Merge cherrypicks of [14129455, 14130265, 14129457, 14130197, 14130199, 14130200, 14130201, 14130203, 14129438, 14129439, 14129732, 14129441, 14130241, 14129733, 14129734, 14130308, 14130309, 14130310, 14130312] into security-aosp-qt-release
Change-Id: I0cf6e018af3f2d2fd89e29b59ac6491a17726c32
diff --git a/profile/avrcp/connection_handler.cc b/profile/avrcp/connection_handler.cc
index 3177506..51ebfea 100644
--- a/profile/avrcp/connection_handler.cc
+++ b/profile/avrcp/connection_handler.cc
@@ -407,7 +407,7 @@
device_map_[handle]->MessageReceived(label, Packet::Parse(pkt));
}
-void ConnectionHandler::SdpCb(const RawAddress& bdaddr, SdpCallback cb,
+void ConnectionHandler::SdpCb(RawAddress bdaddr, SdpCallback cb,
tSDP_DISCOVERY_DB* disc_db, uint16_t status) {
LOG(INFO) << __PRETTY_FUNCTION__ << ": SDP lookup callback received";
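Review bot: Nothing at the new `SdpCb(RawAddress bdaddr, ...)` signature records why the address is now taken by value, so a later cleanup (for example a `performance-unnecessary-value-param` fix) could restore `const RawAddress&`. The reason is presumably that the callback can run after the caller's address object has gone away, but the binding site is outside this hunk, so that is an inference to confirm. I would add a comment above the declaration in connection_handler.h, where the same change is made, and repeat it here: `// bdaddr is copied on purpose: this runs as a deferred SDP callback and must not hold a reference to the caller's RawAddress.` The function body continues past the end of the hunk.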
diff --git a/profile/avrcp/connection_handler.h b/profile/avrcp/connection_handler.h
index e22cb6a..9a4e27b 100644
--- a/profile/avrcp/connection_handler.h
+++ b/profile/avrcp/connection_handler.h
@@ -136,7 +136,7 @@
using SdpCallback = base::Callback<void(uint16_t status, uint16_t version,
uint16_t features)>;
virtual bool SdpLookup(const RawAddress& bdaddr, SdpCallback cb);
- void SdpCb(const RawAddress& bdaddr, SdpCallback cb,
+ void SdpCb(RawAddress bdaddr, SdpCallback cb,
tSDP_DISCOVERY_DB* disc_db, uint16_t status);
virtual bool AvrcpConnect(bool initiator, const RawAddress& bdaddr);
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index 0745fcb..3b21894 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -73,6 +73,12 @@
case AVRC_PDU_REGISTER_NOTIFICATION: /* 0x31 */
BE_STREAM_TO_UINT8(p_result->reg_notif.event_id, p);
BE_STREAM_TO_UINT32(p_result->reg_notif.param, p);
+
+ if (p_result->reg_notif.event_id == 0 ||
+ p_result->reg_notif.event_id > AVRC_NUM_NOTIF_EVENTS) {
+ android_errorWriteLog(0x534e4554, "181860042");
+ status = AVRC_STS_BAD_PARAM;
+ }
break;
default:
status = AVRC_STS_BAD_CMD;
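Review bot: The new range check on `p_result->reg_notif.event_id` runs only after both `BE_STREAM_TO_UINT8` and `BE_STREAM_TO_UINT32` have consumed five bytes, and nothing visible in this hunk confirms those bytes are present. The enclosing function starts outside the hunk, so a length check may already exist earlier; if it does not, a guard along the lines of `if (len < 5) { status = AVRC_STS_BAD_PARAM; break; }` belongs before the reads (assuming the parsed parameter length is in scope under that name). Note also that the rejected value stays in `p_result`, so callers have to test the returned status before using `event_id`. A short comment such as `/* valid event ids are 1..AVRC_NUM_NOTIF_EVENTS */` above the check would record the contract.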
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index bfce7cb..ba7cbce 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -689,6 +689,16 @@
memcpy(pt.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
memcpy(pt.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
+ if (!memcmp(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, BT_OCTET32_LEN) &&
+ !memcmp(p_cb->peer_publ_key.y, p_cb->loc_publ_key.y, BT_OCTET32_LEN)) {
+ android_errorWriteLog(0x534e4554, "174886838");
+ SMP_TRACE_WARNING("Remote and local public keys can't match");
+ tSMP_INT_DATA smp;
+ smp.status = SMP_PAIR_AUTH_FAIL;
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp);
+ return;
+ }
+
if (!ECC_ValidatePoint(pt)) {
android_errorWriteLog(0x534e4554, "72377774");
tSMP_INT_DATA smp;
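Review bot: The added guard rejects the peer key only when both `x` and `y` equal the local key, so a peer key that shares the local X coordinate but carries a different Y is not caught here. It would also pass `ECC_ValidatePoint` below if that Y is the other valid one for the same X. As far as I recall, the Bluetooth Core Specification guidance is to fail pairing whenever the X coordinate matches the local one, which suggests dropping the second comparison: `if (!memcmp(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, BT_OCTET32_LEN)) {`. If a debug-key mode has to stay usable, that exception should be stated explicitly in a comment next to the check. The enclosing function begins before this hunk and the `ECC_ValidatePoint` branch is cut off at its end.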
diff --git a/stack/test/stack_avrcp_test.cc b/stack/test/stack_avrcp_test.cc
new file mode 100644
index 0000000..d3a5165
--- /dev/null
+++ b/stack/test/stack_avrcp_test.cc
@@ -0,0 +1,159 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <arpa/inet.h> // htons
+#include <dlfcn.h>
+#include <gtest/gtest.h>
+
+#include "stack/include/avrc_api.h"
+
+class StackAvrcpTest : public ::testing::Test {
+ protected:
+ StackAvrcpTest() = default;
+
+ virtual ~StackAvrcpTest() = default;
+};
+
+TEST_F(StackAvrcpTest, test_avrcp_parse_browse_cmd) {
+ uint8_t scratch_buf[512]{};
+ tAVRC_MSG msg{};
+ tAVRC_COMMAND result{};
+ uint8_t browse_cmd_buf[512]{};
+
+ msg.hdr.opcode = AVRC_OP_BROWSE;
+ msg.browse.p_browse_data = browse_cmd_buf;
+ msg.browse.browse_len = 2;
+ EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+ AVRC_STS_BAD_CMD);
+
+ memset(browse_cmd_buf, 0, sizeof(browse_cmd_buf));
+ browse_cmd_buf[0] = AVRC_PDU_SET_BROWSED_PLAYER;
+ msg.browse.browse_len = 3;
+ EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+ AVRC_STS_BAD_CMD);
+
+ msg.browse.browse_len = 5;
+ EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+ AVRC_STS_NO_ERROR);
+
+ memset(browse_cmd_buf, 0, sizeof(browse_cmd_buf));
+ browse_cmd_buf[0] = AVRC_PDU_GET_FOLDER_ITEMS;
+ msg.browse.browse_len = 3;
+ EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+ AVRC_STS_BAD_CMD);
+
+ msg.browse.browse_len = 13;
+ uint8_t* p = &browse_cmd_buf[3];
+ UINT8_TO_STREAM(p, AVRC_SCOPE_NOW_PLAYING); // scope
+ UINT32_TO_STREAM(p, 0x00000001); // start_item
+ UINT32_TO_STREAM(p, 0x00000002); // end_item
+ browse_cmd_buf[12] = 0; // attr_count
+ EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+ AVRC_STS_NO_ERROR);
+
+ memset(browse_cmd_buf, 0, sizeof(browse_cmd_buf));
+ browse_cmd_buf[0] = AVRC_PDU_CHANGE_PATH;
+ msg.browse.browse_len = 3;
+ EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+ AVRC_STS_BAD_CMD);
+
+ msg.browse.browse_len = 14;
+ p = &browse_cmd_buf[3];
+ UINT16_TO_STREAM(p, 0x1234); // uid_counter
+ UINT8_TO_STREAM(p, AVRC_DIR_UP); // direction
+ UINT8_TO_STREAM(p, 0); // attr_count
+ EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+ AVRC_STS_NO_ERROR);
+
+ memset(browse_cmd_buf, 0, sizeof(browse_cmd_buf));
+ browse_cmd_buf[0] = AVRC_PDU_GET_ITEM_ATTRIBUTES;
+ msg.browse.browse_len = 3;
+ EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+ AVRC_STS_BAD_CMD);
+
+ msg.browse.browse_len = 15;
+ EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+ AVRC_STS_NO_ERROR);
+
+ memset(browse_cmd_buf, 0, sizeof(browse_cmd_buf));
+ browse_cmd_buf[0] = AVRC_PDU_GET_TOTAL_NUM_OF_ITEMS;
+ msg.browse.browse_len = 3;
+ EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+ AVRC_STS_BAD_CMD);
+
+ msg.browse.browse_len = 4;
+ EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+ AVRC_STS_NO_ERROR);
+
+ memset(browse_cmd_buf, 0, sizeof(browse_cmd_buf));
+ browse_cmd_buf[0] = AVRC_PDU_SEARCH;
+ msg.browse.browse_len = 3;
+ EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+ AVRC_STS_BAD_CMD);
+
+ p = &browse_cmd_buf[3];
+ UINT16_TO_STREAM(p, 0x0000); // charset_id
+ UINT16_TO_STREAM(p, 0x0000); // str_len
+ msg.browse.browse_len = 7;
+ EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+ AVRC_STS_NO_ERROR);
+}
+
+TEST_F(StackAvrcpTest, test_avrcp_pdu_register_notification) {
+ ASSERT_EQ(htons(0x500), 5);
+
+ struct {
+ uint8_t pdu;
+ uint8_t reserved;
+ uint16_t len;
+ struct {
+ uint8_t event_id;
+ uint32_t param;
+ } payload;
+ } data = {
+ AVRC_PDU_REGISTER_NOTIFICATION,
+ 0, // reserved
+ htons(sizeof(data.payload)),
+ .payload =
+ {
+ .event_id = 0,
+ .param = 0x1234,
+ },
+ };
+
+ tAVRC_MSG msg = {
+ .vendor =
+ {
+ .hdr =
+ {
+ .ctype = AVRC_CMD_NOTIF,
+ .opcode = AVRC_OP_VENDOR,
+ },
+ .p_vendor_data = (uint8_t*)&data,
+ .vendor_len = sizeof(data),
+ },
+ };
+ tAVRC_COMMAND result{};
+
+ // Run through all possible event ids
+ uint8_t id = 0;
+ do {
+ data.payload.event_id = id;
+ ASSERT_EQ((id == 0 || id > AVRC_NUM_NOTIF_EVENTS) ? AVRC_STS_BAD_PARAM
+ : AVRC_STS_NO_ERROR,
+ AVRC_Ctrl_ParsCommand(&msg, &result));
+ } while (++id != 0);
+}
\ No newline at end of file
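Review bot: In `test_avrcp_pdu_register_notification` the anonymous `data` struct is not packed, so `payload` has three padding bytes between `event_id` and `param`. This makes `sizeof(data.payload)` 8 rather than the 5 bytes of a REGISTER_NOTIFICATION parameter, and the parser reads `param` from padding. The test passes only because `event_id` happens to land at offset 4; it would misreport if the parser tightened its length handling. Marking both structs packed (`struct __attribute__((packed)) { ... }`) or building the PDU in a `uint8_t` array would make the buffer match the wire format. Separately, `ASSERT_EQ(htons(0x500), 5)` fails on a big-endian host, so a comment should say it is a little-endian sanity check. The `<dlfcn.h>` include looks unused, and the file lacks a trailing newline.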