Merge cherrypicks of ['ag/20614047', 'ag/20834832', 'ag/20857269', 'ag/20874088', 'ag/20857271'] into security-aosp-sc-release.
Change-Id: Ie0a6acd0615ffdd97e226a65ea49d1e4843a88e0
diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
index dcbb18a..771faa6 100644
--- a/bta/av/bta_av_act.cc
+++ b/bta/av/bta_av_act.cc
@@ -1975,8 +1975,23 @@
if (p_lcb) {
rc_handle = bta_av_rc_create(p_cb, AVCT_INT,
(uint8_t)(p_scb->hdi + 1), p_lcb->lidx);
- p_cb->rcb[rc_handle].peer_features = peer_features;
- p_cb->rcb[rc_handle].cover_art_psm = cover_art_psm;
+ if (rc_handle < BTA_AV_NUM_RCB) {
+ p_cb->rcb[rc_handle].peer_features = peer_features;
+ p_cb->rcb[rc_handle].cover_art_psm = cover_art_psm;
+ } else {
+ /* cannot create valid rc_handle for current device. report failure
+ */
+ APPL_TRACE_ERROR("%s: no link resources available", __func__);
+ p_scb->use_rc = false;
+ tBTA_AV_RC_OPEN rc_open;
+ rc_open.peer_addr = p_scb->PeerAddress();
+ rc_open.peer_features = 0;
+ rc_open.cover_art_psm = 0;
+ rc_open.status = BTA_AV_FAIL_RESOURCES;
+ tBTA_AV bta_av_data;
+ bta_av_data.rc_open = rc_open;
+ (*p_cb->p_cback)(BTA_AV_RC_OPEN_EVT, &bta_av_data);
+ }
} else {
APPL_TRACE_ERROR("%s: can not find LCB!!", __func__);
}
diff --git a/stack/a2dp/a2dp_sbc.cc b/stack/a2dp/a2dp_sbc.cc
index de55883..7abdc58 100644
--- a/stack/a2dp/a2dp_sbc.cc
+++ b/stack/a2dp/a2dp_sbc.cc
@@ -696,6 +696,11 @@
return false;
}
+ // there is a timestamp right following p_buf
+ if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) {
+ return false;
+ }
+
p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;
uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset;
p_buf->len += A2DP_SBC_MPL_HDR_LEN;
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index cb5c138..174c9ce 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -585,7 +585,8 @@
VLOG(1) << StringPrintf("value resp op_code = %s len = %d",
gatt_dbg_op_name(op_code), len);
- if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
+ if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
+ len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
LOG(ERROR) << "illegal prepare write response length, discard";
gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
return;
@@ -594,7 +595,7 @@
STREAM_TO_UINT16(value.handle, p);
STREAM_TO_UINT16(value.offset, p);
- value.len = len - 4;
+ value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
memcpy(value.value, p, value.len);
diff --git a/stack/sdp/sdp_db.cc b/stack/sdp/sdp_db.cc
index 2b258d2..d64a647 100644
--- a/stack/sdp/sdp_db.cc
+++ b/stack/sdp/sdp_db.cc
@@ -349,6 +349,11 @@
uint16_t xx, yy, zz;
tSDP_RECORD* p_rec = &sdp_cb.server_db.record[0];
+ if (p_val == nullptr) {
+ SDP_TRACE_WARNING("Trying to add attribute with p_val == nullptr, skipped");
+ return (false);
+ }
+
if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG) {
if ((attr_type == UINT_DESC_TYPE) ||
(attr_type == TWO_COMP_INT_DESC_TYPE) ||
@@ -396,6 +401,13 @@
if (p_rec->record_handle == handle) {
tSDP_ATTRIBUTE* p_attr = &p_rec->attribute[0];
+ // error out early, no need to look up
+ if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) {
+ SDP_TRACE_ERROR("the free pad for SDP record with handle %d is "
+ "full, skip adding the attribute", handle);
+ return (false);
+ }
+
/* Found the record. Now, see if the attribute already exists */
for (xx = 0; xx < p_rec->num_attributes; xx++, p_attr++) {
/* The attribute exists. replace it */
@@ -435,15 +447,13 @@
attr_len = 0;
}
- if ((attr_len > 0) && (p_val != 0)) {
+ if (attr_len > 0) {
p_attr->len = attr_len;
memcpy(&p_rec->attr_pad[p_rec->free_pad_ptr], p_val, (size_t)attr_len);
p_attr->value_ptr = &p_rec->attr_pad[p_rec->free_pad_ptr];
p_rec->free_pad_ptr += attr_len;
- } else if ((attr_len == 0 &&
- p_attr->len !=
- 0) || /* if truncate to 0 length, simply don't add */
- p_val == 0) {
+ } else if (attr_len == 0 && p_attr->len != 0) {
+ /* if truncate to 0 length, simply don't add */
SDP_TRACE_ERROR(
"SDP_AddAttribute fail, length exceed maximum: ID %d: attr_len:%d ",
attr_id, attr_len);