Merge "Fix cert" am: d146839f6a am: a74cb80d47
am: 87bb1ee386

Change-Id: I920e5ec381896e2009dd74dcc77e3b6bbe448dc7
diff --git a/btif/Android.bp b/btif/Android.bp
index 6be1d81..8e55de6 100644
--- a/btif/Android.bp
+++ b/btif/Android.bp
@@ -24,8 +24,8 @@
     "system/bt/utils/include",
     "system/bt/include",
     "system/libhwbinder/include",
-    "system/security/keystore/include",
-    "hardware/interfaces/keymaster/4.0/support/include",
+    //"system/security/keystore/include",
+    //"hardware/interfaces/keymaster/4.0/support/include",
 ]
 
 // libbtif static library for target
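Review bot: Commenting out the keystore include paths (`//"system/security/keystore/include"`, `//"hardware/interfaces/keymaster/4.0/support/include"`) instead of removing them leaves entries in the build file that Soong will never read, and the same pattern repeats in the hunks at L20–L28, L29–L47, L48–L56 and L57–L77. If the intent is to restore key attestation once the dependencies are available again, a single comment at the top of the list stating that intent (with a tracking reference) plus a clean removal would be easier to keep in sync than parallel commented-out lists. `libbinder` is also dropped from the test target at L74 together with the keystore libraries; whether that test still links without it is not visible here and is worth confirming.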
@@ -73,7 +73,7 @@
         "src/btif_hf_client.cc",
         "src/btif_hh.cc",
         "src/btif_hd.cc",
-        "src/btif_keystore.cc",
+        //"src/btif_keystore.cc",
         "src/btif_mce.cc",
         "src/btif_pan.cc",
         "src/btif_profile_queue.cc",
@@ -107,12 +107,12 @@
         "libhidlbase",
         "libutils",
         "libcrypto",
-        "android.hardware.keymaster@4.0",
-        "android.hardware.keymaster@3.0",
-        "libkeymaster4support",
-        "libkeystore_aidl",
-        "libkeystore_binder",
-        "libkeystore_parcelables",
+        //"android.hardware.keymaster@4.0",
+        //"android.hardware.keymaster@3.0",
+        //"libkeymaster4support",
+        //"libkeystore_aidl",
+        //"libkeystore_binder",
+        //"libkeystore_parcelables",
     ],
     whole_static_libs: [
         "avrcp-target-service",
@@ -135,7 +135,7 @@
     include_dirs: btifCommonIncludes,
     srcs: [
         "test/btif_storage_test.cc",
-        "test/btif_keystore_test.cc"
+        //"test/btif_keystore_test.cc"
     ],
     header_libs: ["libbluetooth_headers"],
     shared_libs: [
@@ -150,13 +150,13 @@
         "libprocessgroup",
         "libutils",
         "libcrypto",
-        "android.hardware.keymaster@4.0",
-        "android.hardware.keymaster@3.0",
-        "libkeymaster4support",
-        "libkeystore_aidl",
-        "libkeystore_binder",
-        "libkeystore_parcelables",
-        "libbinder",
+        //"android.hardware.keymaster@4.0",
+        //"android.hardware.keymaster@3.0",
+        //"libkeymaster4support",
+        //"libkeystore_aidl",
+        //"libkeystore_binder",
+        //"libkeystore_parcelables",
+        //"libbinder",
     ],
     static_libs: [
         "libbt-bta",
diff --git a/btif/src/btif_config.cc b/btif/src/btif_config.cc
index be006ab..b1af0ba 100644
--- a/btif/src/btif_config.cc
+++ b/btif/src/btif_config.cc
@@ -38,7 +38,7 @@
 #include "btif_api.h"
 #include "btif_common.h"
 #include "btif_config_transcode.h"
-#include "btif_keystore.h"
+//#include "btif_keystore.h"
 #include "btif_util.h"
 #include "common/address_obfuscator.h"
 #include "osi/include/alarm.h"
@@ -58,15 +58,15 @@
 #define DISABLED "disabled"
 static const char* TIME_STRING_FORMAT = "%Y-%m-%d %H:%M:%S";
 
-constexpr int kBufferSize = 400 * 10;  // initial file is ~400B
+// constexpr int kBufferSize = 400 * 10;  // initial file is ~400B
 
-static bool use_key_attestation() {
+/*static bool use_key_attestation() {
   return getuid() == AID_BLUETOOTH && is_single_user_mode();
-}
+}*/
 
 #define BT_CONFIG_METRICS_SECTION "Metrics"
 #define BT_CONFIG_METRICS_SALT_256BIT "Salt256Bit"
-using bluetooth::BtifKeystore;
+// using bluetooth::BtifKeystore;
 using bluetooth::common::AddressObfuscator;
 
 // TODO(armansito): Find a better way than searching by a hardcoded path.
@@ -93,9 +93,10 @@
 static std::unique_ptr<config_t> btif_config_open(const char* filename, const char* checksum_filename);
 
 // Key attestation
-static std::string hash_file(const char* filename);
-static std::string read_checksum_file(const char* filename);
-static void write_checksum_file(const char* filename, const std::string& hash);
+// static std::string hash_file(const char* filename);
+// static std::string read_checksum_file(const char* filename);
+// static void write_checksum_file(const char* filename, const std::string&
+// hash);
 
 static enum ConfigSource {
   NOT_LOADED,
@@ -176,7 +177,7 @@
 static std::unique_ptr<config_t> config;
 static alarm_t* config_timer;
 
-static BtifKeystore btif_keystore(new keystore::KeystoreClientImpl);
+// static BtifKeystore btif_keystore(new keystore::KeystoreClientImpl);
 
 // Module lifecycle functions
 
@@ -184,6 +185,9 @@
   std::unique_lock<std::recursive_mutex> lock(config_lock);
 
   if (is_factory_reset()) delete_config_files();
+  /*if (is_factory_reset() ||
+      (use_key_attestation() && !btif_keystore.DoesKeyExist()))
+    delete_config_files();*/
 
   std::string file_source;
 
@@ -262,7 +266,7 @@
 }
 
 static std::unique_ptr<config_t> btif_config_open(const char* filename, const char* checksum_filename) {
-  // START KEY ATTESTATION
+  /*// START KEY ATTESTATION
   // Get hash of current file
   std::string current_hash = hash_file(filename);
   // Get stored hash
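Review bot: With the attestation block in btif_config_open commented out, `checksum_filename` appears to be unused in this function (the removed lines were what consumed it), which is an -Wunused-parameter error under -Werror unless the body outside the hunk still reads it; mark it `[[maybe_unused]]` or give the disabled path a named flag rather than a block comment. The disabled `current_hash != stored_hash` comparison was the check that rejected a modified bt_config.conf before it was loaded, so the file is now loaded without any integrity verification; if that is intended for this build, a comment at this spot saying so, and what restores it, would stop the next reader from taking the dead block for an accident. btif_config_open continues outside the hunk.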
@@ -278,7 +282,7 @@
   if (current_hash != stored_hash) {
     return nullptr;
   }
-  // END KEY ATTESTATION
+  // END KEY ATTESTATION*/
 
   std::unique_ptr<config_t> config = config_new(filename);
   if (!config) return nullptr;
@@ -512,11 +516,11 @@
   bool ret = config_save(*config, CONFIG_FILE_PATH);
   btif_config_source = RESET;
 
-  // Save encrypted hash
+  /*// Save encrypted hash
   std::string current_hash = hash_file(CONFIG_FILE_PATH);
   if (!current_hash.empty()) {
     write_checksum_file(CONFIG_FILE_CHECKSUM_PATH, current_hash);
-  }
+  }*/
 
   return ret;
 }
@@ -539,11 +543,11 @@
   std::unique_ptr<config_t> config_paired = config_new_clone(*config);
   btif_config_remove_unpaired(config_paired.get());
   config_save(*config_paired, CONFIG_FILE_PATH);
-  // Save hash
+  /*// Save hash
   std::string current_hash = hash_file(CONFIG_FILE_PATH);
   if (!current_hash.empty()) {
     write_checksum_file(CONFIG_FILE_CHECKSUM_PATH, current_hash);
-  }
+  }*/
 }
 
 static void btif_config_remove_unpaired(config_t* conf) {
@@ -635,12 +639,12 @@
 static void delete_config_files(void) {
   remove(CONFIG_FILE_PATH);
   remove(CONFIG_BACKUP_PATH);
-  remove(CONFIG_FILE_CHECKSUM_PATH);
-  remove(CONFIG_BACKUP_CHECKSUM_PATH);
+  // remove(CONFIG_FILE_CHECKSUM_PATH);
+  // remove(CONFIG_BACKUP_CHECKSUM_PATH);
   osi_property_set("persist.bluetooth.factoryreset", "false");
 }
 
-static std::string hash_file(const char* filename) {
+/*static std::string hash_file(const char* filename) {
   if (!use_key_attestation()) {
     LOG(INFO) << __func__ << ": Disabled for multi-user";
     return DISABLED;
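Review bot: Commenting out `remove(CONFIG_FILE_CHECKSUM_PATH);` and `remove(CONFIG_BACKUP_CHECKSUM_PATH);` in delete_config_files means a factory reset now leaves any checksum files written by an earlier build on disk; if attestation is re-enabled later, such a stale checksum will not match the freshly written config and btif_config_open will reject it. The two `remove()` calls cost nothing when the files are absent, so keep them as they were. The `/*` opened at `/*static std::string hash_file(` on the last lines of this hunk is closed only in the next hunk, several functions later; see the note there.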
@@ -696,4 +700,4 @@
       << __func__ << ": Failed encrypting checksum";
   CHECK(checksum_save(encrypted_checksum, checksum_filename))
       << __func__ << ": Failed to save checksum!";
-}
+}*/
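Review bot: Closing a single block comment here with `}*/` that was opened at `/*static std::string hash_file(` (L202) is fragile: C++ block comments do not nest, so any `/* ... */` inside the wrapped functions (not visible in the hunks) ends the comment early and the remainder fails to compile. `#if 0` / `#endif`, or a build-time flag tied to the keystore dependency, disables the same span safely and survives clang-format; the same applies to the spans at L99–L102, L149–L158, L167–L172 and L181–L186, and to the newly added commented-out block at L138–L140. The commented-out prototypes at L118–L121 have already been re-wrapped by the formatter in the middle of a signature, which shows the preserved text drifting from the code it is meant to keep.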
diff --git a/btif/src/btif_dm.cc b/btif/src/btif_dm.cc
index 5543988..0589a6e 100644
--- a/btif/src/btif_dm.cc
+++ b/btif/src/btif_dm.cc
@@ -925,8 +925,8 @@
  ******************************************************************************/
 static void btif_dm_ssp_cfm_req_evt(tBTA_DM_SP_CFM_REQ* p_ssp_cfm_req) {
   bt_bdname_t bd_name;
-  uint32_t cod;
   bool is_incoming = !(pairing_cb.state == BT_BOND_STATE_BONDING);
+  uint32_t cod;
   int dev_type;
 
   BTIF_TRACE_DEBUG("%s", __func__);
diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc
index e203d2f..59f0593 100644
--- a/btif/src/btif_storage.cc
+++ b/btif/src/btif_storage.cc
@@ -889,8 +889,9 @@
     tBTA_LE_KEY_VALUE key;
     memset(&key, 0, sizeof(key));
 
-    if (btif_storage_get_ble_bonding_key(&bd_addr, BTIF_DM_LE_KEY_PENC, (uint8_t*)&key, sizeof(tBTM_LE_PENC_KEYS)) ==
-        BT_STATUS_SUCCESS) {
+    if (btif_storage_get_ble_bonding_key(
+            &bd_addr, BTIF_DM_LE_KEY_PENC, (uint8_t*)&key,
+            sizeof(tBTM_LE_PENC_KEYS)) == BT_STATUS_SUCCESS) {
       if (is_sample_ltk(key.penc_key.ltk)) {
         bad_ltk.push_back(bd_addr);
       }
@@ -899,7 +900,8 @@
 
   for (RawAddress address : bad_ltk) {
     android_errorWriteLog(0x534e4554, "128437297");
-    LOG(ERROR) << __func__ << ": removing bond to device using test TLK: " << address;
+    LOG(ERROR) << __func__
+               << ": removing bond to device using test TLK: " << address;
 
     btif_storage_remove_bonded_device(&address);
   }
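Review bot: The log text on the re-wrapped line, `": removing bond to device using test TLK: "`, says TLK where the identifiers around it (`is_sample_ltk`, `bad_ltk`) and the matching message in btm_sec.cc say LTK; since the line is being touched anyway, correct it to `": removing bond to device using test LTK: "`. Apart from that the hunk is formatting only.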
diff --git a/main/Android.bp b/main/Android.bp
index ef7dba6..2a5b8cf 100644
--- a/main/Android.bp
+++ b/main/Android.bp
@@ -69,12 +69,9 @@
         "libtinyxml2",
         "libz",
         "libcrypto",
-        "android.hardware.keymaster@4.0",
-        "android.hardware.keymaster@3.0",
-        "libkeymaster4support",
-        "libkeystore_aidl",
-        "libkeystore_binder",
-        "libkeystore_parcelables",
+        //"android.hardware.keymaster@4.0",
+        //"libkeymaster4support",
+        //"libkeystore_binder",
     ],
     static_libs: [
         "libbt-sbc-decoder",
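Review bot: The commented-out list kept here (`//"android.hardware.keymaster@4.0"`, `//"libkeymaster4support"`, `//"libkeystore_binder"`) names only three of the six libraries that were removed, whereas btif/Android.bp in the same change keeps all six; if these comments are meant as a record for re-enabling, the two files should agree, otherwise drop the commented lines entirely. A short comment stating why the keystore dependencies were removed would explain the change to the next reader better than either list.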
diff --git a/main/shim/btm.cc b/main/shim/btm.cc
index 7ebbf90..cdf21e2 100644
--- a/main/shim/btm.cc
+++ b/main/shim/btm.cc
@@ -39,7 +39,8 @@
 
 extern void btm_process_cancel_complete(uint8_t status, uint8_t mode);
 extern void btm_process_inq_complete(uint8_t status, uint8_t result_type);
-extern void btm_process_inq_results(uint8_t* p, uint8_t result_mode);
+extern void btm_process_inq_results(uint8_t* p, uint8_t hci_evt_len,
+                                    uint8_t result_mode);
 
 using BtmRemoteDeviceName = tBTM_REMOTE_DEV_NAME;
 
@@ -50,7 +51,8 @@
   CHECK(result.size() < kMaxInquiryResultSize);
 
   std::copy(result.begin(), result.end(), inquiry_result_buf);
-  btm_process_inq_results(inquiry_result_buf, kInquiryResultMode);
+  btm_process_inq_results(inquiry_result_buf, result.size(),
+                          kInquiryResultMode);
 }
 
 void bluetooth::shim::Btm::OnInquiryResultWithRssi(
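Review bot: `result.size()` is passed into the new `uint8_t hci_evt_len` parameter by implicit narrowing; the `CHECK(result.size() < kMaxInquiryResultSize)` above only prevents truncation if `kMaxInquiryResultSize` is at most 256, which is not visible here. A `static_assert(kMaxInquiryResultSize <= 256, "inquiry result length must fit uint8_t")` next to the constant, plus an explicit `static_cast<uint8_t>(result.size())` at the three call sites (this hunk and L296–L303, L306–L313), would make the truncation impossible rather than silent. The local `extern` declaration at L281 now has to be kept in step with btm_int.h by hand; including that header instead would let the compiler catch the next mismatch. The three enclosing methods start outside their hunks.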
@@ -58,7 +60,8 @@
   CHECK(result.size() < kMaxInquiryResultSize);
 
   std::copy(result.begin(), result.end(), inquiry_result_buf);
-  btm_process_inq_results(inquiry_result_buf, kInquiryResultWithRssiMode);
+  btm_process_inq_results(inquiry_result_buf, result.size(),
+                          kInquiryResultWithRssiMode);
 }
 
 void bluetooth::shim::Btm::OnExtendedInquiryResult(
@@ -66,7 +69,8 @@
   CHECK(result.size() < kMaxInquiryResultSize);
 
   std::copy(result.begin(), result.end(), inquiry_result_buf);
-  btm_process_inq_results(inquiry_result_buf, kExtendedInquiryResultMode);
+  btm_process_inq_results(inquiry_result_buf, result.size(),
+                          kExtendedInquiryResultMode);
 }
 
 void bluetooth::shim::Btm::OnInquiryComplete(uint16_t status) {
diff --git a/stack/btm/btm_acl.cc b/stack/btm/btm_acl.cc
index 97f235f..6157ecb 100644
--- a/stack/btm/btm_acl.cc
+++ b/stack/btm/btm_acl.cc
@@ -50,7 +50,6 @@
 #include "device/include/interop.h"
 #include "hcidefs.h"
 #include "hcimsgs.h"
-#include "log/log.h"
 #include "l2c_int.h"
 #include "osi/include/log.h"
 #include "osi/include/osi.h"
diff --git a/stack/btm/btm_ble_batchscan.cc b/stack/btm/btm_ble_batchscan.cc
index f7d5d3c5..3d89358 100644
--- a/stack/btm/btm_ble_batchscan.cc
+++ b/stack/btm/btm_ble_batchscan.cc
@@ -63,6 +63,7 @@
 
   uint8_t sub_event = 0;
   tBTM_BLE_VSC_CB cmn_ble_vsc_cb;
+  if (len == 0) return;
   STREAM_TO_UINT8(sub_event, p);
 
   BTM_TRACE_EVENT(
@@ -90,6 +91,7 @@
 
       /* Extract the adv info details */
       if (ADV_INFO_PRESENT == adv_data.advertiser_info_present) {
+        if (len < 15) return;
         STREAM_TO_UINT8(adv_data.tx_power, p);
         STREAM_TO_UINT8(adv_data.rssi_value, p);
         STREAM_TO_UINT16(adv_data.time_stamp, p);
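Review bot: The guard `if (len < 15) return;` compares against `len`, but by this point `p` has advanced past `sub_event` (L337) and the fields read between the two hunks, and nothing in either hunk shows `len` being decremented, so the check may be testing the original event length rather than the bytes still remaining. If `len` is not kept in step with `p`, compare against the remaining count instead, e.g. `if (len < consumed + 15) return;` with `consumed` tracking the bytes already parsed — to be confirmed against the enclosing function, which starts outside the hunk. Both literals are unnamed; a `constexpr` with a comment listing the fields the 15 bytes cover, and an `android_errorWriteLog` call as the other handlers in this change use, would match the rest of the patch.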
diff --git a/stack/btm/btm_inq.cc b/stack/btm/btm_inq.cc
index aaadd2b..cabd117 100644
--- a/stack/btm/btm_inq.cc
+++ b/stack/btm/btm_inq.cc
@@ -25,6 +25,7 @@
  *
  ******************************************************************************/
 
+#include <log/log.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -1671,7 +1672,8 @@
  * Returns          void
  *
  ******************************************************************************/
-void btm_process_inq_results(uint8_t* p, uint8_t inq_res_mode) {
+void btm_process_inq_results(uint8_t* p, uint8_t hci_evt_len,
+                             uint8_t inq_res_mode) {
   uint8_t num_resp, xx;
   RawAddress bda;
   tINQ_DB_ENT* p_i;
@@ -1700,10 +1702,29 @@
 
   STREAM_TO_UINT8(num_resp, p);
 
-  if (inq_res_mode == BTM_INQ_RESULT_EXTENDED && (num_resp > 1)) {
-    BTM_TRACE_ERROR("btm_process_inq_results() extended results (%d) > 1",
-                    num_resp);
-    return;
+  if (inq_res_mode == BTM_INQ_RESULT_EXTENDED) {
+    if (num_resp > 1) {
+      BTM_TRACE_ERROR("btm_process_inq_results() extended results (%d) > 1",
+                      num_resp);
+      return;
+    }
+
+    constexpr uint16_t extended_inquiry_result_size = 254;
+    if (hci_evt_len - 1 != extended_inquiry_result_size) {
+      android_errorWriteLog(0x534e4554, "141620271");
+      BTM_TRACE_ERROR("%s: can't fit %d results in %d bytes", __func__,
+                      num_resp, hci_evt_len);
+      return;
+    }
+  } else if (inq_res_mode == BTM_INQ_RESULT_STANDARD ||
+             inq_res_mode == BTM_INQ_RESULT_WITH_RSSI) {
+    constexpr uint16_t inquiry_result_size = 14;
+    if (hci_evt_len < num_resp * inquiry_result_size) {
+      android_errorWriteLog(0x534e4554, "141620271");
+      BTM_TRACE_ERROR("%s: can't fit %d results in %d bytes", __func__,
+                      num_resp, hci_evt_len);
+      return;
+    }
   }
 
   for (xx = 0; xx < num_resp; xx++) {
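Review bot: The standard/RSSI bound `if (hci_evt_len < num_resp * inquiry_result_size)` does not account for the num_resp byte that `STREAM_TO_UINT8(num_resp, p)` already consumed, while the extended branch does (`hci_evt_len - 1 != extended_inquiry_result_size`); assuming the loop below consumes 14 bytes per response as the constant implies, an event of exactly `num_resp * 14` bytes passes the check and the parse runs one byte past the event. Change it to `if (hci_evt_len < 1 + num_resp * inquiry_result_size) {` (both operands promote to int, so there is no uint8_t wrap). A one-line comment naming the fields the 14 and 254 bytes cover would spare the next reader a trip to the HCI spec. The body of btm_process_inq_results continues outside the hunk.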
diff --git a/stack/btm/btm_int.h b/stack/btm/btm_int.h
index ee1d655..88cb724 100644
--- a/stack/btm/btm_int.h
+++ b/stack/btm/btm_int.h
@@ -65,7 +65,8 @@
 /* Inquiry related functions */
 extern void btm_clr_inq_db(const RawAddress* p_bda);
 extern void btm_inq_db_init(void);
-extern void btm_process_inq_results(uint8_t* p, uint8_t inq_res_mode);
+extern void btm_process_inq_results(uint8_t* p, uint8_t hci_evt_len,
+                                    uint8_t inq_res_mode);
 extern void btm_process_inq_complete(uint8_t status, uint8_t mode);
 extern void btm_process_cancel_complete(uint8_t status, uint8_t mode);
 extern void btm_event_filter_complete(uint8_t* p);
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 935903d..8162e47 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -4560,7 +4560,8 @@
    */
   if (is_sample_ltk(p_dev_rec->ble.keys.pltk)) {
     android_errorWriteLog(0x534e4554, "128437297");
-    LOG(INFO) << __func__ << " removing bond to device that used sample LTK: " << p_dev_rec->bd_addr;
+    LOG(INFO) << __func__ << " removing bond to device that used sample LTK: "
+              << p_dev_rec->bd_addr;
 
     bta_dm_remove_device(p_dev_rec->bd_addr);
   }
diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
index 17fde3b..a1f868a 100644
--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -65,11 +65,12 @@
 /*            L O C A L    F U N C T I O N     P R O T O T Y P E S            */
 /******************************************************************************/
 static void btu_hcif_inquiry_comp_evt(uint8_t* p);
-static void btu_hcif_inquiry_result_evt(uint8_t* p);
-static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p);
-static void btu_hcif_extended_inquiry_result_evt(uint8_t* p);
+static void btu_hcif_inquiry_result_evt(uint8_t* p, uint8_t hci_evt_len);
+static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p, uint8_t hci_evt_len);
+static void btu_hcif_extended_inquiry_result_evt(uint8_t* p,
+                                                 uint8_t hci_evt_len);
 
-static void btu_hcif_connection_comp_evt(uint8_t* p);
+static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len);
 static void btu_hcif_connection_request_evt(uint8_t* p);
 static void btu_hcif_disconnection_comp_evt(uint8_t* p);
 static void btu_hcif_authentication_comp_evt(uint8_t* p);
@@ -86,7 +87,7 @@
 static void btu_hcif_hardware_error_evt(uint8_t* p);
 static void btu_hcif_flush_occured_evt(void);
 static void btu_hcif_role_change_evt(uint8_t* p);
-static void btu_hcif_num_compl_data_pkts_evt(uint8_t* p);
+static void btu_hcif_num_compl_data_pkts_evt(uint8_t* p, uint8_t evt_len);
 static void btu_hcif_mode_change_evt(uint8_t* p);
 static void btu_hcif_pin_code_request_evt(uint8_t* p);
 static void btu_hcif_link_key_request_evt(uint8_t* p);
@@ -264,16 +265,16 @@
       btu_hcif_inquiry_comp_evt(p);
       break;
     case HCI_INQUIRY_RESULT_EVT:
-      btu_hcif_inquiry_result_evt(p);
+      btu_hcif_inquiry_result_evt(p, hci_evt_len);
       break;
     case HCI_INQUIRY_RSSI_RESULT_EVT:
-      btu_hcif_inquiry_rssi_result_evt(p);
+      btu_hcif_inquiry_rssi_result_evt(p, hci_evt_len);
       break;
     case HCI_EXTENDED_INQUIRY_RESULT_EVT:
-      btu_hcif_extended_inquiry_result_evt(p);
+      btu_hcif_extended_inquiry_result_evt(p, hci_evt_len);
       break;
     case HCI_CONNECTION_COMP_EVT:
-      btu_hcif_connection_comp_evt(p);
+      btu_hcif_connection_comp_evt(p, hci_evt_len);
       break;
     case HCI_CONNECTION_REQUEST_EVT:
       btu_hcif_connection_request_evt(p);
@@ -327,7 +328,7 @@
       btu_hcif_role_change_evt(p);
       break;
     case HCI_NUM_COMPL_DATA_PKTS_EVT:
-      btu_hcif_num_compl_data_pkts_evt(p);
+      btu_hcif_num_compl_data_pkts_evt(p, hci_evt_len);
       break;
     case HCI_MODE_CHANGE_EVT:
       btu_hcif_mode_change_evt(p);
@@ -949,9 +950,9 @@
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_inquiry_result_evt(uint8_t* p) {
+static void btu_hcif_inquiry_result_evt(uint8_t* p, uint8_t hci_evt_len) {
   /* Store results in the cache */
-  btm_process_inq_results(p, BTM_INQ_RESULT_STANDARD);
+  btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_STANDARD);
 }
 
 /*******************************************************************************
@@ -963,9 +964,9 @@
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p) {
+static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p, uint8_t hci_evt_len) {
   /* Store results in the cache */
-  btm_process_inq_results(p, BTM_INQ_RESULT_WITH_RSSI);
+  btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_WITH_RSSI);
 }
 
 /*******************************************************************************
@@ -977,9 +978,10 @@
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_extended_inquiry_result_evt(uint8_t* p) {
+static void btu_hcif_extended_inquiry_result_evt(uint8_t* p,
+                                                 uint8_t hci_evt_len) {
   /* Store results in the cache */
-  btm_process_inq_results(p, BTM_INQ_RESULT_EXTENDED);
+  btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_EXTENDED);
 }
 
 /*******************************************************************************
@@ -991,7 +993,7 @@
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_connection_comp_evt(uint8_t* p) {
+static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len) {
   uint8_t status;
   uint16_t handle;
   RawAddress bda;
@@ -999,6 +1001,12 @@
   uint8_t enc_mode;
   tBTM_ESCO_DATA esco_data;
 
+  if (evt_len < 11) {
+    android_errorWriteLog(0x534e4554, "141619686");
+    HCI_TRACE_WARNING("%s: malformed event of size %hhd", __func__, evt_len);
+    return;
+  }
+
   STREAM_TO_UINT8(status, p);
   STREAM_TO_UINT16(handle, p);
   STREAM_TO_BDADDR(bda, p);
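Review bot: `%hhd` in `HCI_TRACE_WARNING("%s: malformed event of size %hhd", __func__, evt_len)` is the signed-char conversion, but `evt_len` is `uint8_t`; use `%hhu` so lengths above 127 are not printed as negative. The bound `11` is a bare literal where btm_inq.cc in this same change names its sizes with `constexpr`; a named constant such as `constexpr uint8_t kConnCompEvtMinLen = 11;` with a comment listing the fields it covers (the status, handle and address read just below, plus the fields that follow outside the hunk) would keep the two files consistent. The other handlers in the dispatch at L462–L482 still receive only `p`, so their parsing remains unbounded; that may be out of scope here but is worth recording. The body of btu_hcif_connection_comp_evt continues outside the hunk.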
@@ -1700,9 +1708,9 @@
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_num_compl_data_pkts_evt(uint8_t* p) {
+static void btu_hcif_num_compl_data_pkts_evt(uint8_t* p, uint8_t evt_len) {
   /* Process for L2CAP and SCO */
-  l2c_link_process_num_completed_pkts(p);
+  l2c_link_process_num_completed_pkts(p, evt_len);
 
   /* Send on to SCO */
   /*?? No SCO for now */
diff --git a/stack/include/bt_types.h b/stack/include/bt_types.h
index 01e8248..71bc2e1 100644
--- a/stack/include/bt_types.h
+++ b/stack/include/bt_types.h
@@ -585,9 +585,7 @@
  * 0x4C68384139F574D836BCF34E9DFB01BF */
 constexpr Octet16 SAMPLE_LTK = {0xbf, 0x01, 0xfb, 0x9d, 0x4e, 0xf3, 0xbc, 0x36,
                                 0xd8, 0x74, 0xf5, 0x39, 0x41, 0x38, 0x68, 0x4c};
-inline bool is_sample_ltk(const Octet16& ltk) {
-  return ltk == SAMPLE_LTK;
-}
+inline bool is_sample_ltk(const Octet16& ltk) { return ltk == SAMPLE_LTK; }
 
 #endif
 
diff --git a/stack/l2cap/l2c_int.h b/stack/l2cap/l2c_int.h
index 53b6f32..e58efaf 100644
--- a/stack/l2cap/l2c_int.h
+++ b/stack/l2cap/l2c_int.h
@@ -713,7 +713,7 @@
 extern void l2c_link_check_send_pkts(tL2C_LCB* p_lcb, tL2C_CCB* p_ccb,
                                      BT_HDR* p_buf);
 extern void l2c_link_adjust_allocation(void);
-extern void l2c_link_process_num_completed_pkts(uint8_t* p);
+extern void l2c_link_process_num_completed_pkts(uint8_t* p, uint8_t evt_len);
 extern void l2c_link_process_num_completed_blocks(uint8_t controller_id,
                                                   uint8_t* p, uint16_t evt_len);
 extern void l2c_link_processs_num_bufs(uint16_t num_lm_acl_bufs);
diff --git a/stack/l2cap/l2c_link.cc b/stack/l2cap/l2c_link.cc
index 7f6d5b9..f15e123 100644
--- a/stack/l2cap/l2c_link.cc
+++ b/stack/l2cap/l2c_link.cc
@@ -40,6 +40,7 @@
 #include "l2c_api.h"
 #include "l2c_int.h"
 #include "l2cdefs.h"
+#include "log/log.h"
 #include "osi/include/osi.h"
 
 static bool l2c_link_send_to_lower(tL2C_LCB* p_lcb, BT_HDR* p_buf,
@@ -1219,13 +1220,22 @@
  * Returns          void
  *
  ******************************************************************************/
-void l2c_link_process_num_completed_pkts(uint8_t* p) {
+void l2c_link_process_num_completed_pkts(uint8_t* p, uint8_t evt_len) {
   uint8_t num_handles, xx;
   uint16_t handle;
   uint16_t num_sent;
   tL2C_LCB* p_lcb;
 
-  STREAM_TO_UINT8(num_handles, p);
+  if (evt_len > 0) {
+    STREAM_TO_UINT8(num_handles, p);
+  } else {
+    num_handles = 0;
+  }
+
+  if (num_handles > evt_len / (2 * sizeof(uint16_t))) {
+    android_errorWriteLog(0x534e4554, "141617601");
+    num_handles = evt_len / (2 * sizeof(uint16_t));
+  }
 
   for (xx = 0; xx < num_handles; xx++) {
     STREAM_TO_UINT16(handle, p);
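Review bot: The clamp `num_handles > evt_len / (2 * sizeof(uint16_t))` is computed from the full `evt_len`, which still counts the num_handles byte consumed just above, so for `evt_len == 4` and `num_handles == 1` the check passes and the loop reads four bytes after one has already been taken, one past the event. Derive the bound from the remaining bytes: `const size_t max_handles = evt_len > 0 ? (evt_len - 1) / (2 * sizeof(uint16_t)) : 0;` and compare and clamp `num_handles` against that. Silently truncating also processes a partial event as if it were well-formed; a trace line beside the `android_errorWriteLog` call would make such events visible in logs. The loop body continues outside the hunk.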
diff --git a/stack/l2cap/l2c_main.cc b/stack/l2cap/l2c_main.cc
index 128f60e..52d77c5 100644
--- a/stack/l2cap/l2c_main.cc
+++ b/stack/l2cap/l2c_main.cc
@@ -97,6 +97,11 @@
     /* There is a slight possibility (specifically with USB) that we get an */
     /* L2CAP connection request before we get the HCI connection complete.  */
     /* So for these types of messages, hold them for up to 2 seconds.       */
+    if (l2cap_len == 0) {
+      L2CAP_TRACE_WARNING("received empty L2CAP packet");
+      osi_free(p_msg);
+      return;
+    }
     uint8_t cmd_code;
     STREAM_TO_UINT8(cmd_code, p);
 
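Review bot: The new guard `if (l2cap_len == 0)` protects only the `STREAM_TO_UINT8(cmd_code, p)` directly below it; if the lines that follow outside the hunk go on to read the command identifier and length from the same buffer, the check should cover the whole signalling header rather than one byte, e.g. `if (l2cap_len < kSignallingHeaderLen)` with a named constant for that size. Freeing `p_msg` with `osi_free` on this path should also match how the function's other early exits dispose of the message, which is not visible here. The enclosing function starts and ends outside the hunk.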
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
index baadd7a..bdc15bd 100644
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -436,6 +436,7 @@
       if (!sdp_copy_raw_data(p_ccb, false)) {
         SDP_TRACE_ERROR("sdp_copy_raw_data failed");
         sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
+        return;
       }
 
 #endif
@@ -642,6 +643,7 @@
   if (!sdp_copy_raw_data(p_ccb, true)) {
     SDP_TRACE_ERROR("sdp_copy_raw_data failed");
     sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
+    return;
   }
 #endif