summaryrefslogtreecommitdiffstats
path: root/stack
Commit message (Collapse)AuthorAgeFilesLines
* resolve merge conflicts of ec78d74706c3e81f91eee53e3d9f959f66e5d77f to pi-devHEADreplicant-6.0-0004-transitionreplicant-6.0-0004-rc6replicant-6.0-0004-rc5-transitionreplicant-6.0-0004-rc5replicant-6.0-0004-rc4replicant-6.0-0004-rc3replicant-6.0-0004-rc2replicant-6.0-0004cm-13.0Hansong Zhang2019-07-072-10/+37
| | | | | | | Bug: None Test: I solemnly swear I tested this conflict resolution. Change-Id: Id658b3485fdc0025bc44850be9f23bb2d2146d9b (cherry picked from commit 6c0f22f324ed0bdf9dea3e803e5ee6176d03fdb4)
* btm_proc_smp_cback: Don't access p_dev_rec if freedHansong Zhang2019-07-071-0/+7
| | | | | | | | | | In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle to prevent use after free Bug: 120612744 Test: Use ASAN build; connect to a LE device and wait for timeout Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac (cherry picked from commit 953dd279502980b1d8d30656eb78c6445a6e31f7)
* Fix buffer overflow in btif_dm_data_copyJakub Pawlowski2019-03-232-50/+44
| | | | | | | | | | | | When we use a union, we should always define variables as the union type, not as one of the field subtypes. If the latter is cast to the union type, buffer overflow can happen. Bug: 110166268 Test: compilation Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd (cherry picked from commit ea90417d9965aec1c475418ca8f8f305af12de2d)
* SDP: Check p_end in save_attr_seq and add_attrMyles Watson2019-02-101-13/+20
| | | | | | | | Bug: 115900043 Test: Sanity pairing and SDP PTS Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11 (cherry picked from commit b8a5081b00fc9730092d8392786f3f4e659cb602) CVE-2018-9590
* Fix possible OOB when AVDT data channel recive ACL dataUgo Yu2019-02-101-3/+57
| | | | | | | | | Bug: 111450156 Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6 (cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af) (cherry picked from commit ad4098c340b52acdb0f48fd3e2612d810e71f4c4) CVE-2018-9588
* MCAP: Check response length in mca_ccb_hdl_rspMyles Watson2019-02-031-3/+17
| | | | | | | | Bug: 116319076 Test: Send a short MCAP response Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179 (cherry picked from commit 0ab53ca2af26f70126d6d9d6600d090a720758fa) CVE-2018-9592
* Fix possible OOB readJakub Pawlowski2019-01-131-0/+11
| | | | | | Bug: 74249842 Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98 (cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad)
* Check data length when parsing AVRCP vendor specific command responsesPavlin Radoslavov2019-01-131-1/+34
| | | | | | | | Bug: 111450531 Bug: 111896861 Test: PoC test program Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa (cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)
* Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()Pavlin Radoslavov2019-01-131-4/+49
| | | | | | | | Bug: 111450417 Test: PoC test program Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163 (cherry picked from commit 1c14e10cac53d5a5724dcf34c5679ad8819f9442) (cherry picked from commit f779ebe368d245c0d9ac954cf7b2b102e7da56be)
* Checks the SMP length to fix OOB readCheney Ni2018-11-181-1/+19
| | | | | | | | Bug: 111937065 Test: manual Change-Id: I330880a6e1671d0117845430db4076dfe1aba688 Merged-In: I330880a6e1671d0117845430db4076dfe1aba688 (cherry picked from commit fceb753bda651c4135f3f93a510e5fcb4c7542b8)
* Add packet length check in smp_proc_master_idUgo Yu2018-11-181-0/+10
| | | | | | | | Bug: 111937027 Test: manual Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075 (cherry picked from commit c8294662d07a98e9b8b1cab1ab681ec0805ce4e8)
* DO NOT MERGE Fix OOB read before buffer length checkUgo Yu2018-11-181-1/+8
| | | | | | | Bug: 111936834 Test: manual Change-Id: Ib98528fb62db0d724ebd9112d071e367f78e369d (cherry picked from commit 4548f34c90803c6544f6bed03399f2eabeab2a8e)
* Add missing AVRCP message length checks inside avrc_msg_cbackPavlin Radoslavov2018-11-181-6/+34
