Merge "Fix an OOB bug in btm_ble_ltk_request" into tm-dev am: 9e1c96299a (70331592) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/btu/btu_hcif.cc

+15 −3

Original line number	Diff line number	Diff line
		@@ -93,7 +93,7 @@ static void btu_hcif_esco_connection_chg_evt(uint8_t* p);
		static void btu_hcif_io_cap_request_evt(const uint8_t* p);

		static void btu_ble_ll_conn_param_upd_evt(uint8_t* p, uint16_t evt_len);
		static void btu_ble_proc_ltk_req(uint8_t* p);
		static void btu_ble_proc_ltk_req(uint8_t* p, uint16_t evt_len);
		static void btu_hcif_encryption_key_refresh_cmpl_evt(uint8_t* p);
		static void btu_ble_data_length_change_evt(uint8_t* p, uint16_t evt_len);
		static void btu_ble_rc_param_req_evt(uint8_t* p, uint8_t len);
		@@ -349,7 +349,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id,
		btm_ble_read_remote_features_complete(p, ble_evt_len);
		break;
		case HCI_BLE_LTK_REQ_EVT: /* received only at peripheral device */
		btu_ble_proc_ltk_req(p);
		btu_ble_proc_ltk_req(p, ble_evt_len);
		break;
		case HCI_BLE_RC_PARAM_REQ_EVT:
		btu_ble_rc_param_req_evt(p, ble_evt_len);
		@@ -1664,10 +1664,22 @@ static void btu_ble_ll_conn_param_upd_evt(uint8_t* p, uint16_t evt_len) {
		interval, latency, timeout);
		}

		static void btu_ble_proc_ltk_req(uint8_t* p) {
		static void btu_ble_proc_ltk_req(uint8_t* p, uint16_t evt_len) {
		uint16_t ediv, handle;
		uint8_t* pp;

		// following the spec in Core_v5.3/Vol 4/Part E
		// / 7.7.65.5 LE Long Term Key Request event
		// A BLE Long Term Key Request event contains:
		// - 1-byte subevent (already consumed in btu_hcif_process_event)
		// - 2-byte connection handler
		// - 8-byte random number
		// - 2 byte Encrypted_Diversifier
		if (evt_len < 2 + 8 + 2) {
		LOG_ERROR("Event packet too short");
		return;
		}

		STREAM_TO_UINT16(handle, p);
		pp = p + 8;
		STREAM_TO_UINT16(ediv, pp);