Merge cherrypicks of [5704859, 5705300, 5704034, 5704195, 5705082, 5704058, 5704059, 5704932, 5705340, 5705341, 5705342, 5705343, 5705344, 5705361, 5705362, 5705363, 5705364, 5704870, 5704196, 5705083, 5701785, 5701786, 5701787, 5704035, 5705261, 5705281, 5704036, 5704037, 5704038, 5704871, 5704933, 5704872, 5705347, 5705262, 5704934] into pi-qpr2-release

Change-Id: I79e2d186f92610fd13b4164c3d599a432d86441c
diff --git a/bta/hl/bta_hl_main.cc b/bta/hl/bta_hl_main.cc
index dcd0815..c224a76 100644
--- a/bta/hl/bta_hl_main.cc
+++ b/bta/hl/bta_hl_main.cc
@@ -1404,14 +1404,13 @@
   tBTA_HL_MCL_CB* p_mcb = BTA_HL_GET_MCL_CB_PTR(app_idx, mcl_idx);
   tBTA_HL_SDP* p_sdp = NULL;
   uint16_t event;
-  bool release_sdp_buf = false;
 
   event = p_data->hdr.event;
 
   if (event == BTA_HL_SDP_QUERY_OK_EVT) {
+    // this is freed in btif_hl_proc_sdp_query_cfm
     p_sdp = (tBTA_HL_SDP*)osi_malloc(sizeof(tBTA_HL_SDP));
     memcpy(p_sdp, &p_mcb->sdp, sizeof(tBTA_HL_SDP));
-    release_sdp_buf = true;
   } else {
     status = BTA_HL_STATUS_SDP_FAIL;
   }
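Review bot: Ownership of the `p_sdp` copy now leaves this function, and the only thing recording that is a comment naming one callee. The buffer goes out through `p_acb->p_cback`, and the matching release in btif/src/btif_hl.cc sits just before that handler's final `return status;`. Any earlier return in the handler, or any path where the BTA_HL_SDP_QUERY_CFM_EVT event is dropped before reaching it, would leak the allocation; neither is visible in these hunks. I would state the contract instead of the current callee, e.g. `// ownership passes to the BTA_HL_SDP_QUERY_CFM_EVT handler, which must free p_sdp on every path`. The enclosing function starts and ends outside this hunk.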
@@ -1430,8 +1429,6 @@
                              p_mcb->bd_addr, p_sdp, status);
   p_acb->p_cback(BTA_HL_SDP_QUERY_CFM_EVT, (tBTA_HL*)&evt_data);
 
-  if (release_sdp_buf) osi_free_and_reset((void**)&p_sdp);
-
   if (p_data->cch_sdp.release_mcl_cb) {
     memset(p_mcb, 0, sizeof(tBTA_HL_MCL_CB));
   } else {
diff --git a/btif/src/btif_hl.cc b/btif/src/btif_hl.cc
index a317f79..184dbf4 100644
--- a/btif/src/btif_hl.cc
+++ b/btif/src/btif_hl.cc
@@ -2128,6 +2128,10 @@
       }
     }
   }
+
+  // this was allocated in bta_hl_sdp_query_results
+  osi_free_and_reset((void**)&p_data->sdp_query_cfm.p_sdp);
+
   return status;
 }
 
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index a7a42a5..2b77618 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc
@@ -220,69 +220,88 @@
   uint8_t* p = p_msg->p_browse_data;
 
   /* read the pdu */
+  if (p_msg->browse_len < 3) {
+    android_errorWriteLog(0x534e4554, "111451066");
+    AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 3",
+                       __func__, p_msg->browse_len);
+    return AVRC_STS_BAD_PARAM;
+  }
   BE_STREAM_TO_UINT8(pdu, p);
   uint16_t pkt_len;
+  int min_len = 0;
   /* read the entire packet len */
   BE_STREAM_TO_UINT16(pkt_len, p);
 
-  AVRC_TRACE_DEBUG("%s pdu %d", __func__, pdu);
+  AVRC_TRACE_DEBUG("%s pdu:%d, pkt_len:%d", __func__, pdu, pkt_len);
 
-  /* used to track how much we have read, if we cannot read anymore but the
-   * packet says so then we have a malformed packet. Also vice versa. */
-  uint16_t pkt_len_read = 0;
+  if (p_msg->browse_len < (pkt_len + 3)) {
+    android_errorWriteLog(0x534e4554, "111451066");
+    AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
+                       __func__, p_msg->browse_len, pkt_len + 3);
+    return AVRC_STS_INTERNAL_ERR;
+  }
 
   switch (pdu) {
     case AVRC_PDU_GET_FOLDER_ITEMS: {
       tAVRC_GET_ITEMS_RSP* get_item_rsp = &(p_rsp->get_items);
       /* Copy back the PDU */
       get_item_rsp->pdu = pdu;
+
+      min_len += 1;
+      if (pkt_len < min_len) goto browse_length_error;
       /* read the status */
       BE_STREAM_TO_UINT8(get_item_rsp->status, p);
-      /* read the UID counter */
-      BE_STREAM_TO_UINT16(get_item_rsp->uid_counter, p);
-      /* read the number of items */
-      BE_STREAM_TO_UINT16(get_item_rsp->item_count, p);
-      pkt_len_read += 5;
-
-      AVRC_TRACE_DEBUG(
-          "%s pdu %d status %d pkt_len %d uid counter %d item count %d",
-          __func__, get_item_rsp->pdu, get_item_rsp->status, pkt_len,
-          get_item_rsp->uid_counter, get_item_rsp->item_count);
-
       if (get_item_rsp->status != AVRC_STS_NO_ERROR) {
         AVRC_TRACE_WARNING("%s returning error %d", __func__,
                            get_item_rsp->status);
         return get_item_rsp->status;
       }
 
+      min_len += 4;
+      if (pkt_len < min_len) goto browse_length_error;
+      /* read the UID counter */
+      BE_STREAM_TO_UINT16(get_item_rsp->uid_counter, p);
+      /* read the number of items */
+      BE_STREAM_TO_UINT16(get_item_rsp->item_count, p);
+
+      AVRC_TRACE_DEBUG(
+          "%s pdu %d status %d pkt_len %d uid counter %d item count %d",
+          __func__, get_item_rsp->pdu, get_item_rsp->status, pkt_len,
+          get_item_rsp->uid_counter, get_item_rsp->item_count);
+
       /* get each of the items */
       get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_malloc(
           get_item_rsp->item_count * (sizeof(tAVRC_ITEM)));
       tAVRC_ITEM* curr_item = get_item_rsp->p_item_list;
       for (int i = 0; i < get_item_rsp->item_count; i++) {
+        min_len += 1;
+        if (pkt_len < min_len) goto browse_length_error;
         BE_STREAM_TO_UINT8(curr_item->item_type, p);
-        pkt_len_read += 1;
         AVRC_TRACE_DEBUG("%s item type %d", __func__, curr_item->item_type);
         switch (curr_item->item_type) {
           case AVRC_ITEM_PLAYER: {
             /* Handle player */
             tAVRC_ITEM_PLAYER* player = &(curr_item->u.player);
             uint8_t player_len;
+            min_len += 10 + AVRC_FEATURE_MASK_SIZE;
+            if (pkt_len < min_len) goto browse_length_error;
             BE_STREAM_TO_UINT16(player_len, p);
             BE_STREAM_TO_UINT16(player->player_id, p);
             BE_STREAM_TO_UINT8(player->major_type, p);
             BE_STREAM_TO_UINT32(player->sub_type, p);
             BE_STREAM_TO_UINT8(player->play_status, p);
             BE_STREAM_TO_ARRAY(p, player->features, AVRC_FEATURE_MASK_SIZE);
-            pkt_len_read += (10 + AVRC_FEATURE_MASK_SIZE);
 
             /* read str */
+            min_len += 4;
+            if (pkt_len < min_len) goto browse_length_error;
             BE_STREAM_TO_UINT16(player->name.charset_id, p);
             BE_STREAM_TO_UINT16(player->name.str_len, p);
+            min_len += player->name.str_len;
+            if (pkt_len < min_len) goto browse_length_error;
             player->name.p_str = (uint8_t*)osi_malloc(
                 (player->name.str_len + 1) * sizeof(uint8_t));
             BE_STREAM_TO_ARRAY(p, player->name.p_str, player->name.str_len);
-            pkt_len_read += (4 + player->name.str_len);
             AVRC_TRACE_DEBUG(
                 "%s type %d id %d mtype %d stype %d ps %d cs %d name len %d",
                 __func__, curr_item->item_type, player->player_id,
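Review bot: The list allocation `osi_malloc(get_item_rsp->item_count * (sizeof(tAVRC_ITEM)))` is still sized from the peer-supplied `item_count` before anything checks that the packet can hold that many items. The new `min_len` checks only fail later, inside the loop, after the full-size list has been allocated. Every item consumes at least its one-byte type, so a guard placed before the allocation, `if (pkt_len - min_len < get_item_rsp->item_count) goto browse_length_error;`, would bound the request by the bytes actually present. The function begins outside this hunk and the player case continues past it.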
@@ -293,20 +312,24 @@
           case AVRC_ITEM_FOLDER: {
             tAVRC_ITEM_FOLDER* folder = &(curr_item->u.folder);
             uint16_t folder_len;
+            min_len += 4 + AVRC_UID_SIZE;
+            if (pkt_len < min_len) goto browse_length_error;
             BE_STREAM_TO_UINT16(folder_len, p);
 
             BE_STREAM_TO_ARRAY(p, folder->uid, AVRC_UID_SIZE);
             BE_STREAM_TO_UINT8(folder->type, p);
             BE_STREAM_TO_UINT8(folder->playable, p);
-            pkt_len_read += (4 + AVRC_UID_SIZE);
 
             /* read str, encoding to be handled by upper layers */
+            min_len += 4;
+            if (pkt_len < min_len) goto browse_length_error;
             BE_STREAM_TO_UINT16(folder->name.charset_id, p);
             BE_STREAM_TO_UINT16(folder->name.str_len, p);
+            min_len += folder->name.str_len;
+            if (pkt_len < min_len) goto browse_length_error;
             folder->name.p_str = (uint8_t*)osi_malloc(
                 (folder->name.str_len + 1) * sizeof(uint8_t));
             BE_STREAM_TO_ARRAY(p, folder->name.p_str, folder->name.str_len);
-            pkt_len_read += (4 + folder->name.str_len);
             AVRC_TRACE_DEBUG("%s type %d playable %d cs %d name len %d",
                              __func__, folder->type, folder->playable,
                              folder->name.charset_id, folder->name.str_len);
@@ -315,14 +338,19 @@
           case AVRC_ITEM_MEDIA: {
             tAVRC_ITEM_MEDIA* media = &(curr_item->u.media);
             uint8_t media_len;
+            min_len += 3 + AVRC_UID_SIZE;
+            if (pkt_len < min_len) goto browse_length_error;
             BE_STREAM_TO_UINT16(media_len, p);
             BE_STREAM_TO_ARRAY(p, media->uid, AVRC_UID_SIZE);
             BE_STREAM_TO_UINT8(media->type, p);
-            pkt_len_read += (3 + AVRC_UID_SIZE);
 
             /* read str, encoding to be handled by upper layers */
+            min_len += 4;
+            if (pkt_len < min_len) goto browse_length_error;
             BE_STREAM_TO_UINT16(media->name.charset_id, p);
             BE_STREAM_TO_UINT16(media->name.str_len, p);
+            min_len += 1 + media->name.str_len;
+            if (pkt_len < min_len) goto browse_length_error;
             media->name.p_str =
                 (uint8_t*)osi_malloc((media->name.str_len) * sizeof(uint8_t));
             BE_STREAM_TO_ARRAY(p, media->name.p_str, media->name.str_len);
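Review bot: The extra `1` in `min_len += 1 + media->name.str_len;` is unexplained, and the player and folder cases add only `str_len` at the same step. It presumably covers the attribute-count byte read right after the name, in lines outside this hunk. A short comment would stop a later edit from "fixing" the asymmetry, e.g. `/* name bytes plus the 1-byte attribute count that follows */`.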
@@ -331,22 +359,24 @@
             AVRC_TRACE_DEBUG("%s media type %d charset id %d len %d attr ct %d",
                              __func__, media->type, media->name.charset_id,
                              media->name.str_len, media->attr_count);
-            pkt_len_read += (5 + media->name.str_len);
 
             media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_malloc(
                 media->attr_count * sizeof(tAVRC_ATTR_ENTRY));
             for (int jk = 0; jk < media->attr_count; jk++) {
               tAVRC_ATTR_ENTRY* attr_entry = &(media->p_attr_list[jk]);
+              min_len += 8;
+              if (pkt_len < min_len) goto browse_length_error;
               BE_STREAM_TO_UINT32(attr_entry->attr_id, p);
 
               /* Parse the name now */
               BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p);
               BE_STREAM_TO_UINT16(attr_entry->name.str_len, p);
+              min_len += attr_entry->name.str_len;
+              if (pkt_len < min_len) goto browse_length_error;
               attr_entry->name.p_str = (uint8_t*)osi_malloc(
                   attr_entry->name.str_len * sizeof(uint8_t));
               BE_STREAM_TO_ARRAY(p, attr_entry->name.p_str,
                                  attr_entry->name.str_len);
-              pkt_len_read += (8 + attr_entry->name.str_len);
               AVRC_TRACE_DEBUG("%s media attr id %d cs %d name len %d",
                                __func__, attr_entry->attr_id,
                                attr_entry->name.charset_id,
@@ -360,14 +390,8 @@
             return AVRC_STS_INTERNAL_ERR;
         }
 
-        /* we check if we have overrun */
-        if (pkt_len_read > pkt_len) {
-          AVRC_TRACE_ERROR("%s overflow in read pkt_len %d pkt_len_read %d",
-                           __func__, pkt_len, pkt_len_read);
-          return AVRC_STS_BAD_CMD;
-        }
-        AVRC_TRACE_DEBUG("%s pkt_len %d pkt_len_read %d", __func__, pkt_len,
-                         pkt_len_read);
+        AVRC_TRACE_DEBUG("%s pkt_len %d min_len %d", __func__, pkt_len,
+                         min_len);
 
         /* advance to populate the next item */
         curr_item++;
@@ -377,13 +401,14 @@
 
     case AVRC_PDU_CHANGE_PATH: {
       tAVRC_CHG_PATH_RSP* change_path_rsp = &(p_rsp->chg_path);
+      min_len += 5;
+      if (pkt_len < min_len) goto browse_length_error;
       /* Copyback the PDU */
       change_path_rsp->pdu = pdu;
       /* Read the status */
       BE_STREAM_TO_UINT8(change_path_rsp->status, p);
       /* Read the number of items in folder */
       BE_STREAM_TO_UINT32(change_path_rsp->num_items, p);
-      pkt_len_read += 5;
 
       AVRC_TRACE_DEBUG("%s pdu %d status %d item count %d", __func__,
                        change_path_rsp->pdu, change_path_rsp->status,
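Review bot: This case demands all five bytes before the status is read, while the GET_FOLDER_ITEMS case in the same commit checks one byte, reads the status and returns it on error before requiring the rest. If a peer's error response carries only the status byte, as that ordering suggests, it is reported here as AVRC_STS_BAD_CMD and logged through `android_errorWriteLog` instead of returning the peer's status. The SET_BROWSED_PLAYER hunk has the same shape with `min_len += 10;` placed before its status read. Consider `min_len += 1;` plus the check, then the status read and error return, then `min_len += 4;` plus the check (`min_len += 9;` in SET_BROWSED_PLAYER). The rest of this case body is outside the hunk.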
@@ -397,6 +422,8 @@
       set_br_pl_rsp->pdu = pdu;
 
       /* Read the status */
+      min_len += 10;
+      if (pkt_len < min_len) goto browse_length_error;
       BE_STREAM_TO_UINT8(set_br_pl_rsp->status, p);
 
       if (set_br_pl_rsp->status != AVRC_STS_NO_ERROR) {
@@ -413,7 +440,6 @@
           "%s AVRC_PDU_SET_BROWSED_PLAYER status %d items %d cs %d depth %d",
           __func__, set_br_pl_rsp->status, set_br_pl_rsp->num_items,
           set_br_pl_rsp->charset_id, set_br_pl_rsp->folder_depth);
-      pkt_len_read += 10;
 
       set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_malloc(
           set_br_pl_rsp->num_items * sizeof(tAVRC_NAME));
@@ -421,13 +447,16 @@
       /* Read each of the folder in the depth */
       for (uint32_t i = 0; i < set_br_pl_rsp->folder_depth; i++) {
         tAVRC_NAME* folder_name = &(set_br_pl_rsp->p_folders[i]);
+        min_len += 2;
+        if (pkt_len < min_len) goto browse_length_error;
         BE_STREAM_TO_UINT16(folder_name->str_len, p);
+        min_len += folder_name->str_len;
+        if (pkt_len < min_len) goto browse_length_error;
         AVRC_TRACE_DEBUG("%s AVRC_PDU_SET_BROWSED_PLAYER item: %d len: %d",
                          __func__, i, folder_name->str_len);
         folder_name->p_str =
             (uint8_t*)osi_malloc((folder_name->str_len + 1) * sizeof(uint8_t));
         BE_STREAM_TO_ARRAY(p, folder_name->p_str, folder_name->str_len);
-        pkt_len_read += (2 + folder_name->str_len);
       }
       break;
     }
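Review bot: The new `min_len` checks bound what is read from the packet, but not what is written into `p_folders`. The context just above this hunk allocates it as `osi_malloc(set_br_pl_rsp->num_items * sizeof(tAVRC_NAME))`, while this loop indexes `p_folders[i]` up to `folder_depth`. Both fields come from the response, so a `folder_depth` larger than `num_items` writes `str_len` and `p_str` past the end of the allocation. Sizing the array by the loop bound would tie the two together: `set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_malloc(set_br_pl_rsp->folder_depth * sizeof(tAVRC_NAME));`.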
@@ -436,12 +465,13 @@
       AVRC_TRACE_ERROR("%s pdu %d not handled", __func__, pdu);
   }
 
-  if (pkt_len != pkt_len_read) {
-    AVRC_TRACE_ERROR("%s finished pkt_len %d pkt_len_read %d", __func__,
-                     pkt_len, pkt_len_read);
-    return AVRC_STS_BAD_CMD;
-  }
   return status;
+
+browse_length_error:
+  android_errorWriteLog(0x534e4554, "111451066");
+  AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least %d",
+                     __func__, pkt_len, min_len);
+  return AVRC_STS_BAD_CMD;
 }
 
 /*******************************************************************************
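Review bot: `browse_length_error` returns without releasing anything the case bodies allocated before the failing check: `p_item_list`, `p_attr_list`, `p_folders` and the `p_str` buffers hanging off them. Because those lists come from `osi_malloc`, entries that were not yet parsed hold indeterminate pointers, so a caller cannot safely walk and free the partial result after AVRC_STS_BAD_CMD either; whether any caller attempts that is not visible here. Allocating the lists with `osi_calloc` and freeing the partial result at the label would make the error path self-contained, so repeated malformed responses cannot accumulate leaked memory.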
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index 15dfae1..b775d5d 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -341,7 +341,7 @@
  * Description  send encryption information command.
  ******************************************************************************/
 void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
-  tBTM_LE_LENC_KEYS le_key;
+  tBTM_LE_KEY_VALUE le_key;
 
   SMP_TRACE_DEBUG("%s: p_cb->loc_enc_size = %d", __func__, p_cb->loc_enc_size);
   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
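Review bot: `tBTM_LE_KEY_VALUE le_key;` is declared without an initialiser, and the next hunk fills only its `lenc_key` member. The type appears to be a union of the per-key structs, so any bytes beyond that member, and any padding, are stack residue when `&le_key` reaches `btm_sec_save_le_key`. If the callee copies or stores the whole value, which is presumably why the narrower struct plus cast was replaced, those bytes go with it. Adding `memset(&le_key, 0, sizeof(le_key));` right after the declaration closes that. The same applies to the locals in smp_send_csrk_info, smp_proc_master_id, smp_proc_id_addr and smp_proc_srk_info, and to both in smp_save_secure_connections_long_term_key in stack/smp/smp_utils.cc.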
@@ -350,15 +350,14 @@
   smp_send_cmd(SMP_OPCODE_MASTER_ID, p_cb);
 
   /* save the DIV and key size information when acting as slave device */
-  memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
-  le_key.div = p_cb->div;
-  le_key.key_size = p_cb->loc_enc_size;
-  le_key.sec_level = p_cb->sec_level;
+  memcpy(le_key.lenc_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
+  le_key.lenc_key.div = p_cb->div;
+  le_key.lenc_key.key_size = p_cb->loc_enc_size;
+  le_key.lenc_key.sec_level = p_cb->sec_level;
 
   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
       (p_cb->loc_auth_req & SMP_AUTH_BOND))
-    btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC,
-                        (tBTM_LE_KEY_VALUE*)&le_key, true);
+    btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &le_key, true);
 
   SMP_TRACE_WARNING("%s", __func__);
 
@@ -390,17 +389,16 @@
  * Description  send CSRK command.
  ******************************************************************************/
 void smp_send_csrk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
-  tBTM_LE_LCSRK_KEYS key;
+  tBTM_LE_KEY_VALUE key;
   SMP_TRACE_DEBUG("%s", __func__);
   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, false);
 
   if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) {
-    key.div = p_cb->div;
-    key.sec_level = p_cb->sec_level;
-    key.counter = 0; /* initialize the local counter */
-    memcpy(key.csrk, p_cb->csrk, BT_OCTET16_LEN);
-    btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK,
-                        (tBTM_LE_KEY_VALUE*)&key, true);
+    key.lcsrk_key.div = p_cb->div;
+    key.lcsrk_key.sec_level = p_cb->sec_level;
+    key.lcsrk_key.counter = 0; /* initialize the local counter */
+    memcpy(key.lcsrk_key.csrk, p_cb->csrk, BT_OCTET16_LEN);
+    btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, &key, true);
   }
 
   smp_key_distribution_by_transport(p_cb, NULL);
@@ -935,7 +933,7 @@
  ******************************************************************************/
 void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   uint8_t* p = p_data->p_data;
-  tBTM_LE_PENC_KEYS le_key;
+  tBTM_LE_KEY_VALUE le_key;
 
   SMP_TRACE_DEBUG("%s", __func__);
 
@@ -948,18 +946,17 @@
 
   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
 
-  STREAM_TO_UINT16(le_key.ediv, p);
-  STREAM_TO_ARRAY(le_key.rand, p, BT_OCTET8_LEN);
+  STREAM_TO_UINT16(le_key.penc_key.ediv, p);
+  STREAM_TO_ARRAY(le_key.penc_key.rand, p, BT_OCTET8_LEN);
 
   /* store the encryption keys from peer device */
-  memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
-  le_key.sec_level = p_cb->sec_level;
-  le_key.key_size = p_cb->loc_enc_size;
+  memcpy(le_key.penc_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
+  le_key.penc_key.sec_level = p_cb->sec_level;
+  le_key.penc_key.key_size = p_cb->loc_enc_size;
 
   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
       (p_cb->loc_auth_req & SMP_AUTH_BOND))
-    btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC,
-                        (tBTM_LE_KEY_VALUE*)&le_key, true);
+    btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &le_key, true);
 
   smp_key_distribution(p_cb, NULL);
 }
@@ -991,25 +988,24 @@
  ******************************************************************************/
 void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   uint8_t* p = p_data->p_data;
-  tBTM_LE_PID_KEYS pid_key;
+  tBTM_LE_KEY_VALUE pid_key;
 
   SMP_TRACE_DEBUG("%s", __func__);
   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true);
 
-  STREAM_TO_UINT8(pid_key.addr_type, p);
-  STREAM_TO_BDADDR(pid_key.static_addr, p);
-  memcpy(pid_key.irk, p_cb->tk, BT_OCTET16_LEN);
+  STREAM_TO_UINT8(pid_key.pid_key.addr_type, p);
+  STREAM_TO_BDADDR(pid_key.pid_key.static_addr, p);
+  memcpy(pid_key.pid_key.irk, p_cb->tk, BT_OCTET16_LEN);
 
   /* to use as BD_ADDR for lk derived from ltk */
   p_cb->id_addr_rcvd = true;
-  p_cb->id_addr_type = pid_key.addr_type;
-  p_cb->id_addr = pid_key.static_addr;
+  p_cb->id_addr_type = pid_key.pid_key.addr_type;
+  p_cb->id_addr = pid_key.pid_key.static_addr;
 
   /* store the ID key from peer device */
   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
       (p_cb->loc_auth_req & SMP_AUTH_BOND))
-    btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID,
-                        (tBTM_LE_KEY_VALUE*)&pid_key, true);
+    btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, &pid_key, true);
   smp_key_distribution_by_transport(p_cb, NULL);
 }
 
@@ -1018,24 +1014,23 @@
  * Description  process security information from peer device
  ******************************************************************************/
 void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
-  tBTM_LE_PCSRK_KEYS le_key;
+  tBTM_LE_KEY_VALUE le_key;
 
   SMP_TRACE_DEBUG("%s", __func__);
   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true);
 
   /* save CSRK to security record */
-  le_key.sec_level = p_cb->sec_level;
+  le_key.pcsrk_key.sec_level = p_cb->sec_level;
 
   /* get peer CSRK */
-  maybe_non_aligned_memcpy(le_key.csrk, p_data->p_data, BT_OCTET16_LEN);
+  maybe_non_aligned_memcpy(le_key.pcsrk_key.csrk, p_data->p_data, BT_OCTET16_LEN);
 
   /* initialize the peer counter */
-  le_key.counter = 0;
+  le_key.pcsrk_key.counter = 0;
 
   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
       (p_cb->loc_auth_req & SMP_AUTH_BOND))
-    btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK,
-                        (tBTM_LE_KEY_VALUE*)&le_key, true);
+    btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK, &le_key, true);
   smp_key_distribution_by_transport(p_cb, NULL);
 }
 
diff --git a/stack/smp/smp_utils.cc b/stack/smp/smp_utils.cc
index 2bd0b24..5027e3d 100644
--- a/stack/smp/smp_utils.cc
+++ b/stack/smp/smp_utils.cc
@@ -1436,25 +1436,23 @@
  *
  ******************************************************************************/
 void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) {
-  tBTM_LE_LENC_KEYS lle_key;
-  tBTM_LE_PENC_KEYS ple_key;
+  tBTM_LE_KEY_VALUE lle_key;
+  tBTM_LE_KEY_VALUE ple_key;
 
   SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__);
-  memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
-  lle_key.div = 0;
-  lle_key.key_size = p_cb->loc_enc_size;
-  lle_key.sec_level = p_cb->sec_level;
-  btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC,
-                      (tBTM_LE_KEY_VALUE*)&lle_key, true);
+  memcpy(lle_key.lenc_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
+  lle_key.lenc_key.div = 0;
+  lle_key.lenc_key.key_size = p_cb->loc_enc_size;
+  lle_key.lenc_key.sec_level = p_cb->sec_level;
+  btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &lle_key, true);
 
   SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__);
-  ple_key.ediv = 0;
-  memset(ple_key.rand, 0, BT_OCTET8_LEN);
-  memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
-  ple_key.sec_level = p_cb->sec_level;
-  ple_key.key_size = p_cb->loc_enc_size;
-  btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC,
-                      (tBTM_LE_KEY_VALUE*)&ple_key, true);
+  ple_key.penc_key.ediv = 0;
+  memset(ple_key.penc_key.rand, 0, BT_OCTET8_LEN);
+  memcpy(ple_key.penc_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
+  ple_key.penc_key.sec_level = p_cb->sec_level;
+  ple_key.penc_key.key_size = p_cb->loc_enc_size;
+  btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &ple_key, true);
 }
 
 /*******************************************************************************