| | | | | | | | | | | | | Explicitly check the length of the received message before accessing the data. Bug: 111803925 Bug: 79883824 Test: POC scripts Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb (cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f) (cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)
* Add packet length checks in mca_ccb_hdl_reqCheney Ni2018-11-181-1/+11
| | | | | | | Bug: 110791536 Test: manual Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a (cherry picked from commit 4de7ccdd914b7a178df9180d15f675b257ea6e02)
* Fix a wrong check in rfc_parse_dataHansong Zhang2018-11-181-1/+1
| | | | | | | | Bug: 78288018 Bug: 111436796 Test: manual Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a (cherry picked from commit d1ced302cd1066087588c891027b1756be31db46)
* Add bound check for rfc_parse_dataHansong Zhang2018-11-182-8/+13
| | | | | | | Bug: 78288018 Test: manual Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0 (cherry picked from commit 6039cb7225733195192b396ad19c528800feb735)
* Check remaining frame length in rfc_process_mx_messageHansong Zhang2018-11-181-0/+27
| | | | | | | | Bug: 111936792 Bug: 80432928 Test: manual Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79 (cherry picked from commit 0471355c8b035aaa2ce07a33eecad60ad49c5ad0)
* Fix copy length calculation in sdp_copy_raw_dataJakub Pawlowski2018-11-181-0/+8
| | | | | | | Test: compilation Bug: 110216176 Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459 (cherry picked from commit 23aa15743397b345f3d948289fe90efa2a2e2b3e)
* Fix OOB read in avrc_ctrl_pars_vendor_rspHansong Zhang2018-11-181-0/+8
| | | | | | | Bug: 78526423 Test: manual Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91 (cherry picked from commit d945ada503ed9c9ea24e092df51faba57f5d589a)
* Don't use Address after it was deletedJakub Pawlowski2018-11-172-21/+23
| | | | | | | | Bug: 110216173 (cherry picked from commit 9930f6f4e14e64966869b119994126283d645fd0) Change-Id: Id3364cf53153eafed478546d7347ed1673217e91 Backported-By: Vasyl Gello <vasek.gello@gmail.com>
* HID Host: Check L2CAP packet data lengthHansong Zhang2018-10-221-0/+9
| | | | | | | Bug: 80493272 Test: manual Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d (cherry picked from commit ca47a05acb66218ff2123f8d4642961f7f2eb5e2)
* Fix OOB read in process_l2cap_cmdHansong Zhang2018-10-221-0/+1
| | | | | | | Test: manual Bug: 79488381 Change-Id: I723866ed40d3647fed99875f659bb95df96a6969 (cherry picked from commit 5bb66307b555b17d1764e116316ce50c687c9653)
* DO NOT MERGE: SDP: Recalculate param_len after max_list_lenMyles Watson2018-10-221-0/+1
| | | | | | | Bug: 78136869 Test: manual connection to an A2DP device Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1 (cherry picked from commit 9cc9eea21c7868034242b7ab8be750c565e46bfd)
* SDP: return error on offset bigger than atribute lengthJakub Pawlowski2018-10-221-0/+14
| | | | | | | Test: none Bug: 79217770 Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998 (cherry picked from commit 0a74ffa44cbe48f674387cc951e6011c28ca003c)
* Add packet length checks in l2cble_process_sig_cmdJakub Pawlowski2018-10-221-0/+36
| | | | | | | Bug: 80261585 Test: compilation Change-Id: Icf55747dc948bcce140a12658237554938e2d717 (cherry picked from commit 02f47a752c818277b31852e3ff940764d5c7f9c7)
* Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQAjay Panicker2018-10-221-0/+5
| | | | | | Bug: 74121659 Test: Compiles Change-Id: Idf58e7b25b41ae1bd43cdd51de424b18e03cc7e8
* Add PDU size checks in process_service_search_attr_rspJakub Pawlowski2018-09-091-0/+14
| | | | | | | Bug: 79884292 Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25 Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25 (cherry picked from commit 980f6427b183e013958acd6b70e91f58177408a6)
* GATT: Handle too short Error Response PDUJakub Pawlowski2018-09-091-3/+19
| | | | | | | | | | Since the spec is not clear what to do in this case, use one of reserved error codes as a failure reason, and pass it to upper layers. Bug: 79591688 Change-Id: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f Merged-In: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f (cherry picked from commit f63c4b652b3231c2b4907bffd13410c6eb2aa760)
* RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)akirilov2018-08-081-1/+6
| | | | | | | Bug: 74075873 Test: manual Change-Id: I9a7035a74aca3256c5712ea67a7435627b139c37 (cherry picked from commit 9d647b201b64949e04eade9b594af76c764dbb96)
* Add checks whether the AVDTP element data length is validPavlin Radoslavov2018-08-081-0/+11
| | | | | | | | | Bug: 78288378 Test: Manual: Python script and extra logging Change-Id: I715b5977c833d33ff798f008fbf244effa13ea1f Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f (cherry picked from commit 9b3f96f50287d8789aff6d6895d7ae02ca6ac619) (cherry picked from commit ee30c88a8d49b30860d35b34a57c3037a4045678)
* RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)akirilov2018-08-081-1/+1
| | | | | | | Bug: 74075873 Test: manual test (poc in bug) Change-Id: I56e87cfdf8731acca00cefac98abb2ba06f6e7ed (cherry picked from commit 3575ba8ca36dccf7dcdb2dbf16ed170d549911d3)
* BNEP: Fix OOB access in bnep_data_indJack He2018-08-081-9/+26
| | | | | | | | | | | | | | | | | | * Stop reading the L2CAP packet if packet length is 0 * Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing the buffer pointer by length of payload * Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero * Move error logging to more appropriate locations at where the OOB access is most likely triggered Bug: 78286118 Bug: 79164722 Test: Send zero length L2CAP packet to BNEP, send invalid BNEP_EXTENSION_CONTROL packet Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e (cherry picked from commit 3c799a6e25abdf6bacb660ff7a06338836cc7356) (cherry picked from commit 0416340ffa61337dbaa2f6602ef85a1c32563ec2)
* Decrease length after reading from array in process_service_attr_reqJakub Pawlowski2018-08-081-0/+2
| | | | | | | Test: compilation Bug: 78136677 Change-Id: I4807a350e2b4764a93f104ce88f23a957a7e85c0 (cherry picked from commit 6cd2e8bf6e5707e8e77e7aca6519c58200ee58db)
* DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_eventHansong Zhang2018-08-081-0/+7
| | | | | | | Bug: 80145946 Test: manual Change-Id: Ic83eaa4be868d5a345d80cd50a6915c0af719a53 (cherry picked from commit 519b61392a96fbd45bdcc0bfddc881167c20cc23)
* DO NOT MERGE Fix unexpected behavior in smp_sm_eventHansong Zhang2018-07-161-0/+8
| | | | | | | Bug: 74121126 Test: manual Change-Id: Ie5dd841d6461ad057c4ab572007f38c5446aba53 (cherry picked from commit 652798b2f2d6c90e0fc95c00ccfb91e2870b03d4)
* DO NOT MERGE Fix OOB read in process_l2cap_cmdHansong Zhang2018-06-081-0/+104
| | | | | | | | | | Bug: 74202041 Bug: 74196706 Bug: 74201143 Test: manual Change-Id: Ic25f7f3777d0375f76cc91e4d129b1636f1c388d (cherry picked from commit ff15adf5150527db1012b9f7777066522835e2db) CVE-2018-9359, CVE-2018-9360, CVE-2018-9361
* DO NOT MERGE Handle bad packet length in gatts_process_read_reqStanley Tng2018-06-081-0/+16
| | | | | | | | | | | | | | | Added error check and handling code in gatts_process_read_req to make sure that the packet length is correct. Please note that there is another earlier CL that is reverted and this is the updated one. Bug: 73172115 Test: Run the test program, poc, that was attached in the bug report Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b (cherry picked from commit cc9c7330d1c3507d745170ae7b2e0546197b7acb) (cherry picked from commit 16f4c21be5bd0ea1968eee8a0f00648b1e326253) CVE-2018-9358
* DO NOT MERGE Add bounds check for BNEP_WriteHansong Zhang2018-06-081-0/+9
| | | | | | | | Bug: 74947856 Test: manual Change-Id: If5db8c6b6e509a330ae74808fc3f0ffac137af14 (cherry picked from commit ae9d06c1dc84db36c0c4a07fc56a1fbf008cd1ce) CVE-2018-9357
* PAN: Always allocate in bta_pan_data_buf_ind_cbackMyles Watson2018-06-082-11/+2
| | | | | | | | | | | | | | Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double free. Move the free call to pan_data_buf_ind_cb(). Free the buffer before every return in pan_data_buf_ind_cb. Bug: 74950468 Test: manual tethering test with DUT sharing its connection Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb (cherry picked from commit 98232b084c66368234d19fafe3076bc1c0f1b578) CVE-2018-9356
