android_system_bt, branch cm-13.0 Unnamed repository; edit this file 'description' to name the repository. resolve merge conflicts of ec78d74706c3e81f91eee53e3d9f959f66e5d77f to pi-dev 2019-07-07T12:49:22+00:00 Hansong Zhang hsz@google.com 2019-02-02T01:45:30+00:00 ad7555c9d783be7e360de0edf114f3da8da70b5f Bug: None Test: I solemnly swear I tested this conflict resolution. Change-Id: Id658b3485fdc0025bc44850be9f23bb2d2146d9b (cherry picked from commit 6c0f22f324ed0bdf9dea3e803e5ee6176d03fdb4) 
Bug: None
Test: I solemnly swear I tested this conflict resolution.
Change-Id: Id658b3485fdc0025bc44850be9f23bb2d2146d9b
(cherry picked from commit 6c0f22f324ed0bdf9dea3e803e5ee6176d03fdb4)
btm_proc_smp_cback: Don't access p_dev_rec if freed 2019-07-07T12:40:23+00:00 Hansong Zhang hsz@google.com 2019-01-10T02:18:17+00:00 3d34ee18a6b5e16ddf77157103a1c3cc5a777d3b In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle to prevent use after free Bug: 120612744 Test: Use ASAN build; connect to a LE device and wait for timeout Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac (cherry picked from commit 953dd279502980b1d8d30656eb78c6445a6e31f7) 
In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free

Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
(cherry picked from commit 953dd279502980b1d8d30656eb78c6445a6e31f7)
Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm 2019-03-23T14:57:06+00:00 Jakub Pawlowski jpawlowski@google.com 2018-11-20T21:31:31+00:00 1ce2f0f57ce8d450ff16c177f51304b3d3736319 Bug: 116222069 Test: compilation Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d (cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df) 
Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df)
Fix buffer overflow in btif_dm_data_copy 2019-03-23T14:50:54+00:00 Jakub Pawlowski jpawlowski@google.com 2018-11-27T17:22:22+00:00 4363f8407fb8dfe628b4e34eda4d1ed443461b0d When we use a union, we should always define variables as the union type, not as one of the field subtypes. If the latter is cast to the union type, buffer overflow can happen. Bug: 110166268 Test: compilation Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd (cherry picked from commit ea90417d9965aec1c475418ca8f8f305af12de2d) 
When we use a union, we should always define variables as the union type,
not as one of the field subtypes. If the latter is cast to the union type,
buffer overflow can happen.

Bug: 110166268
Test: compilation
Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd
Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd
(cherry picked from commit ea90417d9965aec1c475418ca8f8f305af12de2d)
HFP: Check AT command buffer boundary during parsing 2019-02-10T11:18:19+00:00 Chienyuan chienyuanhuang@google.com 2018-09-18T09:13:16+00:00 108912d72017f3273081c1106acd539bf8be7a6c * add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback and bta_ag_at_hfp_cback to indicate effective data range of p_arg * add checks for buffer copy overflow in bta_ag_at_hsp_cback and bta_ag_at_hfp_cback * add packet legnth checks with p_end in bta_ag_parse_cmer * add packet length checks with p_end in bta_ag_parse_bac Bug: 112860487 Test: testplans/details/218593/3975 Change-Id: I6bbbc2ba29ad025c7d3ba023d8191af6a11c4aa9 (cherry picked from commit 28ddbe904bd15c9636063f5431a9360d8e9df8b9) CVE-2018-9583 
* add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback
  and bta_ag_at_hfp_cback to indicate effective data range of p_arg
* add checks for buffer copy overflow in bta_ag_at_hsp_cback and
  bta_ag_at_hfp_cback
* add packet legnth checks with p_end in bta_ag_parse_cmer
* add packet length checks with p_end in bta_ag_parse_bac

Bug: 112860487
Test: testplans/details/218593/3975
Change-Id: I6bbbc2ba29ad025c7d3ba023d8191af6a11c4aa9
(cherry picked from commit 28ddbe904bd15c9636063f5431a9360d8e9df8b9)
CVE-2018-9583
SDP: Check p_end in save_attr_seq and add_attr 2019-02-10T11:16:59+00:00 Myles Watson mylesgw@google.com 2018-10-25T00:05:12+00:00 4258d0b4170bc75d0658911aa805e032b9642ef1 Bug: 115900043 Test: Sanity pairing and SDP PTS Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11 (cherry picked from commit b8a5081b00fc9730092d8392786f3f4e659cb602) CVE-2018-9590 
Bug: 115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit b8a5081b00fc9730092d8392786f3f4e659cb602)
CVE-2018-9590
Fix possible OOB when AVDT data channel recive ACL data 2019-02-10T11:16:09+00:00 Ugo Yu ugoyu@google.com 2018-10-29T17:57:06+00:00 07e8472579a29d17b630d1c43735245934ba51dd Bug: 111450156 Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6 (cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af) (cherry picked from commit ad4098c340b52acdb0f48fd3e2612d810e71f4c4) CVE-2018-9588 
Bug: 111450156

Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af)
(cherry picked from commit ad4098c340b52acdb0f48fd3e2612d810e71f4c4)
CVE-2018-9588
MCAP: Check response length in mca_ccb_hdl_rsp 2019-02-03T11:40:00+00:00 Myles Watson mylesgw@google.com 2018-10-25T22:27:03+00:00 409e6b9b92ed7104ce03ffb9842f1960461db6b7 Bug: 116319076 Test: Send a short MCAP response Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179 (cherry picked from commit 0ab53ca2af26f70126d6d9d6600d090a720758fa) CVE-2018-9592 
Bug: 116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit 0ab53ca2af26f70126d6d9d6600d090a720758fa)
CVE-2018-9592
HH: Check parameter length in bta_hh_ctrl_dat_act 2019-02-03T11:39:53+00:00 Myles Watson mylesgw@google.com 2018-10-25T21:33:33+00:00 2f5769c8a107197c3c3692a0cb8cf6b8795d0c0e Bug: 116108738 Test: send a malformed GET_IDLE command with no parameters Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c (cherry picked from commit b8fbe73f0d32686e8393bfe07a84b6f0e8829caf) CVE-2018-9591 
Bug: 116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit b8fbe73f0d32686e8393bfe07a84b6f0e8829caf)
CVE-2018-9591
Fix possible OOB read 2019-01-13T17:05:58+00:00 Jakub Pawlowski jpawlowski@google.com 2018-10-10T17:35:37+00:00 ca40fc59e97f6faa6974a6a6c0d54dbf81688242 Bug: 74249842 Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98 (cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad) 
Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad)