system/bt
| Revisão | db7ae0ecc0c908178a9f0250e3c81b163f171e80 (tree) |
|---|---|
| Hora | 2019-11-26 11:37:43 |
| Autor | Ted Wang <tedwang@goog...> |
| Commiter | Android (Google) Code Review |
Merge "Revert "Fix potential OOB write in btm_read_remote_ext_features_complete"" into qt-dev
stack/btm/btm_acl.cc (diff)
stack/btm/btm_int.h (diff) stack/btu/btu_hcif.cc (diff) stack/include/hcidefs.h (diff)| @@ -1085,7 +1085,7 @@ void btm_read_remote_features_complete(uint8_t* p) { | ||
| 1085 | 1085 | * Returns void |
| 1086 | 1086 | * |
| 1087 | 1087 | ******************************************************************************/ |
| 1088 | -void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | |
| 1088 | +void btm_read_remote_ext_features_complete(uint8_t* p) { | |
| 1089 | 1089 | tACL_CONN* p_acl_cb; |
| 1090 | 1090 | uint8_t page_num, max_page; |
| 1091 | 1091 | uint16_t handle; |
| @@ -1093,14 +1093,6 @@ void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | ||
| 1093 | 1093 | |
| 1094 | 1094 | BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete"); |
| 1095 | 1095 | |
| 1096 | - if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) { | |
| 1097 | - android_errorWriteLog(0x534e4554, "141552859"); | |
| 1098 | - BTM_TRACE_ERROR( | |
| 1099 | - "btm_read_remote_ext_features_complete evt length too short. length=%d", | |
| 1100 | - evt_len); | |
| 1101 | - return; | |
| 1102 | - } | |
| 1103 | - | |
| 1104 | 1096 | ++p; |
| 1105 | 1097 | STREAM_TO_UINT16(handle, p); |
| 1106 | 1098 | STREAM_TO_UINT8(page_num, p); |
| @@ -1120,13 +1112,6 @@ void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | ||
| 1120 | 1112 | return; |
| 1121 | 1113 | } |
| 1122 | 1114 | |
| 1123 | - if (page_num > max_page) { | |
| 1124 | - android_errorWriteLog(0x534e4554, "141552859"); | |
| 1125 | - BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid", | |
| 1126 | - page_num); | |
| 1127 | - return; | |
| 1128 | - } | |
| 1129 | - | |
| 1130 | 1115 | p_acl_cb = &btm_cb.acl_db[acl_idx]; |
| 1131 | 1116 | |
| 1132 | 1117 | /* Copy the received features page */ |
| @@ -119,7 +119,7 @@ extern uint16_t btm_get_acl_disc_reason_code(void); | ||
| 119 | 119 | extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr, |
| 120 | 120 | tBT_TRANSPORT transport); |
| 121 | 121 | extern void btm_read_remote_features_complete(uint8_t* p); |
| 122 | -extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len); | |
| 122 | +extern void btm_read_remote_ext_features_complete(uint8_t* p); | |
| 123 | 123 | extern void btm_read_remote_ext_features_failed(uint8_t status, |
| 124 | 124 | uint16_t handle); |
| 125 | 125 | extern void btm_read_remote_version_complete(uint8_t* p); |
| @@ -75,8 +75,7 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p); | ||
| 75 | 75 | static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len); |
| 76 | 76 | static void btu_hcif_encryption_change_evt(uint8_t* p); |
| 77 | 77 | static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p); |
| 78 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
| 79 | - uint8_t evt_len); | |
| 78 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p); | |
| 80 | 79 | static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p); |
| 81 | 80 | static void btu_hcif_qos_setup_comp_evt(uint8_t* p); |
| 82 | 81 | static void btu_hcif_command_complete_evt(BT_HDR* response, void* context); |
| @@ -296,7 +295,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) { | ||
| 296 | 295 | btu_hcif_read_rmt_features_comp_evt(p); |
| 297 | 296 | break; |
| 298 | 297 | case HCI_READ_RMT_EXT_FEATURES_COMP_EVT: |
| 299 | - btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len); | |
| 298 | + btu_hcif_read_rmt_ext_features_comp_evt(p); | |
| 300 | 299 | break; |
| 301 | 300 | case HCI_READ_RMT_VERSION_COMP_EVT: |
| 302 | 301 | btu_hcif_read_rmt_version_comp_evt(p); |
| @@ -1212,8 +1211,7 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) { | ||
| 1212 | 1211 | * Returns void |
| 1213 | 1212 | * |
| 1214 | 1213 | ******************************************************************************/ |
| 1215 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
| 1216 | - uint8_t evt_len) { | |
| 1214 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) { | |
| 1217 | 1215 | uint8_t* p_cur = p; |
| 1218 | 1216 | uint8_t status; |
| 1219 | 1217 | uint16_t handle; |
| @@ -1221,7 +1219,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | ||
| 1221 | 1219 | STREAM_TO_UINT8(status, p_cur); |
| 1222 | 1220 | |
| 1223 | 1221 | if (status == HCI_SUCCESS) |
| 1224 | - btm_read_remote_ext_features_complete(p, evt_len); | |
| 1222 | + btm_read_remote_ext_features_complete(p); | |
| 1225 | 1223 | else { |
| 1226 | 1224 | STREAM_TO_UINT16(handle, p_cur); |
| 1227 | 1225 | btm_read_remote_ext_features_failed(status, handle); |
| @@ -1323,8 +1323,6 @@ typedef struct { | ||
| 1323 | 1323 | |
| 1324 | 1324 | #define HCI_FEATURE_BYTES_PER_PAGE 8 |
| 1325 | 1325 | |
| 1326 | -#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13 | |
| 1327 | - | |
| 1328 | 1326 | #define HCI_FEATURES_KNOWN(x) \ |
| 1329 | 1327 | (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0) |
| 1330 | 1328 |
Fork