Loading system/btif/src/btif_dm.cc +53 −24 Original line number Diff line number Diff line Loading @@ -257,6 +257,11 @@ static bool is_empty_128bit(uint8_t* data) { return !memcmp(zero, data, sizeof(zero)); } static bool is_bonding_or_sdp() { return pairing_cb.state == BT_BOND_STATE_BONDING || (pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts); } static void btif_dm_data_copy(uint16_t event, char* dst, char* src) { tBTA_DM_SEC* dst_dm_sec = (tBTA_DM_SEC*)dst; tBTA_DM_SEC* src_dm_sec = (tBTA_DM_SEC*)src; Loading Loading @@ -483,8 +488,6 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr, bt_bond_state_t state) { btif_stats_add_bond_event(bd_addr, BTIF_DM_FUNC_BOND_STATE_CHANGED, state); // Send bonding state only once - based on outgoing/incoming we may receive // duplicates if ((pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING)) { // Cross key pairing so send callback for static address if (!pairing_cb.static_bdaddr.IsEmpty()) { Loading @@ -502,14 +505,18 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr, auto tmp = bd_addr; HAL_CBACK(bt_hal_cbacks, bond_state_changed_cb, status, &tmp, state); if (state == BT_BOND_STATE_BONDING) { int dev_type; if (!btif_get_device_type(bd_addr, &dev_type)) { dev_type = BT_DEVICE_TYPE_BREDR; } if (state == BT_BOND_STATE_BONDING || (state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts > 0)) { // Save state for the device is bonding or SDP. pairing_cb.state = state; pairing_cb.bd_addr = bd_addr; } else { if (!pairing_cb.sdp_attempts) memset(&pairing_cb, 0, sizeof(pairing_cb)); else BTIF_TRACE_DEBUG("%s: BR-EDR service discovery active", __func__); pairing_cb = {}; } } Loading Loading 
@@ -1135,6 +1142,10 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) { /* Trigger SDP on the device */ pairing_cb.sdp_attempts = 1; // Report bonded to Java before start SDP bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED); btif_dm_get_remote_services(bd_addr); } } Loading Loading @@ -1392,9 +1403,9 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) { BTIF_TRACE_DEBUG("%s:(result=0x%x, services 0x%x)", __func__, p_data->disc_res.result, p_data->disc_res.services); if ((p_data->disc_res.result != BTA_SUCCESS) && (pairing_cb.state == BT_BOND_STATE_BONDING) && (pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING)) { if (p_data->disc_res.result != BTA_SUCCESS && pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING) { if (pairing_cb.sdp_attempts) { BTIF_TRACE_WARNING("%s: SDP failed after bonding re-attempting", __func__); Loading 
@@ -1421,22 +1432,40 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) { /* onUuidChanged requires getBondedDevices to be populated. ** bond_state_changed needs to be sent prior to remote_device_property */ if ((pairing_cb.state == BT_BOND_STATE_BONDING) && if (pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts && (p_data->disc_res.bd_addr == pairing_cb.bd_addr || p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) && pairing_cb.sdp_attempts > 0) { BTIF_TRACE_DEBUG( "%s Remote Service SDP done. Call bond_state_changed_cb BONDED", __func__); p_data->disc_res.bd_addr == pairing_cb.static_bdaddr)) { LOG_INFO(LOG_TAG, "%s Remote Service SDP done.", __func__); pairing_cb.sdp_attempts = 0; // If bonding occured due to cross-key pairing, send bonding callback // If bond occured due to cross-key pairing, send bond state callback // for static address now if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) { bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDING); bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED); } if (pairing_cb.state == BT_BOND_STATE_BONDED) { if (p_data->disc_res.result == BTA_SUCCESS) { // Device is bonded and SDP completed. Clear the pairing control // block. pairing_cb = {}; } else { // Report empty UUID to Java if SDP report negative result while // pairing. bt_property_t prop; Uuid uuid; prop.type = BT_PROPERTY_UUIDS; prop.val = &uuid; prop.len = Uuid::kNumBytes128; /* Send the event to the BTIF */ HAL_CBACK(bt_hal_cbacks, remote_device_properties_cb, BT_STATUS_SUCCESS, &bd_addr, 1, &prop); break; } } } if (p_data->disc_res.num_uuids != 0) { /* Also write this to the NVRAM */ Loading Loading 
@@ -1630,7 +1659,7 @@ static void btif_dm_upstreams_evt(uint16_t event, char* p_param) { break; case BTA_DM_BOND_CANCEL_CMPL_EVT: if (pairing_cb.state == BT_BOND_STATE_BONDING) { if (is_bonding_or_sdp()) { bd_addr = pairing_cb.bd_addr; btm_set_bond_type_dev(pairing_cb.bd_addr, BOND_TYPE_UNKNOWN); bond_state_changed((bt_status_t)p_data->bond_cancel_cmpl.result, Loading Loading @@ -2273,7 +2302,7 @@ bt_status_t btif_dm_cancel_bond(const RawAddress* bd_addr) { ** 1. Restore scan modes ** 2. special handling for HID devices */ if (pairing_cb.state == BT_BOND_STATE_BONDING) { if (is_bonding_or_sdp()) { if (pairing_cb.is_ssp) { if (pairing_cb.is_le_only) { BTA_DmBleSecurityGrant(*bd_addr, BTA_DM_SEC_PAIR_NOT_SPT); Loading Loading @@ -2471,7 +2500,7 @@ bt_status_t btif_dm_get_remote_services(const RawAddress& remote_addr) { /******************************************************************************* * * Function btif_dm_get_remote_services_transport * Function btif_dm_get_remote_services_by_transport * * Description Start SDP to get remote services by transport * Loading Loading @@ -3168,7 +3197,7 @@ bt_status_t btif_le_test_mode(uint16_t opcode, uint8_t* buf, uint8_t len) { void btif_dm_on_disable() { /* cancel any pending pairing requests */ if (pairing_cb.state == BT_BOND_STATE_BONDING) { if (is_bonding_or_sdp()) { BTIF_TRACE_DEBUG("%s: Cancel pending pairing request", __func__); btif_dm_cancel_bond(&pairing_cb.bd_addr); } Loading system/stack/btm/ble_advertiser_hci_interface.cc +35 −0 Original line number Diff line number Diff line Loading @@ -27,6 +27,7 @@ #include "btm_int_types.h" #include "device/include/controller.h" #include "hcidefs.h" #include "log/log.h" #define BTM_BLE_MULTI_ADV_SET_RANDOM_ADDR_LEN 8 #define BTM_BLE_MULTI_ADV_ENB_LEN 3 Loading Loading 
@@ -162,6 +163,14 @@ class BleAdvertiserVscHciInterfaceImpl : public BleAdvertiserHciInterface { uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN]; memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN); if (data_length > BTM_BLE_AD_DATA_LEN) { android_errorWriteLog(0x534e4554, "121145627"); LOG(ERROR) << __func__ << ": data_length=" << static_cast<int>(data_length) << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN; data_length = BTM_BLE_AD_DATA_LEN; } uint8_t* pp = param; UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_ADV_DATA); UINT8_TO_STREAM(pp, data_length); Loading @@ -181,6 +190,14 @@ class BleAdvertiserVscHciInterfaceImpl : public BleAdvertiserHciInterface { uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN]; memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN); if (scan_response_data_length > BTM_BLE_AD_DATA_LEN) { android_errorWriteLog(0x534e4554, "121145627"); LOG(ERROR) << __func__ << ": scan_response_data_length=" << static_cast<int>(scan_response_data_length) << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN; scan_response_data_length = BTM_BLE_AD_DATA_LEN; } uint8_t* pp = param; UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_SCAN_RSP_DATA); UINT8_TO_STREAM(pp, scan_response_data_length); Loading Loading @@ -372,6 +389,15 @@ class BleAdvertiserLegacyHciInterfaceImpl : public BleAdvertiserHciInterface { uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1]; if (data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) { android_errorWriteLog(0x534e4554, "121145627"); LOG(ERROR) << __func__ << ": data_length=" << static_cast<int>(data_length) << ", is longer than size limit " << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA; data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA; } uint8_t* pp = param; memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1); UINT8_TO_STREAM(pp, data_length); Loading 
@@ -389,6 +415,15 @@ class BleAdvertiserLegacyHciInterfaceImpl : public BleAdvertiserHciInterface { VLOG(1) << __func__; uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1]; if (scan_response_data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) { android_errorWriteLog(0x534e4554, "121145627"); LOG(ERROR) << __func__ << ": scan_response_data_length=" << static_cast<int>(scan_response_data_length) << ", is longer than size limit " << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA; scan_response_data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA; } uint8_t* pp = param; memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1); UINT8_TO_STREAM(pp, scan_response_data_length); Loading system/stack/btm/btm_ble.cc +7 −0 Original line number Diff line number Diff line Loading @@ -39,6 +39,7 @@ #include "gap_api.h" #include "gatt_api.h" #include "hcimsgs.h" #include "log/log.h" #include "l2c_int.h" #include "osi/include/log.h" #include "osi/include/osi.h" Loading Loading @@ -2086,6 +2087,12 @@ uint8_t btm_proc_smp_cback(tSMP_EVT event, const RawAddress& bd_addr, } if (event == SMP_COMPLT_EVT) { p_dev_rec = btm_find_dev(bd_addr); if (p_dev_rec == NULL) { BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__); android_errorWriteLog(0x534e4554, "120612744"); return 0; } BTM_TRACE_DEBUG( "evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level, p_dev_rec->sec_flags); Loading system/stack/l2cap/l2c_main.cc +48 −6 Original line number Diff line number Diff line Loading 
@@ -455,19 +455,40 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { switch (cfg_code & 0x7F) { case L2CAP_CFG_TYPE_MTU: cfg_info.mtu_present = true; if (p + 2 > p_next_cmd) return; if (cfg_len != 2) { android_errorWriteLog(0x534e4554, "119870451"); return; } if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } STREAM_TO_UINT16(cfg_info.mtu, p); break; case L2CAP_CFG_TYPE_FLUSH_TOUT: cfg_info.flush_to_present = true; if (p + 2 > p_next_cmd) return; if (cfg_len != 2) { android_errorWriteLog(0x534e4554, "119870451"); return; } if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } STREAM_TO_UINT16(cfg_info.flush_to, p); break; case L2CAP_CFG_TYPE_QOS: cfg_info.qos_present = true; if (p + 2 + 5 * 4 > p_next_cmd) return; if (cfg_len != 2 + 5 * 4) { android_errorWriteLog(0x534e4554, "119870451"); return; } if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } STREAM_TO_UINT8(cfg_info.qos.qos_flags, p); STREAM_TO_UINT8(cfg_info.qos.service_type, p); STREAM_TO_UINT32(cfg_info.qos.token_rate, p); Loading @@ -479,7 +500,14 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { case L2CAP_CFG_TYPE_FCR: cfg_info.fcr_present = true; if (p + 3 + 3 * 2 > p_next_cmd) return; if (cfg_len != 3 + 3 * 2) { android_errorWriteLog(0x534e4554, "119870451"); return; } if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } STREAM_TO_UINT8(cfg_info.fcr.mode, p); STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p); STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p); Loading 
@@ -490,13 +518,27 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { case L2CAP_CFG_TYPE_FCS: cfg_info.fcs_present = true; if (p + 1 > p_next_cmd) return; if (cfg_len != 1) { android_errorWriteLog(0x534e4554, "119870451"); return; } if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } STREAM_TO_UINT8(cfg_info.fcs, p); break; case L2CAP_CFG_TYPE_EXT_FLOW: cfg_info.ext_flow_spec_present = true; if (p + 2 + 2 + 3 * 4 > p_next_cmd) return; if (cfg_len != 2 + 2 + 3 * 4) { android_errorWriteLog(0x534e4554, "119870451"); return; } if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p); STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p); STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p); Loading system/stack/l2cap/l2c_utils.cc +3 −0 Original line number Diff line number Diff line Loading @@ -796,6 +796,9 @@ void l2cu_send_peer_config_rej(tL2C_CCB* p_ccb, uint8_t* p_data, case L2CAP_CFG_TYPE_MTU: case L2CAP_CFG_TYPE_FLUSH_TOUT: case L2CAP_CFG_TYPE_QOS: case L2CAP_CFG_TYPE_FCR: case L2CAP_CFG_TYPE_FCS: case L2CAP_CFG_TYPE_EXT_FLOW: p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD; break; Loading Loading
system/btif/src/btif_dm.cc +53 −24 Original line number Diff line number Diff line Loading @@ -257,6 +257,11 @@ static bool is_empty_128bit(uint8_t* data) { return !memcmp(zero, data, sizeof(zero)); } static bool is_bonding_or_sdp() { return pairing_cb.state == BT_BOND_STATE_BONDING || (pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts); } static void btif_dm_data_copy(uint16_t event, char* dst, char* src) { tBTA_DM_SEC* dst_dm_sec = (tBTA_DM_SEC*)dst; tBTA_DM_SEC* src_dm_sec = (tBTA_DM_SEC*)src; Loading Loading @@ -483,8 +488,6 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr, bt_bond_state_t state) { btif_stats_add_bond_event(bd_addr, BTIF_DM_FUNC_BOND_STATE_CHANGED, state); // Send bonding state only once - based on outgoing/incoming we may receive // duplicates if ((pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING)) { // Cross key pairing so send callback for static address if (!pairing_cb.static_bdaddr.IsEmpty()) { Loading @@ -502,14 +505,18 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr, auto tmp = bd_addr; HAL_CBACK(bt_hal_cbacks, bond_state_changed_cb, status, &tmp, state); if (state == BT_BOND_STATE_BONDING) { int dev_type; if (!btif_get_device_type(bd_addr, &dev_type)) { dev_type = BT_DEVICE_TYPE_BREDR; } if (state == BT_BOND_STATE_BONDING || (state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts > 0)) { // Save state for the device is bonding or SDP. pairing_cb.state = state; pairing_cb.bd_addr = bd_addr; } else { if (!pairing_cb.sdp_attempts) memset(&pairing_cb, 0, sizeof(pairing_cb)); else BTIF_TRACE_DEBUG("%s: BR-EDR service discovery active", __func__); pairing_cb = {}; } } Loading Loading 
@@ -1135,6 +1142,10 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) { /* Trigger SDP on the device */ pairing_cb.sdp_attempts = 1; // Report bonded to Java before start SDP bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED); btif_dm_get_remote_services(bd_addr); } } Loading Loading @@ -1392,9 +1403,9 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) { BTIF_TRACE_DEBUG("%s:(result=0x%x, services 0x%x)", __func__, p_data->disc_res.result, p_data->disc_res.services); if ((p_data->disc_res.result != BTA_SUCCESS) && (pairing_cb.state == BT_BOND_STATE_BONDING) && (pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING)) { if (p_data->disc_res.result != BTA_SUCCESS && pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING) { if (pairing_cb.sdp_attempts) { BTIF_TRACE_WARNING("%s: SDP failed after bonding re-attempting", __func__); Loading 
@@ -1421,22 +1432,40 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) { /* onUuidChanged requires getBondedDevices to be populated. ** bond_state_changed needs to be sent prior to remote_device_property */ if ((pairing_cb.state == BT_BOND_STATE_BONDING) && if (pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts && (p_data->disc_res.bd_addr == pairing_cb.bd_addr || p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) && pairing_cb.sdp_attempts > 0) { BTIF_TRACE_DEBUG( "%s Remote Service SDP done. Call bond_state_changed_cb BONDED", __func__); p_data->disc_res.bd_addr == pairing_cb.static_bdaddr)) { LOG_INFO(LOG_TAG, "%s Remote Service SDP done.", __func__); pairing_cb.sdp_attempts = 0; // If bonding occured due to cross-key pairing, send bonding callback // If bond occured due to cross-key pairing, send bond state callback // for static address now if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) { bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDING); bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED); } if (pairing_cb.state == BT_BOND_STATE_BONDED) { if (p_data->disc_res.result == BTA_SUCCESS) { // Device is bonded and SDP completed. Clear the pairing control // block. pairing_cb = {}; } else { // Report empty UUID to Java if SDP report negative result while // pairing. bt_property_t prop; Uuid uuid; prop.type = BT_PROPERTY_UUIDS; prop.val = &uuid; prop.len = Uuid::kNumBytes128; /* Send the event to the BTIF */ HAL_CBACK(bt_hal_cbacks, remote_device_properties_cb, BT_STATUS_SUCCESS, &bd_addr, 1, &prop); break; } } } if (p_data->disc_res.num_uuids != 0) { /* Also write this to the NVRAM */ Loading Loading 
@@ -1630,7 +1659,7 @@ static void btif_dm_upstreams_evt(uint16_t event, char* p_param) { break; case BTA_DM_BOND_CANCEL_CMPL_EVT: if (pairing_cb.state == BT_BOND_STATE_BONDING) { if (is_bonding_or_sdp()) { bd_addr = pairing_cb.bd_addr; btm_set_bond_type_dev(pairing_cb.bd_addr, BOND_TYPE_UNKNOWN); bond_state_changed((bt_status_t)p_data->bond_cancel_cmpl.result, Loading Loading @@ -2273,7 +2302,7 @@ bt_status_t btif_dm_cancel_bond(const RawAddress* bd_addr) { ** 1. Restore scan modes ** 2. special handling for HID devices */ if (pairing_cb.state == BT_BOND_STATE_BONDING) { if (is_bonding_or_sdp()) { if (pairing_cb.is_ssp) { if (pairing_cb.is_le_only) { BTA_DmBleSecurityGrant(*bd_addr, BTA_DM_SEC_PAIR_NOT_SPT); Loading Loading @@ -2471,7 +2500,7 @@ bt_status_t btif_dm_get_remote_services(const RawAddress& remote_addr) { /******************************************************************************* * * Function btif_dm_get_remote_services_transport * Function btif_dm_get_remote_services_by_transport * * Description Start SDP to get remote services by transport * Loading Loading @@ -3168,7 +3197,7 @@ bt_status_t btif_le_test_mode(uint16_t opcode, uint8_t* buf, uint8_t len) { void btif_dm_on_disable() { /* cancel any pending pairing requests */ if (pairing_cb.state == BT_BOND_STATE_BONDING) { if (is_bonding_or_sdp()) { BTIF_TRACE_DEBUG("%s: Cancel pending pairing request", __func__); btif_dm_cancel_bond(&pairing_cb.bd_addr); } Loading
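Review bot: In the SDP-failure branch added to btif_dm_search_services_evt, `Uuid uuid;` is default-initialized and then passed to remote_device_properties_cb as the "empty UUID" with `prop.len = Uuid::kNumBytes128`. Whether those bytes are zero depends on Uuid's default constructor, which is not visible on this page; if it is defaulted, the callback forwards uninitialized stack bytes to the Java layer. Value-initializing makes the intent explicit either way: `Uuid uuid = {};`. The enclosing function starts and ends outside the hunk.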
system/stack/btm/ble_advertiser_hci_interface.cc +35 −0 Original line number Diff line number Diff line Loading @@ -27,6 +27,7 @@ #include "btm_int_types.h" #include "device/include/controller.h" #include "hcidefs.h" #include "log/log.h" #define BTM_BLE_MULTI_ADV_SET_RANDOM_ADDR_LEN 8 #define BTM_BLE_MULTI_ADV_ENB_LEN 3 Loading Loading @@ -162,6 +163,14 @@ class BleAdvertiserVscHciInterfaceImpl : public BleAdvertiserHciInterface { uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN]; memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN); if (data_length > BTM_BLE_AD_DATA_LEN) { android_errorWriteLog(0x534e4554, "121145627"); LOG(ERROR) << __func__ << ": data_length=" << static_cast<int>(data_length) << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN; data_length = BTM_BLE_AD_DATA_LEN; } uint8_t* pp = param; UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_ADV_DATA); UINT8_TO_STREAM(pp, data_length); Loading @@ -181,6 +190,14 @@ class BleAdvertiserVscHciInterfaceImpl : public BleAdvertiserHciInterface { uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN]; memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN); if (scan_response_data_length > BTM_BLE_AD_DATA_LEN) { android_errorWriteLog(0x534e4554, "121145627"); LOG(ERROR) << __func__ << ": scan_response_data_length=" << static_cast<int>(scan_response_data_length) << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN; scan_response_data_length = BTM_BLE_AD_DATA_LEN; } uint8_t* pp = param; UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_SCAN_RSP_DATA); UINT8_TO_STREAM(pp, scan_response_data_length); Loading Loading 
@@ -372,6 +389,15 @@ class BleAdvertiserLegacyHciInterfaceImpl : public BleAdvertiserHciInterface { uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1]; if (data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) { android_errorWriteLog(0x534e4554, "121145627"); LOG(ERROR) << __func__ << ": data_length=" << static_cast<int>(data_length) << ", is longer than size limit " << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA; data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA; } uint8_t* pp = param; memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1); UINT8_TO_STREAM(pp, data_length); Loading @@ -389,6 +415,15 @@ class BleAdvertiserLegacyHciInterfaceImpl : public BleAdvertiserHciInterface { VLOG(1) << __func__; uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1]; if (scan_response_data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) { android_errorWriteLog(0x534e4554, "121145627"); LOG(ERROR) << __func__ << ": scan_response_data_length=" << static_cast<int>(scan_response_data_length) << ", is longer than size limit " << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA; scan_response_data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA; } uint8_t* pp = param; memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1); UINT8_TO_STREAM(pp, scan_response_data_length); Loading
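Review bot: The four new length guards clamp the length and then still issue the command, so an oversized payload reaches the controller truncated, possibly in the middle of an AD structure, while the caller sees a normal completion. Consider failing the request through the command-complete callback instead, or at least state the behaviour at each guard with a comment such as `// Oversized input is truncated, not rejected; the tail of the payload is dropped.`. In the VSC class the clamp is to BTM_BLE_AD_DATA_LEN while the buffer is sized by BTM_BLE_MULTI_ADV_WRITE_DATA_LEN, and the relation between the two is not visible here. A `static_assert` next to the buffer declaration tying the two constants together would keep the guard valid if either changes. The method bodies continue outside the hunks.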
system/stack/btm/btm_ble.cc +7 −0 Original line number Diff line number Diff line Loading @@ -39,6 +39,7 @@ #include "gap_api.h" #include "gatt_api.h" #include "hcimsgs.h" #include "log/log.h" #include "l2c_int.h" #include "osi/include/log.h" #include "osi/include/osi.h" Loading Loading @@ -2086,6 +2087,12 @@ uint8_t btm_proc_smp_cback(tSMP_EVT event, const RawAddress& bd_addr, } if (event == SMP_COMPLT_EVT) { p_dev_rec = btm_find_dev(bd_addr); if (p_dev_rec == NULL) { BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__); android_errorWriteLog(0x534e4554, "120612744"); return 0; } BTM_TRACE_DEBUG( "evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level, p_dev_rec->sec_flags); Loading
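Review bot: The new `return 0` on a NULL p_dev_rec leaves btm_proc_smp_cback before the rest of the SMP_COMPLT_EVT branch, which lies outside the hunk; if that code resets pairing state or notifies the application callback, a completion event for an unknown address now skips it. It is also worth confirming what 0 means to the SMP caller, since it is returned without a named status. The error trace would help triage more with the address included, e.g. `BTM_TRACE_ERROR("%s: no device record for %s", __func__, bd_addr.ToString().c_str());`.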
system/stack/l2cap/l2c_main.cc +48 −6 Original line number Diff line number Diff line Loading @@ -455,19 +455,40 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { switch (cfg_code & 0x7F) { case L2CAP_CFG_TYPE_MTU: cfg_info.mtu_present = true; if (p + 2 > p_next_cmd) return; if (cfg_len != 2) { android_errorWriteLog(0x534e4554, "119870451"); return; } if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } STREAM_TO_UINT16(cfg_info.mtu, p); break; case L2CAP_CFG_TYPE_FLUSH_TOUT: cfg_info.flush_to_present = true; if (p + 2 > p_next_cmd) return; if (cfg_len != 2) { android_errorWriteLog(0x534e4554, "119870451"); return; } if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } STREAM_TO_UINT16(cfg_info.flush_to, p); break; case L2CAP_CFG_TYPE_QOS: cfg_info.qos_present = true; if (p + 2 + 5 * 4 > p_next_cmd) return; if (cfg_len != 2 + 5 * 4) { android_errorWriteLog(0x534e4554, "119870451"); return; } if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } STREAM_TO_UINT8(cfg_info.qos.qos_flags, p); STREAM_TO_UINT8(cfg_info.qos.service_type, p); STREAM_TO_UINT32(cfg_info.qos.token_rate, p); Loading @@ -479,7 +500,14 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { case L2CAP_CFG_TYPE_FCR: cfg_info.fcr_present = true; if (p + 3 + 3 * 2 > p_next_cmd) return; if (cfg_len != 3 + 3 * 2) { android_errorWriteLog(0x534e4554, "119870451"); return; } if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } STREAM_TO_UINT8(cfg_info.fcr.mode, p); STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p); STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p); Loading 
@@ -490,13 +518,27 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { case L2CAP_CFG_TYPE_FCS: cfg_info.fcs_present = true; if (p + 1 > p_next_cmd) return; if (cfg_len != 1) { android_errorWriteLog(0x534e4554, "119870451"); return; } if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } STREAM_TO_UINT8(cfg_info.fcs, p); break; case L2CAP_CFG_TYPE_EXT_FLOW: cfg_info.ext_flow_spec_present = true; if (p + 2 + 2 + 3 * 4 > p_next_cmd) return; if (cfg_len != 2 + 2 + 3 * 4) { android_errorWriteLog(0x534e4554, "119870451"); return; } if (p + cfg_len > p_next_cmd) { android_errorWriteLog(0x534e4554, "74202041"); return; } STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p); STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p); STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p); Loading
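Review bot: The same two-step guard (exact option length, then bounds against p_next_cmd) is now written out six times with literal sizes such as `2 + 5 * 4`, and each `*_present` flag is set before its option has been validated. A small static helper keeps the two log ids and the comparison in one place, and lets the bounds test compare remaining bytes instead of forming `p + cfg_len`. The sketch below assumes cfg_len is a uint8_t and p_next_cmd a uint8_t*, neither of which is declared inside the hunks; process_l2cap_cmd itself starts and ends outside them. If the file parses configuration options in a second place, that code is not part of this change and would need the same checks.

```cpp
// Returns true when a fixed-size option carries exactly |expected| payload
// bytes and that payload lies inside the current command.
static bool l2c_cfg_opt_len_ok(const uint8_t* p, const uint8_t* p_next_cmd,
                               uint8_t cfg_len, uint8_t expected) {
  if (cfg_len != expected) {
    android_errorWriteLog(0x534e4554, "119870451");
    return false;
  }
  if (p_next_cmd - p < cfg_len) {
    android_errorWriteLog(0x534e4554, "74202041");
    return false;
  }
  return true;
}

// … unchanged: option header parsing and switch (cfg_code & 0x7F) …
        case L2CAP_CFG_TYPE_MTU:
          if (!l2c_cfg_opt_len_ok(p, p_next_cmd, cfg_len, 2)) return;
          cfg_info.mtu_present = true;
          STREAM_TO_UINT16(cfg_info.mtu, p);
          break;
// … unchanged: remaining option cases, same pattern with their own sizes …
```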
system/stack/l2cap/l2c_utils.cc +3 −0 Original line number Diff line number Diff line Loading @@ -796,6 +796,9 @@ void l2cu_send_peer_config_rej(tL2C_CCB* p_ccb, uint8_t* p_data, case L2CAP_CFG_TYPE_MTU: case L2CAP_CFG_TYPE_FLUSH_TOUT: case L2CAP_CFG_TYPE_QOS: case L2CAP_CFG_TYPE_FCR: case L2CAP_CFG_TYPE_FCS: case L2CAP_CFG_TYPE_EXT_FLOW: p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD; break; Loading
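Review bot: The three option types added to this case list now also reach `p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD`, which advances by a peer-supplied length with no bound visible in the hunk. The loop condition and the read of cfg_len sit outside the hunk, so please confirm the loop stops before it reads an option header that straddles the end of the buffer. A short comment on the case list, e.g. `// Recognised option types: step over header and payload.`, would also record why these are skipped.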