system/bt
Revisão | a651e35ad0081de5559a196c151ff0a3ff64ee67 (tree) |
---|---|
Hora | 2019-11-26 11:55:04 |
Autor | Automerger Merge Worker <android-build-automerger-merge-worker@syst...> |
Commiter | Automerger Merge Worker |
Merge "Revert "Fix potential OOB write in btm_read_remote_ext_features_complete"" into oc-dev am: aa754ed3ec am: 53afb387a4
Change-Id: I22fb89a33d6265470d4dc82a19d3ff66ce1ad9fa
@@ -47,7 +47,6 @@ | ||
47 | 47 | #include "device/include/interop.h" |
48 | 48 | #include "hcidefs.h" |
49 | 49 | #include "hcimsgs.h" |
50 | -#include "log/log.h" | |
51 | 50 | #include "l2c_int.h" |
52 | 51 | #include "osi/include/osi.h" |
53 | 52 |
@@ -1063,7 +1062,7 @@ void btm_read_remote_features_complete(uint8_t* p) { | ||
1063 | 1062 | * Returns void |
1064 | 1063 | * |
1065 | 1064 | ******************************************************************************/ |
1066 | -void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | |
1065 | +void btm_read_remote_ext_features_complete(uint8_t* p) { | |
1067 | 1066 | tACL_CONN* p_acl_cb; |
1068 | 1067 | uint8_t page_num, max_page; |
1069 | 1068 | uint16_t handle; |
@@ -1071,14 +1070,6 @@ void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | ||
1071 | 1070 | |
1072 | 1071 | BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete"); |
1073 | 1072 | |
1074 | - if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) { | |
1075 | - android_errorWriteLog(0x534e4554, "141552859"); | |
1076 | - BTM_TRACE_ERROR( | |
1077 | - "btm_read_remote_ext_features_complete evt length too short. length=%d", | |
1078 | - evt_len); | |
1079 | - return; | |
1080 | - } | |
1081 | - | |
1082 | 1073 | ++p; |
1083 | 1074 | STREAM_TO_UINT16(handle, p); |
1084 | 1075 | STREAM_TO_UINT8(page_num, p); |
@@ -1098,13 +1089,6 @@ void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | ||
1098 | 1089 | return; |
1099 | 1090 | } |
1100 | 1091 | |
1101 | - if (page_num > max_page) { | |
1102 | - android_errorWriteLog(0x534e4554, "141552859"); | |
1103 | - BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid", | |
1104 | - page_num); | |
1105 | - return; | |
1106 | - } | |
1107 | - | |
1108 | 1092 | p_acl_cb = &btm_cb.acl_db[acl_idx]; |
1109 | 1093 | |
1110 | 1094 | /* Copy the received features page */ |
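Review bot: After this revert, `page_num` read from the event by `STREAM_TO_UINT8(page_num, p)` is no longer compared with `max_page` before execution reaches the `/* Copy the received features page */` step, and the handler no longer receives the event length at all. Both values are parsed from the incoming HCI event, so the bounds should stay in place even if the original fix had to be backed out for another reason, which the commit message does not state. I would keep the `evt_len` parameter and the two guards, `if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) return;` before the first `STREAM_TO_*` read and `if (page_num > max_page) return;` before the copy. That also means keeping the `hci_evt_len` argument in the `btu_hcif_process_event` and `btu_hcif_read_rmt_ext_features_comp_evt` hunks and the `HCI_EXT_FEATURES_SUCCESS_EVT_LEN` define. The copy itself and any check on `max_page` lie outside the hunk, so whether another bound already limits the index cannot be confirmed from here.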
@@ -117,7 +117,7 @@ extern uint16_t btm_get_acl_disc_reason_code(void); | ||
117 | 117 | extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr, |
118 | 118 | tBT_TRANSPORT transport); |
119 | 119 | extern void btm_read_remote_features_complete(uint8_t* p); |
120 | -extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len); | |
120 | +extern void btm_read_remote_ext_features_complete(uint8_t* p); | |
121 | 121 | extern void btm_read_remote_ext_features_failed(uint8_t status, |
122 | 122 | uint16_t handle); |
123 | 123 | extern void btm_read_remote_version_complete(uint8_t* p); |
@@ -70,8 +70,7 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p); | ||
70 | 70 | static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len); |
71 | 71 | static void btu_hcif_encryption_change_evt(uint8_t* p); |
72 | 72 | static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p); |
73 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
74 | - uint8_t evt_len); | |
73 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p); | |
75 | 74 | static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p); |
76 | 75 | static void btu_hcif_qos_setup_comp_evt(uint8_t* p); |
77 | 76 | static void btu_hcif_command_complete_evt(BT_HDR* response, void* context); |
@@ -195,7 +194,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) { | ||
195 | 194 | btu_hcif_read_rmt_features_comp_evt(p); |
196 | 195 | break; |
197 | 196 | case HCI_READ_RMT_EXT_FEATURES_COMP_EVT: |
198 | - btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len); | |
197 | + btu_hcif_read_rmt_ext_features_comp_evt(p); | |
199 | 198 | break; |
200 | 199 | case HCI_READ_RMT_VERSION_COMP_EVT: |
201 | 200 | btu_hcif_read_rmt_version_comp_evt(p); |
@@ -792,8 +791,7 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) { | ||
792 | 791 | * Returns void |
793 | 792 | * |
794 | 793 | ******************************************************************************/ |
795 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
796 | - uint8_t evt_len) { | |
794 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) { | |
797 | 795 | uint8_t* p_cur = p; |
798 | 796 | uint8_t status; |
799 | 797 | uint16_t handle; |
@@ -801,7 +799,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | ||
801 | 799 | STREAM_TO_UINT8(status, p_cur); |
802 | 800 | |
803 | 801 | if (status == HCI_SUCCESS) |
804 | - btm_read_remote_ext_features_complete(p, evt_len); | |
802 | + btm_read_remote_ext_features_complete(p); | |
805 | 803 | else { |
806 | 804 | STREAM_TO_UINT16(handle, p_cur); |
807 | 805 | btm_read_remote_ext_features_failed(status, handle); |
@@ -1296,8 +1296,6 @@ typedef struct { | ||
1296 | 1296 | |
1297 | 1297 | #define HCI_FEATURE_BYTES_PER_PAGE 8 |
1298 | 1298 | |
1299 | -#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13 | |
1300 | - | |
1301 | 1299 | #define HCI_FEATURES_KNOWN(x) \ |
1302 | 1300 | (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0) |
1303 | 1301 |