Clarify naming for characteristic value handle
am: 1b53608403

Change-Id: I9d3aafaecfaf612180f9b592f376c5ecc7502bf3
diff --git a/system/bta/pan/bta_pan_act.cc b/system/bta/pan/bta_pan_act.cc
index 64f3be2..f5c5473 100644
--- a/system/bta/pan/bta_pan_act.cc
+++ b/system/bta/pan/bta_pan_act.cc
@@ -28,6 +28,8 @@
 
 #include <string.h>
 
+#include <cutils/log.h>
+
 #include "bt_common.h"
 #include "bta_api.h"
 #include "bta_pan_api.h"
@@ -174,6 +176,14 @@
 
   if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
     /* offset smaller than data structure in front of actual data */
+    if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
+        PAN_BUF_SIZE) {
+      android_errorWriteLog(0x534e4554, "63146237");
+      APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
+                       p_buf->len);
+      osi_free(p_buf);
+      return;
+    }
     p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);
     memcpy((uint8_t*)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
            (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
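Review bot: The bound on L22-L23 carries no comment explaining its arithmetic, so a reader has to reconstruct from L30-L32 that the new buffer holds a BT_HDR, then a tBTA_PAN_DATA_PARAMS, then the p_buf->len payload copied by the memcpy. A one-line comment above the check would make the invariant checkable at a glance: `/* p_new_buf (PAN_BUF_SIZE bytes) must hold BT_HDR + tBTA_PAN_DATA_PARAMS + the p_buf->len payload copied below */`. The enclosing function starts and ends outside the hunk, so it is not visible whether the normal path also releases p_buf after copying; the early-return osi_free on L27 is only consistent if it does.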
diff --git a/system/btif/src/btif_hf.cc b/system/btif/src/btif_hf.cc
index 1076006..ed713bf 100644
--- a/system/btif/src/btif_hf.cc
+++ b/system/btif/src/btif_hf.cc
@@ -660,7 +660,7 @@
 static bool inband_ringing_property_enabled() {
   char inband_ringing_flag[PROPERTY_VALUE_MAX] = {0};
   osi_property_get("persist.bluetooth.enableinbandringing", inband_ringing_flag,
-                   "false");
+                   "true");
   if (strncmp(inband_ringing_flag, "true", 4) == 0) {
     BTIF_TRACE_DEBUG("%s: In-band ringing enabled by property", __func__);
     return true;
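Review bot: The default passed to osi_property_get on L42 flips from "false" to "true", which changes runtime behaviour on every device that has not set persist.bluetooth.enableinbandringing, yet neither the commit message nor the hunk says why. A comment on the call would record the intent for the next reader: `// In-band ringing is enabled unless the property explicitly turns it off`. The rest of inband_ringing_property_enabled lies outside the hunk.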
diff --git a/system/btif/src/btif_sdp_server.cc b/system/btif/src/btif_sdp_server.cc
index a9d2dd9..9263574 100644
--- a/system/btif/src/btif_sdp_server.cc
+++ b/system/btif/src/btif_sdp_server.cc
@@ -214,7 +214,8 @@
 static int free_sdp_slot(int id) {
   int handle = -1;
   bluetooth_sdp_record* record = NULL;
-  if (id >= MAX_SDP_SLOTS) {
+  if (id < 0 || id >= MAX_SDP_SLOTS) {
+    android_errorWriteLog(0x534e4554, "37502513");
     APPL_TRACE_ERROR("%s() failed - id %d is invalid", __func__, id);
     return handle;
   }
diff --git a/system/device/include/interop_database.h b/system/device/include/interop_database.h
index 0146675..38c3a24 100644
--- a/system/device/include/interop_database.h
+++ b/system/device/include/interop_database.h
@@ -117,9 +117,6 @@
     // Unknown keyboard (carried over from auto_pair_devlist.conf)
     {{{0x00, 0x0F, 0xF6, 0, 0, 0}}, 3, INTEROP_KEYBOARD_REQUIRES_FIXED_PIN},
 
-    // Kinivo BTC-450 - volume is erratic when using Absolute Volume
-    {{{0x00, 0x18, 0x91, 0, 0, 0}}, 3, INTEROP_DISABLE_ABSOLUTE_VOLUME},
-
     // Kenwood KMM-BT518HD - no audio when A2DP codec sample rate is changed
     {{{0x00, 0x1d, 0x86, 0, 0, 0}}, 3, INTEROP_DISABLE_AVDTP_RECONFIGURE},
 
diff --git a/system/stack/avdt/avdt_api.cc b/system/stack/avdt/avdt_api.cc
index 3f738fb..75c1de7 100644
--- a/system/stack/avdt/avdt_api.cc
+++ b/system/stack/avdt/avdt_api.cc
@@ -1153,7 +1153,7 @@
     /* build SR - assume fit in one packet */
     p_tbl = avdt_ad_tc_tbl_by_type(AVDT_CHAN_REPORT, p_scb->p_ccb, p_scb);
     if (p_tbl->state == AVDT_AD_ST_OPEN) {
-      BT_HDR* p_pkt = (BT_HDR*)osi_malloc(p_tbl->peer_mtu);
+      BT_HDR* p_pkt = (BT_HDR*)osi_malloc(p_tbl->peer_mtu + sizeof(BT_HDR));
 
       p_pkt->offset = L2CAP_MIN_OFFSET;
       p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
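Review bot: The allocation on L83 reserves peer_mtu plus the BT_HDR, but L85 sets p_pkt->offset to L2CAP_MIN_OFFSET and L86 starts writing at data + offset, so the payload space that actually remains is peer_mtu minus L2CAP_MIN_OFFSET bytes while the comment on L79 ("assume fit in one packet") gives no bound on what is written. Compare l2cap_client.cc in this same commit, which adds L2CAP_MIN_OFFSET as well as sizeof(BT_HDR) to its allocations; the same shape here would be `osi_malloc(p_tbl->peer_mtu + L2CAP_MIN_OFFSET + sizeof(BT_HDR))`. The three mca_cact.cc hunks (MCA_CTRL_MTU + sizeof(BT_HDR), then offset = L2CAP_MIN_OFFSET) raise the same question. Whether the report actually fits cannot be decided from the hunk, since the write loop lies outside it.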
diff --git a/system/stack/bnep/bnep_main.cc b/system/stack/bnep/bnep_main.cc
index 246d5c0..a22fb33 100644
--- a/system/stack/bnep/bnep_main.cc
+++ b/system/stack/bnep/bnep_main.cc
@@ -521,7 +521,8 @@
       if (ctrl_type == BNEP_SETUP_CONNECTION_REQUEST_MSG &&
           p_bcb->con_state != BNEP_STATE_CONNECTED && extension_present && p &&
           rem_len) {
-        p_bcb->p_pending_data = (BT_HDR*)osi_malloc(rem_len);
+        osi_free(p_bcb->p_pending_data);
+        p_bcb->p_pending_data = (BT_HDR*)osi_malloc(rem_len + sizeof(BT_HDR));
         memcpy((uint8_t*)(p_bcb->p_pending_data + 1), p, rem_len);
         p_bcb->p_pending_data->len = rem_len;
         p_bcb->p_pending_data->offset = 0;
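Review bot: The osi_free on L96 silently discards any earlier pending setup request without a comment, so a reader cannot tell whether replacing it is intended or whether a second request arriving while one is buffered should be treated as a protocol error. A one-line comment would settle it: `/* A repeated setup request replaces any buffered one; free the old buffer so it is not leaked */`. The enclosing function continues outside the hunk.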
diff --git a/system/stack/bnep/bnep_utils.cc b/system/stack/bnep/bnep_utils.cc
index 070f275..f1465db 100644
--- a/system/stack/bnep/bnep_utils.cc
+++ b/system/stack/bnep/bnep_utils.cc
@@ -143,7 +143,7 @@
 
   /* Drop any response pointer we may be holding */
   p_bcb->con_state = BNEP_STATE_IDLE;
-  p_bcb->p_pending_data = NULL;
+  osi_free_and_reset((void**)&p_bcb->p_pending_data);
 
   /* Free transmit queue */
   while (!fixed_queue_is_empty(p_bcb->xmit_q)) {
@@ -720,26 +720,41 @@
 uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
                                      uint16_t* rem_len, bool is_ext) {
   uint8_t control_type;
-  bool bad_pkt = false;
   uint16_t len, ext_len = 0;
-  uint16_t rem_len_prev = *rem_len;
+
+  if (p == NULL || rem_len == NULL) {
+    if (rem_len != NULL) *rem_len = 0;
+    BNEP_TRACE_DEBUG("%s: invalid packet: p = %p rem_len = %p", __func__, p,
+                     rem_len);
+    return NULL;
+  }
+  uint16_t rem_len_orig = *rem_len;
 
   if (is_ext) {
+    if (*rem_len < 1) goto bad_packet_length;
     ext_len = *p++;
     *rem_len = *rem_len - 1;
   }
 
+  if (*rem_len < 1) goto bad_packet_length;
   control_type = *p++;
   *rem_len = *rem_len - 1;
 
   BNEP_TRACE_EVENT(
-      "BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d",
-      *rem_len, is_ext, control_type);
+      "%s: BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d",
+      __func__, *rem_len, is_ext, control_type);
 
   switch (control_type) {
     case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD:
-      BNEP_TRACE_ERROR("BNEP Received Cmd not understood for ctl pkt type: %d",
-                       *p);
+      if (*rem_len < 1) {
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD with bad length",
+            __func__);
+        goto bad_packet_length;
+      }
+      BNEP_TRACE_ERROR(
+          "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD for pkt type: %d",
+          __func__, *p);
       p++;
       *rem_len = *rem_len - 1;
       break;
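Review bot: The new argument guard on L122-L127 writes the raw values of p and rem_len to the debug trace with `%p`, which puts heap and stack addresses into the log for no diagnostic gain since the only useful fact is that an argument was NULL. A message without the addresses is enough: `BNEP_TRACE_DEBUG("%s: invalid packet: null argument", __func__);`. The length checks added on L131 and L136 before each byte is consumed are the right shape and are what the remaining cases of this switch should follow.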
@@ -747,9 +762,10 @@
     case BNEP_SETUP_CONNECTION_REQUEST_MSG:
       len = *p++;
       if (*rem_len < ((2 * len) + 1)) {
-        bad_pkt = true;
-        BNEP_TRACE_ERROR("BNEP Received Setup message with bad length");
-        break;
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
+            __func__);
+        goto bad_packet_length;
       }
       if (!is_ext) bnep_process_setup_conn_req(p_bcb, p, (uint8_t)len);
       p += (2 * len);
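Review bot: `len = *p++;` on L164 reads the length byte before anything confirms that at least one byte remains, so when *rem_len is already 0 the read on L164 is one byte past the control data; the check on L165 then rejects the packet, but only after the over-read. The other length-prefixed cases have the same ordering: `BE_STREAM_TO_UINT16(len, p)` on L191 and L218 consumes two bytes before the `*rem_len < (len + 2)` checks on L192 and L219. A guard before each read, `if (*rem_len < 1) goto bad_packet_length;` here and `if (*rem_len < 2) goto bad_packet_length;` before the two BE_STREAM_TO_UINT16 reads, closes the gap in the same style as the checks this commit adds for the response messages.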
@@ -757,6 +773,12 @@
       break;
 
     case BNEP_SETUP_CONNECTION_RESPONSE_MSG:
+      if (*rem_len < 2) {
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_SETUP_CONNECTION_RESPONSE_MSG with bad length",
+            __func__);
+        goto bad_packet_length;
+      }
       if (!is_ext) bnep_process_setup_conn_responce(p_bcb, p);
       p += 2;
       *rem_len = *rem_len - 2;
@@ -765,9 +787,10 @@
     case BNEP_FILTER_NET_TYPE_SET_MSG:
       BE_STREAM_TO_UINT16(len, p);
       if (*rem_len < (len + 2)) {
-        bad_pkt = true;
-        BNEP_TRACE_ERROR("BNEP Received Filter set message with bad length");
-        break;
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
+            __func__);
+        goto bad_packet_length;
       }
       bnepu_process_peer_filter_set(p_bcb, p, len);
       p += len;
@@ -775,6 +798,12 @@
       break;
 
     case BNEP_FILTER_NET_TYPE_RESPONSE_MSG:
+      if (*rem_len < 2) {
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_FILTER_NET_TYPE_RESPONSE_MSG with bad length",
+            __func__);
+        goto bad_packet_length;
+      }
       bnepu_process_peer_filter_rsp(p_bcb, p);
       p += 2;
       *rem_len = *rem_len - 2;
@@ -783,10 +812,10 @@
     case BNEP_FILTER_MULTI_ADDR_SET_MSG:
       BE_STREAM_TO_UINT16(len, p);
       if (*rem_len < (len + 2)) {
-        bad_pkt = true;
         BNEP_TRACE_ERROR(
-            "BNEP Received Multicast Filter Set message with bad length");
-        break;
+            "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
+            __func__);
+        goto bad_packet_length;
       }
       bnepu_process_peer_multicast_filter_set(p_bcb, p, len);
       p += len;
@@ -794,28 +823,37 @@
       break;
 
     case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG:
+      if (*rem_len < 2) {
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG with bad length",
+            __func__);
+        goto bad_packet_length;
+      }
       bnepu_process_multicast_filter_rsp(p_bcb, p);
       p += 2;
       *rem_len = *rem_len - 2;
       break;
 
     default:
-      BNEP_TRACE_ERROR("BNEP - bad ctl pkt type: %d", control_type);
+      BNEP_TRACE_ERROR("%s: BNEP - bad ctl pkt type: %d", __func__,
+                       control_type);
       bnep_send_command_not_understood(p_bcb, control_type);
-      if (is_ext) {
+      if (is_ext && (ext_len > 0)) {
+        if (*rem_len < (ext_len - 1)) {
+          goto bad_packet_length;
+        }
         p += (ext_len - 1);
         *rem_len -= (ext_len - 1);
       }
       break;
   }
-
-  if (bad_pkt || *rem_len > rem_len_prev) {
-    BNEP_TRACE_ERROR("BNEP - bad ctl pkt length: %d", *rem_len);
-    *rem_len = 0;
-    return NULL;
-  }
-
   return p;
+
+bad_packet_length:
+  BNEP_TRACE_ERROR("%s: bad control packet length: original=%d remaining=%d",
+                   __func__, rem_len_orig, *rem_len);
+  *rem_len = 0;
+  return NULL;
 }
 
 /*******************************************************************************
diff --git a/system/stack/l2cap/l2cap_client.cc b/system/stack/l2cap/l2cap_client.cc
index aa43598..6ccf8c5 100644
--- a/system/stack/l2cap/l2cap_client.cc
+++ b/system/stack/l2cap/l2cap_client.cc
@@ -391,7 +391,7 @@
 
   // TODO(sharvil): eliminate copy into BT_HDR.
   BT_HDR* bt_packet = static_cast<BT_HDR*>(
-      osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET));
+      osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET + sizeof(BT_HDR)));
   bt_packet->offset = L2CAP_MIN_OFFSET;
   bt_packet->len = buffer_length(packet);
   memcpy(bt_packet->data + bt_packet->offset, buffer_ptr(packet),
@@ -406,8 +406,8 @@
       break;
     }
 
-    BT_HDR* fragment =
-        static_cast<BT_HDR*>(osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET));
+    BT_HDR* fragment = static_cast<BT_HDR*>(
+        osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET + sizeof(BT_HDR)));
     fragment->offset = L2CAP_MIN_OFFSET;
     fragment->len = client->remote_mtu;
     memcpy(fragment->data + fragment->offset,
diff --git a/system/stack/mcap/mca_cact.cc b/system/stack/mcap/mca_cact.cc
index 754c297..f0759ac 100644
--- a/system/stack/mcap/mca_cact.cc
+++ b/system/stack/mcap/mca_cact.cc
@@ -115,7 +115,7 @@
   if ((!p_ccb->p_tx_req) || is_abort) {
     p_ccb->p_tx_req = p_msg;
     if (!p_ccb->cong) {
-      BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU);
+      BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
 
       p_pkt->offset = L2CAP_MIN_OFFSET;
       p = p_start = (uint8_t*)(p_pkt + 1) + L2CAP_MIN_OFFSET;
@@ -152,7 +152,7 @@
 void mca_ccb_snd_rsp(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
   tMCA_CCB_MSG* p_msg = (tMCA_CCB_MSG*)p_data;
   uint8_t *p, *p_start;
-  BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU);
+  BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
 
   MCA_TRACE_DEBUG("%s cong=%d req=%d", __func__, p_ccb->cong, p_msg->op_code);
   /* assume that API functions verified the parameters */
@@ -365,7 +365,7 @@
   if (((reject_code != MCA_RSP_SUCCESS) &&
        (evt_data.hdr.op_code != MCA_OP_SYNC_INFO_IND)) ||
       send_rsp) {
-    BT_HDR* p_buf = (BT_HDR*)osi_malloc(MCA_CTRL_MTU);
+    BT_HDR* p_buf = (BT_HDR*)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR));
     p_buf->offset = L2CAP_MIN_OFFSET;
     p = p_start = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
     *p++ = reject_opcode;
diff --git a/system/stack/pan/pan_main.cc b/system/stack/pan/pan_main.cc
index 61ea846..caab241 100644
--- a/system/stack/pan/pan_main.cc
+++ b/system/stack/pan/pan_main.cc
@@ -148,6 +148,38 @@
     return;
   }
 
+  /* Check for valid interactions between the three PAN profile roles */
+  /*
+   * For reference, see Table 1 in PAN Profile v1.0 spec.
+   * Note: the remote is the initiator.
+   */
+  bool is_valid_interaction = false;
+  switch (remote_uuid16) {
+    case UUID_SERVCLASS_NAP:
+    case UUID_SERVCLASS_GN:
+      if (local_uuid16 == UUID_SERVCLASS_PANU) is_valid_interaction = true;
+      break;
+    case UUID_SERVCLASS_PANU:
+      is_valid_interaction = true;
+      break;
+  }
+  /*
+   * Explicitly disable connections to the local PANU if the remote is
+   * not PANU.
+   */
+  if ((local_uuid16 == UUID_SERVCLASS_PANU) &&
+      (remote_uuid16 != UUID_SERVCLASS_PANU)) {
+    is_valid_interaction = false;
+  }
+  if (!is_valid_interaction) {
+    PAN_TRACE_ERROR(
+        "PAN Connection failed because of invalid PAN profile roles "
+        "interaction: Remote UUID 0x%x Local UUID 0x%x",
+        remote_uuid16, local_uuid16);
+    BNEP_ConnectResp(handle, BNEP_CONN_FAILED_SRC_UUID);
+    return;
+  }
+
   uint8_t req_role;
   /* Requested destination role is */
   if (local_uuid16 == UUID_SERVCLASS_PANU)
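Review bot: The switch on L346-L354 and the override on L359-L362 together reduce to `remote_uuid16 == UUID_SERVCLASS_PANU`: the NAP/GN arm sets is_valid_interaction only when the local role is PANU, and the override then clears exactly that case, so the NAP/GN arm is dead and the Table 1 reference on L342 describes a rule the code no longer applies. Either collapse both blocks to `bool is_valid_interaction = (remote_uuid16 == UUID_SERVCLASS_PANU);` with a comment stating that NAP/GN-initiated connections to a local PANU are deliberately refused, or keep the table logic and drop the override. Independently, the switch has no `default:` arm; adding `default: break;` makes the "anything else is invalid" outcome explicit rather than implied by the initialiser on L345.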
diff --git a/system/stack/sdp/sdp_server.cc b/system/stack/sdp/sdp_server.cc
index fe2df6b..9b5fad1 100644
--- a/system/stack/sdp/sdp_server.cc
+++ b/system/stack/sdp/sdp_server.cc
@@ -216,7 +216,7 @@
     }
     BE_STREAM_TO_UINT16(cont_offset, p_req);
 
-    if (cont_offset != p_ccb->cont_offset) {
+    if (cont_offset != p_ccb->cont_offset || num_rsp_handles < cont_offset) {
       sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
                               SDP_TEXT_BAD_CONT_INX);
       return;
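Review bot: The new `num_rsp_handles < cont_offset` on L384 still accepts cont_offset == num_rsp_handles, which leaves zero handles to send; whether the code after the hunk treats that as an empty final response or indexes the handle array at num_rsp_handles is not visible here and is worth confirming. A comment would also record what the check protects, since cont_offset comes straight from the peer's request on L381: `/* the peer's continuation offset must not exceed the handles collected for this transaction */`.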