Merge "PDL: SMP packet definitions"
diff --git a/OWNERS b/OWNERS
index 5596ce1..aeb2b83 100644
--- a/OWNERS
+++ b/OWNERS
@@ -2,7 +2,6 @@
# Project owners
zachoverflow@google.com
-apanicke@google.com
cmanton@google.com
hsz@google.com
jpawlowski@google.com
diff --git a/btif/src/btif_dm.cc b/btif/src/btif_dm.cc
index 683834a..3b56bf8 100644
--- a/btif/src/btif_dm.cc
+++ b/btif/src/btif_dm.cc
@@ -260,6 +260,11 @@
return !memcmp(zero, data, sizeof(zero));
}
+static bool is_bonding_or_sdp() {
+ return pairing_cb.state == BT_BOND_STATE_BONDING ||
+ (pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts);
+}
+
static void btif_dm_data_copy(uint16_t event, char* dst, char* src) {
tBTA_DM_SEC* dst_dm_sec = (tBTA_DM_SEC*)dst;
tBTA_DM_SEC* src_dm_sec = (tBTA_DM_SEC*)src;
@@ -486,8 +491,6 @@
bt_bond_state_t state) {
btif_stats_add_bond_event(bd_addr, BTIF_DM_FUNC_BOND_STATE_CHANGED, state);
- // Send bonding state only once - based on outgoing/incoming we may receive
- // duplicates
if ((pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING)) {
// Cross key pairing so send callback for static address
if (!pairing_cb.static_bdaddr.IsEmpty()) {
@@ -505,14 +508,18 @@
auto tmp = bd_addr;
HAL_CBACK(bt_hal_cbacks, bond_state_changed_cb, status, &tmp, state);
- if (state == BT_BOND_STATE_BONDING) {
+ int dev_type;
+ if (!btif_get_device_type(bd_addr, &dev_type)) {
+ dev_type = BT_DEVICE_TYPE_BREDR;
+ }
+
+ if (state == BT_BOND_STATE_BONDING ||
+ (state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts > 0)) {
+ // Save state for the device is bonding or SDP.
pairing_cb.state = state;
pairing_cb.bd_addr = bd_addr;
} else {
- if (!pairing_cb.sdp_attempts)
- memset(&pairing_cb, 0, sizeof(pairing_cb));
- else
- BTIF_TRACE_DEBUG("%s: BR-EDR service discovery active", __func__);
+ pairing_cb = {};
}
}
@@ -1138,6 +1145,10 @@
/* Trigger SDP on the device */
pairing_cb.sdp_attempts = 1;
+
+ // Report bonded to Java before start SDP
+ bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED);
+
btif_dm_get_remote_services(bd_addr);
}
}
@@ -1395,9 +1406,9 @@
BTIF_TRACE_DEBUG("%s:(result=0x%x, services 0x%x)", __func__,
p_data->disc_res.result, p_data->disc_res.services);
- if ((p_data->disc_res.result != BTA_SUCCESS) &&
- (pairing_cb.state == BT_BOND_STATE_BONDING) &&
- (pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING)) {
+ if (p_data->disc_res.result != BTA_SUCCESS &&
+ pairing_cb.state == BT_BOND_STATE_BONDED &&
+ pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING) {
if (pairing_cb.sdp_attempts) {
BTIF_TRACE_WARNING("%s: SDP failed after bonding re-attempting",
__func__);
@@ -1424,21 +1435,39 @@
/* onUuidChanged requires getBondedDevices to be populated.
** bond_state_changed needs to be sent prior to remote_device_property
*/
- if ((pairing_cb.state == BT_BOND_STATE_BONDING) &&
+ if (pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts &&
(p_data->disc_res.bd_addr == pairing_cb.bd_addr ||
- p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) &&
- pairing_cb.sdp_attempts > 0) {
- BTIF_TRACE_DEBUG(
- "%s Remote Service SDP done. Call bond_state_changed_cb BONDED",
- __func__);
+ p_data->disc_res.bd_addr == pairing_cb.static_bdaddr)) {
+ LOG_INFO(LOG_TAG, "%s Remote Service SDP done.", __func__);
pairing_cb.sdp_attempts = 0;
- // If bonding occured due to cross-key pairing, send bonding callback
+ // If bond occured due to cross-key pairing, send bond state callback
// for static address now
- if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr)
+ if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) {
bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDING);
+ bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED);
+ }
+ if (pairing_cb.state == BT_BOND_STATE_BONDED) {
+ if (p_data->disc_res.result == BTA_SUCCESS) {
+ // Device is bonded and SDP completed. Clear the pairing control
+ // block.
