
system/bt


Commit MetaInfo

Revision0b68008bad9ff8934d424610148d8b6749038eb0 (tree)
Zeit2017-10-27 16:10:32
AutorChih-Wei Huang <cwhuang@linu...>
CommiterChih-Wei Huang

Log Message

Merge remote-tracking branch 'cm/cm-14.1' into cm-x86-14.1


Diff

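--- a/bta/pan/bta_pan_act.c
+++ b/bta/pan/bta_pan_act.c
@@ -26,6 +26,8 @@
 
 #if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE)
 
+#include <cutils/log.h>
+
 #include "bta_api.h"
 #include "bta_sys.h"
 #include "bt_common.h"
@@ -176,6 +178,14 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
 
 if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
 /* offset smaller than data structure in front of actual data */
+ if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
+ PAN_BUF_SIZE) {
+ android_errorWriteLog(0x534e4554, "63146237");
+ APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
+ p_buf->len);
+ osi_free(p_buf);
+ return;
+ }
 p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE);
 memcpy((UINT8 *)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
 (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len);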
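Review bot: The `android_errorWriteLog(0x534e4554, "63146237");` call inside the new length check carries two magic values that nothing in the hunk explains, and a one-line comment would save the next reader a lookup: `/* 0x534e4554 == "SNET": SafetyNet tag; 63146237 is presumably the tracking bug id */`. The bound itself lines up with the copy it protects — `sizeof(BT_HDR)` for the header, `sizeof(tBTA_PAN_DATA_PARAMS)` for the prefix the memcpy skips, and `p_buf->len` for the payload — so it is consistent with the `osi_malloc(PAN_BUF_SIZE)` that follows. Note that the guard only covers the `sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset` branch; the other branch and the rest of bta_pan_data_buf_ind_cback are outside the hunk, so I cannot tell whether the in-place path needs a similar bound.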
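--- a/stack/avdt/avdt_api.c
+++ b/stack/avdt/avdt_api.c
@@ -1284,7 +1284,7 @@ UINT16 AVDT_SendReport(UINT8 handle, AVDT_REPORT_TYPE type,
 /* build SR - assume fit in one packet */
 p_tbl = avdt_ad_tc_tbl_by_type(AVDT_CHAN_REPORT, p_scb->p_ccb, p_scb);
 if (p_tbl->state == AVDT_AD_ST_OPEN) {
- BT_HDR *p_pkt = (BT_HDR *)osi_malloc(p_tbl->peer_mtu);
+ BT_HDR *p_pkt = (BT_HDR *)osi_malloc(p_tbl->peer_mtu + sizeof(BT_HDR));
 
 p_pkt->offset = L2CAP_MIN_OFFSET;
 p = (UINT8 *)(p_pkt + 1) + p_pkt->offset;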
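Review bot: The usable payload after `p_pkt->offset = L2CAP_MIN_OFFSET` is still only `peer_mtu - L2CAP_MIN_OFFSET` bytes on the new allocation line, and `peer_mtu` is a value the remote negotiated. The `/* build SR - assume fit in one packet */` comment suggests the report bytes written at `p` (outside the hunk) are not checked against that space, so a peer advertising an MTU smaller than `L2CAP_MIN_OFFSET` plus the report size could presumably still overrun the buffer even with the header now accounted for. The l2cap_client.c change in this same commit reserves `L2CAP_MIN_OFFSET` on top of the header; the matching shape here would be `osi_malloc(p_tbl->peer_mtu + L2CAP_MIN_OFFSET + sizeof(BT_HDR))`, or alternatively reject a `peer_mtu` below the minimum the SR needs before allocating. AVDT_SendReport begins and ends outside this hunk.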
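--- a/stack/bnep/bnep_main.c
+++ b/stack/bnep/bnep_main.c
@@ -575,7 +575,8 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
 p_bcb->con_state != BNEP_STATE_CONNECTED &&
 extension_present && p && rem_len)
 {
- p_bcb->p_pending_data = (BT_HDR *)osi_malloc(rem_len);
+ osi_free(p_bcb->p_pending_data);
+ p_bcb->p_pending_data = (BT_HDR *)osi_malloc(rem_len + sizeof(BT_HDR));
 memcpy((UINT8 *)(p_bcb->p_pending_data + 1), p, rem_len);
 p_bcb->p_pending_data->len = rem_len;
 p_bcb->p_pending_data->offset = 0;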
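Review bot: The new `osi_free(p_bcb->p_pending_data);` deserves a comment, because it changes the semantics from "leak the previous pending buffer" to "silently replace it", and a reader of the allocation line alone cannot see that only the most recent pre-connection extension data is retained: `/* only the latest pending extension data is kept; drop any earlier one */`. If more than one pending buffer is ever expected before the connection completes, that would need a queue rather than a single pointer, but nothing in the hunk indicates that is the case. The enclosing condition and bnep_data_ind start outside the hunk.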
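--- a/stack/bnep/bnep_utils.c
+++ b/stack/bnep/bnep_utils.c
@@ -154,6 +154,7 @@ void bnepu_release_bcb (tBNEP_CONN *p_bcb)
 
 /* Drop any response pointer we may be holding */
 p_bcb->con_state = BNEP_STATE_IDLE;
+ osi_free(p_bcb->p_pending_data);
 p_bcb->p_pending_data = NULL;
 
 /* Free transmit queue */
@@ -762,35 +763,53 @@ void bnep_process_setup_conn_responce (tBNEP_CONN *p_bcb, UINT8 *p_setup)
 UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len, BOOLEAN is_ext)
 {
 UINT8 control_type;
- BOOLEAN bad_pkt = FALSE;
 UINT16 len, ext_len = 0;
 
+ if (p == NULL || rem_len == NULL) {
+ if (rem_len != NULL) *rem_len = 0;
+ BNEP_TRACE_DEBUG("%s: invalid packet: p = %p rem_len = %p", __func__, p,
+ rem_len);
+ return NULL;
+ }
+ UINT16 rem_len_orig = *rem_len;
+
 if (is_ext)
 {
+ if (*rem_len < 1) goto bad_packet_length;
 ext_len = *p++;
 *rem_len = *rem_len - 1;
 }
 
+ if (*rem_len < 1) goto bad_packet_length;
 control_type = *p++;
 *rem_len = *rem_len - 1;
 
- BNEP_TRACE_EVENT ("BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d", *rem_len, is_ext, control_type);
+ BNEP_TRACE_EVENT("%s: BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d",
+ __func__, *rem_len, is_ext, control_type);
 
 switch (control_type)
 {
 case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD:
- BNEP_TRACE_ERROR ("BNEP Received Cmd not understood for ctl pkt type: %d", *p);
+ if (*rem_len < 1) {
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD with bad length",
+ __func__);
+ goto bad_packet_length;
+ }
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD for pkt type: %d",
+ __func__, *p);
 p++;
 *rem_len = *rem_len - 1;
 break;
 
 case BNEP_SETUP_CONNECTION_REQUEST_MSG:
 len = *p++;
- if (*rem_len < ((2 * len) + 1))
- {
- bad_pkt = TRUE;
- BNEP_TRACE_ERROR ("BNEP Received Setup message with bad length");
- break;
+ if (*rem_len < ((2 * len) + 1)) {
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
+ __func__);
+ goto bad_packet_length;
 }
 if (!is_ext)
 bnep_process_setup_conn_req (p_bcb, p, (UINT8)len);
@@ -799,6 +818,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
 break;
 
 case BNEP_SETUP_CONNECTION_RESPONSE_MSG:
+ if (*rem_len < 2) {
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_SETUP_CONNECTION_RESPONSE_MSG with bad length",
+ __func__);
+ goto bad_packet_length;
+ }
 if (!is_ext)
 bnep_process_setup_conn_responce (p_bcb, p);
 p += 2;
@@ -809,9 +834,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
 BE_STREAM_TO_UINT16 (len, p);
 if (*rem_len < (len + 2))
 {
- bad_pkt = TRUE;
- BNEP_TRACE_ERROR ("BNEP Received Filter set message with bad length");
- break;
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
+ __func__);
+ goto bad_packet_length;
 }
 bnepu_process_peer_filter_set (p_bcb, p, len);
 p += len;
@@ -819,6 +845,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
 break;
 
 case BNEP_FILTER_NET_TYPE_RESPONSE_MSG:
+ if (*rem_len < 2) {
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_FILTER_NET_TYPE_RESPONSE_MSG with bad length",
+ __func__);
+ goto bad_packet_length;
+ }
 bnepu_process_peer_filter_rsp (p_bcb, p);
 p += 2;
 *rem_len = *rem_len - 2;
@@ -828,9 +860,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
 BE_STREAM_TO_UINT16 (len, p);
 if (*rem_len < (len + 2))
 {
- bad_pkt = TRUE;
- BNEP_TRACE_ERROR ("BNEP Received Multicast Filter Set message with bad length");
- break;
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
+ __func__);
+ goto bad_packet_length;
 }
 bnepu_process_peer_multicast_filter_set (p_bcb, p, len);
 p += len;
@@ -838,30 +871,38 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
 break;
 
 case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG:
+ if (*rem_len < 2) {
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG with bad length",
+ __func__);
+ goto bad_packet_length;
+ }
 bnepu_process_multicast_filter_rsp (p_bcb, p);
 p += 2;
 *rem_len = *rem_len - 2;
 break;
 
 default :
- BNEP_TRACE_ERROR ("BNEP - bad ctl pkt type: %d", control_type);
+ BNEP_TRACE_ERROR("%s: BNEP - bad ctl pkt type: %d", __func__,
+ control_type);
 bnep_send_command_not_understood (p_bcb, control_type);
- if (is_ext)
+ if (is_ext && (ext_len > 0))
 {
+ if (*rem_len < (ext_len - 1)) {
+ goto bad_packet_length;
+ }
 p += (ext_len - 1);
 *rem_len -= (ext_len - 1);
 }
 break;
 }
-
- if (bad_pkt)
- {
- BNEP_TRACE_ERROR ("BNEP - bad ctl pkt length: %d", *rem_len);
- *rem_len = 0;
- return NULL;
- }
-
 return p;
+
+bad_packet_length:
+ BNEP_TRACE_ERROR("%s: bad control packet length: original=%d remaining=%d",
+ __func__, rem_len_orig, *rem_len);
+ *rem_len = 0;
+ return NULL;
 }
 
 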
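Review bot: The length fields are still read before they are checked in three of the cases: `len = *p++;` under BNEP_SETUP_CONNECTION_REQUEST_MSG and `BE_STREAM_TO_UINT16 (len, p);` under BNEP_FILTER_NET_TYPE_SET_MSG and BNEP_FILTER_MULTI_ADDR_SET_MSG are unguarded, so a control packet that ends right after the type byte makes them read one or two bytes past the data `*rem_len` still covers before the `*rem_len < ...` comparison jumps to bad_packet_length. The new guards added for the RESPONSE messages show the pattern; the same is needed here — `if (*rem_len < 1) goto bad_packet_length;` before `len = *p++;` and `if (*rem_len < 2) goto bad_packet_length;` before each `BE_STREAM_TO_UINT16`. The over-read is one or two bytes and the comparison that follows always fails on an exhausted buffer (`*rem_len < 2` implies `*rem_len < len + 2`), so the impact is limited, but it is the same class of bug this rewrite is closing. The NOT_UNDERSTOOD case does check `*rem_len` before dereferencing `*p`, so only those three sites need it. Several hunks here start and end inside the switch, so the `*rem_len -= ...` bookkeeping after the filter-set handlers is only partly visible.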
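--- a/stack/l2cap/l2cap_client.c
+++ b/stack/l2cap/l2cap_client.c
@@ -374,7 +374,8 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet) {
 assert(packet != NULL);
 
 // TODO(sharvil): eliminate copy into BT_HDR.
- BT_HDR *bt_packet = osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET);
+ BT_HDR *bt_packet = osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET +
+ sizeof(BT_HDR));
 bt_packet->offset = L2CAP_MIN_OFFSET;
 bt_packet->len = buffer_length(packet);
 memcpy(bt_packet->data + bt_packet->offset, buffer_ptr(packet), buffer_length(packet));
@@ -388,7 +389,8 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet) {
 break;
 }
 
- BT_HDR *fragment = osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET);
+ BT_HDR *fragment = osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET +
+ sizeof(BT_HDR));
 fragment->offset = L2CAP_MIN_OFFSET;
 fragment->len = client->remote_mtu;
 memcpy(fragment->data + fragment->offset, bt_packet->data + bt_packet->offset, client->remote_mtu);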
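Review bot: `fragment->len = client->remote_mtu;` and the memcpy of exactly `client->remote_mtu` bytes from `bt_packet->data + bt_packet->offset` rely on the enclosing loop (its header is outside the hunk; only the `break;` is visible) having already established that at least `remote_mtu` bytes remain in `bt_packet`, and if it has not, the final fragment over-reads the source buffer; depending on how the loop advances, a `remote_mtu` of zero could also spin. That precondition is worth stating at the new allocation line, e.g. `// loop above guarantees >= remote_mtu bytes remain past bt_packet->offset`, or asserting it if a remaining-length variable is in scope. The sizing change itself looks right and, unlike the avdt/mcap changes in this commit, also accounts for `L2CAP_MIN_OFFSET`. fragment_packet starts and ends outside the hunks.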
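--- a/stack/mcap/mca_cact.c
+++ b/stack/mcap/mca_cact.c
@@ -125,7 +125,7 @@ void mca_ccb_snd_req(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data)
 p_ccb->p_tx_req = p_msg;
 if (!p_ccb->cong)
 {
- BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU);
+ BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
 
 p_pkt->offset = L2CAP_MIN_OFFSET;
 p = p_start = (UINT8*)(p_pkt + 1) + L2CAP_MIN_OFFSET;
@@ -167,7 +167,7 @@ void mca_ccb_snd_rsp(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data)
 tMCA_CCB_MSG *p_msg = (tMCA_CCB_MSG *)p_data;
 UINT8 *p, *p_start;
 BOOLEAN chk_mdl = FALSE;
- BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
+ BT_HDR *p_pkt = (BT_HDR *)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
 
 MCA_TRACE_DEBUG("%s cong=%d req=%d", __func__, p_ccb->cong, p_msg->op_code);
 /* assume that API functions verified the parameters */
@@ -410,7 +410,7 @@ void mca_ccb_hdl_req(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data)
 
 if (((reject_code != MCA_RSP_SUCCESS) && (evt_data.hdr.op_code != MCA_OP_SYNC_INFO_IND))
 || send_rsp) {
- BT_HDR *p_buf = (BT_HDR *)osi_malloc(MCA_CTRL_MTU);
+ BT_HDR *p_buf = (BT_HDR *)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
 p_buf->offset = L2CAP_MIN_OFFSET;
 p = p_start = (UINT8*)(p_buf + 1) + L2CAP_MIN_OFFSET;
 *p++ = reject_opcode;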
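Review bot: Each of the three `osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR))` sites is followed by `offset = L2CAP_MIN_OFFSET` and a write pointer at `(p_pkt + 1) + L2CAP_MIN_OFFSET`, which leaves `MCA_CTRL_MTU - L2CAP_MIN_OFFSET` bytes for the message rather than MCA_CTRL_MTU; whether any MCAP control message built after these lines (outside the hunks) can approach that size I cannot tell from here, so either document the assumption at the allocation or size it as `MCA_CTRL_MTU + L2CAP_MIN_OFFSET + sizeof(BT_HDR)` the way l2cap_client.c does in this same commit. Repeating the expression in three places is also how `sizeof(BT_HDR)` got dropped in the first place, so a single `#define MCA_CTRL_BUF_SIZE (MCA_CTRL_MTU + L2CAP_MIN_OFFSET + sizeof(BT_HDR))` next to MCA_CTRL_MTU, or a small static helper that allocates and sets `offset`, would keep them in step. All three enclosing functions begin and end outside the hunks.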
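--- a/stack/pan/pan_main.c
+++ b/stack/pan/pan_main.c
@@ -222,6 +222,39 @@ void pan_conn_ind_cb (UINT16 handle,
 return;
 }
 
+ /* Check for valid interactions between the three PAN profile roles */
+ /*
+ * For reference, see Table 1 in PAN Profile v1.0 spec.
+ * Note: the remote is the initiator.
+ */
+ BOOLEAN is_valid_interaction = FALSE;
+ switch (remote_uuid->uu.uuid16) {
+ case UUID_SERVCLASS_NAP:
+ case UUID_SERVCLASS_GN:
+ if (local_uuid->uu.uuid16 == UUID_SERVCLASS_PANU)
+ is_valid_interaction = TRUE;
+ break;
+ case UUID_SERVCLASS_PANU:
+ is_valid_interaction = TRUE;
+ break;
+ }
+ /*
+ * Explicitly disable connections to the local PANU if the remote is
+ * not PANU.
+ */
+ if ((local_uuid->uu.uuid16 == UUID_SERVCLASS_PANU) &&
+ (remote_uuid->uu.uuid16 != UUID_SERVCLASS_PANU)) {
+ is_valid_interaction = FALSE;
+ }
+ if (!is_valid_interaction) {
+ PAN_TRACE_ERROR(
+ "PAN Connection failed because of invalid PAN profile roles "
+ "interaction: Remote UUID 0x%x Local UUID 0x%x",
+ remote_uuid->uu.uuid16, local_uuid->uu.uuid16);
+ BNEP_ConnectResp(handle, BNEP_CONN_FAILED_SRC_UUID);
+ return;
+ }
+
 /* Requested destination role is */
 if (local_uuid->uu.uuid16 == UUID_SERVCLASS_PANU)
 req_role = PAN_ROLE_CLIENT;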
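Review bot: The two blocks added ahead of `/* Requested destination role is */` contradict each other: the switch accepts a remote NAP/GN when the local role is PANU, and the `if` immediately after rejects exactly that pairing, so the `if (local_uuid->uu.uuid16 == UUID_SERVCLASS_PANU) is_valid_interaction = TRUE;` under `case UUID_SERVCLASS_NAP: case UUID_SERVCLASS_GN:` is dead and the net rule is simply "accept only when the remote is PANU". The second comment reads as the deliberate policy — presumably to keep a remote-initiated connection from putting this device into the client role — so express it once: replace the NAP/GN body with `/* a remote NAP/GN may not drive the local side into the PANU (client) role */ break;` and drop the override, or, if the switch is meant to mirror the spec table while the override tightens it, say so in the comment. The switch also has no `default:`; unknown UUIDs do fall through to the rejection, but a `default: break;` makes that visibly intentional. Whether `uu.uuid16` is valid here depends on a `uu.len` check earlier in pan_conn_ind_cb, which starts outside the hunk.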
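--- a/stack/sdp/sdp_server.c
+++ b/stack/sdp/sdp_server.c
@@ -491,7 +491,7 @@ static void process_service_search (tCONN_CB *p_ccb, UINT16 trans_num,
 }
 BE_STREAM_TO_UINT16 (cont_offset, p_req);
 
- if (cont_offset != p_ccb->cont_offset)
+ if (cont_offset != p_ccb->cont_offset || num_rsp_handles < cont_offset)
 {
 sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE,
 SDP_TEXT_BAD_CONT_INX);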
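Review bot: The new `num_rsp_handles < cont_offset` term on the `if` line rejects a peer-supplied offset past the handle list but still admits `cont_offset == num_rsp_handles`, i.e. an empty remainder; whether the code after the check (outside the hunk) copes with zero remaining handles is not visible, so if a continuation state is only ever handed out for a non-empty remainder, `<=` would be the tighter test. Either way the condition would benefit from a short comment, e.g. `/* peer-supplied continuation offset must match ours and index into the handle list */`, since the second operand is the security-relevant one. process_service_search starts and ends outside the hunk.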