
Commit 4f8c21c1 authored by Archie Pusaka's avatar Archie Pusaka

hh: verify uuid is 16 bit before calling As16Bit

The documentation explicitly says to call Is16Bit before calling
As16Bit. Apparently it's possible to crash the process when we skip
calling Is16Bit.

Bug: 316784874
Test: m -j
Flag: EXEMPT, additional checks, no logical change.
Change-Id: I4f871522524426b3da9bae88ab1a3fdcc0eed674
parent b56b24f9
+3 −0
@@ -188,6 +188,9 @@ uint16_t bta_hh_get_uuid16(tBTA_HH_DEV_CB* p_dev_cb, Uuid uuid) {
       uuid == ANDROID_HEADTRACKER_CONTROL_CHARAC_UUID ||
       uuid == ANDROID_HEADTRACKER_REPORT_CHARAC_UUID)) {
    return GATT_UUID_HID_REPORT;
  } else if (!uuid.Is16Bit()) {
    log::warn("UUID is not 16 bit");
    return 0;
  } else {
    return uuid.As16Bit();
  }
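Review bot: The `return 0;` in the new `!uuid.Is16Bit()` branch turns 0 into an error sentinel for bta_hh_get_uuid16, but nothing at the function says so, and callers such as write_report_cb compare the result against GATT_UUID_* constants without treating 0 specially. A comment above the signature would make the contract explicit: `// Returns the 16-bit UUID for |uuid|, mapping the ANDROID_HEADTRACKER_* UUIDs to GATT_UUID_HID_REPORT; returns 0 (and logs) when |uuid| is not a 16-bit UUID, so callers should check Is16Bit() first.` The guard also logs at warn here while the equivalent guards added in the callers use log::error; using one level keeps the triage signal consistent. The function's signature and opening lines are outside the hunk.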
+25 −2
@@ -658,7 +658,7 @@ static bool bta_hh_le_write_ccc(tBTA_HH_DEV_CB* p_cb, uint16_t char_handle,

static bool bta_hh_le_write_rpt_clt_cfg(tBTA_HH_DEV_CB* p_cb);

static void write_rpt_ctl_cfg_cb(uint16_t conn_id, tGATT_STATUS status,
static void write_rpt_clt_cfg_cb(uint16_t conn_id, tGATT_STATUS status,
                                 uint16_t handle, uint16_t len,
                                 const uint8_t* value, void* data) {
  uint8_t srvc_inst_id;
@@ -666,6 +666,16 @@ static void write_rpt_ctl_cfg_cb(uint16_t conn_id, tGATT_STATUS status,
  tBTA_HH_DEV_CB* p_dev_cb = (tBTA_HH_DEV_CB*)data;
  const gatt::Characteristic* characteristic =
      BTA_GATTC_GetOwningCharacteristic(conn_id, handle);
  if (characteristic == nullptr) {
    log::error("Characteristic with handle {} not found clt cfg", handle);
    return;
  }
  if (!characteristic->uuid.Is16Bit()) {
    log::error("Unexpected len characteristic ID clt cfg: {}",
               characteristic->uuid.ToString());
    return;
  }

  uint16_t char_uuid = bta_hh_get_uuid16(p_dev_cb, characteristic->uuid);

  srvc_inst_id = BTA_GATTC_GetOwningService(conn_id, handle)->handle;
@@ -706,7 +716,7 @@ static bool bta_hh_le_write_rpt_clt_cfg(tBTA_HH_DEV_CB* p_cb) {
    if (p_rpt->rpt_type == BTA_HH_RPTT_INPUT) {
      if (bta_hh_le_write_ccc(p_cb, p_rpt->char_inst_id,
                              GATT_CLT_CONFIG_NOTIFICATION,
                              write_rpt_ctl_cfg_cb, p_cb)) {
                              write_rpt_clt_cfg_cb, p_cb)) {
        p_cb->clt_cfg_idx = i;
        return true;
      }
@@ -1643,6 +1653,11 @@ static void bta_hh_le_input_rpt_notify(tBTA_GATTC_NOTIFY* p_data) {
  const gatt::Service* p_svc =
      BTA_GATTC_GetOwningService(p_dev_cb->conn_id, p_char->value_handle);

  if (!p_char->uuid.Is16Bit()) {
    log::error("Unexpected characteristic len: {}", p_char->uuid.ToString());
    return;
  }

  p_rpt = bta_hh_le_find_report_entry(p_dev_cb, p_svc->handle,
                                      bta_hh_get_uuid16(p_dev_cb, p_char->uuid),
                                      p_char->value_handle);
@@ -1835,6 +1850,10 @@ static void read_report_cb(uint16_t conn_id, tGATT_STATUS status,
    log::error("Unknown handle");
    return;
  }
  if (!p_char->uuid.Is16Bit()) {
    log::error("Unexpected characteristic len: {}", p_char->uuid.ToString());
    return;
  }

  uint16_t char_uuid = bta_hh_get_uuid16(p_dev_cb, p_char->uuid);

@@ -1921,6 +1940,10 @@ static void write_report_cb(uint16_t conn_id, tGATT_STATUS status,
      BTA_GATTC_GetCharacteristic(conn_id, handle);

  if (p_char == nullptr) return;
  if (!p_char->uuid.Is16Bit()) {
    log::error("Unexpected characteristic len: {}", p_char->uuid.ToString());
    return;
  }

  uint16_t uuid16 = bta_hh_get_uuid16(p_dev_cb, p_char->uuid);
  if (uuid16 != GATT_UUID_HID_REPORT && uuid16 != GATT_UUID_HID_BT_KB_INPUT &&
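Review bot: In write_rpt_clt_cfg_cb the new nullptr check on `characteristic` is followed by `srvc_inst_id = BTA_GATTC_GetOwningService(conn_id, handle)->handle;`, which still dereferences the service lookup unchecked; if that lookup can fail the way the characteristic lookup evidently can (the page does not show its contract), the crash this commit guards against just moves a few lines down. The same unguarded `p_svc->handle` sits right after the new Is16Bit() guard in bta_hh_le_input_rpt_notify. Separately, the identical `if (!p_char->uuid.Is16Bit()) { log::error(...); return; }` block is now copy-pasted into four callbacks while bta_hh_get_uuid16 already performs the check and returns 0 — either let the callers test the 0 return or factor the guard into one small helper so the message and the policy live in one place. write_rpt_clt_cfg_cb starts in an earlier hunk and its body continues past this one.
```cpp
  // … unchanged: characteristic lookup, nullptr check and Is16Bit() guard …
  const gatt::Service* p_svc = BTA_GATTC_GetOwningService(conn_id, handle);
  if (p_svc == nullptr) {
    log::error("Service for handle {} not found clt cfg", handle);
    return;
  }
  srvc_inst_id = p_svc->handle;
```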