Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 62156f43 authored by Brian Delwiche's avatar Brian Delwiche Committed by Android Build Coastguard Worker
Browse files

Check for existing discovery database in bta_hf_client_cb_init 

Researcher finds an RCE related to HF client discovery database.

Changes against the related issue b/291281168 (guarded by flag below)
partially resolve this issue, but it is necessary to add a check in
another location.

Bug: 374746961
Bug: 356201480
Test: m libbluetooth
Test: researcher POC
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:00c8b2a9cd94d0a2c71ccf4985b1789526310fce)
Merged-In: I69b2e80f0dd8682dcc8862b4b9aa7845c48c3bb8
Change-Id: I69b2e80f0dd8682dcc8862b4b9aa7845c48c3bb8
parent 0f350902

system/bta/Android.bp

+5 −3
Original line number Diff line number Diff line
@@ -161,6 +161,7 @@ cc_test { 
    test_suites: ["device-tests"],

    srcs: [

        ":TestMockStackBtm",

        ":TestMockStackSdp",

        ":TestCommonMockFunctions",

        "test/bta_hf_client_test.cc",

        "test/bta_dm_cust_uuid_test.cc",
@@ -227,6 +228,7 @@ cc_test { 
        "libbt-common",

    ],

}



cc_test {

    name: "bt_host_test_bta",

    defaults: [

system/bta/hf_client/bta_hf_client_main.cc

+8 −0
Original line number Diff line number Diff line
@@ -305,6 +305,14 @@ void bta_hf_client_cb_init(tBTA_HF_CLIENT_CB* client_cb, uint16_t handle) { 
  client_cb->enabled_hf_indicators.clear();

  client_cb->peer_hf_indicators.clear();



  if (client_cb->p_disc_db) {

    if (!SDP_CancelServiceSearch(client_cb->p_disc_db)) {

      APPL_TRACE_WARNING("Unable to cancel SDP service discovery peer: %s",

                         client_cb->peer_addr.ToString().c_str());

    }

    osi_free_and_reset((void**)&client_cb->p_disc_db);

  }



  // Memset the rest of the block

  // memset(client_cb, 0, sizeof(tBTA_HF_CLIENT_CB));

  *client_cb = {};

system/bta/test/bta_dip_test.cc

+0 −1
Original line number Diff line number Diff line
@@ -20,7 +20,6 @@ 


#include "bta/sdp/bta_sdp_act.cc"

#include "main/shim/metrics_api.h"

#include "stack/sdp/sdp_api.cc"

#include "types/bluetooth/uuid.h"

#include "types/raw_address.h"