system/bt
| Revision | 7f4f039eacd819e74746258252233b4fe0c18c4b (tree) |
|---|---|
| Zeit | 2020-02-11 11:03:14 |
| Autor | Chih-Wei Huang <cwhuang@linu...> |
| Commiter | Chih-Wei Huang |
Merge tag 'android-9.0.0_r53' into pie-x86
Android 9.0.0 Release 53 (6107734)
hci/src/packet_fragmenter.cc (diff) stack/btm/btm_acl.cc (diff)
stack/btm/btm_int.h (diff) stack/btu/btu_hcif.cc (diff) stack/include/hcidefs.h (diff) stack/sdp/sdp_discovery.cc (diff)| @@ -216,7 +216,8 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) { | ||
| 216 | 216 | "%s got packet which would exceed expected length of %d. " |
| 217 | 217 | "Truncating.", |
| 218 | 218 | __func__, partial_packet->len); |
| 219 | - packet->len = partial_packet->len - partial_packet->offset; | |
| 219 | + packet->len = | |
| 220 | + (partial_packet->len - partial_packet->offset) + packet->offset; | |
| 220 | 221 | projected_offset = partial_packet->len; |
| 221 | 222 | } |
| 222 | 223 |
| @@ -1089,7 +1089,7 @@ void btm_read_remote_features_complete(uint8_t* p) { | ||
| 1089 | 1089 | * Returns void |
| 1090 | 1090 | * |
| 1091 | 1091 | ******************************************************************************/ |
| 1092 | -void btm_read_remote_ext_features_complete(uint8_t* p) { | |
| 1092 | +void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | |
| 1093 | 1093 | tACL_CONN* p_acl_cb; |
| 1094 | 1094 | uint8_t page_num, max_page; |
| 1095 | 1095 | uint16_t handle; |
| @@ -1097,6 +1097,14 @@ void btm_read_remote_ext_features_complete(uint8_t* p) { | ||
| 1097 | 1097 | |
| 1098 | 1098 | BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete"); |
| 1099 | 1099 | |
| 1100 | + if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) { | |
| 1101 | + android_errorWriteLog(0x534e4554, "141552859"); | |
| 1102 | + BTM_TRACE_ERROR( | |
| 1103 | + "btm_read_remote_ext_features_complete evt length too short. length=%d", | |
| 1104 | + evt_len); | |
| 1105 | + return; | |
| 1106 | + } | |
| 1107 | + | |
| 1100 | 1108 | ++p; |
| 1101 | 1109 | STREAM_TO_UINT16(handle, p); |
| 1102 | 1110 | STREAM_TO_UINT8(page_num, p); |
| @@ -1116,6 +1124,19 @@ void btm_read_remote_ext_features_complete(uint8_t* p) { | ||
| 1116 | 1124 | return; |
| 1117 | 1125 | } |
| 1118 | 1126 | |
| 1127 | + if (page_num > HCI_EXT_FEATURES_PAGE_MAX) { | |
| 1128 | + android_errorWriteLog(0x534e4554, "141552859"); | |
| 1129 | + BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid", | |
| 1130 | + page_num); | |
| 1131 | + return; | |
| 1132 | + } | |
| 1133 | + | |
| 1134 | + if (page_num > max_page) { | |
| 1135 | + BTM_TRACE_WARNING( | |
| 1136 | + "btm_read_remote_ext_features_complete num_page=%d, max_page=%d " | |
| 1137 | + "invalid", page_num, max_page); | |
| 1138 | + } | |
| 1139 | + | |
| 1119 | 1140 | p_acl_cb = &btm_cb.acl_db[acl_idx]; |
| 1120 | 1141 | |
| 1121 | 1142 | /* Copy the received features page */ |
| @@ -118,7 +118,7 @@ extern uint16_t btm_get_acl_disc_reason_code(void); | ||
| 118 | 118 | extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr, |
| 119 | 119 | tBT_TRANSPORT transport); |
| 120 | 120 | extern void btm_read_remote_features_complete(uint8_t* p); |
| 121 | -extern void btm_read_remote_ext_features_complete(uint8_t* p); | |
| 121 | +extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len); | |
