resolve merge conflicts of ec78d74706c3e81f91eee53e3d9f959f66e5d77f to pi-devHEAD replicant-6.0-0004-transition replicant-6.0-0004-rc6 replicant-6.0-0004-rc5-transition replicant-6.0-0004-rc5 replicant-6.0-0004-rc4 replicant-6.0-0004-rc3 replicant-6.0-0004-rc2 replicant-6.0-0004 cm-13.0

Bug: None Test: I solemnly swear I tested this conflict resolution. Change-Id: Id658b3485fdc0025bc44850be9f23bb2d2146d9b (cherry picked from commit 6c0f22f324ed0bdf9dea3e803e5ee6176d03fdb4)
author: Hansong Zhang <hsz@google.com> 2019-02-01 17:45:30 -0800
committer: Tim Schumacher <timschumi@gmx.de> 2019-07-07 14:49:22 +0200
commit: ad7555c9d783be7e360de0edf114f3da8da70b5f (patch)
tree: 30b1de1681c94d68c594b8f6bb8f1c2ea8ec71f1
parent: 3d34ee18a6b5e16ddf77157103a1c3cc5a777d3b (diff)
download: android_system_bt-cm-13.0.tar.gz
android_system_bt-cm-13.0.tar.bz2
android_system_bt-cm-13.0.zip
2 files changed, 37 insertions, 10 deletions
diff --git a/stack/l2cap/l2c_main.c b/stack/l2cap/l2c_main.c
index 0ef1fbb6e..379d7608e 100644
--- a/stack/l2cap/l2c_main.c
+++ b/stack/l2cap/l2c_main.c
@@ -573,7 +573,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
                 {
                 case L2CAP_CFG_TYPE_MTU:
                     cfg_info.mtu_present = TRUE;
-                    if (p + 2 > p_next_cmd) {
+                    if (cfg_len != 2) {
+                        android_errorWriteLog(0x534e4554, "119870451");
+                        return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -582,7 +586,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_FLUSH_TOUT:
                     cfg_info.flush_to_present = TRUE;
-                    if (p + 2 > p_next_cmd) {
+                    if (cfg_len != 2) {
+                        android_errorWriteLog(0x534e4554, "119870451");
+                        return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -591,9 +599,13 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_QOS:
                     cfg_info.qos_present = TRUE;
-                    if (p + 2 + 5 * 4 > p_next_cmd) {
-                      android_errorWriteLog(0x534e4554, "74202041");
-                      return;
+                    if (cfg_len != 2 + 5 * 4) {
+                        android_errorWriteLog(0x534e4554, "119870451");
+                        return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
+                        android_errorWriteLog(0x534e4554, "74202041");
+                        return;
                     }
                     STREAM_TO_UINT8  (cfg_info.qos.qos_flags, p);
                     STREAM_TO_UINT8  (cfg_info.qos.service_type, p);
@@ -606,9 +618,13 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_FCR:
                     cfg_info.fcr_present = TRUE;
-                    if (p + 3 + 3 * 2 > p_next_cmd) {
-                      android_errorWriteLog(0x534e4554, "74202041");
-                      return;
+                    if (cfg_len != 3 + 3 * 2) {
+                        android_errorWriteLog(0x534e4554, "119870451");
+                        return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
+                        android_errorWriteLog(0x534e4554, "74202041");
+                        return;
                     }
                     STREAM_TO_UINT8 (cfg_info.fcr.mode, p);
                     STREAM_TO_UINT8 (cfg_info.fcr.tx_win_sz, p);
@@ -620,7 +636,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_FCS:
                     cfg_info.fcs_present = TRUE;
-                    if (p + 1 > p_next_cmd) {
+                    if (cfg_len != 1) {
+                        android_errorWriteLog(0x534e4554, "119870451");
+                        return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -629,7 +649,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_EXT_FLOW:
                     cfg_info.ext_flow_spec_present = TRUE;
-                    if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
+                    if (cfg_len != 2 + 2 + 3 * 4) {
+                        android_errorWriteLog(0x534e4554, "119870451");
+                        return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
diff --git a/stack/l2cap/l2c_utils.c b/stack/l2cap/l2c_utils.c
index 2c33c7135..d793f8759 100644
--- a/stack/l2cap/l2c_utils.c
+++ b/stack/l2cap/l2c_utils.c
@@ -878,6 +878,9 @@ void l2cu_send_peer_config_rej (tL2C_CCB *p_ccb, UINT8 *p_data, UINT16 data_len,
             case L2CAP_CFG_TYPE_MTU:
             case L2CAP_CFG_TYPE_FLUSH_TOUT:
             case L2CAP_CFG_TYPE_QOS:
+            case L2CAP_CFG_TYPE_FCR:
+            case L2CAP_CFG_TYPE_FCS:
+            case L2CAP_CFG_TYPE_EXT_FLOW:
                 p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
                 break;
author	Hansong Zhang <hsz@google.com>	2019-02-01 17:45:30 -0800
committer	Tim Schumacher <timschumi@gmx.de>	2019-07-07 14:49:22 +0200
commit	ad7555c9d783be7e360de0edf114f3da8da70b5f (patch)
tree	30b1de1681c94d68c594b8f6bb8f1c2ea8ec71f1
parent	3d34ee18a6b5e16ddf77157103a1c3cc5a777d3b (diff)
download	android_system_bt-cm-13.0.tar.gz android_system_bt-cm-13.0.tar.bz2 android_system_bt-cm-13.0.zip