+ pairing_cb = {};
+ } else {
+ // Report empty UUID to Java if SDP report negative result while
+ // pairing.
+ bt_property_t prop;
+ Uuid uuid;
- bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED);
+ prop.type = BT_PROPERTY_UUIDS;
+ prop.val = &uuid;
+ prop.len = Uuid::kNumBytes128;
+
+ /* Send the event to the BTIF */
+ HAL_CBACK(bt_hal_cbacks, remote_device_properties_cb,
+ BT_STATUS_SUCCESS, &bd_addr, 1, &prop);
+ break;
+ }
+ }
}
if (p_data->disc_res.num_uuids != 0) {
@@ -1634,7 +1663,7 @@
break;
case BTA_DM_BOND_CANCEL_CMPL_EVT:
- if (pairing_cb.state == BT_BOND_STATE_BONDING) {
+ if (is_bonding_or_sdp()) {
bd_addr = pairing_cb.bd_addr;
btm_set_bond_type_dev(pairing_cb.bd_addr, BOND_TYPE_UNKNOWN);
bond_state_changed((bt_status_t)p_data->bond_cancel_cmpl.result,
@@ -2274,7 +2303,7 @@
** 1. Restore scan modes
** 2. special handling for HID devices
*/
- if (pairing_cb.state == BT_BOND_STATE_BONDING) {
+ if (is_bonding_or_sdp()) {
if (pairing_cb.is_ssp) {
if (pairing_cb.is_le_only) {
BTA_DmBleSecurityGrant(*bd_addr, BTA_DM_SEC_PAIR_NOT_SPT);
@@ -2486,7 +2515,7 @@
/*******************************************************************************
*
- * Function btif_dm_get_remote_services_transport
+ * Function btif_dm_get_remote_services_by_transport
*
* Description Start SDP to get remote services by transport
*
@@ -3191,7 +3220,7 @@
void btif_dm_on_disable() {
/* cancel any pending pairing requests */
- if (pairing_cb.state == BT_BOND_STATE_BONDING) {
+ if (is_bonding_or_sdp()) {
BTIF_TRACE_DEBUG("%s: Cancel pending pairing request", __func__);
btif_dm_cancel_bond(&pairing_cb.bd_addr);
}
diff --git a/gd/Android.bp b/gd/Android.bp
index 2340b08..5e50536 100644
--- a/gd/Android.bp
+++ b/gd/Android.bp
@@ -84,6 +84,18 @@
":BluetoothHalSources_hci_rootcanal",
],
},
+ android: {
+ srcs: [
+ ":BluetoothHalSources_hci_android_hidl",
+ ],
+ shared_libs: [
+ "android.hardware.bluetooth@1.0",
+ "libhwbinder",
+ "libhidlbase",
+ "libhidltransport",
+ "libutils",
+ ],
+ },
},
srcs: [
":BluetoothCommonSources",
@@ -110,6 +122,18 @@
":BluetoothHalTestSources_hci_rootcanal",
],
},
+ android: {
+ srcs: [
+ ":BluetoothHalTestSources_hci_android_hidl",
+ ],
+ shared_libs: [
+ "android.hardware.bluetooth@1.0",
+ "libhwbinder",
+ "libhidlbase",
+ "libhidltransport",
+ "libutils",
+ ],
+ },
},
srcs: [
":BluetoothCommonTestSources",
diff --git a/gd/hal/Android.bp b/gd/hal/Android.bp
index 7bdafe0..5437722 100644
--- a/gd/hal/Android.bp
+++ b/gd/hal/Android.bp
@@ -2,12 +2,26 @@
name: "BluetoothHalSources_hci_rootcanal",
srcs: [
"hci_hal_host_rootcanal.cc",
- ]
+ ],
+}
+
+filegroup {
+ name: "BluetoothHalSources_hci_android_hidl",
+ srcs: [
+ "hci_hal_android_hidl.cc",
+ ],
}
filegroup {
name: "BluetoothHalTestSources_hci_rootcanal",
srcs: [
