system/bt
| Revisão | 491ce6e711feba11ffec6a9204290eca9aecc5f9 (tree) |
|---|---|
| Hora | 2017-08-25 09:54:41 |
| Autor | android-build-team Robot <android-build-team-robot@goog...> |
| Commiter | android-build-team Robot |
release-request-2c066723-15d1-45c9-8fff-fdeca41661a9-for-git_oc-r6-release-4286358 snap-temp-L42700000096612204
Change-Id: I76758ebf52a405548b1636d64e5d8156c67eccc5
bta/pan/bta_pan_act.cc (diff) stack/avdt/avdt_api.cc (diff) stack/bnep/bnep_main.cc (diff) stack/bnep/bnep_utils.cc (diff) stack/l2cap/l2cap_client.cc (diff) stack/mcap/mca_cact.cc (diff) stack/pan/pan_main.cc (diff) stack/sdp/sdp_server.cc (diff)| @@ -28,6 +28,8 @@ | ||
| 28 | 28 | |
| 29 | 29 | #include <string.h> |
| 30 | 30 | |
| 31 | +#include <cutils/log.h> | |
| 32 | + | |
| 31 | 33 | #include "bt_common.h" |
| 32 | 34 | #include "bta_api.h" |
| 33 | 35 | #include "bta_pan_api.h" |
| @@ -174,6 +176,14 @@ static void bta_pan_data_buf_ind_cback(uint16_t handle, BD_ADDR src, | ||
| 174 | 176 | |
| 175 | 177 | if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) { |
| 176 | 178 | /* offset smaller than data structure in front of actual data */ |
| 179 | + if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len > | |
| 180 | + PAN_BUF_SIZE) { | |
| 181 | + android_errorWriteLog(0x534e4554, "63146237"); | |
| 182 | + APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__, | |
| 183 | + p_buf->len); | |
| 184 | + osi_free(p_buf); | |
| 185 | + return; | |
| 186 | + } | |
| 177 | 187 | p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE); |
| 178 | 188 | memcpy((uint8_t*)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS), |
| 179 | 189 | (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len); |
| @@ -1042,7 +1042,7 @@ uint16_t AVDT_SendReport(uint8_t handle, AVDT_REPORT_TYPE type, | ||
| 1042 | 1042 | /* build SR - assume fit in one packet */ |
| 1043 | 1043 | p_tbl = avdt_ad_tc_tbl_by_type(AVDT_CHAN_REPORT, p_scb->p_ccb, p_scb); |
| 1044 | 1044 | if (p_tbl->state == AVDT_AD_ST_OPEN) { |
| 1045 | - BT_HDR* p_pkt = (BT_HDR*)osi_malloc(p_tbl->peer_mtu); | |
| 1045 | + BT_HDR* p_pkt = (BT_HDR*)osi_malloc(p_tbl->peer_mtu + sizeof(BT_HDR)); | |
| 1046 | 1046 | |
| 1047 | 1047 | p_pkt->offset = L2CAP_MIN_OFFSET; |
| 1048 | 1048 | p = (uint8_t*)(p_pkt + 1) + p_pkt->offset; |
| @@ -525,7 +525,8 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) { | ||
| 525 | 525 | if (ctrl_type == BNEP_SETUP_CONNECTION_REQUEST_MSG && |
| 526 | 526 | p_bcb->con_state != BNEP_STATE_CONNECTED && extension_present && p && |
| 527 | 527 | rem_len) { |
| 528 | - p_bcb->p_pending_data = (BT_HDR*)osi_malloc(rem_len); | |
| 528 | + osi_free(p_bcb->p_pending_data); | |
| 529 | + p_bcb->p_pending_data = (BT_HDR*)osi_malloc(rem_len + sizeof(BT_HDR)); | |
| 529 | 530 | memcpy((uint8_t*)(p_bcb->p_pending_data + 1), p, rem_len); |
| 530 | 531 | p_bcb->p_pending_data->len = rem_len; |
| 531 | 532 | p_bcb->p_pending_data->offset = 0; |
| @@ -144,7 +144,7 @@ void bnepu_release_bcb(tBNEP_CONN* p_bcb) { | ||
| 144 | 144 | |
