Commit 91da560b authored Dec 27, 2018 by Manoj Babulal

SMP: Fix invalid auth_req in LE Security Request handler

Due to wrong pointer de-reference, auth_req value read
in smp_proc_sec_req (LE Security Request packet handler)
was invalid.

Logcat trace shows invalid auth_req value:
.. bt_smp  : smp_proc_sec_req: auth_req=0xf9
   ....
.. bt_smp  : smp_proc_sec_req: auth_req=0xe9

After the fix, auth_req value is correct:
.. bt_smp  : smp_proc_sec_req: auth_req=0x1
   ....
.. bt_smp  : smp_proc_sec_req: auth_req=0x5

This data flow can be traced in code on this path:
smp_data_received -> smp_sm_event -> smp_proc_sec_req

Issue seen after following change:
https://android-review.googlesource.com/c/platform/system/bt/+/492442

Issue was discovered during execution of PTS test
cases GAP/SEC/AUT/BV-13-C and GAP/SEC/AUT/BV-14-C.

Fixes: 122066779

Test: Verified logcat trace shows valid auth_req
value prints from smp_proc_sec_req() function

Change-Id: I072b4794fb56a05b7ac7f2f4ca606514d7524550

parent abeb161e

system/stack/smp/smp_act.cc

+1 −1

Original line number	Diff line number	Diff line
		@@ -423,7 +423,7 @@ void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
		* Description process security request.
		******************************************************************************/
		void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
		tBTM_LE_AUTH_REQ auth_req = (tBTM_LE_AUTH_REQ)p_data;
		tBTM_LE_AUTH_REQ auth_req = (tBTM_LE_AUTH_REQ)p_data->p_data;
		tBTM_BLE_SEC_REQ_ACT sec_req_act;

		SMP_TRACE_DEBUG("%s: auth_req=0x%x", __func__, auth_req);