BNEP: Fix OOB access in bnep_data_ind

* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
  the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
  is most likely triggered

Bug: 78286118
Bug: 79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit 3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit 0416340ffa61337dbaa2f6602ef85a1c32563ec2)
1 file changed
tree: 56cf706e7b87f96e920615d391d756cfe95d9b47
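As an added illustration of the checks the commit message describes (example code, not the patch or the stack's own bnep_data_ind), here is a bounds-checked walk over a BNEP extension header chain that validates each payload before advancing and rejects a zero-length BNEP_EXTENSION_CONTROL. The header layout (type byte with E flag, length byte, payload; extension type 0 = BNEP_EXTENSION_CONTROL) is assumed from the BNEP specification, and the sample packets are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* BNEP extension header layout (assumed from the BNEP spec):
 *   byte 0: bit 7 = E (another extension follows), bits 6..0 = ext type
 *   byte 1: length of the extension payload
 *   bytes 2..: payload
 * Extension type 0x00 is BNEP_EXTENSION_CONTROL. */
#define BNEP_EXT_FLAG        0x80
#define BNEP_EXT_TYPE_MASK   0x7F
#define BNEP_EXTENSION_CONTROL 0x00

/* Walk the extension chain in [p, p+len). Returns the number of bytes
 * consumed, or -1 if any header or payload would run past the buffer,
 * or if a control extension carries no payload. n_control may be NULL. */
int bnep_walk_extensions(const uint8_t *p, size_t len, int *n_control) {
    size_t off = 0;
    bool more = true;
    if (n_control) *n_control = 0;
    while (more) {
        /* a zero-length packet, or a chain that ends early, stops here
         * before any byte is read */
        if (len - off < 2) return -1;
        uint8_t type = p[off] & BNEP_EXT_TYPE_MASK;
        more = (p[off] & BNEP_EXT_FLAG) != 0;
        uint8_t ext_len = p[off + 1];
        off += 2;
        /* validate the whole payload is inside the buffer before advancing */
        if (ext_len > len - off) return -1;
        if (type == BNEP_EXTENSION_CONTROL) {
            /* a control extension without a control-type byte is malformed */
            if (ext_len == 0) return -1;
            if (n_control) (*n_control)++;
        }
        off += ext_len;
    }
    return (int)off;
}

int main(void) {
    /* constructed sample: control ext (len 2, E set) then ext type 1 (len 1) */
    const uint8_t pkt[] = {0x80, 0x02, 0x01, 0x02, 0x01, 0x01, 0xAA};
    int n = 0;
    int used = bnep_walk_extensions(pkt, sizeof pkt, &n);
    printf("consumed=%d control_exts=%d\n", used, n); /* consumed=7 control_exts=1 */
    return 0;
}
```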

Fluoride Bluetooth stack

Building and running on AOSP

Just build AOSP - Fluoride is there by default.

Building and running on Linux

Instructions for Ubuntu, tested on 14.04 with Clang 3.5.0 and 16.10 with Clang 3.8.0

Download source

mkdir ~/fluoride
cd ~/fluoride
git clone

Install dependencies (requires sudo access):

cd ~/fluoride/bt

Then fetch third party dependencies:

cd ~/fluoride/bt
mkdir third_party
cd third_party
git clone
git clone
git clone
git clone
git clone
git clone
git clone

And third party dependencies of third party dependencies:

cd fluoride/bt/third_party/libchrome/base/third_party
mkdir valgrind
cd valgrind
curl | base64 -d > valgrind.h
curl | base64 -d > memcheck.h

NOTE: If system/bt is checked out under AOSP, then create symbolic links instead of downloading sources

cd system/bt
mkdir third_party
cd third_party
ln -s ../../../external/aac aac
ln -s ../../../external/libchrome libchrome
ln -s ../../../external/libldac libldac
ln -s ../../../external/modp_b64 modp_b64
ln -s ../../../external/tinyxml2 tinyxml2
ln -s ../../../hardware/libhardware libhardware
ln -s ../../../external/googletest googletest

Generate your build files

cd ~/fluoride/bt
gn gen out/Default

Build

cd ~/fluoride/bt
ninja -C out/Default all

This will build all targets (the shared library, executables, tests, etc) and put them in out/Default. To build an individual target, replace “all” with the target of your choice, e.g. ninja -C out/Default net_test_osi.

Run

cd ~/fluoride/bt/out/Default
LD_LIBRARY_PATH=./ ./bluetoothtbd -create-ipc-socket=fluoride

Eclipse IDE Support

  1. Follow the Chromium project Eclipse Setup Instructions until the “Optional: Building inside Eclipse” section (don't do that section, we will set it up differently)

  2. Generate Eclipse settings:

cd system/bt
gn gen --ide=eclipse out/Default

  3. In Eclipse, do File->Import->C/C++->C/C++ Project Settings, choose the XML location under system/bt/out/Default

  4. Right click on the project. Go to Preferences->C/C++ Build->Builder Settings. Uncheck “Use default build command” and use “ninja -C out/Default” instead

  5. Go to the Behaviour tab, change the clean command to “-t clean”