Merge cherrypicks of ['googleplex-android-review.googlesource.com/25493876', 'googleplex-android-review.googlesource.com/25532305', 'googleplex-android-review.googlesource.com/25658058', 'googleplex-android-review.googlesource.com/25677226', 'googleplex-android-review.googlesource.com/25842506'] into sc-platform-release.
Change-Id: I22a16cf986e39bdf6e1b98ef74b8bdcc0a9d56c0
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index bfb045c..e53a914 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -218,8 +218,7 @@
bool locally_initiated,
uint16_t security_req) {
return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
- btm_dev_authenticated(p_dev_rec) &&
- p_dev_rec->is_bond_type_temporary();
+ p_dev_rec->is_bond_type_temporary();
}
/*******************************************************************************
diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
index e7d22c5..ddb9ad6 100644
--- a/stack/gatt/att_protocol.cc
+++ b/stack/gatt/att_protocol.cc
@@ -281,46 +281,80 @@
static BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code,
uint16_t handle, uint16_t offset,
uint16_t len, uint8_t* p_data) {
- uint8_t *p, *pp, pair_len, *p_pair_len;
+ uint8_t *p, *pp, *p_pair_len;
+ size_t pair_len;
+ size_t size_now = 1;
+
+#define CHECK_SIZE() \
+ do { \
+ if (size_now > payload_size) { \
+ LOG_ERROR("payload size too small"); \
+ osi_free(p_buf); \
+ return nullptr; \
+ } \
+ } while (false)
+
BT_HDR* p_buf =
(BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
p = pp = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
+
+ CHECK_SIZE();
UINT8_TO_STREAM(p, op_code);
p_buf->offset = L2CAP_MIN_OFFSET;
- p_buf->len = 1;
if (op_code == GATT_RSP_READ_BY_TYPE) {
- p_pair_len = p;
+ p_pair_len = p++;
pair_len = len + 2;
- UINT8_TO_STREAM(p, pair_len);
- p_buf->len += 1;
+ size_now += 1;
+ CHECK_SIZE();
+ // this field will be backfilled in the end of this function
}
+
if (op_code != GATT_RSP_READ_BLOB && op_code != GATT_RSP_READ) {
+ size_now += 2;
+ CHECK_SIZE();
UINT16_TO_STREAM(p, handle);
- p_buf->len += 2;
}
if (op_code == GATT_REQ_PREPARE_WRITE || op_code == GATT_RSP_PREPARE_WRITE) {
+ size_now += 2;
+ CHECK_SIZE();
UINT16_TO_STREAM(p, offset);
- p_buf->len += 2;
}
if (len > 0 && p_data != NULL) {
/* ensure data not exceed MTU size */
- if (payload_size - p_buf->len < len) {
- len = payload_size - p_buf->len;
+ if (payload_size - size_now < len) {
+ len = payload_size - size_now;
/* update handle value pair length */
- if (op_code == GATT_RSP_READ_BY_TYPE) *p_pair_len = (len + 2);
+ if (op_code == GATT_RSP_READ_BY_TYPE) {
+ pair_len = (len + 2);
+ }
LOG(WARNING) << StringPrintf(
"attribute value too long, to be truncated to %d", len);
}
+ size_now += len;
+ CHECK_SIZE();
ARRAY_TO_STREAM(p, p_data, len);
- p_buf->len += len;
}
+ // backfill pair len field
+ if (op_code == GATT_RSP_READ_BY_TYPE) {
+ if (pair_len > UINT8_MAX) {
+ LOG_ERROR("pair_len greater than %d", UINT8_MAX);
+ osi_free(p_buf);
+ return nullptr;
+ }
+
+ *p_pair_len = (uint8_t)pair_len;
+ }
+
+#undef CHECK_SIZE
+
+ p_buf->len = (uint16_t)size_now;
return p_buf;
}
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index 3afae8b..84bb823 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -432,6 +432,13 @@
* Description process security request.
******************************************************************************/
void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+ if (smp_command_has_invalid_length(p_cb)) {
+ tSMP_INT_DATA smp_int_data;
+ smp_int_data.status = SMP_INVALID_PARAMETERS;
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
+ return;
+ }
+
tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data->p_data;
tBTM_BLE_SEC_REQ_ACT sec_req_act;