"hci_hal_host_rootcanal_test.cc",
- ]
+ ],
+}
+
+filegroup {
+ name: "BluetoothHalTestSources_hci_android_hidl",
+ srcs: [
+ "hci_hal_android_hidl_test.cc",
+ ],
}
diff --git a/gd/hal/hci_hal_android_hidl.cc b/gd/hal/hci_hal_android_hidl.cc
new file mode 100644
index 0000000..0431b38
--- /dev/null
+++ b/gd/hal/hci_hal_android_hidl.cc
@@ -0,0 +1,126 @@
+/*
+ * Copyright 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "hal/hci_hal.h"
+
+#include <stdlib.h>
+#include <vector>
+
+#include <android/hardware/bluetooth/1.0/IBluetoothHci.h>
+#include <android/hardware/bluetooth/1.0/IBluetoothHciCallbacks.h>
+#include <android/hardware/bluetooth/1.0/types.h>
+
+#include "os/log.h"
+
+using ::android::hardware::hidl_vec;
+using ::android::hardware::Return;
+using ::android::hardware::Void;
+using ::android::hardware::bluetooth::V1_0::IBluetoothHci;
+using ::android::hardware::bluetooth::V1_0::IBluetoothHciCallbacks;
+using HidlStatus = ::android::hardware::bluetooth::V1_0::Status;
+
+namespace bluetooth {
+namespace hal {
+namespace {
+class BluetoothHciDeathRecipient : public ::android::hardware::hidl_death_recipient {
+ public:
+ virtual void serviceDied(uint64_t /*cookie*/, const android::wp<::android::hidl::base::V1_0::IBase>& /*who*/) {
+ LOG_ERROR("Bluetooth HAL service died!");
+ abort();
+ }
+};
+
+android::sp<BluetoothHciDeathRecipient> bluetooth_hci_death_recipient_ = new BluetoothHciDeathRecipient();
+
+class HciHalBluetoothHciCallbacks : public IBluetoothHciCallbacks {
+ public:
+ HciHalBluetoothHciCallbacks(BluetoothHciHalCallbacks* callback) : callback_(callback) {}
+
+ Return<void> initializationComplete(HidlStatus status) {
+ ASSERT(status == HidlStatus::SUCCESS);
+ callback_->initializationComplete(Status::SUCCESS);
+ return Void();
+ }
+
+ Return<void> hciEventReceived(const hidl_vec<uint8_t>& event) {
+ callback_->hciEventReceived(std::vector<uint8_t>(event.begin(), event.end()));
+ return Void();
+ }
+
+ Return<void> aclDataReceived(const hidl_vec<uint8_t>& data) {
+ callback_->aclDataReceived(std::vector<uint8_t>(data.begin(), data.end()));
+ return Void();
+ }
+
+ Return<void> scoDataReceived(const hidl_vec<uint8_t>& data) {
+ callback_->scoDataReceived(std::vector<uint8_t>(data.begin(), data.end()));
+ return Void();
+ }
+
+ private:
+ BluetoothHciHalCallbacks* callback_;
+};
+
+} // namespace
+
+class BluetoothHciHalHidl : public BluetoothHciHal {
+ public:
+ void initialize(BluetoothHciHalCallbacks* callback) override {
+ bt_hci_ = IBluetoothHci::getService();
+ ASSERT(bt_hci_ != nullptr);
+ auto death_link = bt_hci_->linkToDeath(bluetooth_hci_death_recipient_, 0);
+ ASSERT_LOG(death_link.isOk(), "Unable to set the death recipient for the Bluetooth HAL");
+
+ // Block allows allocation of a variable that might be bypassed by goto.