| 145 | 145 | /* Drop any response pointer we may be holding */ |
| 146 | 146 | p_bcb->con_state = BNEP_STATE_IDLE; |
| 147 | - p_bcb->p_pending_data = NULL; | |
| 147 | + osi_free_and_reset((void**)&p_bcb->p_pending_data); | |
| 148 | 148 | |
| 149 | 149 | /* Free transmit queue */ |
| 150 | 150 | while (!fixed_queue_is_empty(p_bcb->xmit_q)) { |
| @@ -714,25 +714,41 @@ void bnep_process_setup_conn_responce(tBNEP_CONN* p_bcb, uint8_t* p_setup) { | ||
| 714 | 714 | uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p, |
| 715 | 715 | uint16_t* rem_len, bool is_ext) { |
| 716 | 716 | uint8_t control_type; |
| 717 | - bool bad_pkt = false; | |
| 718 | 717 | uint16_t len, ext_len = 0; |
| 719 | 718 | |
| 719 | + if (p == NULL || rem_len == NULL) { | |
| 720 | + if (rem_len != NULL) *rem_len = 0; | |
| 721 | + BNEP_TRACE_DEBUG("%s: invalid packet: p = %p rem_len = %p", __func__, p, | |
| 722 | + rem_len); | |
| 723 | + return NULL; | |
| 724 | + } | |
| 725 | + uint16_t rem_len_orig = *rem_len; | |
| 726 | + | |
| 720 | 727 | if (is_ext) { |
| 728 | + if (*rem_len < 1) goto bad_packet_length; | |
| 721 | 729 | ext_len = *p++; |
| 722 | 730 | *rem_len = *rem_len - 1; |
| 723 | 731 | } |
| 724 | 732 | |
| 733 | + if (*rem_len < 1) goto bad_packet_length; | |
| 725 | 734 | control_type = *p++; |
| 726 | 735 | *rem_len = *rem_len - 1; |
| 727 | 736 | |
| 728 | 737 | BNEP_TRACE_EVENT( |
| 729 | - "BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d", | |
| 730 | - *rem_len, is_ext, control_type); | |
| 738 | + "%s: BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d", | |
| 739 | + __func__, *rem_len, is_ext, control_type); | |
| 731 | 740 | |
| 732 | 741 | switch (control_type) { |
| 733 | 742 | case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD: |
| 734 | - BNEP_TRACE_ERROR("BNEP Received Cmd not understood for ctl pkt type: %d", | |
| 735 | - *p); | |
| 743 | + if (*rem_len < 1) { | |
| 744 | + BNEP_TRACE_ERROR( | |
| 745 | + "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD with bad length", | |
| 746 | + __func__); | |
| 747 | + goto bad_packet_length; | |
| 748 | + } | |
| 749 | + BNEP_TRACE_ERROR( | |
| 750 | + "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD for pkt type: %d", | |
| 751 | + __func__, *p); | |
| 736 | 752 | p++; |
| 737 | 753 | *rem_len = *rem_len - 1; |
| 738 | 754 | break; |
| @@ -740,9 +756,10 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p, | ||
| 740 | 756 | case BNEP_SETUP_CONNECTION_REQUEST_MSG: |
| 741 | 757 | len = *p++; |
| 742 | 758 | if (*rem_len < ((2 * len) + 1)) { |
| 743 | - bad_pkt = true; | |
| 744 | - BNEP_TRACE_ERROR("BNEP Received Setup message with bad length"); | |
| 745 | - break; | |
| 759 | + BNEP_TRACE_ERROR( | |
| 760 | + "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length", | |
| 761 | + __func__); | |
| 762 | + goto bad_packet_length; | |
| 746 | 763 | } |
| 747 | 764 | if (!is_ext) bnep_process_setup_conn_req(p_bcb, p, (uint8_t)len); |
| 748 | 765 | p += (2 * len); |
| @@ -750,6 +767,12 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p, | ||
