Merge "Revert "Fix potential OOB write in btm_read_remote_ext_features_complete"" into oc-dev am: aa754ed3ec am: 53afb387a4 am: a651e35ad0 am: 91f38752fa am: 9d7aa50fb7
am: 9e976434fe
Change-Id: I62a7aefbeaeb699b21daf88ccd16b1d72f3c0438
diff --git a/binder/android/bluetooth/IBluetoothPan.aidl b/binder/android/bluetooth/IBluetoothPan.aidl
index 16b6ddf..4052aa4 100644
--- a/binder/android/bluetooth/IBluetoothPan.aidl
+++ b/binder/android/bluetooth/IBluetoothPan.aidl
@@ -26,7 +26,7 @@
interface IBluetoothPan {
// Public API
boolean isTetheringOn();
- void setBluetoothTethering(boolean value);
+ void setBluetoothTethering(boolean value, String pkgName);
boolean connect(in BluetoothDevice device);
boolean disconnect(in BluetoothDevice device);
List<BluetoothDevice> getConnectedDevices();
diff --git a/btif/include/btif_keystore.h b/btif/include/btif_keystore.h
index cc06a98..4762350 100644
--- a/btif/include/btif_keystore.h
+++ b/btif/include/btif_keystore.h
@@ -59,14 +59,6 @@
*/
std::string Decrypt(const std::string& input_filename);
- /**
- * Check for existence of keystore key.
- *
- * This key can be cleared if a user manually wipes bluetooth storage data
- * b/133214365
- */
- bool DoesKeyExist();
-
private:
std::unique_ptr<keystore::KeystoreClient> keystore_client_;
std::mutex api_mutex_;
diff --git a/btif/src/btif_config.cc b/btif/src/btif_config.cc
index ed24d7d..be006ab 100644
--- a/btif/src/btif_config.cc
+++ b/btif/src/btif_config.cc
@@ -183,9 +183,7 @@
static future_t* init(void) {
std::unique_lock<std::recursive_mutex> lock(config_lock);
- if (is_factory_reset() ||
- (use_key_attestation() && !btif_keystore.DoesKeyExist()))
- delete_config_files();
+ if (is_factory_reset()) delete_config_files();
std::string file_source;
diff --git a/btif/src/btif_keystore.cc b/btif/src/btif_keystore.cc
index 0af03e1..fe9d3dd 100644
--- a/btif/src/btif_keystore.cc
+++ b/btif/src/btif_keystore.cc
@@ -98,8 +98,4 @@
&software_enforced_characteristics);
}
-bool BtifKeystore::DoesKeyExist() {
- return keystore_client_->doesKeyExist(kKeyStore);
-}
-
} // namespace bluetooth
diff --git a/btif/src/btif_profile_queue.cc b/btif/src/btif_profile_queue.cc
index 41275f1..900a6af 100644
--- a/btif/src/btif_profile_queue.cc
+++ b/btif/src/btif_profile_queue.cc
@@ -195,7 +195,14 @@
LOG_INFO(LOG_TAG, "%s: executing connection request: %s", __func__,
head.ToString().c_str());
- return head.connect();
+ bt_status_t b_status = head.connect();
+ if (b_status != BT_STATUS_SUCCESS) {
+ LOG_INFO(LOG_TAG,
+ "%s: connect %s failed, advance to next scheduled connection.",
+ __func__, head.ToString().c_str());
+ btif_queue_advance();
+ }
+ return b_status;
}
/*******************************************************************************
diff --git a/btif/test/btif_profile_queue_test.cc b/btif/test/btif_profile_queue_test.cc
index 486959b..af0255b 100644
--- a/btif/test/btif_profile_queue_test.cc
+++ b/btif/test/btif_profile_queue_test.cc
@@ -97,6 +97,49 @@
EXPECT_EQ(sResult, UUID1_ADDR1);
}
+static bt_status_t test_connect_cb_fail(RawAddress* bda, uint16_t uuid) {
+ sResult = UNKNOWN;
+ if (*bda == BtifProfileQueueTest::kTestAddr1) {
+ if (uuid == BtifProfileQueueTest::kTestUuid1) {
+ sResult = UUID1_ADDR1;
+ } else if (uuid == BtifProfileQueueTest::kTestUuid2) {
+ sResult = UUID2_ADDR1;
+ }
+ } else if (*bda == BtifProfileQueueTest::kTestAddr2) {
+ if (uuid == BtifProfileQueueTest::kTestUuid1) {
+ sResult = UUID1_ADDR2;
+ } else if (uuid == BtifProfileQueueTest::kTestUuid2) {
+ sResult = UUID2_ADDR2;
+ }
+ }
+ return BT_STATUS_BUSY;
+}
+
+TEST_F(BtifProfileQueueTest, test_connect_fail_still_can_advance_the_queue) {
+ sResult = NOT_SET;
+ // First connect-message for UUID1-ADDR1 is executed, but does not be removed
+ // from connect-queue yet.
