
Tags
Keine Tags


system/bt


Commit MetaInfo

Revision491ce6e711feba11ffec6a9204290eca9aecc5f9 (tree)
Zeit2017-08-25 09:54:41
Autorandroid-build-team Robot <android-build-team-robot@goog...>
Commiterandroid-build-team Robot

Log Message

release-request-2c066723-15d1-45c9-8fff-fdeca41661a9-for-git_oc-r6-release-4286358 snap-temp-L42700000096612204

Change-Id: I76758ebf52a405548b1636d64e5d8156c67eccc5

Ändern Zusammenfassung

Diff

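--- a/bta/pan/bta_pan_act.cc
+++ b/bta/pan/bta_pan_act.cc
@@ -28,6 +28,8 @@
 
 #include <string.h>
 
+#include <cutils/log.h>
+
 #include "bt_common.h"
 #include "bta_api.h"
 #include "bta_pan_api.h"
@@ -174,6 +176,14 @@ static void bta_pan_data_buf_ind_cback(uint16_t handle, BD_ADDR src,
 
 if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
 /* offset smaller than data structure in front of actual data */
+if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
+PAN_BUF_SIZE) {
+android_errorWriteLog(0x534e4554, "63146237");
+APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
+p_buf->len);
+osi_free(p_buf);
+return;
+}
 p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);
 memcpy((uint8_t*)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
 (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);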
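Review bot: The comment `/* offset smaller than data structure in front of actual data */` on line 178 now sits directly above the new length guard and reads as if it explained it, while it originally annotated the reallocation below; the guard deserves its own line, e.g. `/* the copy below lands at data + sizeof(tBTA_PAN_DATA_PARAMS); drop anything that would overrun the PAN_BUF_SIZE buffer */`, so the bound is self-explanatory. `p_buf->len` is printed with `%d`; if the field is an unsigned 16-bit value that is fine after promotion, but `%u` would match it exactly. bta_pan_data_buf_ind_cback starts and ends outside the hunk, so whether the path taken when the offset is already large enough needs an equivalent check is not visible here.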
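--- a/stack/avdt/avdt_api.cc
+++ b/stack/avdt/avdt_api.cc
@@ -1042,7 +1042,7 @@ uint16_t AVDT_SendReport(uint8_t handle, AVDT_REPORT_TYPE type,
 /* build SR - assume fit in one packet */
 p_tbl = avdt_ad_tc_tbl_by_type(AVDT_CHAN_REPORT, p_scb->p_ccb, p_scb);
 if (p_tbl->state == AVDT_AD_ST_OPEN) {
-BT_HDR* p_pkt = (BT_HDR*)osi_malloc(p_tbl->peer_mtu);
+BT_HDR* p_pkt = (BT_HDR*)osi_malloc(p_tbl->peer_mtu + sizeof(BT_HDR));
 
 p_pkt->offset = L2CAP_MIN_OFFSET;
 p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;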
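Review bot: The new size reserves the header but not the headroom that `p_pkt->offset = L2CAP_MIN_OFFSET;` two lines later claims, so the region the SR is written into is `peer_mtu - L2CAP_MIN_OFFSET` bytes, while the comment above only says the SR is assumed to fit in one packet; the l2cap_client.cc hunks in this same commit add both terms. If peer_mtu is meant to bound the bytes written after the offset, the allocation should be `BT_HDR* p_pkt = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + L2CAP_MIN_OFFSET + p_tbl->peer_mtu);`; if the SR builder is bounded independently of peer_mtu, a comment saying so would close the question. The same shape appears in the three mca_cact.cc hunks of this commit. AVDT_SendReport's body continues outside the hunk, so how many bytes are written is not visible here.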
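--- a/stack/bnep/bnep_main.cc
+++ b/stack/bnep/bnep_main.cc
@@ -525,7 +525,8 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
 if (ctrl_type == BNEP_SETUP_CONNECTION_REQUEST_MSG &&
 p_bcb->con_state != BNEP_STATE_CONNECTED && extension_present && p &&
 rem_len) {
-p_bcb->p_pending_data = (BT_HDR*)osi_malloc(rem_len);
+osi_free(p_bcb->p_pending_data);
+p_bcb->p_pending_data = (BT_HDR*)osi_malloc(rem_len + sizeof(BT_HDR));
 memcpy((uint8_t*)(p_bcb->p_pending_data + 1), p, rem_len);
 p_bcb->p_pending_data->len = rem_len;
 p_bcb->p_pending_data->offset = 0;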
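Review bot: Freeing the previous pending buffer before allocating the new one closes the leak, but the replacement is silent; a second setup request arriving while one is still unanswered is worth a trace, e.g. `if (p_bcb->p_pending_data) BNEP_TRACE_DEBUG("%s: replacing pending setup data", __func__);` ahead of the `osi_free`. A comment on the `osi_free` line such as `/* a newer setup request supersedes one still pending */` would also record why the unconditional free is intended (the call relies on osi_free tolerating a NULL pointer, which this hunk does not show). bnep_data_ind starts and ends outside the hunk.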
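--- a/stack/bnep/bnep_utils.cc
+++ b/stack/bnep/bnep_utils.cc
@@ -144,7 +144,7 @@ void bnepu_release_bcb(tBNEP_CONN* p_bcb) {
 
 /* Drop any response pointer we may be holding */
 p_bcb->con_state = BNEP_STATE_IDLE;
-p_bcb->p_pending_data = NULL;
+osi_free_and_reset((void**)&p_bcb->p_pending_data);
 
 /* Free transmit queue */
 while (!fixed_queue_is_empty(p_bcb->xmit_q)) {
@@ -714,25 +714,41 @@ void bnep_process_setup_conn_responce(tBNEP_CONN* p_bcb, uint8_t* p_setup) {
 uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
 uint16_t* rem_len, bool is_ext) {
 uint8_t control_type;
-bool bad_pkt = false;
 uint16_t len, ext_len = 0;
 
+if (p == NULL || rem_len == NULL) {
+if (rem_len != NULL) *rem_len = 0;
+BNEP_TRACE_DEBUG("%s: invalid packet: p = %p rem_len = %p", __func__, p,
+rem_len);
+return NULL;
+}
+uint16_t rem_len_orig = *rem_len;
+
 if (is_ext) {
+if (*rem_len < 1) goto bad_packet_length;
 ext_len = *p++;
 *rem_len = *rem_len - 1;
 }
 
+if (*rem_len < 1) goto bad_packet_length;
 control_type = *p++;
 *rem_len = *rem_len - 1;
 
 BNEP_TRACE_EVENT(
-"BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d",
-*rem_len, is_ext, control_type);
+"%s: BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d",
+__func__, *rem_len, is_ext, control_type);
 
 switch (control_type) {
 case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD:
-BNEP_TRACE_ERROR("BNEP Received Cmd not understood for ctl pkt type: %d",
-*p);
+if (*rem_len < 1) {
+BNEP_TRACE_ERROR(
+"%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD with bad length",
+__func__);
+goto bad_packet_length;
+}
+BNEP_TRACE_ERROR(
+"%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD for pkt type: %d",
+__func__, *p);
 p++;
 *rem_len = *rem_len - 1;
 break;
@@ -740,9 +756,10 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
 case BNEP_SETUP_CONNECTION_REQUEST_MSG:
 len = *p++;
 if (*rem_len < ((2 * len) + 1)) {
-bad_pkt = true;
-BNEP_TRACE_ERROR("BNEP Received Setup message with bad length");
-break;
+BNEP_TRACE_ERROR(
+"%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
+__func__);
+goto bad_packet_length;
 }
 if (!is_ext) bnep_process_setup_conn_req(p_bcb, p, (uint8_t)len);
 p += (2 * len);
@@ -750,6 +767,12 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
 break;
 
 case BNEP_SETUP_CONNECTION_RESPONSE_MSG:
+if (*rem_len < 2) {
+BNEP_TRACE_ERROR(
+"%s: Received BNEP_SETUP_CONNECTION_RESPONSE_MSG with bad length",
+__func__);
+goto bad_packet_length;
+}
 if (!is_ext) bnep_process_setup_conn_responce(p_bcb, p);
 p += 2;
 *rem_len = *rem_len - 2;
@@ -758,9 +781,10 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
 case BNEP_FILTER_NET_TYPE_SET_MSG:
 BE_STREAM_TO_UINT16(len, p);
 if (*rem_len < (len + 2)) {
-bad_pkt = true;
-BNEP_TRACE_ERROR("BNEP Received Filter set message with bad length");
-break;
+BNEP_TRACE_ERROR(
+"%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
+__func__);
+goto bad_packet_length;
 }
 bnepu_process_peer_filter_set(p_bcb, p, len);
 p += len;
@@ -768,6 +792,12 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
 break;
 
 case BNEP_FILTER_NET_TYPE_RESPONSE_MSG:
+if (*rem_len < 2) {
+BNEP_TRACE_ERROR(
+"%s: Received BNEP_FILTER_NET_TYPE_RESPONSE_MSG with bad length",
+__func__);
+goto bad_packet_length;
+}
 bnepu_process_peer_filter_rsp(p_bcb, p);
 p += 2;
 *rem_len = *rem_len - 2;
@@ -776,10 +806,10 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
 case BNEP_FILTER_MULTI_ADDR_SET_MSG:
 BE_STREAM_TO_UINT16(len, p);
 if (*rem_len < (len + 2)) {
-bad_pkt = true;
 BNEP_TRACE_ERROR(
-"BNEP Received Multicast Filter Set message with bad length");
-break;
+"%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
+__func__);
+goto bad_packet_length;
 }
 bnepu_process_peer_multicast_filter_set(p_bcb, p, len);
 p += len;
@@ -787,28 +817,37 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
 break;
 
 case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG:
+if (*rem_len < 2) {
+BNEP_TRACE_ERROR(
+"%s: Received BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG with bad length",
+__func__);
+goto bad_packet_length;
+}
 bnepu_process_multicast_filter_rsp(p_bcb, p);
 p += 2;
 *rem_len = *rem_len - 2;
 break;
 
 default:
-BNEP_TRACE_ERROR("BNEP - bad ctl pkt type: %d", control_type);
+BNEP_TRACE_ERROR("%s: BNEP - bad ctl pkt type: %d", __func__,
+control_type);
 bnep_send_command_not_understood(p_bcb, control_type);
-if (is_ext) {
+if (is_ext && (ext_len > 0)) {
+if (*rem_len < (ext_len - 1)) {
+goto bad_packet_length;
+}
 p += (ext_len - 1);
 *rem_len -= (ext_len - 1);
 }
 break;
 }
-
-if (bad_pkt) {
-BNEP_TRACE_ERROR("BNEP - bad ctl pkt length: %d", *rem_len);
-*rem_len = 0;
-return NULL;
-}
-
 return p;
+
+bad_packet_length:
+BNEP_TRACE_ERROR("%s: bad control packet length: original=%d remaining=%d",
+__func__, rem_len_orig, *rem_len);
+*rem_len = 0;
+return NULL;
 }
 
 /*******************************************************************************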
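Review bot: In the BNEP_FILTER_NET_TYPE_SET_MSG and BNEP_FILTER_MULTI_ADDR_SET_MSG cases the two-byte length field is consumed by `BE_STREAM_TO_UINT16(len, p);` before `*rem_len` is compared with it, and in BNEP_SETUP_CONNECTION_REQUEST_MSG `len = *p++;` likewise precedes its check, so a packet with fewer bytes left than the length field itself is read one or two bytes past `rem_len` before the new `goto` fires. The response cases got an `if (*rem_len < 2) goto bad_packet_length;` guard ahead of their reads; the same guard belongs immediately before each `BE_STREAM_TO_UINT16(len, p);`, and `if (*rem_len < 1) goto bad_packet_length;` before `len = *p++;`. Once those are in, the remaining length arithmetic (`len + 2`, `(2 * len) + 1`, `ext_len - 1`) is done in promoted int on uint16_t operands, so it cannot wrap. The first hunk's `osi_free_and_reset` in bnepu_release_bcb matches the new ownership in bnep_main.cc and needs nothing further.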
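--- a/stack/l2cap/l2cap_client.cc
+++ b/stack/l2cap/l2cap_client.cc
@@ -393,7 +393,7 @@ static void fragment_packet(l2cap_client_t* client, buffer_t* packet) {
 
 // TODO(sharvil): eliminate copy into BT_HDR.
 BT_HDR* bt_packet = static_cast<BT_HDR*>(
-osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET));
+osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET + sizeof(BT_HDR)));
 bt_packet->offset = L2CAP_MIN_OFFSET;
 bt_packet->len = buffer_length(packet);
 memcpy(bt_packet->data + bt_packet->offset, buffer_ptr(packet),
@@ -408,8 +408,8 @@ static void fragment_packet(l2cap_client_t* client, buffer_t* packet) {
 break;
 }
 
-BT_HDR* fragment =
-static_cast<BT_HDR*>(osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET));
+BT_HDR* fragment = static_cast<BT_HDR*>(
+osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET + sizeof(BT_HDR)));
 fragment->offset = L2CAP_MIN_OFFSET;
 fragment->len = client->remote_mtu;
 memcpy(fragment->data + fragment->offset,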
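Review bot: Both allocations now spell out a three-term size inline with nothing saying what each term is for; a comment on the first, e.g. `// BT_HDR, then L2CAP_MIN_OFFSET bytes of headroom, then the payload`, or a small static helper that computes the size from a payload length, would keep the two sites from drifting apart again. Separately, `bt_packet->len = buffer_length(packet);` on line 398 stores whatever buffer_length returns into the BT_HDR length field; if that return type is wider than the field, a large packet would be truncated in `len` after a full-size allocation — pre-existing, but worth a bound check now that the allocation size is being corrected. fragment_packet starts and ends outside the hunks.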
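--- a/stack/mcap/mca_cact.cc
+++ b/stack/mcap/mca_cact.cc
@@ -117,7 +117,7 @@ void mca_ccb_snd_req(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
 if ((!p_ccb->p_tx_req) || is_abort) {
 p_ccb->p_tx_req = p_msg;
 if (!p_ccb->cong) {
-BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU);
+BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
 
 p_pkt->offset = L2CAP_MIN_OFFSET;
 p = p_start = (uint8_t*)(p_pkt + 1) + L2CAP_MIN_OFFSET;
@@ -154,7 +154,7 @@ void mca_ccb_snd_req(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
 void mca_ccb_snd_rsp(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
 tMCA_CCB_MSG* p_msg = (tMCA_CCB_MSG*)p_data;
 uint8_t *p, *p_start;
-BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU);
+BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
 
 MCA_TRACE_DEBUG("%s cong=%d req=%d", __func__, p_ccb->cong, p_msg->op_code);
 /* assume that API functions verified the parameters */
@@ -367,7 +367,7 @@ void mca_ccb_hdl_req(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
 if (((reject_code != MCA_RSP_SUCCESS) &&
 (evt_data.hdr.op_code != MCA_OP_SYNC_INFO_IND)) ||
 send_rsp) {
-BT_HDR* p_buf = (BT_HDR*)osi_malloc(MCA_CTRL_MTU);
+BT_HDR* p_buf = (BT_HDR*)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
 p_buf->offset = L2CAP_MIN_OFFSET;
 p = p_start = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
 *p++ = reject_opcode;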
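Review bot: The same `MCA_CTRL_MTU + sizeof(BT_HDR)` expression is now repeated at three sites in this file, and at each one the packet also sets `offset = L2CAP_MIN_OFFSET` and starts writing at `(p_pkt + 1) + L2CAP_MIN_OFFSET`, so the space left for the control message is `MCA_CTRL_MTU - L2CAP_MIN_OFFSET` bytes; if MCA_CTRL_MTU is meant as the payload bound, the headroom is missing from the size, and if it already includes it, a comment should say so. A single named size (a file-scope constant or a tiny static helper wrapping this expression) would mean the next correction lands in one place instead of three. The enclosing functions start and end outside the hunks, so how many bytes each builder writes is not visible here.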
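--- a/stack/pan/pan_main.cc
+++ b/stack/pan/pan_main.cc
@@ -214,6 +214,39 @@ void pan_conn_ind_cb(uint16_t handle, BD_ADDR p_bda, tBT_UUID* remote_uuid,
 return;
 }
 
+/* Check for valid interactions between the three PAN profile roles */
+/*
+* For reference, see Table 1 in PAN Profile v1.0 spec.
+* Note: the remote is the initiator.
+*/
+bool is_valid_interaction = false;
+switch (remote_uuid->uu.uuid16) {
+case UUID_SERVCLASS_NAP:
+case UUID_SERVCLASS_GN:
+if (local_uuid->uu.uuid16 == UUID_SERVCLASS_PANU)
+is_valid_interaction = true;
+break;
+case UUID_SERVCLASS_PANU:
+is_valid_interaction = true;
+break;
+}
+/*
+* Explicitly disable connections to the local PANU if the remote is
+* not PANU.
+*/
+if ((local_uuid->uu.uuid16 == UUID_SERVCLASS_PANU) &&
+(remote_uuid->uu.uuid16 != UUID_SERVCLASS_PANU)) {
+is_valid_interaction = false;
+}
+if (!is_valid_interaction) {
+PAN_TRACE_ERROR(
+"PAN Connection failed because of invalid PAN profile roles "
+"interaction: Remote UUID 0x%x Local UUID 0x%x",
+remote_uuid->uu.uuid16, local_uuid->uu.uuid16);
+BNEP_ConnectResp(handle, BNEP_CONN_FAILED_SRC_UUID);
+return;
+}
+
 /* Requested destination role is */
 if (local_uuid->uu.uuid16 == UUID_SERVCLASS_PANU)
 req_role = PAN_ROLE_CLIENT;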
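Review bot: The `switch` and the override below it contradict each other: the `case UUID_SERVCLASS_NAP: case UUID_SERVCLASS_GN:` branch sets `is_valid_interaction = true` only when the local role is PANU, and the following `if` sets it back to `false` in exactly that combination, so the net rule is "accept only when the remote is PANU" and the first case has no effect. If that net rule is the intended one, replace both blocks with `bool is_valid_interaction = (remote_uuid->uu.uuid16 == UUID_SERVCLASS_PANU);` and carry the spec-table rationale in the comment; if the NAP/GN-to-PANU case was meant to be allowed, the override is too broad and should go. The `switch` also lacks a `default:`, so an unknown service class reaches the rejection silently, which is acceptable but worth stating with a `default: break; /* any other class is rejected below */`. pan_conn_ind_cb starts and ends outside the hunk, so whether `remote_uuid` and `local_uuid` are checked for NULL before these dereferences is not visible here.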
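--- a/stack/sdp/sdp_server.cc
+++ b/stack/sdp/sdp_server.cc
@@ -218,7 +218,7 @@ static void process_service_search(tCONN_CB* p_ccb, uint16_t trans_num,
 }
 BE_STREAM_TO_UINT16(cont_offset, p_req);
 
-if (cont_offset != p_ccb->cont_offset) {
+if (cont_offset != p_ccb->cont_offset || num_rsp_handles < cont_offset) {
 sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
 SDP_TEXT_BAD_CONT_INX);
 return;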
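Review bot: The new `num_rsp_handles < cont_offset` term rejects a continuation offset past the end of the handle list, but nothing on the line says why a peer-supplied offset that already matches `p_ccb->cont_offset` still needs a bound; a comment such as `/* cont_offset is taken from the peer's continuation state and must not index past the handles found */` would record it for the next reader. Whether `cont_offset == num_rsp_handles` (no handles left to send) should also be treated as an invalid continuation depends on the loop below the hunk and is not visible here. process_service_search starts and ends outside the hunk.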