); | |
504 | + STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.adv_inst_max, p); | |
505 | + STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.rpa_offloading, p); | |
506 | + STREAM_TO_UINT16(btm_cb.cmn_ble_vsc_cb.tot_scan_results_strg, p); | |
507 | + STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.max_irk_list_sz, p); | |
508 | + STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.filter_support, p); | |
509 | + STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.max_filter, p); | |
510 | + STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.energy_support, p); | |
511 | + } | |
509 | 512 | |
510 | 513 | if (p_vcs_cplt_params->param_len > |
511 | 514 | BTM_VSC_CHIP_CAPABILITY_RSP_LEN_L_RELEASE) { |
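Review bot: The `CHECK` on new line 503 is redundant: it asserts exactly the condition the `if` on line 502 has just established, so it can never fire and only adds noise; drop the `CHECK` and keep the `if`. The `>=` bound itself looks right for what is visible: the seven `STREAM_TO_*` reads consume 8 bytes, plus the status byte that is presumably read before the hunk, matching the 9-byte `BTM_VSC_CHIP_CAPABILITY_RSP_LEN` the commit message describes. A response shorter than that now silently skips the parse and leaves `btm_cb.cmn_ble_vsc_cb` holding whatever it previously contained, which is harder to diagnose than the old crash; an `else` branch with `BTM_TRACE_DEBUG("%s: vendor capability response too short, param_len=%d", __func__, p_vcs_cplt_params->param_len);` would record the malformed response. The function body continues outside the hunk on both sides.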