| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Bug: None
Test: I solemnly swear I tested this conflict resolution.
Change-Id: Id658b3485fdc0025bc44850be9f23bb2d2146d9b
(cherry picked from commit 6c0f22f324ed0bdf9dea3e803e5ee6176d03fdb4)
|
|
|
|
|
|
|
|
|
|
| |
In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free
Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
(cherry picked from commit 953dd279502980b1d8d30656eb78c6445a6e31f7)
|
|
|
|
|
|
|
| |
Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df)
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we use a union, we should always define variables as the union type,
not as one of the field subtypes. If the latter is cast to the union type,
buffer overflow can happen.
Bug: 110166268
Test: compilation
Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd
Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd
(cherry picked from commit ea90417d9965aec1c475418ca8f8f305af12de2d)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback
and bta_ag_at_hfp_cback to indicate effective data range of p_arg
* add checks for buffer copy overflow in bta_ag_at_hsp_cback and
bta_ag_at_hfp_cback
* add packet legnth checks with p_end in bta_ag_parse_cmer
* add packet length checks with p_end in bta_ag_parse_bac
Bug: 112860487
Test: testplans/details/218593/3975
Change-Id: I6bbbc2ba29ad025c7d3ba023d8191af6a11c4aa9
(cherry picked from commit 28ddbe904bd15c9636063f5431a9360d8e9df8b9)
CVE-2018-9583
|
|
|
|
|
|
|
|
| |
Bug: 115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit b8a5081b00fc9730092d8392786f3f4e659cb602)
CVE-2018-9590
|
|
|
|
|
|
|
|
|
| |
Bug: 111450156
Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af)
(cherry picked from commit ad4098c340b52acdb0f48fd3e2612d810e71f4c4)
CVE-2018-9588
|
|
|
|
|
|
|
|
| |
Bug: 116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit 0ab53ca2af26f70126d6d9d6600d090a720758fa)
CVE-2018-9592
|
|
|
|
|
|
|
|
| |
Bug: 116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit b8fbe73f0d32686e8393bfe07a84b6f0e8829caf)
CVE-2018-9591
|
|
|
|
|
|
| |
Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad)
|
|
|
|
|
|
|
|
| |
Bug: 111450531
Bug: 111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)
|
|
|
|
|
|
|
|
| |
Bug: 111450417
Test: PoC test program
Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
(cherry picked from commit 1c14e10cac53d5a5724dcf34c5679ad8819f9442)
(cherry picked from commit f779ebe368d245c0d9ac954cf7b2b102e7da56be)
|
|
|
|
|
|
|
|
| |
Bug: 111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
(cherry picked from commit fceb753bda651c4135f3f93a510e5fcb4c7542b8)
|
|
|
|
|
|
|
|
| |
Bug: 111937027
Test: manual
Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075
(cherry picked from commit c8294662d07a98e9b8b1cab1ab681ec0805ce4e8)
|
|
|
|
|
|
|
| |
Bug: 111936834
Test: manual
Change-Id: Ib98528fb62db0d724ebd9112d071e367f78e369d
(cherry picked from commit 4548f34c90803c6544f6bed03399f2eabeab2a8e)
|
|
|
|
|
|
|
| |
Bug: 111893951
Test: manual - connect A2DP
Change-Id: Ibbf347863dfd29ea3385312e9dde1082bc90d2f3
(cherry picked from commit ed51887f921263219bcd2fbf6650ead5ec8d334e)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Explicitly check the length of the received message before
accessing the data.
Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
(cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)
|
|
|
|
|
|
|
| |
Bug: 110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
(cherry picked from commit 4de7ccdd914b7a178df9180d15f675b257ea6e02)
|
|
|
|
|
|
|
|
| |
Bug: 78288018
Bug: 111436796
Test: manual
Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a
(cherry picked from commit d1ced302cd1066087588c891027b1756be31db46)
|
|
|
|
|
|
|
| |
Bug: 78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit 6039cb7225733195192b396ad19c528800feb735)
|
|
|
|
|
|
|
|
| |
Bug: 111936792
Bug: 80432928
Test: manual
Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
(cherry picked from commit 0471355c8b035aaa2ce07a33eecad60ad49c5ad0)
|
|
|
|
|
|
|
| |
Test: compilation
Bug: 110216176
Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
(cherry picked from commit 23aa15743397b345f3d948289fe90efa2a2e2b3e)
|
|
|
|
|
|
|
| |
Bug: 78526423
Test: manual
Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91
(cherry picked from commit d945ada503ed9c9ea24e092df51faba57f5d589a)
|
|
|
|
|
|
|
|
| |
Bug: 110216173
(cherry picked from commit 9930f6f4e14e64966869b119994126283d645fd0)
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
Backported-By: Vasyl Gello <vasek.gello@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
method
* Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
PhoneStateChange method
Bug: 79431031
Bug: 79266386
Test: make call with super long phone numbers
Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
Merged-In: I98e7687ac4055800aa46626c6b1c866e52e474df
(cherry picked from commit 82371c1204cc0b48941ec1d41c516c4b40093879)
|
|
|
|
|
|
|
| |
Bug: 80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit ca47a05acb66218ff2123f8d4642961f7f2eb5e2)
|
|
|
|
|
|
|
| |
Test: manual
Bug: 79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
(cherry picked from commit 5bb66307b555b17d1764e116316ce50c687c9653)
|
|
|
|
|
|
|
| |
Bug: 78136869
Test: manual connection to an A2DP device
Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
(cherry picked from commit 9cc9eea21c7868034242b7ab8be750c565e46bfd)
|
|
|
|
|
|
|
| |
Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit 0a74ffa44cbe48f674387cc951e6011c28ca003c)
|
|
|
|
|
|
|
| |
Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit 02f47a752c818277b31852e3ff940764d5c7f9c7)
|
|
|
|
|
|
| |
Bug: 74121659
Test: Compiles
Change-Id: Idf58e7b25b41ae1bd43cdd51de424b18e03cc7e8
|
|
|
|
|
|
|
| |
Bug: 79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
(cherry picked from commit 980f6427b183e013958acd6b70e91f58177408a6)
|
|
|
|
|
|
|
|
|
|
| |
Since the spec is not clear what to do in this case, use one of
reserved error codes as a failure reason, and pass it to upper layers.
