Merge "L2CAP ERTM: Drop invalid packet on reassembly" am: 16210d5a08
am: 7eac0c8aa3

Change-Id: Ia3a85b7d943eca9b155ebc5f795d1e086c625ad5
diff --git a/bta/av/bta_av_aact.cc b/bta/av/bta_av_aact.cc
index f7867d3..4cfc3e6 100644
--- a/bta/av/bta_av_aact.cc
+++ b/bta/av/bta_av_aact.cc
@@ -3060,14 +3060,14 @@
 }
 
 void offload_vendor_callback(tBTM_VSC_CMPL* param) {
-  uint8_t status = 0;
+  tBTA_AV value{0};
   uint8_t sub_opcode = 0;
   if (param->param_len) {
     APPL_TRACE_DEBUG("%s: param_len = %d status = %d", __func__,
                      param->param_len, param->p_param_buf[0]);
-    status = param->p_param_buf[0];
+    value.status = param->p_param_buf[0];
   }
-  if (status == 0) {
+  if (value.status == 0) {
     sub_opcode = param->p_param_buf[1];
     APPL_TRACE_DEBUG("%s: subopcode = %d", __func__, sub_opcode);
     switch (sub_opcode) {
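Review bot: `sub_opcode = param->p_param_buf[1]` near the end of the hunk is reached whenever `value.status == 0`, which is also the case when `param->param_len` is 0 and the status byte was never read, so the second buffer byte is read with no length check at all. Now that the response is built as a proper `tBTA_AV`, that branch should also be gated on the buffer length, e.g. treating `param->param_len < 2` as a failed response before `p_param_buf[1]` is touched; whether that should fall into the failure callback of the third hunk or return silently depends on what the state machine expects, which is not visible here. The cast fix itself is applied identically in the two later hunks of this file and needs nothing further. offload_vendor_callback continues past this hunk.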
@@ -3075,7 +3075,7 @@
         APPL_TRACE_DEBUG("%s: VS_HCI_STOP_A2DP_MEDIA successful", __func__);
         break;
       case VS_HCI_A2DP_OFFLOAD_START:
-        (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, (tBTA_AV*)&status);
+        (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, &value);
         break;
       default:
         break;
@@ -3084,7 +3084,7 @@
     APPL_TRACE_DEBUG("%s: Offload failed for subopcode= %d", __func__,
                      sub_opcode);
     if (param->opcode != VS_HCI_A2DP_OFFLOAD_STOP)
-      (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, (tBTA_AV*)&status);
+      (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, &value);
   }
 }
 
diff --git a/btif/include/btif_keystore.h b/btif/include/btif_keystore.h
index cc06a98..4762350 100644
--- a/btif/include/btif_keystore.h
+++ b/btif/include/btif_keystore.h
@@ -59,14 +59,6 @@
    */
   std::string Decrypt(const std::string& input_filename);
 
-  /**
-   * Check for existence of keystore key.
-   *
-   * This key can be cleared if a user manually wipes bluetooth storage data
-   * b/133214365
-   */
-  bool DoesKeyExist();
-
  private:
   std::unique_ptr<keystore::KeystoreClient> keystore_client_;
   std::mutex api_mutex_;
diff --git a/btif/src/btif_config.cc b/btif/src/btif_config.cc
index ed24d7d..be006ab 100644
--- a/btif/src/btif_config.cc
+++ b/btif/src/btif_config.cc
@@ -183,9 +183,7 @@
 static future_t* init(void) {
   std::unique_lock<std::recursive_mutex> lock(config_lock);
 
-  if (is_factory_reset() ||
-      (use_key_attestation() && !btif_keystore.DoesKeyExist()))
-    delete_config_files();
+  if (is_factory_reset()) delete_config_files();
 
   std::string file_source;
 
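Review bot: With the keystore existence check gone, `if (is_factory_reset()) delete_config_files();` no longer covers the case the deleted header comment described (the keystore key wiped while an encrypted config file remains); if that case is now handled where the file is decrypted, a short comment here such as `// A missing keystore key is handled on decrypt, not by wiping the config.` would stop the next reader from reinstating the check. init() continues past the hunk, so the decrypt path cannot be confirmed from here.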
diff --git a/btif/src/btif_keystore.cc b/btif/src/btif_keystore.cc
index 0af03e1..fe9d3dd 100644
--- a/btif/src/btif_keystore.cc
+++ b/btif/src/btif_keystore.cc
@@ -98,8 +98,4 @@
                                        &software_enforced_characteristics);
 }
 
-bool BtifKeystore::DoesKeyExist() {
-  return keystore_client_->doesKeyExist(kKeyStore);
-}
-
 }  // namespace bluetooth
diff --git a/stack/btm/btm_acl.cc b/stack/btm/btm_acl.cc
index 2a417b9..97f235f 100644
--- a/stack/btm/btm_acl.cc
+++ b/stack/btm/btm_acl.cc
@@ -50,6 +50,7 @@
 #include "device/include/interop.h"
 #include "hcidefs.h"
 #include "hcimsgs.h"
+#include "log/log.h"
 #include "l2c_int.h"
 #include "osi/include/log.h"
 #include "osi/include/osi.h"
@@ -1085,7 +1086,7 @@
  * Returns          void
  *
  ******************************************************************************/
-void btm_read_remote_ext_features_complete(uint8_t* p) {
+void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {
   tACL_CONN* p_acl_cb;
   uint8_t page_num, max_page;
   uint16_t handle;
@@ -1093,6 +1094,14 @@
 
   BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete");
 
+  if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) {
+    android_errorWriteLog(0x534e4554, "141552859");
+    BTM_TRACE_ERROR(
+        "btm_read_remote_ext_features_complete evt length too short. length=%d",
+        evt_len);
+    return;
+  }
+
   ++p;
   STREAM_TO_UINT16(handle, p);
   STREAM_TO_UINT8(page_num, p);
@@ -1112,6 +1121,13 @@
     return;
   }
 
+  if (page_num > max_page) {
+    android_errorWriteLog(0x534e4554, "141552859");
+    BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid",
+                    page_num);
+    return;
+  }
+
   p_acl_cb = &btm_cb.acl_db[acl_idx];
 
   /* Copy the received features page */
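Review bot: The new guard compares `page_num` only against `max_page`, and both values come from the same event, so a page number larger than the per-connection feature-page array still passes when the peer reports an equally large `max_page`; the copy announced by the last line of the hunk would then index past the array. The bound should be the constant the array is declared with, e.g. `if (page_num > HCI_EXT_FEATURES_PAGE_MAX) {`, if that is what `peer_lmp_feature_pages` is sized by — the declaration is not in this diff, so confirm before changing it. The copy itself and the rest of btm_read_remote_ext_features_complete lie outside the hunk.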
diff --git a/stack/btm/btm_int.h b/stack/btm/btm_int.h
index 6b80717..ee1d655 100644
--- a/stack/btm/btm_int.h
+++ b/stack/btm/btm_int.h
@@ -119,7 +119,7 @@
 extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr,
                                   tBT_TRANSPORT transport);
 extern void btm_read_remote_features_complete(uint8_t* p);
-extern void btm_read_remote_ext_features_complete(uint8_t* p);
+extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len);
 extern void btm_read_remote_ext_features_failed(uint8_t status,
                                                 uint16_t handle);
 extern void btm_read_remote_version_complete(uint8_t* p);
diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
index 2035cc6..17fde3b 100644
--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -76,7 +76,8 @@
 static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len);
 static void btu_hcif_encryption_change_evt(uint8_t* p);
 static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p);
-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p);
+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
+                                                    uint8_t evt_len);
 static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p);
 static void btu_hcif_qos_setup_comp_evt(uint8_t* p);
 static void btu_hcif_command_complete_evt(BT_HDR* response, void* context);
@@ -296,7 +297,7 @@
       btu_hcif_read_rmt_features_comp_evt(p);
       break;
     case HCI_READ_RMT_EXT_FEATURES_COMP_EVT:
-      btu_hcif_read_rmt_ext_features_comp_evt(p);
+      btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len);
       break;
     case HCI_READ_RMT_VERSION_COMP_EVT:
       btu_hcif_read_rmt_version_comp_evt(p);
@@ -1212,7 +1213,8 @@
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
+                                                    uint8_t evt_len) {
   uint8_t* p_cur = p;
   uint8_t status;
   uint16_t handle;
@@ -1220,7 +1222,7 @@
   STREAM_TO_UINT8(status, p_cur);
 
   if (status == HCI_SUCCESS)
-    btm_read_remote_ext_features_complete(p);
+    btm_read_remote_ext_features_complete(p, evt_len);
   else {
     STREAM_TO_UINT16(handle, p_cur);
     btm_read_remote_ext_features_failed(status, handle);
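Review bot: `evt_len` is now passed into this function but only forwarded; the local parse `STREAM_TO_UINT8(status, p_cur);` and the failure branch `STREAM_TO_UINT16(handle, p_cur);` still read three bytes without consulting it. A guard at the top of the body such as `if (evt_len < 3) return;` (status plus handle) would let the new parameter protect this function as well as the callee. The body's start is in the previous hunk and the function's end lies beyond this one.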
diff --git a/stack/include/hcidefs.h b/stack/include/hcidefs.h
index 22df8af..088f2b3 100644
--- a/stack/include/hcidefs.h
+++ b/stack/include/hcidefs.h
@@ -1323,6 +1323,8 @@
 
 #define HCI_FEATURE_BYTES_PER_PAGE 8
 
+#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13
+
 #define HCI_FEATURES_KNOWN(x) \
   (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0)
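Review bot: `#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13` gives no hint of how 13 is derived, even though the neighbouring `HCI_FEATURE_BYTES_PER_PAGE 8` is one of its terms. A comment such as `/* status(1) + handle(2) + page_num(1) + max_page(1) + one features page (HCI_FEATURE_BYTES_PER_PAGE) */` would tie it to the reads in btm_read_remote_ext_features_complete, which skip the status byte and then take the handle and page number before the page data. Defining it as `(1 + 2 + 1 + 1 + HCI_FEATURE_BYTES_PER_PAGE)` would keep the two constants in step should the page size ever change.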