| 750 | 767 | break; |
| 751 | 768 | |
| 752 | 769 | case BNEP_SETUP_CONNECTION_RESPONSE_MSG: |
| 770 | + if (*rem_len < 2) { | |
| 771 | + BNEP_TRACE_ERROR( | |
| 772 | + "%s: Received BNEP_SETUP_CONNECTION_RESPONSE_MSG with bad length", | |
| 773 | + __func__); | |
| 774 | + goto bad_packet_length; | |
| 775 | + } | |
| 753 | 776 | if (!is_ext) bnep_process_setup_conn_responce(p_bcb, p); |
| 754 | 777 | p += 2; |
| 755 | 778 | *rem_len = *rem_len - 2; |
| @@ -758,9 +781,10 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p, | ||
| 758 | 781 | case BNEP_FILTER_NET_TYPE_SET_MSG: |
| 759 | 782 | BE_STREAM_TO_UINT16(len, p); |
| 760 | 783 | if (*rem_len < (len + 2)) { |
| 761 | - bad_pkt = true; | |
| 762 | - BNEP_TRACE_ERROR("BNEP Received Filter set message with bad length"); | |
| 763 | - break; | |
| 784 | + BNEP_TRACE_ERROR( | |
| 785 | + "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length", | |
| 786 | + __func__); | |
| 787 | + goto bad_packet_length; | |
| 764 | 788 | } |
| 765 | 789 | bnepu_process_peer_filter_set(p_bcb, p, len); |
| 766 | 790 | p += len; |
| @@ -768,6 +792,12 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p, | ||
| 768 | 792 | break; |
| 769 | 793 | |
| 770 | 794 | case BNEP_FILTER_NET_TYPE_RESPONSE_MSG: |
| 795 | + if (*rem_len < 2) { | |
| 796 | + BNEP_TRACE_ERROR( | |
| 797 | + "%s: Received BNEP_FILTER_NET_TYPE_RESPONSE_MSG with bad length", | |
| 798 | + __func__); | |
| 799 | + goto bad_packet_length; | |
| 800 | + } | |
| 771 | 801 | bnepu_process_peer_filter_rsp(p_bcb, p); |
| 772 | 802 | p += 2; |
| 773 | 803 | *rem_len = *rem_len - 2; |
| @@ -776,10 +806,10 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p, | ||
| 776 | 806 | case BNEP_FILTER_MULTI_ADDR_SET_MSG: |
| 777 | 807 | BE_STREAM_TO_UINT16(len, p); |
| 778 | 808 | if (*rem_len < (len + 2)) { |
| 779 | - bad_pkt = true; | |
| 780 | 809 | BNEP_TRACE_ERROR( |
| 781 | - "BNEP Received Multicast Filter Set message with bad length"); | |
| 782 | - break; | |
| 810 | + "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length", | |
| 811 | + __func__); | |
| 812 | + goto bad_packet_length; | |
| 783 | 813 | } |
| 784 | 814 | bnepu_process_peer_multicast_filter_set(p_bcb, p, len); |
| 785 | 815 | p += len; |
| @@ -787,28 +817,37 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p, | ||
| 787 | 817 | break; |
| 788 | 818 | |
| 789 | 819 | case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG: |
| 820 | + if (*rem_len < 2) { | |
| 821 | + BNEP_TRACE_ERROR( | |
| 822 | + "%s: Received BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG with bad length", | |
| 823 | + __func__); | |
| 824 | + goto bad_packet_length; | |
| 825 | + } | |
| 790 | 826 | bnepu_process_multicast_filter_rsp(p_bcb, p); |
| 791 | 827 | p += 2; |
| 792 | 828 | *rem_len = *rem_len - 2; |
| 793 | 829 | break; |
| 794 | 830 | |
| 795 | 831 | default: |
| 796 | - BNEP_TRACE_ERROR("BNEP - bad ctl pkt type: %d", control_type); | |
| 832 | + BNEP_TRACE_ERROR("%s: BNEP - bad ctl pkt type: %d", __func__, | |