Bug: 79591688
Change-Id: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
Merged-In: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
(cherry picked from commit f63c4b652b3231c2b4907bffd13410c6eb2aa760)
|
|
|
|
|
|
|
| |
Bug: 74075873
Test: manual
Change-Id: I9a7035a74aca3256c5712ea67a7435627b139c37
(cherry picked from commit 9d647b201b64949e04eade9b594af76c764dbb96)
|
|
|
|
|
|
|
|
|
| |
Bug: 78288378
Test: Manual: Python script and extra logging
Change-Id: I715b5977c833d33ff798f008fbf244effa13ea1f
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit 9b3f96f50287d8789aff6d6895d7ae02ca6ac619)
(cherry picked from commit ee30c88a8d49b30860d35b34a57c3037a4045678)
|
|
|
|
|
|
|
| |
Bug: 74075873
Test: manual test (poc in bug)
Change-Id: I56e87cfdf8731acca00cefac98abb2ba06f6e7ed
(cherry picked from commit 3575ba8ca36dccf7dcdb2dbf16ed170d549911d3)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
is most likely triggered
Bug: 78286118
Bug: 79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
BNEP_EXTENSION_CONTROL packet
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit 3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit 0416340ffa61337dbaa2f6602ef85a1c32563ec2)
|
|
|
|
|
|
|
| |
Test: compilation
Bug: 78136677
Change-Id: I4807a350e2b4764a93f104ce88f23a957a7e85c0
(cherry picked from commit 6cd2e8bf6e5707e8e77e7aca6519c58200ee58db)
|
|
|
|
|
|
|
| |
Bug: 80145946
Test: manual
Change-Id: Ic83eaa4be868d5a345d80cd50a6915c0af719a53
(cherry picked from commit 519b61392a96fbd45bdcc0bfddc881167c20cc23)
|
|
|
|
|
|
|
| |
Bug: 73963551
Test: manual
Change-Id: I5f7a583aad150ebf9e3d492181d80ca935c8aa3f
(cherry picked from commit e8d311224277e9db5dc94cb94929125992f546f3)
|
|
|
|
|
|
|
| |
Bug: 74121126
Test: manual
Change-Id: Ie5dd841d6461ad057c4ab572007f38c5446aba53
(cherry picked from commit 652798b2f2d6c90e0fc95c00ccfb91e2870b03d4)
|
|
|
|
|
|
|
|
|
|
| |
Bug: 74202041
Bug: 74196706
Bug: 74201143
Test: manual
Change-Id: Ic25f7f3777d0375f76cc91e4d129b1636f1c388d
(cherry picked from commit ff15adf5150527db1012b9f7777066522835e2db)
CVE-2018-9359, CVE-2018-9360, CVE-2018-9361
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Please note that there is another earlier CL that is reverted and this
is the updated one.
Bug: 73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit cc9c7330d1c3507d745170ae7b2e0546197b7acb)
(cherry picked from commit 16f4c21be5bd0ea1968eee8a0f00648b1e326253)
CVE-2018-9358
|
|
|
|
|
|
|
|
| |
Bug: 74947856
Test: manual
Change-Id: If5db8c6b6e509a330ae74808fc3f0ffac137af14
(cherry picked from commit ae9d06c1dc84db36c0c4a07fc56a1fbf008cd1ce)
CVE-2018-9357
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free. Move the free call to pan_data_buf_ind_cb().
Free the buffer before every return in pan_data_buf_ind_cb.
Bug: 74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
(cherry picked from commit 98232b084c66368234d19fafe3076bc1c0f1b578)
CVE-2018-9356
|
|
|
|
|
|
|
|
|
|
| |
Check the number of UUIDs from remote device
Bug: 74016921
Test: manual
Change-Id: I1ca1f66bfc935f5fd219e8147511bdac7d2789ef
(cherry picked from commit 67ec216daa43f71adf103de6c4156c5a892c1460)
CVE-2018-9355
|
|
|
|
|
|
|
|
| |
Bug: 69384124
Test: Connect a headset
Change-Id: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
Merged-In: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
(cherry picked from commit dd856fbc4ade8f7d78873db3533b4c9fd7c6d612)
|
|
|
|
|
|
|
|
|
| |
[Reworked for C support]
Bug: 70808273
Test: test with a device with newline character in name
Change-Id: I8729e12ad5851ee1ffbcb7c08e9a659f768ffc21
(cherry picked from commit dd9bbfc2458569d9fecf35f7503d1b89b4c69aa0)
|
|
|
|
|
|
|
| |
Test: Builds
Bug: 69479009
Change-Id: I184ddfdb56c15c2b07d52a2624240738efb4d207
(cherry picked from commit 6313da35abc93fcfb783c68f2e02427df9928ecf)
|
|
|
|
|
|
|
|
| |
Bug: 68818034
Test: build
Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
(cherry picked from commit b910734a55fd3babf71b049d5638bf86f81d7c1e)
CVE-2017-13269
|