+ btif_queue_connect(kTestUuid1, &kTestAddr1, test_connect_cb);
+ EXPECT_EQ(sResult, UUID1_ADDR1);
+ sResult = NOT_SET;
+ // Second connect-message for UUID2-ADDR1 be pushed into connect-queue, but is
+ // not executed
+ btif_queue_connect(kTestUuid2, &kTestAddr1, test_connect_cb_fail);
+ EXPECT_EQ(sResult, NOT_SET);
+ // Third connect-message for UUID1-ADDR2 be pushed into connect-queue, but is
+ // not executed
+ btif_queue_connect(kTestUuid1, &kTestAddr2, test_connect_cb_fail);
+ EXPECT_EQ(sResult, NOT_SET);
+ // Fourth connect-message for UUID2-ADDR2 be pushed into connect-queue, but is
+ // not executed
+ btif_queue_connect(kTestUuid2, &kTestAddr2, test_connect_cb_fail);
+ EXPECT_EQ(sResult, NOT_SET);
+ // removed First connect-message from connect-queue, check it can advance to
+ // subsequent connect-message.
+ btif_queue_advance();
+ EXPECT_EQ(sResult, UUID2_ADDR2);
+}
+
TEST_F(BtifProfileQueueTest, test_connect_same_uuid_do_not_repeat) {
sResult = NOT_SET;
btif_queue_connect(kTestUuid1, &kTestAddr1, test_connect_cb);
diff --git a/profile/avrcp/connection_handler.cc b/profile/avrcp/connection_handler.cc
index 3177506..686f89b 100644
--- a/profile/avrcp/connection_handler.cc
+++ b/profile/avrcp/connection_handler.cc
@@ -138,9 +138,7 @@
bool ConnectionHandler::DisconnectDevice(const RawAddress& bdaddr) {
for (auto it = device_map_.begin(); it != device_map_.end(); it++) {
if (bdaddr == it->second->GetAddress()) {
- it->second->DeviceDisconnected();
uint8_t handle = it->first;
- device_map_.erase(handle);
return avrc_->Close(handle) == AVRC_SUCCESS;
}
}
diff --git a/stack/btm/btm_acl.cc b/stack/btm/btm_acl.cc
index dcb2fb4..be0c937 100644
--- a/stack/btm/btm_acl.cc
+++ b/stack/btm/btm_acl.cc
@@ -825,7 +825,8 @@
tBTM_SEC_DEV_REC* p_dev_rec = btm_find_or_alloc_dev(bda);
/* If there are any preferred connection parameters, set them now */
- if ((p_dev_rec->conn_params.min_conn_int >= BTM_BLE_CONN_INT_MIN) &&
+ if ((p_lcb != NULL) && (p_dev_rec != NULL) &&
+ (p_dev_rec->conn_params.min_conn_int >= BTM_BLE_CONN_INT_MIN) &&
(p_dev_rec->conn_params.min_conn_int <= BTM_BLE_CONN_INT_MAX) &&
(p_dev_rec->conn_params.max_conn_int >= BTM_BLE_CONN_INT_MIN) &&
(p_dev_rec->conn_params.max_conn_int <= BTM_BLE_CONN_INT_MAX) &&
diff --git a/stack/btm/btm_ble_bgconn.cc b/stack/btm/btm_ble_bgconn.cc
index 73256c8..209f49f 100644
--- a/stack/btm/btm_ble_bgconn.cc
+++ b/stack/btm/btm_ble_bgconn.cc
@@ -39,6 +39,7 @@
uint16_t conn_timeout, uint16_t min_ce_len, uint16_t max_ce_len,
uint8_t phy);
extern void btm_ble_create_conn_cancel();
+void wl_remove_complete(uint8_t* p_data, uint16_t /* evt_len */);
// Unfortunately (for now?) we have to maintain a copy of the device whitelist
// on the host to determine if a device is pending to be connected or not. This
@@ -72,7 +73,14 @@
BackgroundConnection{address, addr_type, false, 0, false};
} else {
BackgroundConnection* connection = &map_iter->second;
- connection->addr_type = addr_type;
+ if (addr_type != connection->addr_type) {
+ LOG(INFO) << __func__ << " Addr type mismatch " << address;
+ btsnd_hcic_ble_remove_from_white_list(
+ connection->addr_type_in_wl, connection->address,
+ base::Bind(&wl_remove_complete));
+ connection->addr_type = addr_type;
+ connection->in_controller_wl = false;
+ }
connection->pending_removal = false;
}
}
@@ -170,8 +178,7 @@
return true;
// bonded device with identity address known
- if (p_dev_rec->ble.identity_addr != address &&
- !p_dev_rec->ble.identity_addr.IsEmpty()) {
+ if (!p_dev_rec->ble.identity_addr.IsEmpty()) {
return true;
}
@@ -197,8 +204,7 @@
if (p_dev_rec != NULL && p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) {
if (to_add) {
- if (p_dev_rec->ble.identity_addr != bd_addr &&
