Revisão | 8d930b9143c201787699beb7be0b47fd66699db7 (tree) |
Hora | 2020-03-16 19:40:40 |
Autor | Chih-Wei Huang <cwhuang@linu...> |
Commiter | Chih-Wei Huang |
Merge tag 'android-8.1.0_r74' into oreo-x86
Android 8.1.0 release 74
@@ -87,7 +87,9 @@ void device_class_from_int(bt_device_class_t* dc, int data) { | ||
87 | 87 | int device_class_to_int(const bt_device_class_t* dc) { |
88 | 88 | CHECK(dc != NULL); |
89 | 89 | // Careful with endianess. |
90 | - return (int)(le32toh(*(int*)dc) & 0xffffff); | |
90 | + int val = 0; | |
91 | + memcpy(&val, dc, sizeof(*dc)); | |
92 | + return static_cast<int>(le32toh(val) & 0xffffff); | |
91 | 93 | } |
92 | 94 | |
93 | 95 | bool device_class_equals(const bt_device_class_t* p1, |
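Review bot: The memcpy at new line 91 copies sizeof(*dc) bytes into a 4-byte `int` with nothing tying the two sizes together; if bt_device_class_t ever grew past four bytes the copy would overrun `val`. A `static_assert(sizeof(*dc) <= sizeof(val), "device class must fit in val");` before the memcpy pins that down, and declaring `val` as `uint32_t` (as the test file now does) avoids handing a signed value to le32toh. The "Careful with endianess" comment at line 89 could also say why the copy exists: it replaces the old `*(int*)dc` read, which was both misaligned and a strict-aliasing violation.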
@@ -22,9 +22,6 @@ | ||
22 | 22 | |
23 | 23 | #include "btcore/include/device_class.h" |
24 | 24 | |
25 | -// Device Class is 3 bytes. | |
26 | -static const int DC_MASK = 0xffffff; | |
27 | - | |
28 | 25 | ::testing::AssertionResult check_bitfield(const char* m_expr, |
29 | 26 | const char* n_expr, int m, int n) { |
30 | 27 | if (m == n) return ::testing::AssertionSuccess(); |
@@ -84,8 +81,9 @@ TEST_F(DeviceClassTest, to_stream) { | ||
84 | 81 | int rc = device_class_to_stream(&dc, dc_stream1, sizeof(dc_stream1)); |
85 | 82 | EXPECT_EQ(3, rc); |
86 | 83 | |
87 | - uint32_t* val = (uint32_t*)&dc; | |
88 | - EXPECT_PRED_FORMAT2(check_bitfield, 0x00000000, *val & 0xffffff); | |
84 | + uint32_t val = 0; | |
85 | + memcpy(&val, &dc, sizeof(dc)); | |
86 | + EXPECT_PRED_FORMAT2(check_bitfield, 0x00000000, val); | |
89 | 87 | |
90 | 88 | EXPECT_PRED_FORMAT2(check_bitfield, 0x00, dc_stream1[0]); |
91 | 89 | EXPECT_PRED_FORMAT2(check_bitfield, 0x00, dc_stream1[1]); |
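Review bot: The comparison at new line 86 checks the raw bytes of `dc` against a host-order literal; the zero expectation here works anywhere, but the non-zero cases in the following hunks (`0x00aa55aa` at new line 104, `0x452301` at new line 122, `0x00002000` in limited_discoverable_mode) only hold on a little-endian host. The removed `*val & 0xffffff` carried the same assumption, so this is not a regression, but now that the read goes through memcpy it is cheap to make explicit: `EXPECT_PRED_FORMAT2(check_bitfield, 0x00aa55aa, le32toh(val));` (with the matching include), or failing that a one-line comment stating the test is little-endian only. The same applies to the three later hunks in this test file.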
@@ -101,8 +99,9 @@ TEST_F(DeviceClassTest, to_stream) { | ||
101 | 99 | |
102 | 100 | int rc = device_class_to_stream(&dc, dc_stream1, sizeof(dc_stream1)); |
103 | 101 | EXPECT_EQ(3, rc); |
104 | - uint32_t* val = (uint32_t*)&dc; | |
105 | - EXPECT_PRED_FORMAT2(check_bitfield, 0x00aa55aa, *val & 0xffffff); | |
102 | + uint32_t val = 0; | |
103 | + memcpy(&val, &dc, sizeof(dc)); | |
104 | + EXPECT_PRED_FORMAT2(check_bitfield, 0x00aa55aa, val); | |
106 | 105 | |
107 | 106 | EXPECT_PRED_FORMAT2(check_bitfield, 0xaa, dc_stream1[0]); |
108 | 107 | EXPECT_PRED_FORMAT2(check_bitfield, 0x55, dc_stream1[1]); |
@@ -118,8 +117,9 @@ TEST_F(DeviceClassTest, to_stream) { | ||
118 | 117 | |
119 | 118 | int rc = device_class_to_stream(&dc, dc_stream1, sizeof(dc_stream1)); |
120 | 119 | EXPECT_EQ(3, rc); |
121 | - uint32_t* val = (uint32_t*)&dc; | |
122 | - EXPECT_PRED_FORMAT2(check_bitfield, 0x452301, *val & 0xffffff); | |
120 | + uint32_t val = 0; | |
121 | + memcpy(&val, &dc, sizeof(dc)); | |
122 | + EXPECT_PRED_FORMAT2(check_bitfield, 0x452301, val); | |
123 | 123 | |
124 | 124 | EXPECT_PRED_FORMAT2(check_bitfield, 0x01, dc_stream1[0]); |
125 | 125 | EXPECT_PRED_FORMAT2(check_bitfield, 0x23, dc_stream1[1]); |
@@ -131,24 +131,33 @@ TEST_F(DeviceClassTest, limited_discoverable_mode) { | ||
131 | 131 | uint8_t dc_stream[] = {0x00, 0x00, 0x00}; |
132 | 132 | bt_device_class_t dc; |
133 | 133 | device_class_from_stream(&dc, dc_stream); |
134 | - uint32_t* test = (uint32_t*)&dc; | |
134 | + uint32_t test = 0; | |
135 | + memcpy(&test, &dc, sizeof(dc)); | |
135 | 136 | |
136 | 137 | EXPECT_FALSE(device_class_get_limited(&dc)); |
137 | - EXPECT_EQ((unsigned)0x00000000, *test & DC_MASK); | |
138 | + EXPECT_EQ((unsigned)0x00000000, test); | |
138 | 139 | |
139 | 140 | device_class_set_limited(&dc, true); |
141 | + test = 0; | |
142 | + memcpy(&test, &dc, sizeof(dc)); | |
140 | 143 | EXPECT_TRUE(device_class_get_limited(&dc)); |
141 | - EXPECT_EQ((unsigned)0x00002000, *test & DC_MASK); | |
144 | + EXPECT_EQ((unsigned)0x00002000, test); | |
142 | 145 | |
143 | 146 | device_class_set_limited(&dc, false); |
147 | + test = 0; | |
148 | + memcpy(&test, &dc, sizeof(dc)); | |
144 | 149 | EXPECT_FALSE(device_class_get_limited(&dc)); |
145 | - EXPECT_EQ((unsigned)0x00000000, *test & DC_MASK); | |
150 | + EXPECT_EQ((unsigned)0x00000000, test); | |
146 | 151 | |
147 | 152 | device_class_set_limited(&dc, true); |
148 | - EXPECT_PRED_FORMAT2(check_bitfield, 0x00002000, *test & DC_MASK); | |
153 | + test = 0; | |
154 | + memcpy(&test, &dc, sizeof(dc)); | |
155 | + EXPECT_PRED_FORMAT2(check_bitfield, 0x00002000, test); | |
149 | 156 | |
150 | 157 | device_class_set_limited(&dc, false); |
151 | - EXPECT_PRED_FORMAT2(check_bitfield, 0x00000000, *test & DC_MASK); | |
158 | + test = 0; | |
159 | + memcpy(&test, &dc, sizeof(dc)); | |
160 | + EXPECT_PRED_FORMAT2(check_bitfield, 0x00000000, test); | |
152 | 161 | } |
153 | 162 | |
154 | 163 | TEST_F(DeviceClassTest, equals) { |
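Review bot: The pair `test = 0; memcpy(&test, &dc, sizeof(dc));` is repeated five times in this hunk (new lines 134-135, 141-142, 147-148, 153-154, 158-159), which is the kind of copy that drifts when one instance is edited. A small helper in the test file, `static uint32_t dc_bits(const bt_device_class_t& dc) { uint32_t v = 0; memcpy(&v, &dc, sizeof(dc)); return v; }`, turns each into `EXPECT_EQ((unsigned)0x00002000, dc_bits(dc));` and drops the separate reset that the zero-initialised local makes unnecessary. The closing brace at new line 161 is inside the hunk, so the whole body is visible.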
@@ -100,7 +100,7 @@ void btif_dm_load_ble_local_keys(void); | ||
100 | 100 | void btif_dm_get_ble_local_keys(tBTA_DM_BLE_LOCAL_KEY_MASK* p_key_mask, |
101 | 101 | BT_OCTET16 er, |
102 | 102 | tBTA_BLE_LOCAL_ID_KEYS* p_id_keys); |
103 | -void btif_dm_save_ble_bonding_keys(void); | |
103 | +void btif_dm_save_ble_bonding_keys(RawAddress& bd_addr); | |
104 | 104 | void btif_dm_remove_ble_bonding_keys(void); |
105 | 105 | void btif_dm_ble_sec_req_evt(tBTA_DM_BLE_SEC_REQ* p_ble_req); |
106 | 106 |
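Review bot: The new parameter at new line 103 is a non-const `RawAddress&`, but the definition in the later hunk (new lines 2936-2941) only takes the address of `bd_addr` to pass it on and never modifies it, and the call site (new line 2863) passes a local. Unless btif_storage_add_ble_bonding_key needs a mutable pointer — its declaration is not visible here — the declaration should be `void btif_dm_save_ble_bonding_keys(const RawAddress& bd_addr);` so the signature documents that the address is read-only; the same change goes on the definition hunk.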
@@ -183,6 +183,7 @@ typedef struct { | ||
183 | 183 | #define BTA_SERVICE_ID_TO_SERVICE_MASK(id) (1 << (id)) |
184 | 184 | |
185 | 185 | #define UUID_HUMAN_INTERFACE_DEVICE "00001124-0000-1000-8000-00805f9b34fb" |
186 | +#define UUID_EMPTY "00000000-0000-0000-0000-000000000000" | |
186 | 187 | |
187 | 188 | #define MAX_BTIF_BOND_EVENT_ENTRIES 15 |
188 | 189 |
@@ -261,6 +262,11 @@ static bool is_empty_128bit(uint8_t* data) { | ||
261 | 262 | return !memcmp(zero, data, sizeof(zero)); |
262 | 263 | } |
263 | 264 | |
265 | +static bool is_bonding_or_sdp() { | |
266 | + return pairing_cb.state == BT_BOND_STATE_BONDING || | |
267 | + (pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts); | |
268 | +} | |
269 | + | |
264 | 270 | static void btif_dm_data_copy(uint16_t event, char* dst, char* src) { |
265 | 271 | tBTA_DM_SEC* dst_dm_sec = (tBTA_DM_SEC*)dst; |
266 | 272 | tBTA_DM_SEC* src_dm_sec = (tBTA_DM_SEC*)src; |
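Review bot: `is_bonding_or_sdp` at new lines 265-268 reads the file-global `pairing_cb` and replaces the `pairing_cb.state == BT_BOND_STATE_BONDING` checks in three later hunks, but carries no comment saying what the combined condition means. A one-line header, `// True while the current pairing is still in progress: either bonding itself or the post-bond SDP that keeps pairing_cb alive.`, spares the reader tracing bond_state_changed. For consistency with the new condition in bond_state_changed (new line 514), which spells it `pairing_cb.sdp_attempts > 0`, use the same comparison here.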
@@ -487,8 +493,6 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr, | ||
487 | 493 | bt_bond_state_t state) { |
488 | 494 | btif_stats_add_bond_event(bd_addr, BTIF_DM_FUNC_BOND_STATE_CHANGED, state); |
489 | 495 | |
490 | - // Send bonding state only once - based on outgoing/incoming we may receive | |
491 | - // duplicates | |
492 | 496 | if ((pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING)) { |
493 | 497 | // Cross key pairing so send callback for static address |
494 | 498 | if (!pairing_cb.static_bdaddr.IsEmpty()) { |
@@ -506,14 +510,13 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr, | ||
506 | 510 | auto tmp = bd_addr; |
507 | 511 | HAL_CBACK(bt_hal_cbacks, bond_state_changed_cb, status, &tmp, state); |
508 | 512 | |
509 | - if (state == BT_BOND_STATE_BONDING) { | |
513 | + if (state == BT_BOND_STATE_BONDING || | |
514 | + (state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts > 0)) { | |
515 | + // Save state for the device is bonding or SDP. | |
510 | 516 | pairing_cb.state = state; |
511 | 517 | pairing_cb.bd_addr = bd_addr; |
512 | 518 | } else { |
513 | - if (!pairing_cb.sdp_attempts) | |
514 | - memset(&pairing_cb, 0, sizeof(pairing_cb)); | |
515 | - else | |
516 | - BTIF_TRACE_DEBUG("%s: BR-EDR service discovery active", __func__); | |
519 | + pairing_cb = {}; | |
517 | 520 | } |
518 | 521 | } |
519 | 522 |
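Review bot: The condition at new lines 513-514 is the same predicate as the new `is_bonding_or_sdp()` helper but evaluated on the incoming `state` rather than `pairing_cb.state`, so the two copies must be kept in sync by hand. Giving the helper an explicit parameter, `static bool is_bonding_or_sdp_state(bt_bond_state_t s)`, and having the no-argument version call it with `pairing_cb.state` leaves one definition. The `else` branch now clears `pairing_cb` unconditionally where the old code kept it while `sdp_attempts` was set; the new comment at line 515 covers the if side only, so the else side deserves `// Not bonding and no SDP pending: drop the pairing context.` to record that this is intended. bond_state_changed starts and ends outside the hunk.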
@@ -947,21 +950,12 @@ static void btif_dm_ssp_cfm_req_evt(tBTA_DM_SP_CFM_REQ* p_ssp_cfm_req) { | ||
947 | 950 | |
948 | 951 | /* If JustWorks auto-accept */ |
949 | 952 | if (p_ssp_cfm_req->just_works) { |
950 | - /* Pairing consent for JustWorks needed if: | |
951 | - * 1. Incoming (non-temporary) pairing is detected AND | |
952 | - * 2. local IO capabilities are DisplayYesNo AND | |
953 | - * 3. remote IO capabiltiies are DisplayOnly or NoInputNoOutput; | |
953 | + /* Pairing consent for JustWorks NOT needed if: | |
954 | + * 1. Incoming temporary pairing is detected | |
954 | 955 | */ |
955 | - if (is_incoming && pairing_cb.bond_type != BOND_TYPE_TEMPORARY && | |
956 | - ((p_ssp_cfm_req->loc_io_caps == HCI_IO_CAP_DISPLAY_YESNO) && | |
957 | - (p_ssp_cfm_req->rmt_io_caps == HCI_IO_CAP_DISPLAY_ONLY || | |
958 | - p_ssp_cfm_req->rmt_io_caps == HCI_IO_CAP_NO_IO))) { | |
956 | + if (is_incoming && pairing_cb.bond_type == BOND_TYPE_TEMPORARY) { | |
959 | 957 | BTIF_TRACE_EVENT( |
960 | - "%s: User consent needed for incoming pairing request. loc_io_caps: " | |
961 | - "%d, rmt_io_caps: %d", | |
962 | - __func__, p_ssp_cfm_req->loc_io_caps, p_ssp_cfm_req->rmt_io_caps); | |
963 | - } else { | |
964 | - BTIF_TRACE_EVENT("%s: Auto-accept JustWorks pairing", __func__); | |
958 | + "%s: Auto-accept JustWorks pairing for temporary incoming", __func__); | |
965 | 959 | btif_dm_ssp_reply(&bd_addr, BT_SSP_VARIANT_CONSENT, true, 0); |
966 | 960 | return; |
967 | 961 | } |
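Review bot: The trace at new lines 957-958 no longer records `loc_io_caps`/`rmt_io_caps`, which the removed message did, so a log from the field will not show why a JustWorks request was auto-accepted rather than sent to the user. Keeping the capabilities in the auto-accept message, `"%s: Auto-accept JustWorks pairing for temporary incoming. loc_io_caps: %d, rmt_io_caps: %d"` with the two fields as arguments, preserves that diagnostic. The comment at new lines 953-955 would also read better if it stated the consequence: every other JustWorks request, incoming or outgoing, now continues past this block instead of being auto-accepted. btif_dm_ssp_cfm_req_evt continues outside the hunk, so the path those requests take is not visible here.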
@@ -1121,6 +1115,17 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) { | ||
1121 | 1115 | |
1122 | 1116 | /* Trigger SDP on the device */ |
1123 | 1117 | pairing_cb.sdp_attempts = 1; |
1118 | + | |
1119 | + if (is_crosskey) { | |
1120 | + // If bonding occurred due to cross-key pairing, send bonding callback | |
1121 | + // for static address now | |
1122 | + LOG_INFO(LOG_TAG, | |
1123 | + "%s: send bonding state update for static address %s", | |
1124 | + __func__, bd_addr.ToString().c_str()); | |
1125 | + bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDING); | |
1126 | + } | |
1127 | + bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED); | |
1128 | + | |
1124 | 1129 | btif_dm_get_remote_services(bd_addr); |
1125 | 1130 | } |
1126 | 1131 | } |
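Review bot: The new calls at new lines 1125 and 1127 depend on `pairing_cb.sdp_attempts = 1` at line 1117 having run first: bond_state_changed only keeps `pairing_cb` for a BONDED state when `sdp_attempts > 0` (new line 514 in its hunk), so reordering these lines would silently clear the pairing context before SDP starts. A comment above the BONDED call, `// sdp_attempts must already be set: bond_state_changed keeps pairing_cb for BONDED only while SDP is pending.`, protects that ordering. `is_crosskey` is defined outside the hunk, so its derivation is not checked here.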
@@ -1378,9 +1383,9 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) { | ||
1378 | 1383 | |
1379 | 1384 | BTIF_TRACE_DEBUG("%s:(result=0x%x, services 0x%x)", __func__, |
1380 | 1385 | p_data->disc_res.result, p_data->disc_res.services); |
1381 | - if ((p_data->disc_res.result != BTA_SUCCESS) && | |
1382 | - (pairing_cb.state == BT_BOND_STATE_BONDING) && | |
1383 | - (pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING)) { | |
1386 | + if (p_data->disc_res.result != BTA_SUCCESS && | |
1387 | + pairing_cb.state == BT_BOND_STATE_BONDED && | |
1388 | + pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING) { | |
1384 | 1389 | BTIF_TRACE_WARNING("%s:SDP failed after bonding re-attempting", |
1385 | 1390 | __func__); |
1386 | 1391 | pairing_cb.sdp_attempts++; |
@@ -1405,21 +1410,38 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) { | ||
1405 | 1410 | /* onUuidChanged requires getBondedDevices to be populated. |
1406 | 1411 | ** bond_state_changed needs to be sent prior to remote_device_property |
1407 | 1412 | */ |
1408 | - if ((pairing_cb.state == BT_BOND_STATE_BONDING) && | |
1413 | + if ((pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts) && | |
1409 | 1414 | (p_data->disc_res.bd_addr == pairing_cb.bd_addr || |
1410 | - p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) && | |
1411 | - pairing_cb.sdp_attempts > 0) { | |
1412 | - BTIF_TRACE_DEBUG( | |
1413 | - "%s Remote Service SDP done. Call bond_state_changed_cb BONDED", | |
1414 | - __func__); | |
1415 | + p_data->disc_res.bd_addr == pairing_cb.static_bdaddr)) { | |
1416 | + LOG_INFO(LOG_TAG, "%s: SDP search done for %s", __func__, | |
1417 | + bd_addr.ToString().c_str()); | |
1415 | 1418 | pairing_cb.sdp_attempts = 0; |
1416 | 1419 | |
1417 | - // If bonding occured due to cross-key pairing, send bonding callback | |
1418 | - // for static address now | |
1419 | - if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) | |
1420 | - bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDING); | |
1421 | - | |
1422 | - bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED); | |
1420 | + // Both SDP and bonding are done, clear pairing control block | |
1421 | + pairing_cb = {}; | |
1422 | + | |
1423 | + // Send one empty UUID to Java to unblock pairing intent when SDP failed | |
1424 | + // or no UUID is discovered | |
1425 | + if (p_data->disc_res.result != BTA_SUCCESS || | |
1426 | + p_data->disc_res.num_uuids == 0) { | |
1427 | + LOG_INFO(LOG_TAG, | |
1428 | + "%s: SDP failed, send empty UUID to unblock bonding %s", | |
1429 | + __func__, bd_addr.ToString().c_str()); | |
1430 | + bt_property_t prop; | |
1431 | + bt_uuid_t uuid = {}; | |
1432 | + char uuid_str[128] = UUID_EMPTY; | |
1433 | + | |
1434 | + string_to_uuid(uuid_str, &uuid); | |
1435 | + | |
1436 | + prop.type = BT_PROPERTY_UUIDS; | |
1437 | + prop.val = uuid.uu; | |
1438 | + prop.len = MAX_UUID_SIZE; | |
1439 | + | |
1440 | + /* Send the event to the BTIF */ | |
1441 | + HAL_CBACK(bt_hal_cbacks, remote_device_properties_cb, | |
1442 | + BT_STATUS_SUCCESS, &bd_addr, 1, &prop); | |
1443 | + break; | |
1444 | + } | |
1423 | 1445 | } |
1424 | 1446 | |
1425 | 1447 | if (p_data->disc_res.num_uuids != 0) { |
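Review bot: `bt_uuid_t uuid = {};` at new line 1431 already yields an all-zero UUID, so the 128-byte `uuid_str` buffer and the `string_to_uuid` call at lines 1432-1434 presumably round-trip the same zero bytes through a parser; unless string_to_uuid has a side effect not visible here, `uuid` can be used directly and the `UUID_EMPTY` macro dropped. If the string form is kept, size the buffer to the literal, `char uuid_str[] = UUID_EMPTY;`, rather than an arbitrary 128. `prop.val` points at the stack-local `uuid`, which is fine only because HAL_CBACK runs synchronously before the scope ends — worth a comment on line 1437, `// uuid lives on the stack; valid only for the synchronous callback below.` The `break` at line 1443 exits an enclosing loop or switch that starts outside the hunk.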
@@ -1629,7 +1651,7 @@ static void btif_dm_upstreams_evt(uint16_t event, char* p_param) { | ||
1629 | 1651 | break; |
1630 | 1652 | |
1631 | 1653 | case BTA_DM_BOND_CANCEL_CMPL_EVT: |
1632 | - if (pairing_cb.state == BT_BOND_STATE_BONDING) { | |
1654 | + if (is_bonding_or_sdp()) { | |
1633 | 1655 | bd_addr = pairing_cb.bd_addr; |
1634 | 1656 | btm_set_bond_type_dev(pairing_cb.bd_addr, BOND_TYPE_UNKNOWN); |
1635 | 1657 | bond_state_changed((bt_status_t)p_data->bond_cancel_cmpl.result, |
@@ -2277,7 +2299,7 @@ bt_status_t btif_dm_cancel_bond(const RawAddress* bd_addr) { | ||
2277 | 2299 | ** 1. Restore scan modes |
2278 | 2300 | ** 2. special handling for HID devices |
2279 | 2301 | */ |
2280 | - if (pairing_cb.state == BT_BOND_STATE_BONDING) { | |
2302 | + if (is_bonding_or_sdp()) { | |
2281 | 2303 | if (pairing_cb.is_ssp) { |
2282 | 2304 | if (pairing_cb.is_le_only) { |
2283 | 2305 | BTA_DmBleSecurityGrant(*bd_addr, BTA_DM_SEC_PAIR_NOT_SPT); |
@@ -2469,7 +2491,7 @@ bt_status_t btif_dm_get_remote_services(const RawAddress& remote_addr) { | ||
2469 | 2491 | |
2470 | 2492 | /******************************************************************************* |
2471 | 2493 | * |
2472 | - * Function btif_dm_get_remote_services_transport | |
2494 | + * Function btif_dm_get_remote_services_by_transport | |
2473 | 2495 | * |
2474 | 2496 | * Description Start SDP to get remote services by transport |
2475 | 2497 | * |
@@ -2838,7 +2860,7 @@ static void btif_dm_ble_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) { | ||
2838 | 2860 | btif_storage_remove_bonded_device(&bdaddr); |
2839 | 2861 | state = BT_BOND_STATE_NONE; |
2840 | 2862 | } else { |
2841 | - btif_dm_save_ble_bonding_keys(); | |
2863 | + btif_dm_save_ble_bonding_keys(bdaddr); | |
2842 | 2864 | BTA_GATTC_Refresh(bd_addr); |
2843 | 2865 | btif_dm_get_remote_services_by_transport(&bd_addr, BTA_GATT_TRANSPORT_LE); |
2844 | 2866 | } |
@@ -2861,6 +2883,10 @@ static void btif_dm_ble_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) { | ||
2861 | 2883 | break; |
2862 | 2884 | } |
2863 | 2885 | } |
2886 | + if (state == BT_BOND_STATE_BONDED && bd_addr != pairing_cb.static_bdaddr) { | |
2887 | + // Report RPA bonding state to Java in crosskey paring | |
2888 | + bond_state_changed(status, bd_addr, BT_BOND_STATE_BONDING); | |
2889 | + } | |
2864 | 2890 | bond_state_changed(status, bd_addr, state); |
2865 | 2891 | } |
2866 | 2892 |
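Review bot: The guard at new line 2886 fires the extra BONDING callback whenever `bd_addr` differs from `pairing_cb.static_bdaddr`, which is presumably also true for an ordinary LE bond where `static_bdaddr` was never set, so the comment's "in crosskey pairing" is narrower than the condition. If the callback is meant only for the cross-key case, tighten it to `if (state == BT_BOND_STATE_BONDED && !pairing_cb.static_bdaddr.IsEmpty() && bd_addr != pairing_cb.static_bdaddr) {`; if the unconditional BONDING report is intended, the comment should say so. The comment at line 2887 also misspells "pairing". btif_dm_ble_auth_cmpl_evt starts outside the hunk.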
@@ -2907,11 +2933,9 @@ void btif_dm_get_ble_local_keys(tBTA_DM_BLE_LOCAL_KEY_MASK* p_key_mask, | ||
2907 | 2933 | BTIF_TRACE_DEBUG("%s *p_key_mask=0x%02x", __func__, *p_key_mask); |
2908 | 2934 | } |
2909 | 2935 | |
2910 | -void btif_dm_save_ble_bonding_keys(void) { | |
2936 | +void btif_dm_save_ble_bonding_keys(RawAddress& bd_addr) { | |
2911 | 2937 | BTIF_TRACE_DEBUG("%s", __func__); |
2912 | 2938 | |
2913 | - RawAddress bd_addr = pairing_cb.bd_addr; | |
2914 | - | |
2915 | 2939 | if (pairing_cb.ble.is_penc_key_rcvd) { |
2916 | 2940 | btif_storage_add_ble_bonding_key(&bd_addr, (char*)&pairing_cb.ble.penc_key, |
2917 | 2941 | BTIF_DM_LE_KEY_PENC, |
@@ -3171,7 +3195,7 @@ bt_status_t btif_le_test_mode(uint16_t opcode, uint8_t* buf, uint8_t len) { | ||
3171 | 3195 | |
3172 | 3196 | void btif_dm_on_disable() { |
3173 | 3197 | /* cancel any pending pairing requests */ |
3174 | - if (pairing_cb.state == BT_BOND_STATE_BONDING) { | |
3198 | + if (is_bonding_or_sdp()) { | |
3175 | 3199 | BTIF_TRACE_DEBUG("%s: Cancel pending pairing request", __func__); |
3176 | 3200 | btif_dm_cancel_bond(&pairing_cb.bd_addr); |
3177 | 3201 | } |
@@ -212,7 +212,8 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) { | ||
212 | 212 | "%s got packet which would exceed expected length of %d. " |
213 | 213 | "Truncating.", |
214 | 214 | __func__, partial_packet->len); |
215 | - packet->len = partial_packet->len - partial_packet->offset; | |
215 | + packet->len = | |
216 | + (partial_packet->len - partial_packet->offset) + packet->offset; | |
216 | 217 | projected_offset = partial_packet->len; |
217 | 218 | } |
218 | 219 |
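Review bot: The corrected length at new lines 215-216 now includes `packet->offset`, i.e. `len` is measured from the start of the buffer rather than from the payload, but nothing on the line records that convention and the previous, wrong form looked equally plausible. A comment such as `// len counts from packet->data, so the header bytes in offset are part of the length.` stops it regressing. If these fields are the uint16_t members of BT_HDR, `partial_packet->len - partial_packet->offset` wraps when offset exceeds len; whether an earlier check rules that out is outside the hunk.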
@@ -188,8 +188,8 @@ void LowEnergyClient::MtuChangedCallback( | ||
188 | 188 | |
189 | 189 | if (!bda) return; |
190 | 190 | |
191 | - const char* addr = BtAddrString(bda).c_str(); | |
192 | - if (delegate_) delegate_->OnMtuChanged(this, status, addr, mtu); | |
191 | + std::string addr = BtAddrString(bda); | |
192 | + if (delegate_) delegate_->OnMtuChanged(this, status, addr.c_str(), mtu); | |
193 | 193 | } |
194 | 194 | |
195 | 195 | // LowEnergyClientFactory implementation |
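Review bot: The fix at new lines 191-192 keeps the std::string alive across the delegate call, which is the whole point, but the line gives no hint that the earlier `const char*` form dangled. A `const` on the local and a short why-comment, `// Keep the std::string alive for the call; c_str() of a temporary would dangle.` above `const std::string addr = BtAddrString(bda);`, lets the intent survive the next refactor. MtuChangedCallback starts outside the hunk.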
@@ -47,6 +47,7 @@ | ||
47 | 47 | #include "device/include/interop.h" |
48 | 48 | #include "hcidefs.h" |
49 | 49 | #include "hcimsgs.h" |
50 | +#include "log/log.h" | |
50 | 51 | #include "l2c_int.h" |
51 | 52 | #include "osi/include/osi.h" |
52 | 53 |
@@ -1062,7 +1063,7 @@ void btm_read_remote_features_complete(uint8_t* p) { | ||
1062 | 1063 | * Returns void |
1063 | 1064 | * |
1064 | 1065 | ******************************************************************************/ |
1065 | -void btm_read_remote_ext_features_complete(uint8_t* p) { | |
1066 | +void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | |
1066 | 1067 | tACL_CONN* p_acl_cb; |
1067 | 1068 | uint8_t page_num, max_page; |
1068 | 1069 | uint16_t handle; |
@@ -1070,6 +1071,14 @@ void btm_read_remote_ext_features_complete(uint8_t* p) { | ||
1070 | 1071 | |
1071 | 1072 | BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete"); |
1072 | 1073 | |
1074 | + if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) { | |
1075 | + android_errorWriteLog(0x534e4554, "141552859"); | |
1076 | + BTM_TRACE_ERROR( | |
1077 | + "btm_read_remote_ext_features_complete evt length too short. length=%d", | |
1078 | + evt_len); | |
1079 | + return; | |
1080 | + } | |
1081 | + | |
1073 | 1082 | ++p; |
1074 | 1083 | STREAM_TO_UINT16(handle, p); |
1075 | 1084 | STREAM_TO_UINT8(page_num, p); |
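Review bot: The length check at new lines 1074-1080 is the right guard, but the function banner that ends just above the signature in the previous hunk (lines 1063-1065, visible only as far as "Returns void") presumably lists the parameters and would then still describe the old list without `evt_len`. If so, add `* evt_len - total event length as received, counted from the status byte` to it. A comment next to the check, `// evt_len covers status, handle, page numbers and one feature page; the status byte is re-skipped by ++p below.`, also ties the constant to the `++p` at line 1082 and the parse that follows.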
@@ -1089,6 +1098,19 @@ void btm_read_remote_ext_features_complete(uint8_t* p) { | ||
1089 | 1098 | return; |
1090 | 1099 | } |
1091 | 1100 | |
1101 | + if (page_num > HCI_EXT_FEATURES_PAGE_MAX) { | |
1102 | + android_errorWriteLog(0x534e4554, "141552859"); | |
1103 | + BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid", | |
1104 | + page_num); | |
1105 | + return; | |
1106 | + } | |
1107 | + | |
1108 | + if (page_num > max_page) { | |
1109 | + BTM_TRACE_WARNING( | |
1110 | + "btm_read_remote_ext_features_complete num_page=%d, max_page=%d " | |
1111 | + "invalid", page_num, max_page); | |
1112 | + } | |
1113 | + | |
1092 | 1114 | p_acl_cb = &btm_cb.acl_db[acl_idx]; |
1093 | 1115 | |
1094 | 1116 | /* Copy the received features page */ |
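Review bot: The second check at new lines 1108-1112 only warns and then continues to copy the page, which is safe only because the earlier `page_num > HCI_EXT_FEATURES_PAGE_MAX` test at line 1101 already bounds the index; a reader may take the warning-only branch for an oversight. A comment, `// page_num is already bounded by HCI_EXT_FEATURES_PAGE_MAX above; a page beyond the peer's advertised max_page is suspicious but cannot overrun the page array.`, records why it does not return. The messages at lines 1103 and 1110 say `num_page` while the variable is `page_num`; matching the names keeps the log greppable.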
@@ -117,7 +117,7 @@ extern uint16_t btm_get_acl_disc_reason_code(void); | ||
117 | 117 | extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr, |
118 | 118 | tBT_TRANSPORT transport); |
119 | 119 | extern void btm_read_remote_features_complete(uint8_t* p); |
120 | -extern void btm_read_remote_ext_features_complete(uint8_t* p); | |
120 | +extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len); | |
121 | 121 | extern void btm_read_remote_ext_features_failed(uint8_t status, |
122 | 122 | uint16_t handle); |
123 | 123 | extern void btm_read_remote_version_complete(uint8_t* p); |
@@ -70,7 +70,8 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p); | ||
70 | 70 | static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len); |
71 | 71 | static void btu_hcif_encryption_change_evt(uint8_t* p); |
72 | 72 | static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p); |
73 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p); | |
73 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
74 | + uint8_t evt_len); | |
74 | 75 | static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p); |
75 | 76 | static void btu_hcif_qos_setup_comp_evt(uint8_t* p); |
76 | 77 | static void btu_hcif_command_complete_evt(BT_HDR* response, void* context); |
@@ -194,7 +195,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) { | ||
194 | 195 | btu_hcif_read_rmt_features_comp_evt(p); |
195 | 196 | break; |
196 | 197 | case HCI_READ_RMT_EXT_FEATURES_COMP_EVT: |
197 | - btu_hcif_read_rmt_ext_features_comp_evt(p); | |
198 | + btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len); | |
198 | 199 | break; |
199 | 200 | case HCI_READ_RMT_VERSION_COMP_EVT: |
200 | 201 | btu_hcif_read_rmt_version_comp_evt(p); |
@@ -791,7 +792,8 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) { | ||
791 | 792 | * Returns void |
792 | 793 | * |
793 | 794 | ******************************************************************************/ |
794 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) { | |
795 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
796 | + uint8_t evt_len) { | |
795 | 797 | uint8_t* p_cur = p; |
796 | 798 | uint8_t status; |
797 | 799 | uint16_t handle; |
@@ -799,7 +801,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) { | ||
799 | 801 | STREAM_TO_UINT8(status, p_cur); |
800 | 802 | |
801 | 803 | if (status == HCI_SUCCESS) |
802 | - btm_read_remote_ext_features_complete(p); | |
804 | + btm_read_remote_ext_features_complete(p, evt_len); | |
803 | 805 | else { |
804 | 806 | STREAM_TO_UINT16(handle, p_cur); |
805 | 807 | btm_read_remote_ext_features_failed(status, handle); |
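Review bot: At new line 804 the callee receives the original `p`, not `p_cur` which has already consumed the status byte, together with the full `evt_len`; that is consistent with btm_read_remote_ext_features_complete re-skipping the status with `++p` and checking `evt_len` against a threshold that includes it, but the pairing is easy to break if someone later "fixes" the call to pass `p_cur`. A comment on the call, `// Pass p (not p_cur): the callee re-reads from the status byte and evt_len counts it.`, pins the contract.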
@@ -1296,6 +1296,8 @@ typedef struct { | ||
1296 | 1296 | |
1297 | 1297 | #define HCI_FEATURE_BYTES_PER_PAGE 8 |
1298 | 1298 | |
1299 | +#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13 | |
1300 | + | |
1299 | 1301 | #define HCI_FEATURES_KNOWN(x) \ |
1300 | 1302 | (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0) |
1301 | 1303 |
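Review bot: `HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13` at new line 1299 is a bare number with no derivation, although its consumer in btm_read_remote_ext_features_complete parses status (1), handle (2), page_num (1) and max_page (1) before copying what is presumably one feature page (8) from it. Writing it as `#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN (1 + 2 + 1 + 1 + HCI_FEATURE_BYTES_PER_PAGE)` with a comment listing the fields keeps the constant and the parser in step, and reuses the `HCI_FEATURE_BYTES_PER_PAGE` already defined at line 1297.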
@@ -338,11 +338,13 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, | ||
338 | 338 | * Description copy the raw data |
339 | 339 | * |
340 | 340 | * |
341 | - * Returns void | |
341 | + * Returns bool | |
342 | + * true if successful | |
343 | + * false if not copied | |
342 | 344 | * |
343 | 345 | ******************************************************************************/ |
344 | 346 | #if (SDP_RAW_DATA_INCLUDED == TRUE) |
345 | -static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) { | |
347 | +static bool sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) { | |
346 | 348 | unsigned int cpy_len, rem_len; |
347 | 349 | uint32_t list_len; |
348 | 350 | uint8_t* p; |
@@ -373,11 +375,11 @@ static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) { | ||
373 | 375 | p = sdpu_get_len_from_type(p, p_end, type, &list_len); |
374 | 376 | if (p == NULL || (p + list_len) > p_end) { |
375 | 377 | SDP_TRACE_WARNING("%s: bad length", __func__); |
376 | - return; | |
378 | + return false; | |
377 | 379 | } |
378 | 380 | if ((int)cpy_len < (p - old_p)) { |
379 | 381 | SDP_TRACE_WARNING("%s: no bytes left for data", __func__); |
380 | - return; | |
382 | + return false; | |
381 | 383 | } |
382 | 384 | cpy_len -= (p - old_p); |
383 | 385 | } |
@@ -397,6 +399,7 @@ static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) { | ||
397 | 399 | memcpy(&p_ccb->p_db->raw_data[p_ccb->p_db->raw_used], p, cpy_len); |
398 | 400 | p_ccb->p_db->raw_used += cpy_len; |
399 | 401 | } |
402 | + return true; | |
400 | 403 | } |
401 | 404 | #endif |
402 | 405 |
@@ -465,7 +468,12 @@ static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, | ||
465 | 468 | } else { |
466 | 469 | #if (SDP_RAW_DATA_INCLUDED == TRUE) |
467 | 470 | SDP_TRACE_WARNING("process_service_attr_rsp"); |
468 | - sdp_copy_raw_data(p_ccb, false); | |
471 | + if (!sdp_copy_raw_data(p_ccb, false)) { | |
472 | + SDP_TRACE_ERROR("sdp_copy_raw_data failed"); | |
473 | + sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER); | |
474 | + return; | |
475 | + } | |
476 | + | |
469 | 477 | #endif |
470 | 478 | |
471 | 479 | /* Save the response in the database. Stop on any error */ |
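Review bot: The new failure path at new lines 471-475 calls `sdp_disconnect` and returns, which is right as long as `p_ccb` is not touched afterwards — it is not, here — but the same five lines are repeated verbatim in process_service_search_attr_rsp (new lines 701-705). A comment on the first, `// Malformed raw data from the peer: tear the connection down rather than store a partial copy.`, documents the policy, and the `return` should stay directly after `sdp_disconnect` in any later edit in case the disconnect releases the control block. process_service_attr_rsp continues outside the hunk.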
@@ -690,7 +698,11 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, | ||
690 | 698 | |
691 | 699 | #if (SDP_RAW_DATA_INCLUDED == TRUE) |
692 | 700 | SDP_TRACE_WARNING("process_service_search_attr_rsp"); |
693 | - sdp_copy_raw_data(p_ccb, true); | |
701 | + if (!sdp_copy_raw_data(p_ccb, true)) { | |
702 | + SDP_TRACE_ERROR("sdp_copy_raw_data failed"); | |
703 | + sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER); | |
704 | + return; | |
705 | + } | |
694 | 706 | #endif |
695 | 707 | |
696 | 708 | p = &p_ccb->rsp_list[0]; |
@@ -705,6 +717,7 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, | ||
705 | 717 | p = sdpu_get_len_from_type(p, p + p_ccb->list_len, type, &seq_len); |
706 | 718 | if (p == NULL || (p + seq_len) > (p + p_ccb->list_len)) { |
707 | 719 | SDP_TRACE_WARNING("%s: bad length", __func__); |
720 | + sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER); | |
708 | 721 | return; |
709 | 722 | } |
710 | 723 | p_end = &p_ccb->rsp_list[p_ccb->list_len]; |