Snap for 11383711 from a42fa1bda6faa9ceb676a0ac3bd0d021dc314bf5 to mainline-cellbroadcast-release
Change-Id: Iae9c320aee727d8acf67f74b35ad9e88bba321ab
diff --git a/android/app/res/values-eu/strings.xml b/android/app/res/values-eu/strings.xml
index 64e721a..cfbd841 100644
--- a/android/app/res/values-eu/strings.xml
+++ b/android/app/res/values-eu/strings.xml
@@ -18,9 +18,9 @@
xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
<string name="app_name" msgid="2326164424236203271">"Bluetootha"</string>
<string name="permlab_bluetoothShareManager" msgid="5297865456717871041">"Atzitu deskargen kudeatzailea."</string>
- <string name="permdesc_bluetoothShareManager" msgid="1588034776955941477">"Bluetooth bidezko partekatzeen kudeatzailea atzitzea eta fitxategiak transferitzeko erabiltzeko baimena ematen die aplikazioei."</string>
+ <string name="permdesc_bluetoothShareManager" msgid="1588034776955941477">"Bluetooth bidezko partekatzeen kudeatzailea atzitzea eta fitxategiak transferitzeko erabiltzeko baimena ematen dio aplikazioari."</string>
<string name="permlab_bluetoothAcceptlist" msgid="5785922051395856524">"Ezarri Bluetooth bidezko gailuak onartutakoen zerrendan."</string>
- <string name="permdesc_bluetoothAcceptlist" msgid="259308920158011885">"Bluetooth bidezko gailu bat aldi baterako onartutakoen zerrendan ezartzeko baimena ematen die aplikazioei, gailu honetara fitxategiak bidaltzeko baimena izan dezan, baina gailu honen erabiltzaileari berrespena eskatu beharrik gabe."</string>
+ <string name="permdesc_bluetoothAcceptlist" msgid="259308920158011885">"Bluetooth bidezko gailu bat aldi baterako onartutakoen zerrendan ezartzeko baimena ematen dio aplikazioari, gailu honetara fitxategiak bidaltzeko baimena izan dezan, baina gailu honen erabiltzaileari berrespena eskatu beharrik gabe."</string>
<string name="bt_share_picker_label" msgid="7464438494743777696">"Bluetootha"</string>
<string name="unknown_device" msgid="2317679521750821654">"Identifikatu ezin den gailua"</string>
<string name="unknownNumber" msgid="1245183329830158661">"Ezezaguna"</string>
diff --git a/system/btif/Android.bp b/system/btif/Android.bp
index 6144167..4ac1a85 100644
--- a/system/btif/Android.bp
+++ b/system/btif/Android.bp
@@ -42,22 +42,16 @@
"com.android.btservices",
],
min_sdk_version: "30",
+ shared_libs: [
+ "libstatssocket",
+ ],
+ export_shared_lib_headers: [
+ "libstatssocket",
+ ],
target: {
- android: {
- shared_libs: [
- "libstatssocket",
- ],
- export_shared_lib_headers: [
- "libstatssocket",
- ],
- },
host: {
static_libs: [
"libbase",
- "libstatssocket",
- ],
- export_static_lib_headers: [
- "libstatssocket",
],
},
darwin: {
diff --git a/system/stack/btm/btm_sec.cc b/system/stack/btm/btm_sec.cc
index 645646f..adb4b52 100644
--- a/system/stack/btm/btm_sec.cc
+++ b/system/stack/btm/btm_sec.cc
@@ -260,8 +260,7 @@
bool locally_initiated,
uint16_t security_req) {
return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
- p_dev_rec->is_device_authenticated() &&
- p_dev_rec->is_bond_type_temporary();
+ p_dev_rec->is_bond_type_temporary();
}
/*******************************************************************************
diff --git a/system/stack/gatt/att_protocol.cc b/system/stack/gatt/att_protocol.cc
index 1a9612f..5726fb5 100644
--- a/system/stack/gatt/att_protocol.cc
+++ b/system/stack/gatt/att_protocol.cc
@@ -287,46 +287,80 @@
static BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code,
uint16_t handle, uint16_t offset,
uint16_t len, uint8_t* p_data) {
- uint8_t *p, *pp, pair_len, *p_pair_len;
+ uint8_t *p, *pp, *p_pair_len;
+ size_t pair_len;
+ size_t size_now = 1;
+
+#define CHECK_SIZE() \
+ do { \
+ if (size_now > payload_size) { \
+ LOG_ERROR("payload size too small"); \
+ osi_free(p_buf); \
+ return nullptr; \
+ } \
+ } while (false)
+
BT_HDR* p_buf =
(BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
p = pp = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
+
+ CHECK_SIZE();
UINT8_TO_STREAM(p, op_code);
p_buf->offset = L2CAP_MIN_OFFSET;
- p_buf->len = 1;
if (op_code == GATT_RSP_READ_BY_TYPE) {
- p_pair_len = p;
+ p_pair_len = p++;
pair_len = len + 2;
- UINT8_TO_STREAM(p, pair_len);
- p_buf->len += 1;
+ size_now += 1;
+ CHECK_SIZE();
+ // this field will be backfilled in the end of this function
}
+
if (op_code != GATT_RSP_READ_BLOB && op_code != GATT_RSP_READ) {
+ size_now += 2;
+ CHECK_SIZE();
UINT16_TO_STREAM(p, handle);
- p_buf->len += 2;
}
if (op_code == GATT_REQ_PREPARE_WRITE || op_code == GATT_RSP_PREPARE_WRITE) {
+ size_now += 2;
+ CHECK_SIZE();
UINT16_TO_STREAM(p, offset);
- p_buf->len += 2;
}
if (len > 0 && p_data != NULL) {
/* ensure data not exceed MTU size */
- if (payload_size - p_buf->len < len) {
- len = payload_size - p_buf->len;
+ if (payload_size - size_now < len) {
+ len = payload_size - size_now;
/* update handle value pair length */
- if (op_code == GATT_RSP_READ_BY_TYPE) *p_pair_len = (len + 2);
+ if (op_code == GATT_RSP_READ_BY_TYPE) {
+ pair_len = (len + 2);
+ }
LOG(WARNING) << StringPrintf(
"attribute value too long, to be truncated to %d", len);
}
+ size_now += len;
+ CHECK_SIZE();
ARRAY_TO_STREAM(p, p_data, len);
- p_buf->len += len;
}
+ // backfill pair len field
+ if (op_code == GATT_RSP_READ_BY_TYPE) {
+ if (pair_len > UINT8_MAX) {
+ LOG_ERROR("pair_len greater than %d", UINT8_MAX);
+ osi_free(p_buf);
+ return nullptr;
+ }
+
+ *p_pair_len = (uint8_t)pair_len;
+ }
+
+#undef CHECK_SIZE
+
+ p_buf->len = (uint16_t)size_now;
return p_buf;
}