Loading system/bta/av/bta_av_act.cc +7 −1 Original line number Diff line number Diff line Loading @@ -35,6 +35,7 @@ #include "bta_av_api.h" #include "bta_av_int.h" #include "l2c_api.h" #include "log/log.h" #include "osi/include/list.h" #include "osi/include/log.h" #include "osi/include/osi.h" Loading Loading @@ -784,11 +785,16 @@ tBTA_AV_EVT bta_av_proc_meta_cmd(tAVRC_RESPONSE* p_rc_rsp, case AVRC_PDU_GET_CAPABILITIES: /* process GetCapabilities command without reporting the event to app */ evt = 0; if (p_vendor->vendor_len != 5) { android_errorWriteLog(0x534e4554, "111893951"); p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR; break; } u8 = *(p_vendor->p_vendor_data + 4); p = p_vendor->p_vendor_data + 2; p_rc_rsp->get_caps.capability_id = u8; BE_STREAM_TO_UINT16(u16, p); if ((u16 != 1) || (p_vendor->vendor_len != 5)) { if (u16 != 1) { p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR; } else { p_rc_rsp->get_caps.status = AVRC_STS_NO_ERROR; Loading system/stack/avrc/avrc_api.cc +27 −0 Original line number Diff line number Diff line Loading @@ -24,6 +24,8 @@ #include <base/logging.h> #include <string.h> #include <log/log.h> #include "avrc_api.h" #include "avrc_int.h" #include "bt_common.h" Loading Loading @@ -660,6 +662,13 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr, msg.browse.browse_len = p_pkt->len; msg.browse.p_browse_pkt = p_pkt; } else { if (p_pkt->len < AVRC_AVC_HDR_SIZE) { android_errorWriteLog(0x534e4554, "111803925"); AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d", __func__, p_pkt->len, AVRC_AVC_HDR_SIZE); osi_free(p_pkt); return; } msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK; AVRC_TRACE_DEBUG("%s handle:%d, ctype:%d, offset:%d, len: %d", __func__, handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len); Loading Loading 
@@ -693,6 +702,15 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr, p_drop_msg = "auto respond"; } else { /* parse response */ if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) { AVRC_TRACE_WARNING( "%s: message length %d too short: must be at least %d", __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN); android_errorWriteLog(0x534e4554, "79883824"); drop = true; p_drop_msg = "UNIT_INFO_RSP too short"; break; } p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/ msg.unit.unit_type = (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT; Loading Loading @@ -722,6 +740,15 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr, p_drop_msg = "auto responded"; } else { /* parse response */ if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) { AVRC_TRACE_WARNING( "%s: message length %d too short: must be at least %d", __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN); android_errorWriteLog(0x534e4554, "79883824"); drop = true; p_drop_msg = "SUB_UNIT_INFO_RSP too short"; break; } p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */ msg.sub.page = (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK; Loading system/stack/avrc/avrc_pars_ct.cc +5 −0 Original line number Diff line number Diff line Loading @@ -479,6 +479,11 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, break; } BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p); if (p_result->list_app_values.num_val > AVRC_MAX_APP_ATTR_SIZE) { android_errorWriteLog(0x534e4554, "78526423"); p_result->list_app_values.num_val = AVRC_MAX_APP_ATTR_SIZE; } AVRC_TRACE_DEBUG("%s value count = %d ", __func__, p_result->list_app_values.num_val); for (int xx = 0; xx < p_result->list_app_values.num_val; xx++) { Loading system/stack/mcap/mca_cact.cc +8 −1 Original line number Diff line number Diff line Loading 
@@ -22,6 +22,7 @@ * Functions. * ******************************************************************************/ #include <log/log.h> #include <string.h> #include "bt_common.h" #include "bt_target.h" Loading Loading @@ -251,9 +252,15 @@ void mca_ccb_hdl_req(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) { p_rx_msg = (tMCA_CCB_MSG*)p_pkt; p = (uint8_t*)(p_pkt + 1) + p_pkt->offset; evt_data.hdr.op_code = *p++; BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p); reject_opcode = evt_data.hdr.op_code + 1; if (p_pkt->len >= 3) { BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p); } else { android_errorWriteLog(0x534e4554, "110791536"); evt_data.hdr.mdl_id = 0; } MCA_TRACE_DEBUG("received mdl id: %d ", evt_data.hdr.mdl_id); if (p_ccb->status == MCA_CCB_STAT_PENDING) { MCA_TRACE_DEBUG("received req inpending state"); Loading system/stack/smp/smp_act.cc +27 −1 Original line number Diff line number Diff line Loading @@ -916,6 +916,15 @@ void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { uint8_t* p = p_data->p_data; SMP_TRACE_DEBUG("%s", __func__); if (smp_command_has_invalid_parameters(p_cb)) { tSMP_INT_DATA smp_int_data; smp_int_data.status = SMP_INVALID_PARAMETERS; android_errorWriteLog(0x534e4554, "111937065"); smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); return; } STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN); smp_key_distribution(p_cb, NULL); Loading @@ -929,6 +938,14 @@ void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { tBTM_LE_PENC_KEYS le_key; SMP_TRACE_DEBUG("%s", __func__); if (p_cb->rcvd_cmd_len < 11) { // 1(Code) + 2(EDIV) + 8(Rand) android_errorWriteLog(0x534e4554, "111937027"); SMP_TRACE_ERROR("%s: Invalid command length: %d, should be at least 11", __func__, p_cb->rcvd_cmd_len); return; } smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true); STREAM_TO_UINT16(le_key.ediv, p); Loading 
@@ -948,13 +965,22 @@ void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { } /******************************************************************************* * Function smp_proc_enc_info * Function smp_proc_id_info * Description process identity information from peer device ******************************************************************************/ void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { uint8_t* p = p_data->p_data; SMP_TRACE_DEBUG("%s", __func__); if (smp_command_has_invalid_parameters(p_cb)) { tSMP_INT_DATA smp_int_data; smp_int_data.status = SMP_INVALID_PARAMETERS; android_errorWriteLog(0x534e4554, "111937065"); smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); return; } STREAM_TO_ARRAY(p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */ smp_key_distribution_by_transport(p_cb, NULL); } Loading Loading
system/bta/av/bta_av_act.cc +7 −1 Original line number Diff line number Diff line Loading @@ -35,6 +35,7 @@ #include "bta_av_api.h" #include "bta_av_int.h" #include "l2c_api.h" #include "log/log.h" #include "osi/include/list.h" #include "osi/include/log.h" #include "osi/include/osi.h" Loading Loading @@ -784,11 +785,16 @@ tBTA_AV_EVT bta_av_proc_meta_cmd(tAVRC_RESPONSE* p_rc_rsp, case AVRC_PDU_GET_CAPABILITIES: /* process GetCapabilities command without reporting the event to app */ evt = 0; if (p_vendor->vendor_len != 5) { android_errorWriteLog(0x534e4554, "111893951"); p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR; break; } u8 = *(p_vendor->p_vendor_data + 4); p = p_vendor->p_vendor_data + 2; p_rc_rsp->get_caps.capability_id = u8; BE_STREAM_TO_UINT16(u16, p); if ((u16 != 1) || (p_vendor->vendor_len != 5)) { if (u16 != 1) { p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR; } else { p_rc_rsp->get_caps.status = AVRC_STS_NO_ERROR; Loading
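Review bot: The new early exit in the AVRC_PDU_GET_CAPABILITIES case compares `p_vendor->vendor_len` with a bare `5`, and nothing beside it says which bytes that covers, although the two reads below depend on exactly that layout (a 16-bit field at offset 2 and the capability id at offset 4). A comment on the check would keep the bound and the reads tied together, for example `/* 5 bytes = offsets 0..4: 16-bit field at +2 (must be 1), capability id at +4 */`. The early `break` also skips the assignment to `p_rc_rsp->get_caps.capability_id`, so it is worth confirming that the code after the switch, which lies outside this hunk, does not read that field when the status is AVRC_STS_INTERNAL_ERR.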
system/stack/avrc/avrc_api.cc +27 −0 Original line number Diff line number Diff line Loading @@ -24,6 +24,8 @@ #include <base/logging.h> #include <string.h> #include <log/log.h> #include "avrc_api.h" #include "avrc_int.h" #include "bt_common.h" Loading Loading @@ -660,6 +662,13 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr, msg.browse.browse_len = p_pkt->len; msg.browse.p_browse_pkt = p_pkt; } else { if (p_pkt->len < AVRC_AVC_HDR_SIZE) { android_errorWriteLog(0x534e4554, "111803925"); AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d", __func__, p_pkt->len, AVRC_AVC_HDR_SIZE); osi_free(p_pkt); return; } msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK; AVRC_TRACE_DEBUG("%s handle:%d, ctype:%d, offset:%d, len: %d", __func__, handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len); Loading Loading @@ -693,6 +702,15 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr, p_drop_msg = "auto respond"; } else { /* parse response */ if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) { AVRC_TRACE_WARNING( "%s: message length %d too short: must be at least %d", __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN); android_errorWriteLog(0x534e4554, "79883824"); drop = true; p_drop_msg = "UNIT_INFO_RSP too short"; break; } p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/ msg.unit.unit_type = (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT; Loading Loading 
@@ -722,6 +740,15 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr, p_drop_msg = "auto responded"; } else { /* parse response */ if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) { AVRC_TRACE_WARNING( "%s: message length %d too short: must be at least %d", __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN); android_errorWriteLog(0x534e4554, "79883824"); drop = true; p_drop_msg = "SUB_UNIT_INFO_RSP too short"; break; } p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */ msg.sub.page = (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK; Loading
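Review bot: The three length guards added to avrc_msg_cback treat a short packet in two different ways: the AV/C header check calls `osi_free(p_pkt)` and returns on the spot, while the UNIT_INFO and SUB_UNIT_INFO checks set `drop = true` and `break` into the function's common exit, which is outside these hunks. If the direct return is deliberate, a one-line comment such as `/* too short to read the AV/C header: free and return instead of taking the drop path */` would stop a later edit from "unifying" the paths and freeing the packet twice. In the UNIT_INFO branch the guard uses AVRC_OP_UNIT_INFO_RSP_LEN but the parse advances by a literal `p_data += 4` and continues past the visible lines, so the constant should be checked against the last byte actually consumed there, and likewise for AVRC_OP_SUB_UNIT_INFO_RSP_LEN. Both response guards also log the same id `"79883824"`, so only `p_drop_msg` tells the two cases apart in the logs.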
system/stack/avrc/avrc_pars_ct.cc +5 −0 Original line number Diff line number Diff line Loading @@ -479,6 +479,11 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, break; } BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p); if (p_result->list_app_values.num_val > AVRC_MAX_APP_ATTR_SIZE) { android_errorWriteLog(0x534e4554, "78526423"); p_result->list_app_values.num_val = AVRC_MAX_APP_ATTR_SIZE; } AVRC_TRACE_DEBUG("%s value count = %d ", __func__, p_result->list_app_values.num_val); for (int xx = 0; xx < p_result->list_app_values.num_val; xx++) { Loading
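Review bot: Clamping `p_result->list_app_values.num_val` to AVRC_MAX_APP_ATTR_SIZE bounds only the destination side of the loop that follows; nothing in this hunk compares the count with the number of bytes still available behind `p` in the vendor message. The loop body is outside the hunk, but if it consumes one byte of `p` per iteration, a peer can still declare more values than the packet carries and drive the reads past the end of the received data. The count should also be checked against the remaining parameter length before the loop. Silently truncating a malformed count also lets a partly parsed response through as valid, so failing the parse with an error status may be the safer choice, which the enclosing function would have to decide.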
system/stack/mcap/mca_cact.cc +8 −1 Original line number Diff line number Diff line Loading @@ -22,6 +22,7 @@ * Functions. * ******************************************************************************/ #include <log/log.h> #include <string.h> #include "bt_common.h" #include "bt_target.h" Loading Loading @@ -251,9 +252,15 @@ void mca_ccb_hdl_req(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) { p_rx_msg = (tMCA_CCB_MSG*)p_pkt; p = (uint8_t*)(p_pkt + 1) + p_pkt->offset; evt_data.hdr.op_code = *p++; BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p); reject_opcode = evt_data.hdr.op_code + 1; if (p_pkt->len >= 3) { BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p); } else { android_errorWriteLog(0x534e4554, "110791536"); evt_data.hdr.mdl_id = 0; } MCA_TRACE_DEBUG("received mdl id: %d ", evt_data.hdr.mdl_id); if (p_ccb->status == MCA_CCB_STAT_PENDING) { MCA_TRACE_DEBUG("received req inpending state"); Loading
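Review bot: The opcode read `evt_data.hdr.op_code = *p++;` still runs before any length test, so the new `p_pkt->len >= 3` guard protects only the two-byte mdl_id read and a zero-length packet is still dereferenced. A second guard above that line, `if (p_pkt->len < 1)`, should leave through the same cleanup the rest of mca_ccb_hdl_req uses, which is not visible in this hunk. On a one- or two-byte request the code now continues with `evt_data.hdr.mdl_id = 0`, so it is worth confirming that the later handling cannot mistake that placeholder for an MDL id the peer actually sent. A comment on the literal would help as well, for example `/* 3 = op_code (1) + mdl_id (2) */`.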
system/stack/smp/smp_act.cc +27 −1 Original line number Diff line number Diff line Loading @@ -916,6 +916,15 @@ void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { uint8_t* p = p_data->p_data; SMP_TRACE_DEBUG("%s", __func__); if (smp_command_has_invalid_parameters(p_cb)) { tSMP_INT_DATA smp_int_data; smp_int_data.status = SMP_INVALID_PARAMETERS; android_errorWriteLog(0x534e4554, "111937065"); smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); return; } STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN); smp_key_distribution(p_cb, NULL); Loading @@ -929,6 +938,14 @@ void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { tBTM_LE_PENC_KEYS le_key; SMP_TRACE_DEBUG("%s", __func__); if (p_cb->rcvd_cmd_len < 11) { // 1(Code) + 2(EDIV) + 8(Rand) android_errorWriteLog(0x534e4554, "111937027"); SMP_TRACE_ERROR("%s: Invalid command length: %d, should be at least 11", __func__, p_cb->rcvd_cmd_len); return; } smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true); STREAM_TO_UINT16(le_key.ediv, p); Loading @@ -948,13 +965,22 @@ void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { } /******************************************************************************* * Function smp_proc_enc_info * Function smp_proc_id_info * Description process identity information from peer device ******************************************************************************/ void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { uint8_t* p = p_data->p_data; SMP_TRACE_DEBUG("%s", __func__); if (smp_command_has_invalid_parameters(p_cb)) { tSMP_INT_DATA smp_int_data; smp_int_data.status = SMP_INVALID_PARAMETERS; android_errorWriteLog(0x534e4554, "111937065"); smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); return; } STREAM_TO_ARRAY(p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */ smp_key_distribution_by_transport(p_cb, NULL); } Loading
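Review bot: In smp_proc_master_id the short-command branch only logs and returns, whereas the guards added to smp_proc_enc_info and smp_proc_id_info in this same change report the failure to the state machine. Returning without an event leaves the pairing state untouched, which presumably lets the procedure wait for key material that has been discarded; the state machine is not shown here, so that is an inference. Using the same three lines as the sibling handlers before the `return` would make the handlers consistent: `tSMP_INT_DATA smp_int_data;`, `smp_int_data.status = SMP_INVALID_PARAMETERS;`, `smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);`. In all three places `smp_int_data` is declared without an initializer and only `status` is set, so if the event handler reads any other member it sees indeterminate stack contents.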