system/bt
| Revisão | 246034af8b438e77c78ef242335902430bc9309d (tree) |
|---|---|
| Hora | 2019-11-23 04:29:14 |
| Autor | Adam Seaton <aseaton@goog...> |
| Commiter | Adam Seaton |
Revert "Fix potential OOB write in btm_read_remote_ext_features_complete"
This reverts commit 33a71f2955f1254d2f96fd4a4d16d44463a21423.
Reason for revert: reverting due to functional regressions in Auto.
Bug: 144205318
Change-Id: I6e1d62f370fc910e91c0919dcb3f37fa2f3c7bf5
stack/btm/btm_acl.cc (diff)
stack/btm/btm_int.h (diff) stack/btu/btu_hcif.cc (diff) stack/include/hcidefs.h (diff)| @@ -46,7 +46,6 @@ | ||
| 46 | 46 | #include "device/include/controller.h" |
| 47 | 47 | #include "hcidefs.h" |
| 48 | 48 | #include "hcimsgs.h" |
| 49 | -#include "log/log.h" | |
| 50 | 49 | #include "l2c_int.h" |
| 51 | 50 | #include "osi/include/osi.h" |
| 52 | 51 |
| @@ -1063,7 +1062,7 @@ void btm_read_remote_features_complete(uint8_t* p) { | ||
| 1063 | 1062 | * Returns void |
| 1064 | 1063 | * |
| 1065 | 1064 | ******************************************************************************/ |
| 1066 | -void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | |
| 1065 | +void btm_read_remote_ext_features_complete(uint8_t* p) { | |
| 1067 | 1066 | tACL_CONN* p_acl_cb; |
| 1068 | 1067 | uint8_t page_num, max_page; |
| 1069 | 1068 | uint16_t handle; |
| @@ -1071,14 +1070,6 @@ void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | ||
| 1071 | 1070 | |
| 1072 | 1071 | BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete"); |
| 1073 | 1072 | |
| 1074 | - if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) { | |
| 1075 | - android_errorWriteLog(0x534e4554, "141552859"); | |
| 1076 | - BTM_TRACE_ERROR( | |
| 1077 | - "btm_read_remote_ext_features_complete evt length too short. length=%d", | |
| 1078 | - evt_len); | |
| 1079 | - return; | |
| 1080 | - } | |
| 1081 | - | |
| 1082 | 1073 | ++p; |
| 1083 | 1074 | STREAM_TO_UINT16(handle, p); |
| 1084 | 1075 | STREAM_TO_UINT8(page_num, p); |
| @@ -1098,13 +1089,6 @@ void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | ||
| 1098 | 1089 | return; |
| 1099 | 1090 | } |
| 1100 | 1091 | |
| 1101 | - if (page_num > max_page) { | |
| 1102 | - android_errorWriteLog(0x534e4554, "141552859"); | |
| 1103 | - BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid", | |
| 1104 | - page_num); | |
| 1105 | - return; | |
| 1106 | - } | |
| 1107 | - | |
| 1108 | 1092 | p_acl_cb = &btm_cb.acl_db[acl_idx]; |
| 1109 | 1093 | |
| 1110 | 1094 | /* Copy the received features page */ |
| @@ -110,7 +110,7 @@ extern void btm_acl_encrypt_change(uint16_t handle, uint8_t status, | ||
| 110 | 110 | extern uint16_t btm_get_acl_disc_reason_code(void); |
| 111 | 111 | extern tBTM_STATUS btm_remove_acl(BD_ADDR bd_addr, tBT_TRANSPORT transport); |
| 112 | 112 | extern void btm_read_remote_features_complete(uint8_t* p); |
| 113 | -extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len); | |
| 113 | +extern void btm_read_remote_ext_features_complete(uint8_t* p); | |
| 114 | 114 | extern void btm_read_remote_ext_features_failed(uint8_t status, |
| 115 | 115 | uint16_t handle); |
| 116 | 116 | extern void btm_read_remote_version_complete(uint8_t* p); |
| @@ -72,8 +72,7 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p); | ||
| 72 | 72 | static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len); |
| 73 | 73 | static void btu_hcif_encryption_change_evt(uint8_t* p); |
| 74 | 74 | static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p); |
| 75 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
| 76 | - uint8_t evt_len); | |
| 75 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p); | |
| 77 | 76 | static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p); |
| 78 | 77 | static void btu_hcif_qos_setup_comp_evt(uint8_t* p); |
| 79 | 78 | static void btu_hcif_command_complete_evt(BT_HDR* response, void* context); |
| @@ -185,7 +184,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) { | ||
| 185 | 184 | btu_hcif_read_rmt_features_comp_evt(p); |
| 186 | 185 | break; |
| 187 | 186 | case HCI_READ_RMT_EXT_FEATURES_COMP_EVT: |
| 188 | - btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len); | |
| 187 | + btu_hcif_read_rmt_ext_features_comp_evt(p); | |
| 189 | 188 | break; |
| 190 | 189 | case HCI_READ_RMT_VERSION_COMP_EVT: |
| 191 | 190 | btu_hcif_read_rmt_version_comp_evt(p); |
| @@ -801,8 +800,7 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) { | ||
| 801 | 800 | * Returns void |
| 802 | 801 | * |
| 803 | 802 | ******************************************************************************/ |
| 804 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
| 805 | - uint8_t evt_len) { | |
| 803 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) { | |
| 806 | 804 | uint8_t* p_cur = p; |
| 807 | 805 | uint8_t status; |
| 808 | 806 | uint16_t handle; |
| @@ -810,7 +808,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | ||
| 810 | 808 | STREAM_TO_UINT8(status, p_cur); |
| 811 | 809 | |
| 812 | 810 | if (status == HCI_SUCCESS) |
| 813 | - btm_read_remote_ext_features_complete(p, evt_len); | |
| 811 | + btm_read_remote_ext_features_complete(p); | |
| 814 | 812 | else { |
| 815 | 813 | STREAM_TO_UINT16(handle, p_cur); |
| 816 | 814 | btm_read_remote_ext_features_failed(status, handle); |
| @@ -1567,8 +1567,6 @@ typedef struct { | ||
| 1567 | 1567 | |
| 1568 | 1568 | #define HCI_FEATURE_BYTES_PER_PAGE 8 |
| 1569 | 1569 | |
| 1570 | -#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13 | |
| 1571 | - | |
| 1572 | 1570 | #define HCI_FEATURES_KNOWN(x) \ |
| 1573 | 1571 | (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0) |
| 1574 | 1572 |
Fork