| 833 | + control_type); | |
| 797 | 834 | bnep_send_command_not_understood(p_bcb, control_type); |
| 798 | - if (is_ext) { | |
| 835 | + if (is_ext && (ext_len > 0)) { | |
| 836 | + if (*rem_len < (ext_len - 1)) { | |
| 837 | + goto bad_packet_length; | |
| 838 | + } | |
| 799 | 839 | p += (ext_len - 1); |
| 800 | 840 | *rem_len -= (ext_len - 1); |
| 801 | 841 | } |
| 802 | 842 | break; |
| 803 | 843 | } |
| 804 | - | |
| 805 | - if (bad_pkt) { | |
| 806 | - BNEP_TRACE_ERROR("BNEP - bad ctl pkt length: %d", *rem_len); | |
| 807 | - *rem_len = 0; | |
| 808 | - return NULL; | |
| 809 | - } | |
| 810 | - | |
| 811 | 844 | return p; |
| 845 | + | |
| 846 | +bad_packet_length: | |
| 847 | + BNEP_TRACE_ERROR("%s: bad control packet length: original=%d remaining=%d", | |
| 848 | + __func__, rem_len_orig, *rem_len); | |
| 849 | + *rem_len = 0; | |
| 850 | + return NULL; | |
| 812 | 851 | } |
| 813 | 852 | |
| 814 | 853 | /******************************************************************************* |
| @@ -393,7 +393,7 @@ static void fragment_packet(l2cap_client_t* client, buffer_t* packet) { | ||
| 393 | 393 | |
| 394 | 394 | // TODO(sharvil): eliminate copy into BT_HDR. |
| 395 | 395 | BT_HDR* bt_packet = static_cast<BT_HDR*>( |
| 396 | - osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET)); | |
| 396 | + osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET + sizeof(BT_HDR))); | |
| 397 | 397 | bt_packet->offset = L2CAP_MIN_OFFSET; |
| 398 | 398 | bt_packet->len = buffer_length(packet); |
| 399 | 399 | memcpy(bt_packet->data + bt_packet->offset, buffer_ptr(packet), |
| @@ -408,8 +408,8 @@ static void fragment_packet(l2cap_client_t* client, buffer_t* packet) { | ||
| 408 | 408 | break; |
| 409 | 409 | } |
| 410 | 410 | |
| 411 | - BT_HDR* fragment = | |
| 412 | - static_cast<BT_HDR*>(osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET)); | |
| 411 | + BT_HDR* fragment = static_cast<BT_HDR*>( | |
| 412 | + osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET + sizeof(BT_HDR))); | |
| 413 | 413 | fragment->offset = L2CAP_MIN_OFFSET; |
| 414 | 414 | fragment->len = client->remote_mtu; |
| 415 | 415 | memcpy(fragment->data + fragment->offset, |
| @@ -117,7 +117,7 @@ void mca_ccb_snd_req(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) { | ||
| 117 | 117 | if ((!p_ccb->p_tx_req) || is_abort) { |
| 118 | 118 | p_ccb->p_tx_req = p_msg; |
| 119 | 119 | if (!p_ccb->cong) { |
| 120 | - BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU); | |
| 120 | + BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR)); | |
| 121 | 121 | |
| 122 | 122 | p_pkt->offset = L2CAP_MIN_OFFSET; |
| 123 | 123 | p = p_start = (uint8_t*)(p_pkt + 1) + L2CAP_MIN_OFFSET; |
| @@ -154,7 +154,7 @@ void mca_ccb_snd_req(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) { | ||
| 154 | 154 | void mca_ccb_snd_rsp(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) { |
| 155 | 155 | tMCA_CCB_MSG* p_msg = (tMCA_CCB_MSG*)p_data; |
| 156 | 156 | uint8_t *p, *p_start; |
| 157 | - BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU); | |
