
Commit 8b02203c authored by Henri Chataing's avatar Henri Chataing

avct: Potentially invalid PID sent in response packet

Issue could be triggered in avct_bcb_msg_ind, avct_lcb_msg_ind
with the flag A2dp::src_sink_coexist enabled

Test: m com.android.btservices
Bug: 306672534
Change-Id: Ieb224f2f063cd6dddc01c370b770911b80ace82b
parent 9fab9d58
+3 −2
@@ -539,6 +539,8 @@ void avct_bcb_msg_ind(tAVCT_BCB* p_bcb, tAVCT_LCB_EVT* p_data) {

  /* parse header byte */
  AVCT_PARSE_HDR(p, label, type, cr_ipid);
  /* parse PID */
  BE_STREAM_TO_UINT16(pid, p);

  /* check for invalid cr_ipid */
  if (cr_ipid == AVCT_CR_IPID_INVALID) {
@@ -556,8 +558,7 @@ void avct_bcb_msg_ind(tAVCT_BCB* p_bcb, tAVCT_LCB_EVT* p_data) {
  } else
#endif
  {
    /* parse and lookup PID */
    BE_STREAM_TO_UINT16(pid, p);
    /* lookup PID */
    p_ccb = avct_lcb_has_pid(p_lcb, pid);
    if (p_ccb) {
      /* PID found; send msg up, adjust bt hdr and call msg callback */
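Review bot: The PID read placed right after `AVCT_PARSE_HDR` in avct_bcb_msg_ind now runs for every incoming packet, ahead of the cr_ipid check, and nothing in this hunk shows that the message holds the header byte plus the two PID bytes at that point. If no length check precedes the parse in the part of the function outside the hunk, a short packet from a remote peer would be read past its payload. Confirm that a minimum-length guard sits above the parse, or add one that drops the buffer when the received message is shorter than three bytes. The same applies to the identical change in avct_lcb_msg_ind. The function body starts and ends outside the hunk, so an existing guard may simply not be visible here.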
+3 −2
@@ -676,6 +676,8 @@ void avct_lcb_msg_ind(tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) {

  /* parse header byte */
  AVCT_PARSE_HDR(p, label, type, cr_ipid);
  /* parse PID */
  BE_STREAM_TO_UINT16(pid, p);

  /* check for invalid cr_ipid */
  if (cr_ipid == AVCT_CR_IPID_INVALID) {
@@ -693,8 +695,7 @@ void avct_lcb_msg_ind(tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) {
  } else
#endif
  {
    /* parse and lookup PID */
    BE_STREAM_TO_UINT16(pid, p);
    /* lookup PID */
    p_ccb = avct_lcb_has_pid(p_lcb, pid);
    if (p_ccb) {
      /* PID found; send msg up, adjust bt hdr and call msg callback */
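Review bot: The early `BE_STREAM_TO_UINT16(pid, p);` in avct_lcb_msg_ind carries only the comment `/* parse PID */`, which does not say why the read has to come before the cr_ipid check. Going by the commit title, the reject paths below appear to place pid in the response packet, so a later cleanup that moves the read back next to `avct_lcb_has_pid` would reintroduce the bug. I would write the comment as `/* parse PID before any reject path; the response packet carries it */` and use the same wording in avct_bcb_msg_ind. The function continues outside the hunk.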