Merge "Fix potential OOB write in btm_read_remote_ext_features_complete" into...

#include "device/include/interop.h"

#include "hcidefs.h"

#include "hcimsgs.h"

#include "log/log.h"

#include "l2c_int.h"

#include "osi/include/osi.h"

 * Returns          void

 *

 ******************************************************************************/

void btm_read_remote_ext_features_complete(uint8_t* p) {

void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {

  tACL_CONN* p_acl_cb;

  uint8_t page_num, max_page;

  uint16_t handle;

  BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete");

  if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) {

    android_errorWriteLog(0x534e4554, "141552859");

    BTM_TRACE_ERROR(

        "btm_read_remote_ext_features_complete evt length too short. length=%d",

        evt_len);

    return;

  }

  ++p;

  STREAM_TO_UINT16(handle, p);

  STREAM_TO_UINT8(page_num, p);

    return;

  }

  if (page_num > HCI_EXT_FEATURES_PAGE_MAX) {

    android_errorWriteLog(0x534e4554, "141552859");

    BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid",

                    page_num);

    return;

  }

  if (page_num > max_page) {

    BTM_TRACE_WARNING(

        "btm_read_remote_ext_features_complete num_page=%d, max_page=%d "

        "invalid", page_num, max_page);

  }

  p_acl_cb = &btm_cb.acl_db[acl_idx];

  /* Copy the received features page */

extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr,

                                  tBT_TRANSPORT transport);

extern void btm_read_remote_features_complete(uint8_t* p);

extern void btm_read_remote_ext_features_complete(uint8_t* p);

extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len);

extern void btm_read_remote_ext_features_failed(uint8_t status,

                                                uint16_t handle);

extern void btm_read_remote_version_complete(uint8_t* p);

static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len);

static void btu_hcif_encryption_change_evt(uint8_t* p);

static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p);

static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p);

static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,

                                                    uint8_t evt_len);

static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p);

static void btu_hcif_qos_setup_comp_evt(uint8_t* p);

static void btu_hcif_command_complete_evt(BT_HDR* response, void* context);

      btu_hcif_read_rmt_features_comp_evt(p);

      break;

    case HCI_READ_RMT_EXT_FEATURES_COMP_EVT:

      btu_hcif_read_rmt_ext_features_comp_evt(p);

      btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len);

      break;

    case HCI_READ_RMT_VERSION_COMP_EVT:

      btu_hcif_read_rmt_version_comp_evt(p);

 * Returns          void

 *

 ******************************************************************************/

static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {

static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,

                                                    uint8_t evt_len) {

  uint8_t* p_cur = p;

  uint8_t status;

  uint16_t handle;

  STREAM_TO_UINT8(status, p_cur);

  if (status == HCI_SUCCESS)

    btm_read_remote_ext_features_complete(p);

    btm_read_remote_ext_features_complete(p, evt_len);

  else {

    STREAM_TO_UINT16(handle, p_cur);

    btm_read_remote_ext_features_failed(status, handle);

#define HCI_FEATURE_BYTES_PER_PAGE 8

#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13

#define HCI_FEATURES_KNOWN(x) \

  (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0)