
Unverified Commit 76e912f0 authored by Kevin F. Haggerty's avatar Kevin F. Haggerty

Merge tag 'android-security-13.0.0_r24' into staging/lineage-20.0_android-security-13.0.0_r24

Android Security 13.0.0 Release 24 (12496786)

* tag 'android-security-13.0.0_r24':
  Fix OOB writes in gatt_sr.cc
  Encrypt LE link immediately on reconnection
  Fix "GATT Read Multiple Variable Response" builder
  Fix OOB write in build_read_multi_rsp of gatt_sr.cc

Change-Id: I6ceede4207be06031e0623ea39e4c4eebbeb713b
parents aa35350c de80ed65
+11 −0
@@ -1082,6 +1082,17 @@ void StackAclBtmAcl::btm_establish_continue(tACL_CONN* p_acl) {
                PRIVATE_ADDRESS(p_acl->RemoteAddress()));
    }
    btm_set_link_policy(p_acl, btm_cb.acl_cb_.DefaultLinkPolicy());
  } else if (p_acl->is_transport_ble()) {
    tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_acl->remote_addr);

    if (p_dev_rec == nullptr) {
      LOG_WARN("No security record for %s",
               PRIVATE_ADDRESS(p_acl->RemoteAddress()));
    } else if (p_dev_rec->is_le_link_key_known()) {
      btm_ble_set_encryption(
          p_acl->remote_addr, BTM_BLE_SEC_ENCRYPT,
          p_dev_rec->role_central ? HCI_ROLE_CENTRAL : HCI_ROLE_PERIPHERAL);
    }
  }
  NotifyAclLinkUp(*p_acl);
}
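Review bot: The new LE branch is silent when `is_le_link_key_known()` is false, so a reconnection that comes up without an encryption request leaves no trace in the logs, unlike the missing-record case a few lines above which does warn; I would add `} else { LOG_WARN("No LE link key for %s, encryption not requested here", PRIVATE_ADDRESS(p_acl->RemoteAddress())); }` before the branch closes. A short comment above `btm_ble_set_encryption(` would also state the intent for the next reader, e.g. `// Bonded LE peer: request encryption as soon as the ACL is up, before NotifyAclLinkUp runs.` The same block looks up the record with `p_acl->remote_addr` but logs `p_acl->RemoteAddress()`; using one accessor would read more consistently, assuming both name the same address. btm_establish_continue starts outside the hunk.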
+1 −0
@@ -99,6 +99,7 @@ class EattChannel {

  void EattChannelSetTxMTU(uint16_t tx_mtu) {
    this->tx_mtu_ = std::min<uint16_t>(tx_mtu, EATT_MAX_TX_MTU);
    this->tx_mtu_ = std::max<uint16_t>(this->tx_mtu_, EATT_MIN_MTU_MPS);
  }
};
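Review bot: The second clamp applies a floor of `EATT_MIN_MTU_MPS` after the ceiling of `EATT_MAX_TX_MTU`, and nothing in the hunk guarantees the floor is at or below the ceiling, so the stored value depends on clamp order if the constants are ever changed; a `static_assert(EATT_MIN_MTU_MPS <= EATT_MAX_TX_MTU);` next to the constants or inside the class would pin that. A one-line comment above the first assignment would also explain why two clamps are needed: `// Clamp the requested tx MTU into [EATT_MIN_MTU_MPS, EATT_MAX_TX_MTU] so an undersized value is never stored.` Where tx_mtu originates is not visible here; if it is peer-supplied, a value that had to be raised to the floor may be worth a log line so a misbehaving peer is observable. class EattChannel begins outside the hunk.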

+29 −1
@@ -148,6 +148,13 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
  uint8_t* p;
  bool is_overflow = false;

  // We need at least one extra byte for the opcode
  if (mtu == 0) {
    LOG(ERROR) << "Invalid MTU";
    p_cmd->status = GATT_ILLEGAL_PARAMETER;
    return;
  }

  len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
  BT_HDR* p_buf = (BT_HDR*)osi_calloc(len);
  p_buf->offset = L2CAP_MIN_OFFSET;
@@ -191,7 +198,7 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {

      len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);

      if (len == 0) {
      if (total_len == mtu && p_rsp->attr_value.len > 0) {
        VLOG(1) << "Buffer space not enough for this data item, skipping";
        break;
      }
@@ -726,6 +733,11 @@ void gatts_process_primary_service_req(tGATT_TCB& tcb, uint16_t cid,

  uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, cid);

  // This can happen if the channel is already closed.
  if (payload_size == 0) {
    return;
  }

  uint16_t msg_len =
      (uint16_t)(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
  BT_HDR* p_msg = (BT_HDR*)osi_calloc(msg_len);
@@ -761,6 +773,12 @@ static void gatts_process_find_info(tGATT_TCB& tcb, uint16_t cid,
  }

  uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, cid);

  // This can happen if the channel is already closed.
  if (payload_size == 0) {
    return;
  }

  uint16_t buf_len =
      (uint16_t)(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);

@@ -895,6 +913,11 @@ static void gatts_process_read_by_type_req(tGATT_TCB& tcb, uint16_t cid,

  uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, cid);

  // This can happen if the channel is already closed.
  if (payload_size == 0) {
    return;
  }

  size_t msg_len = sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET;
  BT_HDR* p_msg = (BT_HDR*)osi_calloc(msg_len);
  uint8_t* p = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET;
@@ -1042,6 +1065,11 @@ static void gatts_process_read_req(tGATT_TCB& tcb, uint16_t cid,
                                   uint8_t* p_data) {
  uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, cid);

  // This can happen if the channel is already closed.
  if (payload_size == 0) {
    return;
  }

  size_t buf_len = sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET;
  uint16_t offset = 0;
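Review bot: The replacement guard `if (total_len == mtu && p_rsp->attr_value.len > 0)` stops only on an exactly full buffer, while `mtu - total_len` two lines above would wrap if total_len ever exceeded mtu, so `if (total_len >= mtu && p_rsp->attr_value.len > 0)` is the safer form at no extra cost; if total_len is provably bounded by mtu through the loop this is purely defensive. Whether that bound holds cannot be judged from the visible lines, and build_read_multi_rsp starts and ends outside this hunk. The four `payload_size == 0` early returns added in the later hunks repeat the same three lines and the same comment; a small shared helper would keep them from drifting, though that is a style point only.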