- !p_dev_rec->ble.identity_addr.IsEmpty()) {
+ if (!p_dev_rec->ble.identity_addr.IsEmpty()) {
background_connection_add(p_dev_rec->ble.identity_addr_type,
p_dev_rec->ble.identity_addr);
} else {
@@ -212,8 +218,7 @@
p_dev_rec->ble.in_controller_list |= BTM_WHITE_LIST_BIT;
} else {
- if (!p_dev_rec->ble.identity_addr.IsEmpty() &&
- p_dev_rec->ble.identity_addr != bd_addr) {
+ if (!p_dev_rec->ble.identity_addr.IsEmpty()) {
background_connection_remove(p_dev_rec->ble.identity_addr);
} else {
background_connection_remove(bd_addr);
diff --git a/stack/btm/btm_ble_connection_establishment.cc b/stack/btm/btm_ble_connection_establishment.cc
index c0d7791..77bc00f 100644
--- a/stack/btm/btm_ble_connection_establishment.cc
+++ b/stack/btm/btm_ble_connection_establishment.cc
@@ -159,6 +159,7 @@
if (!btm_ble_init_pseudo_addr(match_rec, bda)) {
/* assign the original address to be the current report address */
bda = match_rec->ble.pseudo_addr;
+ bda_type = match_rec->ble.ble_addr_type;
} else {
bda = match_rec->bd_addr;
}
diff --git a/stack/btm/btm_ble_gap.cc b/stack/btm/btm_ble_gap.cc
index c46acf0..05cac15 100644
--- a/stack/btm/btm_ble_gap.cc
+++ b/stack/btm/btm_ble_gap.cc
@@ -1755,6 +1755,7 @@
} else {
// Assign the original address to be the current report address
bda = match_rec->ble.pseudo_addr;
+ *addr_type = match_rec->ble.ble_addr_type;
}
}
}
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 4df0974..1ff4eed 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -4305,12 +4305,15 @@
}
}
- if (!addr_matched) {
- /* Don't callback unless this Connection-Complete-failure event has the
- * same mac address as the bonding device */
+ /* p_auth_complete_callback might have freed the p_dev_rec, ensure it exists
+ * before accessing */
+ p_dev_rec = btm_find_dev(bda);
+ if (!p_dev_rec) {
+ /* Don't callback when device security record was removed */
VLOG(1) << __func__
- << ": Different mac addresses: pairing_bda=" << btm_cb.pairing_bda
- << ", bda=" << bda << ", do not callback";
+ << ": device security record associated with this bda has been "
+ "removed! bda="
+ << bda << ", do not callback!";
return;
}
diff --git a/stack/gatt/gatt_main.cc b/stack/gatt/gatt_main.cc
index 87f9c87..ed8d3fd 100644
--- a/stack/gatt/gatt_main.cc
+++ b/stack/gatt/gatt_main.cc
@@ -823,6 +823,9 @@
}
}
+ /* Remove the direct connection */
+ connection_manager::on_connection_complete(p_tcb->peer_bda);
+
if (!p_tcb->app_hold_link.empty() && p_tcb->att_lcid == L2CAP_ATT_CID) {
/* disable idle timeout if one or more clients are holding the link disable
* the idle timer */
diff --git a/stack/l2cap/l2c_link.cc b/stack/l2cap/l2c_link.cc
index 8e04c6e..60e9fd8 100644
--- a/stack/l2cap/l2c_link.cc
+++ b/stack/l2cap/l2c_link.cc
@@ -675,6 +675,8 @@
uint16_t num_hipri_links = 0;
uint16_t controller_xmit_quota = l2cb.num_lm_acl_bufs;
uint16_t high_pri_link_quota = L2CAP_HIGH_PRI_MIN_XMIT_QUOTA_A;
+ bool is_share_buffer =
+ (l2cb.num_lm_ble_bufs == L2C_DEF_NUM_BLE_BUF_SHARED) ? true : false;
/* If no links active, reset buffer quotas and controller buffers */
if (l2cb.num_links_active == 0) {
@@ -685,7 +687,8 @@
/* First, count the links */
for (yy = 0, p_lcb = &l2cb.lcb_pool[0]; yy < MAX_L2CAP_LINKS; yy++, p_lcb++) {
- if (p_lcb->in_use) {
+ if (p_lcb->in_use &&
+ (is_share_buffer || p_lcb->transport != BT_TRANSPORT_LE)) {
if (p_lcb->acl_priority == L2CAP_PRIORITY_HIGH)
num_hipri_links++;
else
@@ -732,7 +735,8 @@
/* Now, assign the quotas to each link */
for (yy = 0, p_lcb = &l2cb.lcb_pool[0]; yy < MAX_L2CAP_LINKS; yy++, p_lcb++) {
- if (p_lcb->in_use) {
+ if (p_lcb->in_use &&
+ (is_share_buffer || p_lcb->transport != BT_TRANSPORT_LE)) {
if (p_lcb->acl_priority == L2CAP_PRIORITY_HIGH) {
p_lcb->link_xmit_quota = high_pri_link_quota;
} else {