| 157 | + BT_HDR* p_pkt = (BT_HDR*)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR)); | |
| 158 | 158 | |
| 159 | 159 | MCA_TRACE_DEBUG("%s cong=%d req=%d", __func__, p_ccb->cong, p_msg->op_code); |
| 160 | 160 | /* assume that API functions verified the parameters */ |
| @@ -367,7 +367,7 @@ void mca_ccb_hdl_req(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) { | ||
| 367 | 367 | if (((reject_code != MCA_RSP_SUCCESS) && |
| 368 | 368 | (evt_data.hdr.op_code != MCA_OP_SYNC_INFO_IND)) || |
| 369 | 369 | send_rsp) { |
| 370 | - BT_HDR* p_buf = (BT_HDR*)osi_malloc(MCA_CTRL_MTU); | |
| 370 | + BT_HDR* p_buf = (BT_HDR*)osi_malloc(MCA_CTRL_MTU + sizeof(BT_HDR)); | |
| 371 | 371 | p_buf->offset = L2CAP_MIN_OFFSET; |
| 372 | 372 | p = p_start = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; |
| 373 | 373 | *p++ = reject_opcode; |
| @@ -214,6 +214,39 @@ void pan_conn_ind_cb(uint16_t handle, BD_ADDR p_bda, tBT_UUID* remote_uuid, | ||
| 214 | 214 | return; |
| 215 | 215 | } |
| 216 | 216 | |
| 217 | + /* Check for valid interactions between the three PAN profile roles */ | |
| 218 | + /* | |
| 219 | + * For reference, see Table 1 in PAN Profile v1.0 spec. | |
| 220 | + * Note: the remote is the initiator. | |
| 221 | + */ | |
| 222 | + bool is_valid_interaction = false; | |
| 223 | + switch (remote_uuid->uu.uuid16) { | |
| 224 | + case UUID_SERVCLASS_NAP: | |
| 225 | + case UUID_SERVCLASS_GN: | |
| 226 | + if (local_uuid->uu.uuid16 == UUID_SERVCLASS_PANU) | |
| 227 | + is_valid_interaction = true; | |
| 228 | + break; | |
| 229 | + case UUID_SERVCLASS_PANU: | |
| 230 | + is_valid_interaction = true; | |
| 231 | + break; | |
| 232 | + } | |
| 233 | + /* | |
| 234 | + * Explicitly disable connections to the local PANU if the remote is | |
| 235 | + * not PANU. | |
| 236 | + */ | |
| 237 | + if ((local_uuid->uu.uuid16 == UUID_SERVCLASS_PANU) && | |
| 238 | + (remote_uuid->uu.uuid16 != UUID_SERVCLASS_PANU)) { | |
| 239 | + is_valid_interaction = false; | |
| 240 | + } | |
| 241 | + if (!is_valid_interaction) { | |
| 242 | + PAN_TRACE_ERROR( | |
| 243 | + "PAN Connection failed because of invalid PAN profile roles " | |
| 244 | + "interaction: Remote UUID 0x%x Local UUID 0x%x", | |
| 245 | + remote_uuid->uu.uuid16, local_uuid->uu.uuid16); | |
| 246 | + BNEP_ConnectResp(handle, BNEP_CONN_FAILED_SRC_UUID); | |
| 247 | + return; | |
| 248 | + } | |
| 249 | + | |
| 217 | 250 | /* Requested destination role is */ |
| 218 | 251 | if (local_uuid->uu.uuid16 == UUID_SERVCLASS_PANU) |
| 219 | 252 | req_role = PAN_ROLE_CLIENT; |
| @@ -218,7 +218,7 @@ static void process_service_search(tCONN_CB* p_ccb, uint16_t trans_num, | ||
| 218 | 218 | } |
| 219 | 219 | BE_STREAM_TO_UINT16(cont_offset, p_req); |
| 220 | 220 | |
| 221 | - if (cont_offset != p_ccb->cont_offset) { | |
| 221 | + if (cont_offset != p_ccb->cont_offset || num_rsp_handles < cont_offset) { | |
| 222 | 222 | sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE, |
| 223 | 223 | SDP_TEXT_BAD_CONT_INX); |
| 224 | 224 | return; |
Fork