Snap for 7266504 from d0a72022c32cbfc8b39603c735d365b8dfc1f4da to mainline-tethering-release
Change-Id: I52d200b2a2880da094078e8dbf04d1f3480fd5a3
diff --git a/profile/avrcp/connection_handler.cc b/profile/avrcp/connection_handler.cc
index af8fb57..06c61b3 100644
--- a/profile/avrcp/connection_handler.cc
+++ b/profile/avrcp/connection_handler.cc
@@ -406,7 +406,7 @@
device_map_[handle]->MessageReceived(label, Packet::Parse(pkt));
}
-void ConnectionHandler::SdpCb(const RawAddress& bdaddr, SdpCallback cb,
+void ConnectionHandler::SdpCb(RawAddress bdaddr, SdpCallback cb,
tSDP_DISCOVERY_DB* disc_db, bool retry,
uint16_t status) {
LOG(INFO) << __PRETTY_FUNCTION__ << ": SDP lookup callback received";
diff --git a/profile/avrcp/connection_handler.h b/profile/avrcp/connection_handler.h
index d5f0a27..a5029cf 100644
--- a/profile/avrcp/connection_handler.h
+++ b/profile/avrcp/connection_handler.h
@@ -136,7 +136,7 @@
using SdpCallback = base::Callback<void(uint16_t status, uint16_t version,
uint16_t features)>;
virtual bool SdpLookup(const RawAddress& bdaddr, SdpCallback cb, bool retry);
- void SdpCb(const RawAddress& bdaddr, SdpCallback cb,
+ void SdpCb(RawAddress bdaddr, SdpCallback cb,
tSDP_DISCOVERY_DB* disc_db, bool retry, uint16_t status);
virtual bool AvrcpConnect(bool initiator, const RawAddress& bdaddr);
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index 7b64b86..619aace 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc
@@ -428,12 +428,19 @@
case AVRC_PDU_GET_ITEM_ATTRIBUTES: {
tAVRC_GET_ATTRS_RSP* get_attr_rsp = &(p_rsp->get_attrs);
get_attr_rsp->pdu = pdu;
+ min_len += 2;
+ if (pkt_len < min_len) {
+ android_errorWriteLog(0x534e4554, "179162665");
+ goto browse_length_error;
+ }
BE_STREAM_TO_UINT8(get_attr_rsp->status, p)
BE_STREAM_TO_UINT8(get_attr_rsp->num_attrs, p);
get_attr_rsp->p_attrs = (tAVRC_ATTR_ENTRY*)osi_malloc(
get_attr_rsp->num_attrs * sizeof(tAVRC_ATTR_ENTRY));
for (int i = 0; i < get_attr_rsp->num_attrs; i++) {
tAVRC_ATTR_ENTRY* attr_entry = &(get_attr_rsp->p_attrs[i]);
+ min_len += 8;
+ if (pkt_len < min_len) goto browse_length_error;
BE_STREAM_TO_UINT32(attr_entry->attr_id, p);
BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p);
BE_STREAM_TO_UINT16(attr_entry->name.str_len, p);
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index 5a81d0d..190a88d 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -75,6 +75,12 @@
BE_STREAM_TO_UINT8(p_result->reg_notif.event_id, p);
BE_STREAM_TO_UINT32(p_result->reg_notif.param, p);
+
+ if (p_result->reg_notif.event_id == 0 ||
+ p_result->reg_notif.event_id > AVRC_NUM_NOTIF_EVENTS) {
+ android_errorWriteLog(0x534e4554, "181860042");
+ status = AVRC_STS_BAD_PARAM;
+ }
break;
default:
status = AVRC_STS_BAD_CMD;
diff --git a/stack/test/stack_avrcp_test.cc b/stack/test/stack_avrcp_test.cc
index ad1cc9e..72ec45f 100644
--- a/stack/test/stack_avrcp_test.cc
+++ b/stack/test/stack_avrcp_test.cc
@@ -14,6 +14,7 @@
* limitations under the License.
*/
+#include <arpa/inet.h> // htons
#include <dlfcn.h>
#include <gtest/gtest.h>
@@ -110,3 +111,49 @@
EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
AVRC_STS_NO_ERROR);
}
+
+TEST_F(StackAvrcpTest, test_avrcp_pdu_register_notification) {
+ ASSERT_EQ(htons(0x500), 5);
+
+ struct {
+ uint8_t pdu;
+ uint8_t reserved;
+ uint16_t len;
+ struct {
+ uint8_t event_id;
+ uint32_t param;
+ } payload;
+ } data = {
+ AVRC_PDU_REGISTER_NOTIFICATION,
+ 0, // reserved
+ htons(sizeof(data.payload)),
+ .payload =
+ {
+ .event_id = 0,
+ .param = 0x1234,
+ },
+ };
+
+ tAVRC_MSG msg = {
+ .vendor =
+ {
+ .hdr =
+ {
+ .ctype = AVRC_CMD_NOTIF,
+ .opcode = AVRC_OP_VENDOR,
+ },
+ .p_vendor_data = (uint8_t*)&data,
+ .vendor_len = sizeof(data),
+ },
+ };
+ tAVRC_COMMAND result{};
+
+ // Run through all possible event ids
+ uint8_t id = 0;
+ do {
+ data.payload.event_id = id;
+ ASSERT_EQ((id == 0 || id > AVRC_NUM_NOTIF_EVENTS) ? AVRC_STS_BAD_PARAM
+ : AVRC_STS_NO_ERROR,
+ AVRC_Ctrl_ParsCommand(&msg, &result));
+ } while (++id != 0);
+}