+ {
+ android::sp<IBluetoothHciCallbacks> callbacks = new HciHalBluetoothHciCallbacks(callback);
+ bt_hci_->initialize(callbacks);
+ }
+ }
+
+ void sendHciCommand(HciPacket command) override {
+ bt_hci_->sendHciCommand(command);
+ }
+
+ void sendAclData(HciPacket packet) override {
+ bt_hci_->sendAclData(packet);
+ }
+
+ void sendScoData(HciPacket packet) override {
+ bt_hci_->sendScoData(packet);
+ }
+
+ void close() override {
+ ASSERT(bt_hci_ != nullptr);
+ auto death_unlink = bt_hci_->unlinkToDeath(bluetooth_hci_death_recipient_);
+ if (!death_unlink.isOk()) {
+ LOG_ERROR("Error unlinking death recipient from the Bluetooth HAL");
+ }
+ bt_hci_->close();
+ bt_hci_ = nullptr;
+ }
+
+ private:
+ android::sp<IBluetoothHci> bt_hci_;
+};
+
+BluetoothHciHal* GetBluetoothHciHal() {
+ static auto* instance = new BluetoothHciHalHidl;
+ return instance;
+}
+
+} // namespace hal
+} // namespace bluetooth
diff --git a/gd/hal/hci_hal_android_hidl_test.cc b/gd/hal/hci_hal_android_hidl_test.cc
new file mode 100644
index 0000000..ed0e924
--- /dev/null
+++ b/gd/hal/hci_hal_android_hidl_test.cc
@@ -0,0 +1,53 @@
+#include "hal/hci_hal.h"
+
+#include <chrono>
+#include <future>
+
+#include <gtest/gtest.h>
+
+namespace bluetooth {
+namespace hal {
+namespace {
+
+std::promise<void>* g_promise;
+
+class TestBluetoothHciHalCallbacks : public BluetoothHciHalCallbacks {
+ public:
+ void initializationComplete(Status status) override {
+ EXPECT_EQ(status, Status::SUCCESS);
+ g_promise->set_value();
+ }
+
+ void hciEventReceived(HciPacket) override {}
+
+ void aclDataReceived(HciPacket) override {}
+
+ void scoDataReceived(HciPacket) override {}
+};
+
+class HciHalHidlTest : public ::testing::Test {
+ protected:
+ void SetUp() override {
+ g_promise = new std::promise<void>;
+ hal_ = GetBluetoothHciHal();
+ hal_->initialize(&callbacks_);
+ }
+
+ void TearDown() override {
+ hal_->close();
+ hal_ = nullptr;
+ delete g_promise;
+ }
+
+ BluetoothHciHal* hal_ = nullptr;
+ TestBluetoothHciHalCallbacks callbacks_;
+};
+
+TEST_F(HciHalHidlTest, init_and_close) {
+ // Give a long timeout because this only checks HAL is initialized, not performance
+ auto wait_status = g_promise->get_future().wait_for(std::chrono::seconds(30));
+ EXPECT_EQ(wait_status, std::future_status::ready);
+}
+} // namespace
+} // namespace hal
+} // namespace bluetooth
diff --git a/stack/btm/ble_advertiser_hci_interface.cc b/stack/btm/ble_advertiser_hci_interface.cc
index baf70b5..dddf8d4 100644
--- a/stack/btm/ble_advertiser_hci_interface.cc
+++ b/stack/btm/ble_advertiser_hci_interface.cc
@@ -22,6 +22,7 @@
#include "btm_int_types.h"
#include "device/include/controller.h"
#include "hcidefs.h"
+#include "log/log.h"
#include <queue>
#include <utility>
@@ -164,6 +165,14 @@
uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN];
memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN);
+ if (data_length > BTM_BLE_AD_DATA_LEN) {
+ android_errorWriteLog(0x534e4554, "121145627");
+ LOG(ERROR) << __func__
+ << ": data_length=" << static_cast<int>(data_length)
+ << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN;
+ data_length = BTM_BLE_AD_DATA_LEN;
+ }
+
uint8_t* pp = param;
UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_ADV_DATA);
UINT8_TO_STREAM(pp, data_length);
@@ -183,6 +192,14 @@
uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN];
memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN);
+ if (scan_response_data_length > BTM_BLE_AD_DATA_LEN) {
+ android_errorWriteLog(0x534e4554, "121145627");
+ LOG(ERROR) << __func__ << ": scan_response_data_length="
+ << static_cast<int>(scan_response_data_length)
+ << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN;
+ scan_response_data_length = BTM_BLE_AD_DATA_LEN;
+ }
+
uint8_t* pp = param;
UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_SCAN_RSP_DATA);
UINT8_TO_STREAM(pp, scan_response_data_length);
@@ -374,6 +391,15 @@
uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1];
+ if (data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) {
+ android_errorWriteLog(0x534e4554, "121145627");
+ LOG(ERROR) << __func__
+ << ": data_length=" << static_cast<int>(data_length)
