Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3046dc56 authored by Myles Watson's avatar Myles Watson
Browse files

ACL: Drop broadcasts 

Bug: 169327567
Test: compiles
Tag: #security
Change-Id: Id4231fd7a142d630a2ada0f41a90e01afc011045
Merged-In: Id4231fd7a142d630a2ada0f41a90e01afc011045
parent db169d7e

system/hci/src/packet_fragmenter.cc

+10 −0
Original line number Diff line number Diff line
@@ -35,10 +35,12 @@ 
#define APPLY_START_FLAG(handle) (((handle)&0xCFFF) | 0x2000)

#define SUB_EVENT(event) ((event)&MSG_SUB_EVT_MASK)

#define GET_BOUNDARY_FLAG(handle) (((handle) >> 12) & 0x0003)

#define GET_BROADCAST_FLAG(handle) (((handle) >> 14) & 0x0003)



#define HANDLE_MASK 0x0FFF

#define START_PACKET_BOUNDARY 2

#define CONTINUATION_PACKET_BOUNDARY 1

#define POINT_TO_POINT 0

#define L2CAP_HEADER_SIZE 4



// Our interface and callbacks
@@ -131,8 +133,16 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) { 
    CHECK(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE);



    uint8_t boundary_flag = GET_BOUNDARY_FLAG(handle);

    uint8_t broadcast_flag = GET_BROADCAST_FLAG(handle);

    handle = handle & HANDLE_MASK;



    if (broadcast_flag != POINT_TO_POINT) {

      LOG_WARN(LOG_TAG, "dropping broadcast packet");

      android_errorWriteLog(0x534e4554, "169327567");

      buffer_allocator->free(packet);

      return;

    }



    if (boundary_flag == START_PACKET_BOUNDARY) {

      auto map_iter = partial_packets.find(handle);

      if (map_iter != partial_packets.end()) {