Commit log (newest first). Each entry gives the commit message subject, the author, the date, the number of files changed and the lines removed/added, followed by the commit message body.
* resolve merge conflicts of ec78d74706c3e81f91eee53e3d9f959f66e5d77f to pi-dev
  Refs: HEAD, replicant-6.0-0004-transition, replicant-6.0-0004-rc6, replicant-6.0-0004-rc5-transition, replicant-6.0-0004-rc5, replicant-6.0-0004-rc4, replicant-6.0-0004-rc3, replicant-6.0-0004-rc2, replicant-6.0-0004, cm-13.0
  Hansong Zhang, 2019-07-07: 2 files changed, -10/+37

  Bug: None
  Test: I solemnly swear I tested this conflict resolution.
  Change-Id: Id658b3485fdc0025bc44850be9f23bb2d2146d9b
  (cherry picked from commit 6c0f22f324ed0bdf9dea3e803e5ee6176d03fdb4)

* btm_proc_smp_cback: Don't access p_dev_rec if freed
  Hansong Zhang, 2019-07-07: 1 file changed, -0/+7

  In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle to
  prevent use after free

  Bug: 120612744
  Test: Use ASAN build; connect to a LE device and wait for timeout
  Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
  (cherry picked from commit 953dd279502980b1d8d30656eb78c6445a6e31f7)

* Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
  Jakub Pawlowski, 2019-03-23: 2 files changed, -7/+6

  Bug: 116222069
  Test: compilation
  Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
  (cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df)

* Fix buffer overflow in btif_dm_data_copy
  Jakub Pawlowski, 2019-03-23: 2 files changed, -50/+44

  When we use a union, we should always define variables as the union type,
  not as one of the field subtypes. If the latter is cast to the union type,
  buffer overflow can happen.

  Bug: 110166268
  Test: compilation
  Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd
  Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd
  (cherry picked from commit ea90417d9965aec1c475418ca8f8f305af12de2d)
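
The union rule stated in the commit message above, shown as an added C example that is not code from the Bluedroid stack or from this change. The event layouts `evt_auth_cmpl_t`, `evt_link_key_t` and `evt_sec_t` and the helpers `evt_sec_copy`, `evt_sec_overread_bytes` and `evt_sec_send_auth_cmpl` are constructed stand-ins for the real types, chosen only to show why casting a pointer to a small member up to the union type makes a whole-union copy read past the object, and why declaring the variable as the union avoids it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed event layouts in the style of a Bluedroid security-event
 * union (assumed shapes for this example; not the real stack types). */
typedef struct {
  uint8_t bd_addr[6];
  uint8_t fail_reason;
} evt_auth_cmpl_t;                 /* small member: 7 bytes */

typedef struct {
  uint8_t bd_addr[6];
  uint8_t bd_name[248];
  uint8_t link_key[16];
  uint8_t key_type;
} evt_link_key_t;                  /* large member: 271 bytes */

typedef union {
  evt_auth_cmpl_t auth_cmpl;
  evt_link_key_t  link_key;
} evt_sec_t;

/* Deferred-dispatch copy in the style of a "data copy" helper: it does not
 * know which member is live, so it copies the whole union. That is only
 * safe when src really points at a full evt_sec_t. */
void evt_sec_copy(evt_sec_t *dst, const void *src) {
  memcpy(dst, src, sizeof(evt_sec_t));
}

/* The bug pattern: a caller declares only the small member and casts its
 * address to the union type. evt_sec_copy then reads sizeof(evt_sec_t)
 * bytes from a 7-byte object; this returns how many of those bytes lie
 * outside the object (an over-read of the caller's stack or heap). */
size_t evt_sec_overread_bytes(void) {
  return sizeof(evt_sec_t) - sizeof(evt_auth_cmpl_t);
}

/* The fixed pattern: the variable is declared as the union, the member in
 * use is filled in, and the union itself is what gets copied. Every byte
 * evt_sec_copy reads lies inside `ev`. Returns true if the copy round-trips. */
bool evt_sec_send_auth_cmpl(const uint8_t addr[6], uint8_t reason, evt_sec_t *out) {
  evt_sec_t ev;
  memset(&ev, 0, sizeof(ev));    /* also keeps stale stack bytes out of the copy */
  memcpy(ev.auth_cmpl.bd_addr, addr, 6);
  ev.auth_cmpl.fail_reason = reason;
  evt_sec_copy(out, &ev);
  return memcmp(out->auth_cmpl.bd_addr, addr, 6) == 0 &&
         out->auth_cmpl.fail_reason == reason;
}
```

The size gap is the whole problem: with these layouts a cast from `evt_auth_cmpl_t *` to `evt_sec_t *` makes the copy read 264 bytes it was never given. Zeroing the union before filling the member also stops uninitialised bytes from travelling with the event.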
* HFP: Check AT command buffer boundary during parsing
  Chienyuan, 2019-02-10: 5 files changed, -22/+54

  * add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback and
    bta_ag_at_hfp_cback to indicate effective data range of p_arg
  * add checks for buffer copy overflow in bta_ag_at_hsp_cback and
    bta_ag_at_hfp_cback
  * add packet length checks with p_end in bta_ag_parse_cmer
  * add packet length checks with p_end in bta_ag_parse_bac

  Bug: 112860487
  Test: testplans/details/218593/3975
  Change-Id: I6bbbc2ba29ad025c7d3ba023d8191af6a11c4aa9
  (cherry picked from commit 28ddbe904bd15c9636063f5431a9360d8e9df8b9)
  CVE-2018-9583
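
The `p_end` pattern this commit describes, as an added C example that is not the bta_ag code or any part of this change. `at_copy_arg` and `at_parse_bac` are hypothetical names standing in for the fixed AT callbacks and for bta_ag_parse_bac; the AT+BAC codec list (1 = CVSD, 2 = mSBC in HFP) and the sample inputs are constructed. Both functions take the end of the received data instead of trusting a terminator, so a command cut off mid-argument stops the parser at `p_end`, and the copy is bounded by the destination size, not by the argument length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Copy the argument text [p, p_end) into a fixed-size buffer as a
 * NUL-terminated string, truncating instead of overflowing. Returns the
 * number of characters stored. This is the "buffer copy overflow" check:
 * the destination size, not the argument length, bounds the write. */
size_t at_copy_arg(const char *p, const char *p_end, char *dst, size_t dst_size) {
  if (dst_size == 0) return 0;
  size_t n = (p_end > p) ? (size_t)(p_end - p) : 0;
  if (n > dst_size - 1) n = dst_size - 1;   /* keep room for the NUL */
  memcpy(dst, p, n);
  dst[n] = '\0';
  return n;
}

/* Parse an unsigned decimal from *pp, never reading at or past p_end.
 * On success advances *pp past the digits. Fails on no digit or overflow. */
static bool at_parse_uint(const char **pp, const char *p_end, uint32_t *out) {
  const char *p = *pp;
  uint32_t v = 0;
  if (p >= p_end || *p < '0' || *p > '9') return false;
  while (p < p_end && *p >= '0' && *p <= '9') {
    uint32_t d = (uint32_t)(*p - '0');
    if (v > (UINT32_MAX - d) / 10) return false;
    v = v * 10 + d;
    p++;
  }
  *pp = p;
  *out = v;
  return true;
}

/* Parse the codec list of an AT+BAC= command ("1,2" = CVSD and mSBC),
 * storing at most max_codecs IDs. The packet's end, not a NUL terminator,
 * bounds every read: a command that stops mid-list leaves the parser at
 * p_end instead of reading whatever follows the received data.
 * Returns the number of codecs, or -1 if the list is malformed or too long. */
int at_parse_bac(const char *p, const char *p_end, uint8_t *codecs, size_t max_codecs) {
  size_t count = 0;
  while (p < p_end) {
    uint32_t id;
    if (!at_parse_uint(&p, p_end, &id) || id > 0xFF) return -1;
    if (count == max_codecs) return -1;     /* more IDs than the caller can hold */
    codecs[count++] = (uint8_t)id;
    if (p == p_end) break;                  /* list ends exactly with the packet */
    if (*p != ',') return -1;               /* only a separator may follow an ID */
    p++;
    if (p == p_end) return -1;              /* trailing separator with no ID */
  }
  return (int)count;
}
```

The truncated-packet case is the one worth testing: a buffer holding `1,2X` with `p_end` pointing at the `X` must parse two codecs and never look at the byte beyond.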
* SDP: Check p_end in save_attr_seq and add_attr
  Myles Watson, 2019-02-10: 1 file changed, -13/+20

  Bug: 115900043
  Test: Sanity pairing and SDP PTS
  Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
  (cherry picked from commit b8a5081b00fc9730092d8392786f3f4e659cb602)
  CVE-2018-9590
* Fix possible OOB when AVDT data channel receives ACL data
  Ugo Yu, 2019-02-10: 1 file changed, -3/+57

  Bug: 111450156
  Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
  (cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af)
  (cherry picked from commit ad4098c340b52acdb0f48fd3e2612d810e71f4c4)
  CVE-2018-9588
* MCAP: Check response length in mca_ccb_hdl_rsp
  Myles Watson, 2019-02-03: 1 file changed, -3/+17

  Bug: 116319076
  Test: Send a short MCAP response
  Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
  (cherry picked from commit 0ab53ca2af26f70126d6d9d6600d090a720758fa)
  CVE-2018-9592

* HH: Check parameter length in bta_hh_ctrl_dat_act
  Myles Watson, 2019-02-03: 1 file changed, -0/+8

  Bug: 116108738
  Test: send a malformed GET_IDLE command with no parameters
  Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
  (cherry picked from commit b8fbe73f0d32686e8393bfe07a84b6f0e8829caf)
  CVE-2018-9591

* Fix possible OOB read
  Jakub Pawlowski, 2019-01-13: 1 file changed, -0/+11

  Bug: 74249842
  Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
  (cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad)

* Check data length when parsing AVRCP vendor specific command responses
  Pavlin Radoslavov, 2019-01-13: 1 file changed, -1/+34

  Bug: 111450531
  Bug: 111896861
  Test: PoC test program
  Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
  (cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)

* Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()
  Pavlin Radoslavov, 2019-01-13: 1 file changed, -4/+49

  Bug: 111450417
  Test: PoC test program
  Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
  (cherry picked from commit 1c14e10cac53d5a5724dcf34c5679ad8819f9442)
  (cherry picked from commit f779ebe368d245c0d9ac954cf7b2b102e7da56be)

* Checks the SMP length to fix OOB read
  Cheney Ni, 2018-11-18: 1 file changed, -1/+19

  Bug: 111937065
  Test: manual
  Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
  Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
  (cherry picked from commit fceb753bda651c4135f3f93a510e5fcb4c7542b8)

* Add packet length check in smp_proc_master_id
  Ugo Yu, 2018-11-18: 1 file changed, -0/+10

  Bug: 111937027
  Test: manual
  Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075
  (cherry picked from commit c8294662d07a98e9b8b1cab1ab681ec0805ce4e8)

* DO NOT MERGE Fix OOB read before buffer length check
  Ugo Yu, 2018-11-18: 1 file changed, -1/+8

  Bug: 111936834
  Test: manual
  Change-Id: Ib98528fb62db0d724ebd9112d071e367f78e369d
  (cherry picked from commit 4548f34c90803c6544f6bed03399f2eabeab2a8e)

* Check packet length in bta_av_proc_meta_cmd
  Chienyuan, 2018-11-18: 1 file changed, -1/+8

  Bug: 111893951
  Test: manual - connect A2DP
  Change-Id: Ibbf347863dfd29ea3385312e9dde1082bc90d2f3
  (cherry picked from commit ed51887f921263219bcd2fbf6650ead5ec8d334e)

* Add missing AVRCP message length checks inside avrc_msg_cback
  Pavlin Radoslavov, 2018-11-18: 1 file changed, -6/+34

  Explicitly check the length of the received message before accessing the
  data.

  Bug: 111803925
  Bug: 79883824
  Test: POC scripts
  Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
  Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
  (cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
  (cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)

* Add packet length checks in mca_ccb_hdl_req
  Cheney Ni, 2018-11-18: 1 file changed, -1/+11

  Bug: 110791536
  Test: manual
  Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
  (cherry picked from commit 4de7ccdd914b7a178df9180d15f675b257ea6e02)

* Fix a wrong check in rfc_parse_data
  Hansong Zhang, 2018-11-18: 1 file changed, -1/+1

  Bug: 78288018
  Bug: 111436796
  Test: manual
  Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a
  (cherry picked from commit d1ced302cd1066087588c891027b1756be31db46)

* Add bound check for rfc_parse_data
  Hansong Zhang, 2018-11-18: 2 files changed, -8/+13

  Bug: 78288018
  Test: manual
  Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
  (cherry picked from commit 6039cb7225733195192b396ad19c528800feb735)

* Check remaining frame length in rfc_process_mx_message
  Hansong Zhang, 2018-11-18: 1 file changed, -0/+27

  Bug: 111936792
  Bug: 80432928
  Test: manual
  Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
  (cherry picked from commit 0471355c8b035aaa2ce07a33eecad60ad49c5ad0)

* Fix copy length calculation in sdp_copy_raw_data
  Jakub Pawlowski, 2018-11-18: 1 file changed, -0/+8

  Test: compilation
  Bug: 110216176
  Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
  (cherry picked from commit 23aa15743397b345f3d948289fe90efa2a2e2b3e)

* Fix OOB read in avrc_ctrl_pars_vendor_rsp
  Hansong Zhang, 2018-11-18: 1 file changed, -0/+8

  Bug: 78526423
  Test: manual
  Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91
  (cherry picked from commit d945ada503ed9c9ea24e092df51faba57f5d589a)

* Don't use Address after it was deleted
  Jakub Pawlowski, 2018-11-17: 3 files changed, -24/+30

  Bug: 110216173
  (cherry picked from commit 9930f6f4e14e64966869b119994126283d645fd0)
  Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
  Backported-By: Vasyl Gello <vasek.gello@gmail.com>

* DO NOT MERGE HFP: Fix out of bound access in phone number processing
  Jack He, 2018-11-17: 1 file changed, -4/+21

  * Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
    method
  * Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
    PhoneStateChange method

  Bug: 79431031
  Bug: 79266386
  Test: make call with super long phone numbers
  Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
  Merged-In: I98e7687ac4055800aa46626c6b1c866e52e474df
  (cherry picked from commit 82371c1204cc0b48941ec1d41c516c4b40093879)

* HID Host: Check L2CAP packet data length
  Hansong Zhang, 2018-10-22: 1 file changed, -0/+9

  Bug: 80493272
  Test: manual
  Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
  (cherry picked from commit ca47a05acb66218ff2123f8d4642961f7f2eb5e2)

* Fix OOB read in process_l2cap_cmd
  Hansong Zhang, 2018-10-22: 1 file changed, -0/+1

  Test: manual
  Bug: 79488381
  Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
  (cherry picked from commit 5bb66307b555b17d1764e116316ce50c687c9653)

* DO NOT MERGE: SDP: Recalculate param_len after max_list_len
  Myles Watson, 2018-10-22: 1 file changed, -0/+1

  Bug: 78136869
  Test: manual connection to an A2DP device
  Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
  (cherry picked from commit 9cc9eea21c7868034242b7ab8be750c565e46bfd)
* SDP: return error on offset bigger than attribute length
  Jakub Pawlowski, 2018-10-22: 1 file changed, -0/+14

  Test: none
  Bug: 79217770
  Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
  (cherry picked from commit 0a74ffa44cbe48f674387cc951e6011c28ca003c)
* Add packet length checks in l2cble_process_sig_cmd
  Jakub Pawlowski, 2018-10-22: 1 file changed, -0/+36

  Bug: 80261585
  Test: compilation
  Change-Id: Icf55747dc948bcce140a12658237554938e2d717
  (cherry picked from commit 02f47a752c818277b31852e3ff940764d5c7f9c7)

* Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
  Ajay Panicker, 2018-10-22: 1 file changed, -0/+5

  Bug: 74121659
  Test: Compiles
  Change-Id: Idf58e7b25b41ae1bd43cdd51de424b18e03cc7e8

* Add PDU size checks in process_service_search_attr_rsp
  Jakub Pawlowski, 2018-09-09: 1 file changed, -0/+14

  Bug: 79884292
  Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
  Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
  (cherry picked from commit 980f6427b183e013958acd6b70e91f58177408a6)

* GATT: Handle too short Error Response PDU
  Jakub Pawlowski, 2018-09-09: 1 file changed, -3/+19

  Since the spec is not clear what to do in this case, use one of reserved
  error codes as a failure reason, and pass it to upper layers.

  Bug: 79591688
  Change-Id: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
  Merged-In: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
  (cherry picked from commit f63c4b652b3231c2b4907bffd13410c6eb2aa760)
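
One way to implement the handling this commit describes, and the "bad packet length" check of the gatts_process_read_req entry further down this log, as an added C example that is not the GATT/ATT code of this stack. `att_pdu_min_len`, `att_pdu_len_ok`, `att_parse_error_rsp` and `ATT_ERR_SHORT_PDU_RESERVED` are hypothetical names; the minimum lengths follow the ATT PDU formats in the Bluetooth Core specification, and 0x7F is an assumed pick from the range the specification reserves for future use (the commit does not say which reserved code it chose). The sample PDUs in the test are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* ATT opcodes and fixed-part lengths from the Core specification. */
#define ATT_OP_ERROR_RSP          0x01
#define ATT_OP_MTU_REQ            0x02
#define ATT_OP_FIND_INFO_REQ      0x04
#define ATT_OP_READ_BY_TYPE_REQ   0x08
#define ATT_OP_READ_REQ           0x0A
#define ATT_OP_READ_BLOB_REQ      0x0C
#define ATT_OP_WRITE_REQ          0x12

/* Assumed choice for this example: a value from the range the spec reserves
 * for future use, so it cannot collide with a code a peer could send. */
#define ATT_ERR_SHORT_PDU_RESERVED 0x7F

/* Minimum PDU length (including the opcode byte) for the opcodes above,
 * or 0 for an opcode this table does not know. */
size_t att_pdu_min_len(uint8_t opcode) {
  switch (opcode) {
    case ATT_OP_ERROR_RSP:        return 5;  /* op, req op, handle(2), error */
    case ATT_OP_MTU_REQ:          return 3;  /* op, MTU(2) */
    case ATT_OP_FIND_INFO_REQ:    return 5;  /* op, start(2), end(2) */
    case ATT_OP_READ_BY_TYPE_REQ: return 7;  /* op, start(2), end(2), 16-bit UUID */
    case ATT_OP_READ_REQ:         return 3;  /* op, handle(2) */
    case ATT_OP_READ_BLOB_REQ:    return 5;  /* op, handle(2), offset(2) */
    case ATT_OP_WRITE_REQ:        return 3;  /* op, handle(2), value(0..) */
    default:                      return 0;
  }
}

/* Gate every PDU on its minimum length before any field is decoded. An
 * unknown opcode is rejected here too, since it has no known length. */
bool att_pdu_len_ok(const uint8_t *pdu, size_t len) {
  if (len < 1) return false;
  size_t min = att_pdu_min_len(pdu[0]);
  return min != 0 && len >= min;
}

typedef struct {
  uint8_t  req_opcode;   /* opcode of the request that failed */
  uint16_t handle;       /* attribute handle in error */
  uint8_t  error_code;   /* ATT error code */
} att_error_rsp_t;

/* Decode an Error Response. A PDU shorter than five octets has no usable
 * fields; instead of reading them from beyond the buffer (or silently
 * dropping the PDU, which would leave the pending request hanging), fill in
 * a reserved error code so the upper layer still sees its request fail.
 * Returns false only if the PDU is not an Error Response at all. */
bool att_parse_error_rsp(const uint8_t *pdu, size_t len, att_error_rsp_t *out) {
  if (len < 1 || pdu[0] != ATT_OP_ERROR_RSP) return false;
  if (!att_pdu_len_ok(pdu, len)) {
    out->req_opcode = 0;
    out->handle = 0;
    out->error_code = ATT_ERR_SHORT_PDU_RESERVED;
    return true;
  }
  out->req_opcode = pdu[1];
  out->handle = (uint16_t)(pdu[2] | ((uint16_t)pdu[3] << 8));  /* little-endian */
  out->error_code = pdu[4];
  return true;
}
```

The table makes the length check a single gate in front of the per-opcode handlers, which is the shape that keeps a Read Request with a missing handle byte from ever reaching the handle decode.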
* RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (2/2)
  akirilov, 2018-08-08: 1 file changed, -1/+6

  Bug: 74075873
  Test: manual
  Change-Id: I9a7035a74aca3256c5712ea67a7435627b139c37
  (cherry picked from commit 9d647b201b64949e04eade9b594af76c764dbb96)
* Add checks whether the AVDTP element data length is valid
  Pavlin Radoslavov, 2018-08-08: 1 file changed, -0/+11

  Bug: 78288378
  Test: Manual: Python script and extra logging
  Change-Id: I715b5977c833d33ff798f008fbf244effa13ea1f
  Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
  (cherry picked from commit 9b3f96f50287d8789aff6d6895d7ae02ca6ac619)
  (cherry picked from commit ee30c88a8d49b30860d35b34a57c3037a4045678)

* RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
  akirilov, 2018-08-08: 1 file changed, -1/+1

  Bug: 74075873
  Test: manual test (poc in bug)
  Change-Id: I56e87cfdf8731acca00cefac98abb2ba06f6e7ed
  (cherry picked from commit 3575ba8ca36dccf7dcdb2dbf16ed170d549911d3)

* BNEP: Fix OOB access in bnep_data_ind
  Jack He, 2018-08-08: 1 file changed, -9/+26

  * Stop reading the L2CAP packet if packet length is 0
  * Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
    the buffer pointer by length of payload
  * Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
  * Move error logging to more appropriate locations at where the OOB
    access is most likely triggered

  Bug: 78286118
  Bug: 79164722
  Test: Send zero length L2CAP packet to BNEP, send invalid
    BNEP_EXTENSION_CONTROL packet
  Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
  Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
  (cherry picked from commit 3c799a6e25abdf6bacb660ff7a06338836cc7356)
  (cherry picked from commit 0416340ffa61337dbaa2f6602ef85a1c32563ec2)
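
The checks in this commit's bullet list, as an added C example of a BNEP header walker that is not the bnep_data_ind code of this change. `bnep_parse_extensions`, `bnep_data_ind`, `bnep_ext_t` and the sample packets are constructed for the example; the frame types, header sizes and extension-header layout follow the BNEP specification. The empty L2CAP packet, the unknown frame type (the subject of the "BNEP: Check received frame type" entry at the end of this log) and the zero-length control extension each return -1 before any byte past the received data is touched, and the cursor only advances past an extension after that extension has been validated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* BNEP frame types, header sizes after the type byte, extension bit. */
#define BNEP_FRAME_GENERAL_ETHERNET       0x00   /* dst(6) src(6) proto(2) */
#define BNEP_FRAME_CONTROL                0x01   /* control payload follows */
#define BNEP_FRAME_COMPRESSED_ETHERNET    0x02   /* proto(2) */
#define BNEP_FRAME_COMPRESSED_SRC_ONLY    0x03   /* src(6) proto(2) */
#define BNEP_FRAME_COMPRESSED_DEST_ONLY   0x04   /* dst(6) proto(2) */
#define BNEP_EXTENSION_BIT                0x80
#define BNEP_TYPE_MASK                    0x7F
#define BNEP_EXTENSION_CONTROL            0x00

typedef struct {
  uint8_t type;
  uint8_t len;
  const uint8_t *data;
} bnep_ext_t;

/* Header length for a frame type, or -1 for a type we do not handle. */
static int bnep_hdr_len(uint8_t type) {
  switch (type) {
    case BNEP_FRAME_GENERAL_ETHERNET:     return 14;
    case BNEP_FRAME_CONTROL:              return 0;
    case BNEP_FRAME_COMPRESSED_ETHERNET:  return 2;
    case BNEP_FRAME_COMPRESSED_SRC_ONLY:  return 8;
    case BNEP_FRAME_COMPRESSED_DEST_ONLY: return 8;
    default:                              return -1;
  }
}

/* Walk the chain of extension headers at p with `len` bytes remaining.
 * Each extension is: type (bit 7 set = another extension follows), length,
 * then `length` bytes of payload. Every extension is validated before the
 * cursor moves past it; a chain that runs past `len`, or a control extension
 * with an empty payload (its command byte would be read from beyond the
 * extension), is rejected. Fills up to max_exts descriptors, stores the count
 * in *n_out, and returns the number of bytes consumed or -1. */
int bnep_parse_extensions(const uint8_t *p, size_t len, bnep_ext_t *exts,
                          size_t max_exts, size_t *n_out) {
  size_t off = 0, n = 0;
  bool more = true;
  while (more) {
    if (len - off < 2) return -1;                     /* type + length bytes */
    uint8_t type = p[off] & BNEP_TYPE_MASK;
    more = (p[off] & BNEP_EXTENSION_BIT) != 0;
    uint8_t elen = p[off + 1];
    off += 2;
    if (elen > len - off) return -1;                  /* payload exceeds packet */
    if (type == BNEP_EXTENSION_CONTROL && elen == 0) return -1;
    if (n < max_exts) {
      exts[n].type = type;
      exts[n].len = elen;
      exts[n].data = p + off;
    }
    n++;
    off += elen;                                      /* advance only after the checks */
  }
  *n_out = n;
  return (int)off;
}

/* Entry point in the style of a data-indication callback: returns the offset
 * of the network payload within the L2CAP packet, or -1 if the packet is
 * empty, the frame type is unknown, the fixed header is incomplete, or the
 * extension chain is malformed. */
int bnep_data_ind(const uint8_t *pkt, size_t len, bnep_ext_t *exts,
                  size_t max_exts, size_t *n_exts) {
  *n_exts = 0;
  if (len == 0) return -1;                            /* nothing to read, not even a type */
  int hdr = bnep_hdr_len(pkt[0] & BNEP_TYPE_MASK);
  if (hdr < 0) return -1;
  size_t off = 1 + (size_t)hdr;
  if (off > len) return -1;                           /* fixed header is cut short */
  if (pkt[0] & BNEP_EXTENSION_BIT) {
    int used = bnep_parse_extensions(pkt + off, len - off, exts, max_exts, n_exts);
    if (used < 0) return -1;
    off += (size_t)used;
  }
  return (int)off;
}
```

Note the order inside the loop: the length byte is checked against the bytes actually left, and the control/zero-length case is rejected, before `off += elen`; doing the advance first is exactly how a zero-length control extension becomes a read from the wrong place.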
* Decrease length after reading from array in process_service_attr_req
  Jakub Pawlowski, 2018-08-08: 1 file changed, -0/+2

  Test: compilation
  Bug: 78136677
  Change-Id: I4807a350e2b4764a93f104ce88f23a957a7e85c0
  (cherry picked from commit 6cd2e8bf6e5707e8e77e7aca6519c58200ee58db)

* DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_event
  Hansong Zhang, 2018-08-08: 1 file changed, -0/+7

  Bug: 80145946
  Test: manual
  Change-Id: Ic83eaa4be868d5a345d80cd50a6915c0af719a53
  (cherry picked from commit 519b61392a96fbd45bdcc0bfddc881167c20cc23)

* DO NOT MERGE Prevent stack overflow in btif_storage
  Refs: replicant-6.0-0004-rc1
  Hansong Zhang, 2018-07-16: 1 file changed, -0/+4

  Bug: 73963551
  Test: manual
  Change-Id: I5f7a583aad150ebf9e3d492181d80ca935c8aa3f
  (cherry picked from commit e8d311224277e9db5dc94cb94929125992f546f3)

* DO NOT MERGE Fix unexpected behavior in smp_sm_event
  Hansong Zhang, 2018-07-16: 1 file changed, -0/+8

  Bug: 74121126
  Test: manual
  Change-Id: Ie5dd841d6461ad057c4ab572007f38c5446aba53
  (cherry picked from commit 652798b2f2d6c90e0fc95c00ccfb91e2870b03d4)

* DO NOT MERGE Fix OOB read in process_l2cap_cmd
  Hansong Zhang, 2018-06-08: 1 file changed, -0/+104

  Bug: 74202041
  Bug: 74196706
  Bug: 74201143
  Test: manual
  Change-Id: Ic25f7f3777d0375f76cc91e4d129b1636f1c388d
  (cherry picked from commit ff15adf5150527db1012b9f7777066522835e2db)
  CVE-2018-9359, CVE-2018-9360, CVE-2018-9361

* DO NOT MERGE Handle bad packet length in gatts_process_read_req
  Stanley Tng, 2018-06-08: 1 file changed, -0/+16

  Added error check and handling code in gatts_process_read_req to make sure
  that the packet length is correct.

  Please note that there is another earlier CL that is reverted and this is
  the updated one.

  Bug: 73172115
  Test: Run the test program, poc, that was attached in the bug report
  Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
  Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
  (cherry picked from commit cc9c7330d1c3507d745170ae7b2e0546197b7acb)
  (cherry picked from commit 16f4c21be5bd0ea1968eee8a0f00648b1e326253)
  CVE-2018-9358

* DO NOT MERGE Add bounds check for BNEP_Write
  Hansong Zhang, 2018-06-08: 1 file changed, -0/+9

  Bug: 74947856
  Test: manual
  Change-Id: If5db8c6b6e509a330ae74808fc3f0ffac137af14
  (cherry picked from commit ae9d06c1dc84db36c0c4a07fc56a1fbf008cd1ce)
  CVE-2018-9357

* PAN: Always allocate in bta_pan_data_buf_ind_cback
  Myles Watson, 2018-06-08: 3 files changed, -39/+21

  Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double free.
  Move the free call to pan_data_buf_ind_cb(). Free the buffer before every
  return in pan_data_buf_ind_cb.

  Bug: 74950468
  Test: manual tethering test with DUT sharing its connection
  Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
  Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
  (cherry picked from commit 98232b084c66368234d19fafe3076bc1c0f1b578)
  CVE-2018-9356

* DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result
  Hansong Zhang, 2018-06-08: 1 file changed, -5/+16

  Check the number of UUIDs from remote device

  Bug: 74016921
  Test: manual
  Change-Id: I1ca1f66bfc935f5fd219e8147511bdac7d2789ef
  (cherry picked from commit 67ec216daa43f71adf103de6c4156c5a892c1460)
  CVE-2018-9355

* SDP: Check p_req_end before reading from p_req
  Myles Watson, 2018-04-14: 2 files changed, -26/+68

  Bug: 69384124
  Test: Connect a headset
  Change-Id: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
  Merged-In: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
  (cherry picked from commit dd856fbc4ade8f7d78873db3533b4c9fd7c6d612)

* DO NOT MERGE Truncate new line characters when adding string to config
  Hansong Zhang, 2018-04-14: 1 file changed, -2/+25

  [Reworked for C support]

  Bug: 70808273
  Test: test with a device with newline character in name
  Change-Id: I8729e12ad5851ee1ffbcb7c08e9a659f768ffc21
  (cherry picked from commit dd9bbfc2458569d9fecf35f7503d1b89b4c69aa0)

* AVRCP: Check the number of text value attributes requested
  Ajay Panicker, 2018-04-06: 1 file changed, -0/+5

  Test: Builds
  Bug: 69479009
  Change-Id: I184ddfdb56c15c2b07d52a2624240738efb4d207
  (cherry picked from commit 6313da35abc93fcfb783c68f2e02427df9928ecf)

* BNEP: Check received frame type
  Myles Watson, 2018-03-30: 1 file changed, -0/+7

  Bug: 68818034
  Test: build
  Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
  (cherry picked from commit b910734a55fd3babf71b049d5638bf86f81d7c1e)
  CVE-2017-13269