Merge "Packet: Shard pybind11 Python binding generation for faster compilation" am: 9bc9f7850b am: c78ae4e586
am: 15e07473a7
Change-Id: I92b6e72f5717efafea708f0aa6df0a5d454f7d69
diff --git a/btif/src/btif_dm.cc b/btif/src/btif_dm.cc
index 5543988..0589a6e 100644
--- a/btif/src/btif_dm.cc
+++ b/btif/src/btif_dm.cc
@@ -925,8 +925,8 @@
******************************************************************************/
static void btif_dm_ssp_cfm_req_evt(tBTA_DM_SP_CFM_REQ* p_ssp_cfm_req) {
bt_bdname_t bd_name;
- uint32_t cod;
bool is_incoming = !(pairing_cb.state == BT_BOND_STATE_BONDING);
+ uint32_t cod;
int dev_type;
BTIF_TRACE_DEBUG("%s", __func__);
diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc
index e203d2f..59f0593 100644
--- a/btif/src/btif_storage.cc
+++ b/btif/src/btif_storage.cc
@@ -889,8 +889,9 @@
tBTA_LE_KEY_VALUE key;
memset(&key, 0, sizeof(key));
- if (btif_storage_get_ble_bonding_key(&bd_addr, BTIF_DM_LE_KEY_PENC, (uint8_t*)&key, sizeof(tBTM_LE_PENC_KEYS)) ==
- BT_STATUS_SUCCESS) {
+ if (btif_storage_get_ble_bonding_key(
+ &bd_addr, BTIF_DM_LE_KEY_PENC, (uint8_t*)&key,
+ sizeof(tBTM_LE_PENC_KEYS)) == BT_STATUS_SUCCESS) {
if (is_sample_ltk(key.penc_key.ltk)) {
bad_ltk.push_back(bd_addr);
}
@@ -899,7 +900,8 @@
for (RawAddress address : bad_ltk) {
android_errorWriteLog(0x534e4554, "128437297");
- LOG(ERROR) << __func__ << ": removing bond to device using test TLK: " << address;
+ LOG(ERROR) << __func__
+ << ": removing bond to device using test TLK: " << address;
btif_storage_remove_bonded_device(&address);
}
diff --git a/main/shim/btm.cc b/main/shim/btm.cc
index 7ebbf90..cdf21e2 100644
--- a/main/shim/btm.cc
+++ b/main/shim/btm.cc
@@ -39,7 +39,8 @@
extern void btm_process_cancel_complete(uint8_t status, uint8_t mode);
extern void btm_process_inq_complete(uint8_t status, uint8_t result_type);
-extern void btm_process_inq_results(uint8_t* p, uint8_t result_mode);
+extern void btm_process_inq_results(uint8_t* p, uint8_t hci_evt_len,
+ uint8_t result_mode);
using BtmRemoteDeviceName = tBTM_REMOTE_DEV_NAME;
@@ -50,7 +51,8 @@
CHECK(result.size() < kMaxInquiryResultSize);
std::copy(result.begin(), result.end(), inquiry_result_buf);
- btm_process_inq_results(inquiry_result_buf, kInquiryResultMode);
+ btm_process_inq_results(inquiry_result_buf, result.size(),
+ kInquiryResultMode);
}
void bluetooth::shim::Btm::OnInquiryResultWithRssi(
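Review bot: The `result.size()` handed to the rewritten `btm_process_inq_results` call is a `size_t` that is narrowed implicitly to the `uint8_t hci_evt_len` parameter declared in the first hunk, and the same applies to the calls in the two following hunks. The `CHECK` just above only bounds the size below `kMaxInquiryResultSize`, whose value is not visible here; if that constant can exceed 256 the length wraps and the new size validation downstream is handed a wrong number. A compile-time guard next to the constant would pin this down, e.g. `static_assert(kMaxInquiryResultSize <= 256, "inquiry result length must fit hci_evt_len");`, or the call could make the narrowing explicit with `static_cast<uint8_t>(result.size())`. The enclosing `OnInquiryResult` begins before this hunk.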
@@ -58,7 +60,8 @@
CHECK(result.size() < kMaxInquiryResultSize);
std::copy(result.begin(), result.end(), inquiry_result_buf);
- btm_process_inq_results(inquiry_result_buf, kInquiryResultWithRssiMode);
+ btm_process_inq_results(inquiry_result_buf, result.size(),
+ kInquiryResultWithRssiMode);
}
void bluetooth::shim::Btm::OnExtendedInquiryResult(
@@ -66,7 +69,8 @@
CHECK(result.size() < kMaxInquiryResultSize);
std::copy(result.begin(), result.end(), inquiry_result_buf);
- btm_process_inq_results(inquiry_result_buf, kExtendedInquiryResultMode);
+ btm_process_inq_results(inquiry_result_buf, result.size(),
+ kExtendedInquiryResultMode);
}
void bluetooth::shim::Btm::OnInquiryComplete(uint16_t status) {
diff --git a/stack/btm/btm_acl.cc b/stack/btm/btm_acl.cc
index 97f235f..6157ecb 100644
--- a/stack/btm/btm_acl.cc
+++ b/stack/btm/btm_acl.cc
@@ -50,7 +50,6 @@
#include "device/include/interop.h"
#include "hcidefs.h"
#include "hcimsgs.h"
-#include "log/log.h"
#include "l2c_int.h"
#include "osi/include/log.h"
#include "osi/include/osi.h"
diff --git a/stack/btm/btm_ble_batchscan.cc b/stack/btm/btm_ble_batchscan.cc
index f7d5d3c5..3d89358 100644
--- a/stack/btm/btm_ble_batchscan.cc
+++ b/stack/btm/btm_ble_batchscan.cc
@@ -63,6 +63,7 @@
uint8_t sub_event = 0;
tBTM_BLE_VSC_CB cmn_ble_vsc_cb;
+ if (len == 0) return;
STREAM_TO_UINT8(sub_event, p);
BTM_TRACE_EVENT(
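Review bot: The new `if (len == 0) return;` only covers the single `sub_event` byte read on the next line, and the `if (len < 15) return;` in the following hunk compares the same `len` against an absolute threshold even though `p` has advanced through reads in between; nothing in either hunk shows `len` being decremented, so if it still holds the whole event length the second check bounds fewer remaining bytes than it appears to. Whether that matters depends on the reads outside the view, so at minimum the threshold should be explained at the `len < 15` line, e.g. `/* 15 = bytes consumed from the start of the event through the fields read below; keep in step with the STREAM_TO_* sequence */`. The enclosing function starts before this hunk and continues past the second one.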
@@ -90,6 +91,7 @@
/* Extract the adv info details */
if (ADV_INFO_PRESENT == adv_data.advertiser_info_present) {
+ if (len < 15) return;
STREAM_TO_UINT8(adv_data.tx_power, p);
STREAM_TO_UINT8(adv_data.rssi_value, p);
STREAM_TO_UINT16(adv_data.time_stamp, p);
diff --git a/stack/btm/btm_inq.cc b/stack/btm/btm_inq.cc
index aaadd2b..cabd117 100644
--- a/stack/btm/btm_inq.cc
+++ b/stack/btm/btm_inq.cc
@@ -25,6 +25,7 @@
*
******************************************************************************/
+#include <log/log.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
@@ -1671,7 +1672,8 @@
* Returns void
*
******************************************************************************/
-void btm_process_inq_results(uint8_t* p, uint8_t inq_res_mode) {
+void btm_process_inq_results(uint8_t* p, uint8_t hci_evt_len,
+ uint8_t inq_res_mode) {
uint8_t num_resp, xx;
RawAddress bda;
tINQ_DB_ENT* p_i;
@@ -1700,10 +1702,29 @@
STREAM_TO_UINT8(num_resp, p);
- if (inq_res_mode == BTM_INQ_RESULT_EXTENDED && (num_resp > 1)) {
- BTM_TRACE_ERROR("btm_process_inq_results() extended results (%d) > 1",
- num_resp);
- return;
+ if (inq_res_mode == BTM_INQ_RESULT_EXTENDED) {
+ if (num_resp > 1) {
+ BTM_TRACE_ERROR("btm_process_inq_results() extended results (%d) > 1",
+ num_resp);
+ return;
+ }
+
+ constexpr uint16_t extended_inquiry_result_size = 254;
+ if (hci_evt_len - 1 != extended_inquiry_result_size) {
+ android_errorWriteLog(0x534e4554, "141620271");
+ BTM_TRACE_ERROR("%s: can't fit %d results in %d bytes", __func__,
+ num_resp, hci_evt_len);
+ return;
+ }
+ } else if (inq_res_mode == BTM_INQ_RESULT_STANDARD ||
+ inq_res_mode == BTM_INQ_RESULT_WITH_RSSI) {
+ constexpr uint16_t inquiry_result_size = 14;
+ if (hci_evt_len < num_resp * inquiry_result_size) {
+ android_errorWriteLog(0x534e4554, "141620271");
+ BTM_TRACE_ERROR("%s: can't fit %d results in %d bytes", __func__,
+ num_resp, hci_evt_len);
+ return;
+ }
}
for (xx = 0; xx < num_resp; xx++) {
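Review bot: The standard/RSSI branch check `if (hci_evt_len < num_resp * inquiry_result_size)` does not account for the `num_resp` byte already consumed by `STREAM_TO_UINT8(num_resp, p)` above, whereas the extended branch does (`hci_evt_len - 1`). If `hci_evt_len` counts that leading byte, as the extended branch assumes, an event of exactly `num_resp * 14` bytes passes the check while only `num_resp * 14 - 1` bytes of result data remain, so the last result is read one byte past the event. Suggested change: `if (hci_evt_len < 1 + num_resp * inquiry_result_size) {`. A short comment on each constant saying what the size covers (the fixed per-result record for standard/RSSI, the single record for extended) would also help the next reader. `btm_process_inq_results` begins in the previous hunk and continues past this one.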
diff --git a/stack/btm/btm_int.h b/stack/btm/btm_int.h
index ee1d655..88cb724 100644
--- a/stack/btm/btm_int.h
+++ b/stack/btm/btm_int.h
@@ -65,7 +65,8 @@
/* Inquiry related functions */
extern void btm_clr_inq_db(const RawAddress* p_bda);
extern void btm_inq_db_init(void);
-extern void btm_process_inq_results(uint8_t* p, uint8_t inq_res_mode);
+extern void btm_process_inq_results(uint8_t* p, uint8_t hci_evt_len,
+ uint8_t inq_res_mode);
extern void btm_process_inq_complete(uint8_t status, uint8_t mode);
extern void btm_process_cancel_complete(uint8_t status, uint8_t mode);
extern void btm_event_filter_complete(uint8_t* p);
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 935903d..8162e47 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -4560,7 +4560,8 @@
*/
if (is_sample_ltk(p_dev_rec->ble.keys.pltk)) {
android_errorWriteLog(0x534e4554, "128437297");
- LOG(INFO) << __func__ << " removing bond to device that used sample LTK: " << p_dev_rec->bd_addr;
+ LOG(INFO) << __func__ << " removing bond to device that used sample LTK: "
+ << p_dev_rec->bd_addr;
bta_dm_remove_device(p_dev_rec->bd_addr);
}
diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
index 17fde3b..a1f868a 100644
--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -65,11 +65,12 @@
/* L O C A L F U N C T I O N P R O T O T Y P E S */
/******************************************************************************/
static void btu_hcif_inquiry_comp_evt(uint8_t* p);
-static void btu_hcif_inquiry_result_evt(uint8_t* p);
-static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p);
-static void btu_hcif_extended_inquiry_result_evt(uint8_t* p);
+static void btu_hcif_inquiry_result_evt(uint8_t* p, uint8_t hci_evt_len);
+static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p, uint8_t hci_evt_len);
+static void btu_hcif_extended_inquiry_result_evt(uint8_t* p,
+ uint8_t hci_evt_len);
-static void btu_hcif_connection_comp_evt(uint8_t* p);
+static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len);
static void btu_hcif_connection_request_evt(uint8_t* p);
static void btu_hcif_disconnection_comp_evt(uint8_t* p);
static void btu_hcif_authentication_comp_evt(uint8_t* p);
@@ -86,7 +87,7 @@
static void btu_hcif_hardware_error_evt(uint8_t* p);
static void btu_hcif_flush_occured_evt(void);
static void btu_hcif_role_change_evt(uint8_t* p);
-static void btu_hcif_num_compl_data_pkts_evt(uint8_t* p);
+static void btu_hcif_num_compl_data_pkts_evt(uint8_t* p, uint8_t evt_len);
static void btu_hcif_mode_change_evt(uint8_t* p);
static void btu_hcif_pin_code_request_evt(uint8_t* p);
static void btu_hcif_link_key_request_evt(uint8_t* p);
@@ -264,16 +265,16 @@
btu_hcif_inquiry_comp_evt(p);
break;
case HCI_INQUIRY_RESULT_EVT:
- btu_hcif_inquiry_result_evt(p);
+ btu_hcif_inquiry_result_evt(p, hci_evt_len);
break;
case HCI_INQUIRY_RSSI_RESULT_EVT:
- btu_hcif_inquiry_rssi_result_evt(p);
+ btu_hcif_inquiry_rssi_result_evt(p, hci_evt_len);
break;
case HCI_EXTENDED_INQUIRY_RESULT_EVT:
- btu_hcif_extended_inquiry_result_evt(p);
+ btu_hcif_extended_inquiry_result_evt(p, hci_evt_len);
break;
case HCI_CONNECTION_COMP_EVT:
- btu_hcif_connection_comp_evt(p);
+ btu_hcif_connection_comp_evt(p, hci_evt_len);
break;
case HCI_CONNECTION_REQUEST_EVT:
btu_hcif_connection_request_evt(p);
@@ -327,7 +328,7 @@
btu_hcif_role_change_evt(p);
break;
case HCI_NUM_COMPL_DATA_PKTS_EVT:
- btu_hcif_num_compl_data_pkts_evt(p);
+ btu_hcif_num_compl_data_pkts_evt(p, hci_evt_len);
break;
case HCI_MODE_CHANGE_EVT:
btu_hcif_mode_change_evt(p);
@@ -949,9 +950,9 @@
* Returns void
*
******************************************************************************/
-static void btu_hcif_inquiry_result_evt(uint8_t* p) {
+static void btu_hcif_inquiry_result_evt(uint8_t* p, uint8_t hci_evt_len) {
/* Store results in the cache */
- btm_process_inq_results(p, BTM_INQ_RESULT_STANDARD);
+ btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_STANDARD);
}
/*******************************************************************************
@@ -963,9 +964,9 @@
* Returns void
*
******************************************************************************/
-static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p) {
+static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p, uint8_t hci_evt_len) {
/* Store results in the cache */
- btm_process_inq_results(p, BTM_INQ_RESULT_WITH_RSSI);
+ btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_WITH_RSSI);
}
/*******************************************************************************
@@ -977,9 +978,10 @@
* Returns void
*
******************************************************************************/
-static void btu_hcif_extended_inquiry_result_evt(uint8_t* p) {
+static void btu_hcif_extended_inquiry_result_evt(uint8_t* p,
+ uint8_t hci_evt_len) {
/* Store results in the cache */
- btm_process_inq_results(p, BTM_INQ_RESULT_EXTENDED);
+ btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_EXTENDED);
}
/*******************************************************************************
@@ -991,7 +993,7 @@
* Returns void
*
******************************************************************************/
-static void btu_hcif_connection_comp_evt(uint8_t* p) {
+static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len) {
uint8_t status;
uint16_t handle;
RawAddress bda;
@@ -999,6 +1001,12 @@
uint8_t enc_mode;
tBTM_ESCO_DATA esco_data;
+ if (evt_len < 11) {
+ android_errorWriteLog(0x534e4554, "141619686");
+ HCI_TRACE_WARNING("%s: malformed event of size %hhd", __func__, evt_len);
+ return;
+ }
+
STREAM_TO_UINT8(status, p);
STREAM_TO_UINT16(handle, p);
STREAM_TO_BDADDR(bda, p);
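Review bot: `HCI_TRACE_WARNING("%s: malformed event of size %hhd", __func__, evt_len)` formats the unsigned `uint8_t evt_len` with the signed `%hhd`, so lengths above 127 are logged as negative numbers; use `%hhu`. The bare `11` in `if (evt_len < 11)` would also read better as a named constant with a comment on what it covers, in the style btm_inq.cc uses in this same change — `status`, `handle` and `bda` account for 9 of the bytes on the visible reads, the remaining two presumably for the fields read after them, which should be confirmed against the lines that follow. `btu_hcif_connection_comp_evt` starts in the previous hunk and continues past this one.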
@@ -1700,9 +1708,9 @@
* Returns void
*
******************************************************************************/
-static void btu_hcif_num_compl_data_pkts_evt(uint8_t* p) {
+static void btu_hcif_num_compl_data_pkts_evt(uint8_t* p, uint8_t evt_len) {
/* Process for L2CAP and SCO */
- l2c_link_process_num_completed_pkts(p);
+ l2c_link_process_num_completed_pkts(p, evt_len);
/* Send on to SCO */
/*?? No SCO for now */
diff --git a/stack/include/bt_types.h b/stack/include/bt_types.h
index 01e8248..71bc2e1 100644
--- a/stack/include/bt_types.h
+++ b/stack/include/bt_types.h
@@ -585,9 +585,7 @@
* 0x4C68384139F574D836BCF34E9DFB01BF */
constexpr Octet16 SAMPLE_LTK = {0xbf, 0x01, 0xfb, 0x9d, 0x4e, 0xf3, 0xbc, 0x36,
0xd8, 0x74, 0xf5, 0x39, 0x41, 0x38, 0x68, 0x4c};
-inline bool is_sample_ltk(const Octet16& ltk) {
- return ltk == SAMPLE_LTK;
-}
+inline bool is_sample_ltk(const Octet16& ltk) { return ltk == SAMPLE_LTK; }
#endif
diff --git a/stack/l2cap/l2c_int.h b/stack/l2cap/l2c_int.h
index 53b6f32..e58efaf 100644
--- a/stack/l2cap/l2c_int.h
+++ b/stack/l2cap/l2c_int.h
@@ -713,7 +713,7 @@
extern void l2c_link_check_send_pkts(tL2C_LCB* p_lcb, tL2C_CCB* p_ccb,
BT_HDR* p_buf);
extern void l2c_link_adjust_allocation(void);
-extern void l2c_link_process_num_completed_pkts(uint8_t* p);
+extern void l2c_link_process_num_completed_pkts(uint8_t* p, uint8_t evt_len);
extern void l2c_link_process_num_completed_blocks(uint8_t controller_id,
uint8_t* p, uint16_t evt_len);
extern void l2c_link_processs_num_bufs(uint16_t num_lm_acl_bufs);
diff --git a/stack/l2cap/l2c_link.cc b/stack/l2cap/l2c_link.cc
index 7f6d5b9..f15e123 100644
--- a/stack/l2cap/l2c_link.cc
+++ b/stack/l2cap/l2c_link.cc
@@ -40,6 +40,7 @@
#include "l2c_api.h"
#include "l2c_int.h"
#include "l2cdefs.h"
+#include "log/log.h"
#include "osi/include/osi.h"
static bool l2c_link_send_to_lower(tL2C_LCB* p_lcb, BT_HDR* p_buf,
@@ -1219,13 +1220,22 @@
* Returns void
*
******************************************************************************/
-void l2c_link_process_num_completed_pkts(uint8_t* p) {
+void l2c_link_process_num_completed_pkts(uint8_t* p, uint8_t evt_len) {
uint8_t num_handles, xx;
uint16_t handle;
uint16_t num_sent;
tL2C_LCB* p_lcb;
- STREAM_TO_UINT8(num_handles, p);
+ if (evt_len > 0) {
+ STREAM_TO_UINT8(num_handles, p);
+ } else {
+ num_handles = 0;
+ }
+
+ if (num_handles > evt_len / (2 * sizeof(uint16_t))) {
+ android_errorWriteLog(0x534e4554, "141617601");
+ num_handles = evt_len / (2 * sizeof(uint16_t));
+ }
for (xx = 0; xx < num_handles; xx++) {
STREAM_TO_UINT16(handle, p);
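Review bot: The clamp `num_handles > evt_len / (2 * sizeof(uint16_t))` divides the full `evt_len`, but the `num_handles` byte has already been consumed from it by the `STREAM_TO_UINT8` just above, so for `evt_len == 4` one entry is accepted while only three bytes remain and the loop below reads past the event. Computing the allowance from the remaining bytes, as below, closes the gap and keeps the zero-length case at zero handles; the `2 * sizeof(uint16_t)` divisor also deserves a comment stating that each entry is a `handle` followed by a `num_sent`, which the `STREAM_TO_UINT16(handle, p)` read and the `num_sent` local suggest but the hunk does not fully show. The `for` loop and the rest of `l2c_link_process_num_completed_pkts` continue past the hunk.
```cpp
void l2c_link_process_num_completed_pkts(uint8_t* p, uint8_t evt_len) {
  // … unchanged: local declarations …

  // Payload is num_handles(1) followed by num_handles entries of
  // handle(2) + num_sent(2); evt_len includes the leading byte.
  if (evt_len > 0) {
    STREAM_TO_UINT8(num_handles, p);
  } else {
    num_handles = 0;
  }

  const uint8_t max_handles =
      evt_len > 0 ? (evt_len - 1) / (2 * sizeof(uint16_t)) : 0;
  if (num_handles > max_handles) {
    android_errorWriteLog(0x534e4554, "141617601");
    num_handles = max_handles;
  }
  // … unchanged: per-handle loop …
```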
diff --git a/stack/l2cap/l2c_main.cc b/stack/l2cap/l2c_main.cc
index 128f60e..52d77c5 100644
--- a/stack/l2cap/l2c_main.cc
+++ b/stack/l2cap/l2c_main.cc
@@ -97,6 +97,11 @@
/* There is a slight possibility (specifically with USB) that we get an */
/* L2CAP connection request before we get the HCI connection complete. */
/* So for these types of messages, hold them for up to 2 seconds. */
+ if (l2cap_len == 0) {
+ L2CAP_TRACE_WARNING("received empty L2CAP packet");
+ osi_free(p_msg);
+ return;
+ }
uint8_t cmd_code;
STREAM_TO_UINT8(cmd_code, p);
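Review bot: The new `if (l2cap_len == 0)` guard only ensures the one byte read by `STREAM_TO_UINT8(cmd_code, p)`; if this is the signaling-channel path, as the `cmd_code` read suggests, a command header is four bytes (code, identifier, length), so unless the reads that follow outside this hunk check the remaining length themselves, a packet of one to three bytes is still parsed past its end. If those checks exist, a comment here saying so would save the next reader the lookup; if not, the condition should be `if (l2cap_len < 4)` with the same warning and `osi_free(p_msg)`. The enclosing function begins before this hunk.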
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
index baadd7a..bdc15bd 100644
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -436,6 +436,7 @@
if (!sdp_copy_raw_data(p_ccb, false)) {
SDP_TRACE_ERROR("sdp_copy_raw_data failed");
sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
+ return;
}
#endif
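Review bot: The added `return` after `sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER)` carries no explanation, and the same pattern appears in the next hunk; presumably it stops the handler from continuing to use `p_ccb` once the connection is being torn down, but that is inferred rather than visible here. A one-line comment at each site would make the intent durable, e.g. `/* connection is being torn down; do not keep parsing this response */`. Both sites sit inside `#if` blocks whose opening is outside the hunks, and the enclosing functions begin before them.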
@@ -642,6 +643,7 @@
if (!sdp_copy_raw_data(p_ccb, true)) {
SDP_TRACE_ERROR("sdp_copy_raw_data failed");
sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
+ return;
}
#endif