* SDP: Check p_req_end before reading from p_reqMyles Watson2018-04-142-26/+68
| | | | | | | | Bug: 69384124 Test: Connect a headset Change-Id: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe Merged-In: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe (cherry picked from commit dd856fbc4ade8f7d78873db3533b4c9fd7c6d612)
* AVRCP: Check the number of text value attributes requestedAjay Panicker2018-04-061-0/+5
| | | | | | | Test: Builds Bug: 69479009 Change-Id: I184ddfdb56c15c2b07d52a2624240738efb4d207 (cherry picked from commit 6313da35abc93fcfb783c68f2e02427df9928ecf)
* BNEP: Check received frame typeMyles Watson2018-03-301-0/+7
| | | | | | | | Bug: 68818034 Test: build Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019 (cherry picked from commit b910734a55fd3babf71b049d5638bf86f81d7c1e) CVE-2017-13269
* Remove memory reference to invalid mem in error logStanley Tng2018-03-301-2/+1
| | | | | | | | | | | | | | Remove the memory reference to an invalid memory inside an error log message. Test: Edit code to force the error condition and make sure the new error log does not crashed. Bug: 67058064 Merged-In: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0 Change-Id: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0 (cherry picked from commit 11cd7277a1d0da9013a8381cddbfc096e9adaed6) (cherry picked from commit d10bc94f5ec64122382ed73a261c5f4d0a0fa195) CVE-2017-13268
* SDP: Include the offset in sdp_disc_server_rspMyles Watson2018-03-301-1/+1
| | | | | | | | | | | | | | | | The commit SDP: Pass the bounds to process_service_*_rsp with the change ID Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3 omitted the offset when calculating the end of the message. Bug: 68161546 Test: Connect a headset Change-Id: I6266b51e3871ed6ce9932161e4ab66de90af4ce6 (cherry picked from commit 1ff9151b7de9cff6aab3919d151542e7244cc0e5) Merged-In: I6266b51e3871ed6ce9932161e4ab66de90af4ce6 (cherry picked from commit c379fc0f7a158e7028771bcf9dea19987f771a8e) CVE-2017-13259
* SDP: Pass the bounds to process_service_*_rspMyles Watson2018-03-301-15/+38
| | | | | | | | Test: build Bug: 68161546 Change-Id: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3 (cherry picked from commit 3c7bd5a8453110a7bd1351648c5a4001b99afa70) CVE-2017-13259
* Fix unexpected behavior in reading BNEP packetsHansong Zhang2018-03-302-6/+32
| | | | | | | | | | | Bug: 67863755 Bug: 69177251 Bug: 69177292 Bug: 69271284 Test: BNEP still works Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372 (cherry picked from commit 9844ddac4c0aaf217326c56f2814d145c11eb042) CVE-2017-13258, CVE-2017-13260, CVE-2017-13261, CVE-2017-13262
* PAN: Fix Use-after-free in bta_pan_data_buf_ind_cbackMyles Watson2018-03-301-0/+1
| | | | | | | | | | Patch from b/67078939 Test: build Bug: 67110692 Change-Id: I63b857d031c55d3a0754e4101e330843eb422b2a (cherry picked from commit 2a18e724b2bf101ea38a5b089de56842107c8369) CVE-2017-13257
* AVRCP: Check the number of text attributes requestedAjay Panicker2018-03-301-0/+8
| | | | | | | | Test: Build Bug: 69478941 Change-Id: Ibc456511c8d7339213f08b07d70f5e25be140d68 (cherry picked from commit 249bb665b1020e81547246f5b29ed9040d696388) CVE-2017-13266
* Fix unexpected behavior in SDPHansong Zhang2018-03-301-0/+15
| | | | | | | | | Bug: 68776054 Bug: 68817966 Test: Bluetooth SDP still works Change-Id: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9 (cherry picked from commit 5d6b1b1316afecebd939f77e3d01ab0a400e68a9) CVE-2017-13255 / CVE-2017-13256
* Fix changes from September 2017 ASBAndreas Blaesius2018-03-304-57/+50
| | | | | | | | | - fix formatting difference and use official 6.0.1 patches from r81 (e.g. commit 33427d54f31adaf5b9c697f5ce642fda1dc01946 and commit 7f17ba1f8e475706727df7c50bc31ffb191d1f9d don't match googles patches for 6.0.1) Change-Id: I3187d1be2bcbc896a60100eda7c42d0e7bb5131f
generated by cgit v1.2.3 (git 2.25.1) at 2026-04-09 21:17:33 +0000