system/bt
| Revisão | 91f38752fa70188a33f07342d55c08125f1b0f98 (tree) |
|---|---|
| Hora | 2019-11-26 12:04:10 |
| Autor | Automerger Merge Worker <android-build-automerger-merge-worker@syst...> |
| Commiter | Automerger Merge Worker |
Merge "Revert "Fix potential OOB write in btm_read_remote_ext_features_complete"" into oc-dev am: aa754ed3ec am: 53afb387a4 am: a651e35ad0
Change-Id: Idf9a04bc8291f8e08ca504c373d77750c1280b74
stack/btm/btm_acl.cc (diff)
stack/btm/btm_int.h (diff) stack/btu/btu_hcif.cc (diff) stack/include/hcidefs.h (diff)| @@ -49,7 +49,6 @@ | ||
| 49 | 49 | #include "device/include/interop.h" |
| 50 | 50 | #include "hcidefs.h" |
| 51 | 51 | #include "hcimsgs.h" |
| 52 | -#include "log/log.h" | |
| 53 | 52 | #include "l2c_int.h" |
| 54 | 53 | #include "osi/include/log.h" |
| 55 | 54 | #include "osi/include/osi.h" |
| @@ -1083,7 +1082,7 @@ void btm_read_remote_features_complete(uint8_t* p) { | ||
| 1083 | 1082 | * Returns void |
| 1084 | 1083 | * |
| 1085 | 1084 | ******************************************************************************/ |
| 1086 | -void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | |
| 1085 | +void btm_read_remote_ext_features_complete(uint8_t* p) { | |
| 1087 | 1086 | tACL_CONN* p_acl_cb; |
| 1088 | 1087 | uint8_t page_num, max_page; |
| 1089 | 1088 | uint16_t handle; |
| @@ -1091,14 +1090,6 @@ void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | ||
| 1091 | 1090 | |
| 1092 | 1091 | BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete"); |
| 1093 | 1092 | |
| 1094 | - if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) { | |
| 1095 | - android_errorWriteLog(0x534e4554, "141552859"); | |
| 1096 | - BTM_TRACE_ERROR( | |
| 1097 | - "btm_read_remote_ext_features_complete evt length too short. length=%d", | |
| 1098 | - evt_len); | |
| 1099 | - return; | |
| 1100 | - } | |
| 1101 | - | |
| 1102 | 1093 | ++p; |
| 1103 | 1094 | STREAM_TO_UINT16(handle, p); |
| 1104 | 1095 | STREAM_TO_UINT8(page_num, p); |
| @@ -1118,13 +1109,6 @@ void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | ||
| 1118 | 1109 | return; |
| 1119 | 1110 | } |
| 1120 | 1111 | |
| 1121 | - if (page_num > max_page) { | |
| 1122 | - android_errorWriteLog(0x534e4554, "141552859"); | |
| 1123 | - BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid", | |
| 1124 | - page_num); | |
| 1125 | - return; | |
| 1126 | - } | |
| 1127 | - | |
| 1128 | 1112 | p_acl_cb = &btm_cb.acl_db[acl_idx]; |
| 1129 | 1113 | |
| 1130 | 1114 | /* Copy the received features page */ |
| @@ -118,7 +118,7 @@ extern uint16_t btm_get_acl_disc_reason_code(void); | ||
| 118 | 118 | extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr, |
| 119 | 119 | tBT_TRANSPORT transport); |
| 120 | 120 | extern void btm_read_remote_features_complete(uint8_t* p); |
| 121 | -extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len); | |
| 121 | +extern void btm_read_remote_ext_features_complete(uint8_t* p); | |
| 122 | 122 | extern void btm_read_remote_ext_features_failed(uint8_t status, |
| 123 | 123 | uint16_t handle); |
| 124 | 124 | extern void btm_read_remote_version_complete(uint8_t* p); |
| @@ -71,8 +71,7 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p); | ||
| 71 | 71 | static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len); |
| 72 | 72 | static void btu_hcif_encryption_change_evt(uint8_t* p); |
| 73 | 73 | static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p); |
| 74 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
| 75 | - uint8_t evt_len); | |
| 74 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p); | |
| 76 | 75 | static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p); |
| 77 | 76 | static void btu_hcif_qos_setup_comp_evt(uint8_t* p); |
| 78 | 77 | static void btu_hcif_command_complete_evt(BT_HDR* response, void* context); |
| @@ -196,7 +195,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) { | ||
| 196 | 195 | btu_hcif_read_rmt_features_comp_evt(p); |
| 197 | 196 | break; |
| 198 | 197 | case HCI_READ_RMT_EXT_FEATURES_COMP_EVT: |
| 199 | - btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len); | |
| 198 | + btu_hcif_read_rmt_ext_features_comp_evt(p); | |
| 200 | 199 | break; |
| 201 | 200 | case HCI_READ_RMT_VERSION_COMP_EVT: |
| 202 | 201 | btu_hcif_read_rmt_version_comp_evt(p); |
| @@ -813,8 +812,7 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) { | ||
| 813 | 812 | * Returns void |
| 814 | 813 | * |
| 815 | 814 | ******************************************************************************/ |
| 816 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
| 817 | - uint8_t evt_len) { | |
| 815 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) { | |
| 818 | 816 | uint8_t* p_cur = p; |
| 819 | 817 | uint8_t status; |
| 820 | 818 | uint16_t handle; |
| @@ -822,7 +820,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | ||
| 822 | 820 | STREAM_TO_UINT8(status, p_cur); |
| 823 | 821 | |
| 824 | 822 | if (status == HCI_SUCCESS) |
| 825 | - btm_read_remote_ext_features_complete(p, evt_len); | |
| 823 | + btm_read_remote_ext_features_complete(p); | |
| 826 | 824 | else { |
| 827 | 825 | STREAM_TO_UINT16(handle, p_cur); |
| 828 | 826 | btm_read_remote_ext_features_failed(status, handle); |
| @@ -1322,8 +1322,6 @@ typedef struct { | ||
| 1322 | 1322 | |
| 1323 | 1323 | #define HCI_FEATURE_BYTES_PER_PAGE 8 |
| 1324 | 1324 | |
| 1325 | -#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13 | |
| 1326 | - | |
| 1327 | 1325 | #define HCI_FEATURES_KNOWN(x) \ |
| 1328 | 1326 | (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0) |
| 1329 | 1327 |
Fork