| 122 | 122 | extern void btm_read_remote_ext_features_failed(uint8_t status, |
| 123 | 123 | uint16_t handle); |
| 124 | 124 | extern void btm_read_remote_version_complete(uint8_t* p); |
| @@ -71,7 +71,8 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p); | ||
| 71 | 71 | static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len); |
| 72 | 72 | static void btu_hcif_encryption_change_evt(uint8_t* p); |
| 73 | 73 | static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p); |
| 74 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p); | |
| 74 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
| 75 | + uint8_t evt_len); | |
| 75 | 76 | static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p); |
| 76 | 77 | static void btu_hcif_qos_setup_comp_evt(uint8_t* p); |
| 77 | 78 | static void btu_hcif_command_complete_evt(BT_HDR* response, void* context); |
| @@ -195,7 +196,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) { | ||
| 195 | 196 | btu_hcif_read_rmt_features_comp_evt(p); |
| 196 | 197 | break; |
| 197 | 198 | case HCI_READ_RMT_EXT_FEATURES_COMP_EVT: |
| 198 | - btu_hcif_read_rmt_ext_features_comp_evt(p); | |
| 199 | + btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len); | |
| 199 | 200 | break; |
| 200 | 201 | case HCI_READ_RMT_VERSION_COMP_EVT: |
| 201 | 202 | btu_hcif_read_rmt_version_comp_evt(p); |
| @@ -812,7 +813,8 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) { | ||
| 812 | 813 | * Returns void |
| 813 | 814 | * |
| 814 | 815 | ******************************************************************************/ |
| 815 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) { | |
| 816 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
| 817 | + uint8_t evt_len) { | |
| 816 | 818 | uint8_t* p_cur = p; |
| 817 | 819 | uint8_t status; |
| 818 | 820 | uint16_t handle; |
| @@ -820,7 +822,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) { | ||
| 820 | 822 | STREAM_TO_UINT8(status, p_cur); |
| 821 | 823 | |
| 822 | 824 | if (status == HCI_SUCCESS) |
| 823 | - btm_read_remote_ext_features_complete(p); | |
| 825 | + btm_read_remote_ext_features_complete(p, evt_len); | |
| 824 | 826 | else { |
| 825 | 827 | STREAM_TO_UINT16(handle, p_cur); |
| 826 | 828 | btm_read_remote_ext_features_failed(status, handle); |
| @@ -1322,6 +1322,8 @@ typedef struct { | ||
| 1322 | 1322 | |
| 1323 | 1323 | #define HCI_FEATURE_BYTES_PER_PAGE 8 |
| 1324 | 1324 | |
| 1325 | +#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13 | |
| 1326 | + | |
| 1325 | 1327 | #define HCI_FEATURES_KNOWN(x) \ |
| 1326 | 1328 | (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0) |
| 1327 | 1329 |
| @@ -474,6 +474,7 @@ static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, | ||
| 474 | 474 | if (!sdp_copy_raw_data(p_ccb, false)) { |
| 475 | 475 | SDP_TRACE_ERROR("sdp_copy_raw_data failed"); |
| 476 | 476 | sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER); |
| 477 | + return; | |
| 477 | 478 | } |
| 478 | 479 | |
| 479 | 480 | #endif |
| @@ -703,6 +704,7 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, | ||
| 703 | 704 | if (!sdp_copy_raw_data(p_ccb, true)) { |
| 704 | 705 | SDP_TRACE_ERROR("sdp_copy_raw_data failed"); |
| 705 | 706 | sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER); |
| 707 | + return; | |
| 706 | 708 | } |
| 707 | 709 | #endif |
| 708 | 710 |
Fork