Merge "Fix an OOB bug in btm_ble_read_remote_features_complete" into tm-dev... (7191bcc4) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/btm/btm_ble_gap.cc

+16 −1

Original line number	Diff line number	Diff line
		@@ -3196,9 +3196,14 @@ static void btm_ble_observer_timer_timeout(UNUSED_ATTR void* data) {
		* Returns void
		*
		******************************************************************************/
		void btm_ble_read_remote_features_complete(uint8_t* p) {
		void btm_ble_read_remote_features_complete(uint8_t* p, uint8_t length) {
		uint16_t handle;
		uint8_t status;

		if (length < 3) {
		goto err_out;
		}

		STREAM_TO_UINT8(status, p);
		STREAM_TO_UINT16(handle, p);
		handle = handle & 0x0FFF; // only 12 bits meaningful
		@@ -3213,6 +3218,12 @@ void btm_ble_read_remote_features_complete(uint8_t* p) {
		}

		if (status == HCI_SUCCESS) {
		// BD_FEATURES_LEN additional bytes are read
		// in acl_set_peer_le_features_from_handle
		if (length < 3 + BD_FEATURES_LEN) {
		goto err_out;
		}

		if (!acl_set_peer_le_features_from_handle(handle, p)) {
		LOG_ERROR(
		"Unable to find existing connection after read remote features");
		@@ -3221,6 +3232,10 @@ void btm_ble_read_remote_features_complete(uint8_t* p) {
		}

		btsnd_hcic_rmt_ver_req(handle);
		return;

		err_out:
		LOG_ERROR("bogus event packet, too short");
		}

		/*******************************************************************************

+1 −1

Original line number	Diff line number	Diff line
		@@ -343,7 +343,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id,
		btu_ble_ll_conn_param_upd_evt(p, ble_evt_len);
		break;
		case HCI_BLE_READ_REMOTE_FEAT_CMPL_EVT:
		btm_ble_read_remote_features_complete(p);
		btm_ble_read_remote_features_complete(p, ble_evt_len);
		break;
		case HCI_BLE_LTK_REQ_EVT: /* received only at peripheral device */
		btu_ble_proc_ltk_req(p);

+1 −1

Original line number	Diff line number	Diff line
		@@ -27,7 +27,7 @@
		void btm_ble_process_adv_pkt(uint8_t len, const uint8_t* p);
		void btm_ble_process_ext_adv_pkt(uint8_t len, const uint8_t* p);
		void btm_ble_process_phy_update_pkt(uint8_t len, uint8_t* p);
		void btm_ble_read_remote_features_complete(uint8_t* p);
		void btm_ble_read_remote_features_complete(uint8_t* p, uint8_t length);
		void btm_le_on_advertising_set_terminated(uint8_t* p, uint16_t length);
		extern void btm_ble_write_adv_enable_complete(uint8_t* p, uint16_t evt_len);
		extern void btm_ble_create_ll_conn_complete(tHCI_STATUS status);

+1 −1

Original line number	Diff line number	Diff line
		@@ -190,7 +190,7 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, const uint8_t* data) {
		void btm_ble_process_phy_update_pkt(uint8_t len, uint8_t* data) {
		mock_function_count_map[__func__]++;
		}
		void btm_ble_read_remote_features_complete(uint8_t* p) {
		void btm_ble_read_remote_features_complete(uint8_t* p, uint8_t length) {
		mock_function_count_map[__func__]++;
		}
		void btm_ble_read_remote_name_cmpl(bool status, const RawAddress& bda,