Snap for 8730993 from 2c3cd720c07e3dcb70d6e412177c340dfa94ef5a to mainline-tzdata3-release
Change-Id: If3f269b0fb4c07c38cf5f1f65f621571c4474b96
diff --git a/Android.bp b/Android.bp
index 2b49380..81162c4 100644
--- a/Android.bp
+++ b/Android.bp
@@ -66,3 +66,21 @@
"AndroidTestTemplate.xml",
],
}
+
+filegroup {
+ name: "framework-bluetooth-srcs",
+ srcs: [],
+ visibility: ["//visibility:private"]
+}
+
+java_library {
+ name: "framework-bluetooth",
+ srcs: [":framework-bluetooth-srcs"],
+ sdk_version: "module_current"
+}
+
+java_library {
+ name: "framework-bluetooth.stubs.module_lib",
+ srcs: [":framework-bluetooth-srcs"],
+ sdk_version: "module_current"
+}
diff --git a/apex/Android.bp b/apex/Android.bp
index c206dca..676623a 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -35,3 +35,12 @@
name: "com.android.bluetooth.updatable.certificate",
certificate: "com.android.bluetooth.updatable",
}
+
+// Empty, disabled APEX to allow other libraries to specify "apex_available"
+// in all branches without merge conflicts.
+apex {
+ name: "com.android.bluetooth",
+ enabled: false,
+ key: "com.android.bluetooth.updatable.key",
+ certificate: ":com.android.bluetooth.updatable.certificate",
+}
diff --git a/bta/dm/bta_dm_act.cc b/bta/dm/bta_dm_act.cc
index 8f9e26e..cde0fa7 100644
--- a/bta/dm/bta_dm_act.cc
+++ b/bta/dm/bta_dm_act.cc
@@ -25,11 +25,14 @@
#define LOG_TAG "bt_bta_dm"
+#include <base/logging.h>
+
#include <cstdint>
#include "bta/dm/bta_dm_int.h"
#include "bta/gatt/bta_gattc_int.h"
#include "bta/include/bta_dm_ci.h"
+#include "btif/include/btif_config.h"
#include "btif/include/btif_dm.h"
#include "btif/include/btif_storage.h"
#include "btif/include/stack_manager.h"
@@ -42,6 +45,7 @@
#include "osi/include/fixed_queue.h"
#include "osi/include/log.h"
#include "osi/include/osi.h"
+#include "stack/btm/btm_ble_int.h"
#include "stack/btm/btm_sec.h"
#include "stack/btm/neighbor_inquiry.h"
#include "stack/gatt/connection_manager.h"
@@ -645,6 +649,13 @@
if (!other_address_connected && !other_address.IsEmpty()) {
bta_dm_process_remove_device(other_address);
}
+
+ /* Check the length of the paired devices, and if 0 then reset IRK */
+ auto paired_devices = btif_config_get_paired_devices();
+ if (paired_devices.empty()) {
+ LOG_INFO("Last paired device removed, resetting IRK");
+ btm_ble_reset_id();
+ }
}
/*******************************************************************************
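Review bot: The IRK reset only fires if `btif_config_get_paired_devices()` already returns an empty list at this point, and the hunk does not show whether the removed device's config entry has been deleted before this code runs. If that deletion happens later, the reset is skipped for exactly the last device, so the ordering in the caller (outside the hunk) should be confirmed. The added comment says what is checked but not why; presumably the goal is privacy, and something like `/* No bonds left: reset the IRK so formerly bonded peers cannot resolve our future RPAs */` would record that.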
diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc
index 721bbbc..0392a4d 100644
--- a/bta/hf_client/bta_hf_client_at.cc
+++ b/bta/hf_client/bta_hf_client_at.cc
@@ -333,6 +333,10 @@
APPL_TRACE_DEBUG("%s: %lu.%s <%lu:%lu>", __func__, index, name, min, max);
+ if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) {
+ return;
+ }
+
/* look for a matching indicator on list of supported ones */
for (i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++) {
if (strcmp(name, BTA_HF_CLIENT_INDICATOR_SERVICE) == 0) {
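Review bot: The new bounds check on `index` returns silently, so a peer that sends an out-of-range indicator index leaves no trace in the logs, unlike the other bounds fixes in this commit. Consider `APPL_TRACE_WARNING("%s: indicator index %lu out of range", __func__, index);` before the `return`. The check uses `BTA_HF_CLIENT_AT_INDICATOR_COUNT` while the loop below is bounded by `BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT`; the array that `index` addresses is outside the hunk, so confirm the first constant is really its size.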
@@ -812,9 +816,9 @@
} while (0)
/* skip rest of AT string up to <cr> */
-#define AT_SKIP_REST(buf) \
- do { \
- while (*(buf) != '\r') (buf)++; \
+#define AT_SKIP_REST(buf) \
+ do { \
+ while (*(buf) != '\r' && *(buf) != '\0') (buf)++; \
} while (0)
static char* bta_hf_client_parse_ok(tBTA_HF_CLIENT_CB* client_cb,
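Review bot: `AT_SKIP_REST` can now leave `buf` on the terminating NUL instead of on `\r`, so any caller that advances past the delimiter after the macro would step beyond the end of the string. The call sites are outside this hunk; each should test `*(buf) == '\0'` after the macro and stop parsing there. The macro comment still says "up to <cr>" and could read `/* skip rest of AT string up to <cr> or end of string */`. The fix also relies on the AT buffer always being NUL-terminated, which is not visible here.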
diff --git a/btif/src/btif_dm.cc b/btif/src/btif_dm.cc
index 49be641..8541198 100644
--- a/btif/src/btif_dm.cc
+++ b/btif/src/btif_dm.cc
@@ -1044,22 +1044,14 @@
break;
case HCI_ERR_PAIRING_NOT_ALLOWED:
- if (!bluetooth::shim::is_gd_security_enabled()) {
- is_bonded_device_removed = (btif_storage_remove_bonded_device(
- &bd_addr) == BT_STATUS_SUCCESS);
- } else {
- is_bonded_device_removed = true;
- }
+ is_bonded_device_removed = false;
status = BT_STATUS_AUTH_REJECTED;
break;
/* map the auth failure codes, so we can retry pairing if necessary */
case HCI_ERR_AUTH_FAILURE:
case HCI_ERR_KEY_MISSING:
- is_bonded_device_removed = (bluetooth::shim::is_gd_security_enabled())
- ? true
- : (btif_storage_remove_bonded_device(
- &bd_addr) == BT_STATUS_SUCCESS);
+ is_bonded_device_removed = false;
[[fallthrough]];
case HCI_ERR_HOST_REJECT_SECURITY:
case HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE:
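Review bot: The `is_bonded_device_removed = false;` assignments in this hunk and the next carry no comment explaining why the stored bond is now kept on `HCI_ERR_PAIRING_NOT_ALLOWED`, `HCI_ERR_AUTH_FAILURE` and `HCI_ERR_KEY_MISSING`. These status codes are reported over the air, so presumably the intent is that a remote failure must never erase local keys. A short comment such as `// Keep the bond: a remotely reported auth failure must not delete stored keys` would keep the removal from being reintroduced. If the variable is already initialised to false before the switch (not visible in the hunk), the assignments are redundant and the comment alone would do.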
@@ -1090,10 +1082,7 @@
/* Remove Device as bonded in nvram as authentication failed */
BTIF_TRACE_DEBUG("%s(): removing hid pointing device from nvram",
__func__);
- is_bonded_device_removed = (bluetooth::shim::is_gd_security_enabled())
- ? true
- : (btif_storage_remove_bonded_device(
- &bd_addr) == BT_STATUS_SUCCESS);
+ is_bonded_device_removed = false;
}
// Report bond state change to java only if we are bonding to a device or
// a device is removed from the pairing list.
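Review bot: The comment `Remove Device as bonded in nvram as authentication failed` and the trace `removing hid pointing device from nvram` above the changed line no longer match the code, which now leaves the bond in storage. A misleading debug trace is a real cost when triaging a pairing incident from logs. Reword both, e.g. `/* Authentication failed: bond is kept in nvram, only the failure is reported */`, or drop the branch if it has no remaining effect; the enclosing `if` starts outside the hunk.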
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index 2141bf17..0555af0 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc
@@ -581,6 +581,10 @@
p_result->get_caps.capability_id,
p_result->get_caps.count);
if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID) {
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_COMP_ID) {
+ android_errorWriteLog(0x534e4554, "205837191");
+ return AVRC_STS_INTERNAL_ERR;
+ }
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_COMP_ID) * 3;
if (len < min_len) goto length_error;
for (int xx = 0; ((xx < p_result->get_caps.count) &&
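Review bot: After the new early return for `count > AVRC_CAP_MAX_NUM_COMP_ID`, the `MIN(...)` clamp on the following line can no longer change the result, and the same holds for the `AVRC_CAP_EVENTS_SUPPORTED` hunk below. Either simplify to `min_len += p_result->get_caps.count * 3;` or keep the clamp with a comment that it is deliberate defence in depth, so a later cleanup does not remove the wrong one. The new path also returns `AVRC_STS_INTERNAL_ERR` directly while the neighbouring length failures use `goto length_error`; if that label logs or maps the status (it is outside the hunk), the oversized-count case bypasses it.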
@@ -590,6 +594,10 @@
}
} else if (p_result->get_caps.capability_id ==
AVRC_CAP_EVENTS_SUPPORTED) {
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_EVT_ID) {
+ android_errorWriteLog(0x534e4554, "205837191");
+ return AVRC_STS_INTERNAL_ERR;
+ }
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_EVT_ID);
if (len < min_len) goto length_error;
for (int xx = 0; ((xx < p_result->get_caps.count) &&
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index c59c18d..98a6495 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -44,6 +44,12 @@
tAVRC_COMMAND* p_result) {
tAVRC_STS status = AVRC_STS_NO_ERROR;
+ if (p_msg->vendor_len < 4) { // 4 == pdu + reserved byte + len as uint16
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
+ __func__, p_msg->vendor_len);
+ android_errorWriteLog(0x534e4554, "205571133");
+ return AVRC_STS_INTERNAL_ERR;
+ }
uint8_t* p = p_msg->p_vendor_data;
p_result->pdu = *p++;
AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);
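Review bot: The new `vendor_len < 4` check covers only the fixed header, and `p_msg->p_vendor_data` is still dereferenced on the next lines without a null check. If a message can arrive with a non-zero `vendor_len` and a null data pointer (not determinable from this hunk), extend the condition with `|| p_msg->p_vendor_data == nullptr`. The 16-bit length read from that header should also be compared against `vendor_len - 4` before the per-PDU parsing, which happens outside the hunk.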
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 50bd604..4b5d70d 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -3385,7 +3385,6 @@
void btm_sec_connected(const RawAddress& bda, uint16_t handle,
tHCI_STATUS status, uint8_t enc_mode,
tHCI_ROLE assigned_role) {
- tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
tBTM_STATUS res;
bool is_pairing_device = false;
bool addr_matched;
@@ -3393,6 +3392,7 @@
btm_acl_resubmit_page();
+ tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
if (!p_dev_rec) {
LOG_DEBUG(
"Connected to new device state:%s handle:0x%04x status:%s "
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index 8c3567d..cb5c138 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -745,7 +745,7 @@
rem_len -= 4;
// Make sure we don't read past the remaining data even if the length says
// we can Also need to watch comparing the int16_t with the uint16_t
- value.len = std::min(rem_len, (int16_t)value.len);
+ value.len = std::min((uint16_t)rem_len, value.len);
STREAM_TO_ARRAY(value.value, p, value.len);
// Accounting
rem_len -= value.len;
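Review bot: The cast `(uint16_t)rem_len` is only safe while `rem_len` is non-negative. If `rem_len -= 4` can take the signed value below zero, the cast wraps to a large number, `std::min` returns the attacker-supplied `value.len`, and `STREAM_TO_ARRAY` reads past the packet. The guard that keeps `rem_len` at or above 4 is not visible in this hunk; if it is not guaranteed by the enclosing loop, add `if (rem_len < 0) break;` (or the function's existing error path) before the clamp. Prefer `static_cast<uint16_t>(rem_len)` over the C-style cast so the conversion is easy to find in review.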
diff --git a/stack/gatt/gatt_db.cc b/stack/gatt/gatt_db.cc
index f7d18e4..6353c28 100644
--- a/stack/gatt/gatt_db.cc
+++ b/stack/gatt/gatt_db.cc
@@ -27,6 +27,7 @@
#include "bt_trace.h"
#include "bt_utils.h"
+#include <log/log.h>
#include <stdio.h>
#include <string.h>
#include "gatt_int.h"
@@ -237,6 +238,12 @@
uint16_t char_ext_prop =
attr16.p_value ? attr16.p_value->char_ext_prop : 0x0000;
*p_len = 2;
+
+ if (mtu < *p_len) {
+ android_errorWriteWithInfoLog(0x534e4554, "228078096", -1, NULL, 0);
+ return GATT_NO_RESOURCES;
+ }
+
UINT16_TO_STREAM(p, char_ext_prop);
*p_data = p;
return GATT_SUCCESS;
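Review bot: `*p_len = 2` is assigned before the new `mtu < *p_len` check, so on the `GATT_NO_RESOURCES` return the caller's length still reads 2 although nothing was written to the buffer. If any caller uses `*p_len` without checking the status first (callers are outside the hunk), it will advance over two unwritten bytes. Setting `*p_len = 0;` before the `return`, or checking `mtu < 2` before assigning, removes that dependency. `NULL` in the logging call could be `nullptr`, as in the `sdp_utils.cc` hunk of this commit.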
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
index c0aedfa..39c7125 100644
--- a/stack/gatt/gatt_sr.cc
+++ b/stack/gatt/gatt_sr.cc
@@ -172,6 +172,9 @@
if (p_rsp != NULL) {
total_len = (p_buf->len + p_rsp->attr_value.len);
+ if (p_cmd->multi_req.variable_len) {
+ total_len += 2;
+ }
if (total_len > mtu) {
/* just send the partial response for the overflow case */
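Review bot: The `total_len += 2` has no comment saying what the two bytes are; presumably they are the per-value length field that a variable-length multi-read response puts before each value. Suggest `// variable-length response: each value is preceded by a 2-byte length` above the `if`, or a named constant instead of the literal. The partial-response branch that follows continues outside the hunk; check that the truncated length computed there also leaves room for these two bytes, otherwise the overflow case can still write past `mtu`.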
diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc
index b826dc1..c878ef2 100644
--- a/stack/l2cap/l2c_ble.cc
+++ b/stack/l2cap/l2c_ble.cc
@@ -26,6 +26,7 @@
#include <base/logging.h>
#include <base/strings/stringprintf.h>
+#include <log/log.h>
#include "bt_target.h"
#include "bta_hearing_aid_api.h"
@@ -515,6 +516,15 @@
/* Check how many channels remote side wants. */
num_of_channels = (p_pkt_end - p) / sizeof(uint16_t);
+ if (num_of_channels > L2CAP_CREDIT_BASED_MAX_CIDS) {
+ android_errorWriteLog(0x534e4554, "232256974");
+ LOG_WARN("L2CAP - invalid number of channels requested: %d",
+ num_of_channels);
+ l2cu_reject_credit_based_conn_req(p_lcb, id,
+ L2CAP_CREDIT_BASED_MAX_CIDS,
+ L2CAP_LE_RESULT_INVALID_PARAMETERS);
+ return;
+ }
LOG_DEBUG(
"Recv L2CAP_CMD_CREDIT_BASED_CONN_REQ with "
@@ -621,7 +631,7 @@
break;
}
case L2CAP_CMD_CREDIT_BASED_CONN_RES:
- if (p + 2 > p_pkt_end) {
+ if (p + 8 > p_pkt_end) {
LOG(ERROR) << "invalid L2CAP_CMD_CREDIT_BASED_CONN_RES len";
return;
}
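Review bot: The literal `8` in `p + 8 > p_pkt_end` is unexplained; presumably it is the four 16-bit fields read below, which are outside the hunk. Writing it as `4 * sizeof(uint16_t)` with a comment naming the fields would keep the check in step with the parsing code. Both this check and the `p + sizeof(uint16_t) > p_pkt_end` added for `L2CAP_CMD_CREDIT_BASED_RECONFIG_RES` form a pointer that may lie beyond the buffer before comparing; `if (p_pkt_end - p < 8)` expresses the same bound without that. The `"invalid read"` message in the reconfig hunk would be easier to triage if it named the command, as this one does.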
@@ -811,6 +821,11 @@
case L2CAP_CMD_CREDIT_BASED_RECONFIG_RES: {
uint16_t result;
+ if (p + sizeof(uint16_t) > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "212694559");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
STREAM_TO_UINT16(result, p);
L2CAP_TRACE_DEBUG(
diff --git a/stack/sdp/sdp_utils.cc b/stack/sdp/sdp_utils.cc
index 3fbafb2..adfab9e 100644
--- a/stack/sdp/sdp_utils.cc
+++ b/stack/sdp/sdp_utils.cc
@@ -37,6 +37,8 @@
#include "stack/include/stack_metrics_logging.h"
+#include <log/log.h>
+
using bluetooth::Uuid;
static const uint8_t sdp_base_uuid[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x10, 0x00, 0x80, 0x00, 0x00, 0x80,
@@ -121,6 +123,10 @@
if (p_attr->attr_id == ATTR_ID_SERVICE_CLASS_ID_LIST &&
SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == DATA_ELE_SEQ_DESC_TYPE) {
tSDP_DISC_ATTR* p_first_attr = p_attr->attr_value.v.p_sub_attr;
+ if (p_first_attr == nullptr) {
+ android_errorWriteLog(0x534e4554, "227203684");
+ return 0;
+ }
if (SDP_DISC_ATTR_TYPE(p_first_attr->attr_len_type) == UUID_DESC_TYPE &&
SDP_DISC_ATTR_LEN(p_first_attr->attr_len_type) == 2) {
return p_first_attr->attr_value.v.u16;
diff --git a/test/mock/mock_stack_btm_ble.cc b/test/mock/mock_stack_btm_ble.cc
index 835b1d2..b6e24ee 100644
--- a/test/mock/mock_stack_btm_ble.cc
+++ b/test/mock/mock_stack_btm_ble.cc
@@ -254,3 +254,6 @@
uint8_t* data, uint16_t len) {
mock_function_count_map[__func__]++;
}
+void btm_ble_reset_id(void) {
+ mock_function_count_map[__func__]++;
+}