+ << ", is longer than size limit "
+ << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+ data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+ }
+
uint8_t* pp = param;
memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1);
UINT8_TO_STREAM(pp, data_length);
@@ -391,6 +417,15 @@
VLOG(1) << __func__;
uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1];
+ if (scan_response_data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) {
+ android_errorWriteLog(0x534e4554, "121145627");
+ LOG(ERROR) << __func__ << ": scan_response_data_length="
+ << static_cast<int>(scan_response_data_length)
+ << ", is longer than size limit "
+ << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+ scan_response_data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+ }
+
uint8_t* pp = param;
memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1);
UINT8_TO_STREAM(pp, scan_response_data_length);
diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc
index 78c7205..3f67876 100644
--- a/stack/btm/btm_ble.cc
+++ b/stack/btm/btm_ble.cc
@@ -39,6 +39,7 @@
#include "gap_api.h"
#include "gatt_api.h"
#include "hcimsgs.h"
+#include "log/log.h"
#include "l2c_int.h"
#include "osi/include/log.h"
#include "osi/include/osi.h"
@@ -1938,6 +1939,12 @@
}
if (event == SMP_COMPLT_EVT) {
+ p_dev_rec = btm_find_dev(bd_addr);
+ if (p_dev_rec == NULL) {
+ BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__);
+ android_errorWriteLog(0x534e4554, "120612744");
+ return 0;
+ }
BTM_TRACE_DEBUG(
"evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x",
p_data->cmplt.sec_level, p_dev_rec->sec_flags);
diff --git a/stack/l2cap/l2c_main.cc b/stack/l2cap/l2c_main.cc
index eae77a6..74e7135 100644
--- a/stack/l2cap/l2c_main.cc
+++ b/stack/l2cap/l2c_main.cc
@@ -455,19 +455,40 @@
switch (cfg_code & 0x7F) {
case L2CAP_CFG_TYPE_MTU:
cfg_info.mtu_present = true;
- if (p + 2 > p_next_cmd) return;
+ if (cfg_len != 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(cfg_info.mtu, p);
break;
case L2CAP_CFG_TYPE_FLUSH_TOUT:
cfg_info.flush_to_present = true;
- if (p + 2 > p_next_cmd) return;
+ if (cfg_len != 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(cfg_info.flush_to, p);
break;
case L2CAP_CFG_TYPE_QOS:
cfg_info.qos_present = true;
- if (p + 2 + 5 * 4 > p_next_cmd) return;
+ if (cfg_len != 2 + 5 * 4) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.qos.qos_flags, p);
STREAM_TO_UINT8(cfg_info.qos.service_type, p);
STREAM_TO_UINT32(cfg_info.qos.token_rate, p);
@@ -479,7 +500,14 @@
case L2CAP_CFG_TYPE_FCR:
cfg_info.fcr_present = true;
- if (p + 3 + 3 * 2 > p_next_cmd) return;
+ if (cfg_len != 3 + 3 * 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.fcr.mode, p);
STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p);
STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p);
@@ -490,13 +518,27 @@
case L2CAP_CFG_TYPE_FCS:
cfg_info.fcs_present = true;
- if (p + 1 > p_next_cmd) return;
+ if (cfg_len != 1) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.fcs, p);
break;
case L2CAP_CFG_TYPE_EXT_FLOW:
cfg_info.ext_flow_spec_present = true;
- if (p + 2 + 2 + 3 * 4 > p_next_cmd) return;
+ if (cfg_len != 2 + 2 + 3 * 4) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p);
STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p);
STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p);
diff --git a/stack/l2cap/l2c_utils.cc b/stack/l2cap/l2c_utils.cc
index 4f4a48e..448acaa 100644
--- a/stack/l2cap/l2c_utils.cc
+++ b/stack/l2cap/l2c_utils.cc
@@ -789,6 +789,9 @@
case L2CAP_CFG_TYPE_MTU:
case L2CAP_CFG_TYPE_FLUSH_TOUT:
case L2CAP_CFG_TYPE_QOS:
+ case L2CAP_CFG_TYPE_FCR:
+ case L2CAP_CFG_TYPE_FCS:
+ case L2CAP_CFG_TYPE_EXT_FLOW:
p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
break;
diff --git a/test/gen_coverage.py b/test/gen_coverage.py
index 3697c37..c699d3b 100755
--- a/test/gen_coverage.py
+++ b/test/gen_coverage.py
@@ -89,7 +89,7 @@
WORKING_DIR = '/tmp/coverage'
SOONG_UI_BASH = 'build/soong/soong_ui.bash'
-LLVM_DIR = 'prebuilts/clang/host/linux-x86/clang-r328903/bin'
+LLVM_DIR = 'prebuilts/clang/host/linux-x86/clang-r353983b/bin'
LLVM_MERGE = LLVM_DIR + '/llvm-profdata'
LLVM_COV = LLVM_DIR + '/llvm-cov'
