
Commit 9b2fd421 authored by Hui Peng's avatar Hui Peng Committed by Automerger Merge Worker

Merge "Fix an OOB bug in btm_read_link_quality_complete" into tm-dev am: 8855f6c4 am: aa9c1908

parents 188230f0 aa9c1908
+14 −1
@@ -1983,7 +1983,7 @@ void btm_read_link_quality_timeout(UNUSED_ATTR void* data) {
 * Returns          void
 *
 ******************************************************************************/
void btm_read_link_quality_complete(uint8_t* p) {
void btm_read_link_quality_complete(uint8_t* p, uint16_t evt_len) {
  tBTM_CMPL_CB* p_cb = btm_cb.devcb.p_link_qual_cmpl_cb;
  tBTM_LINK_QUALITY_RESULT result;

@@ -1992,12 +1992,20 @@ void btm_read_link_quality_complete(uint8_t* p) {

  /* If there was a registered callback, call it */
  if (p_cb) {
    if (evt_len < 1) {
      goto err_out;
    }

    STREAM_TO_UINT8(result.hci_status, p);

    if (result.hci_status == HCI_SUCCESS) {
      uint16_t handle;
      result.status = BTM_SUCCESS;

      if (evt_len < 4) {
        goto err_out;
      }

      STREAM_TO_UINT16(handle, p);

      STREAM_TO_UINT8(result.link_quality, p);
@@ -2016,6 +2024,11 @@ void btm_read_link_quality_complete(uint8_t* p) {

    (*p_cb)(&result);
  }

  return;

err_out:
  LOG_ERROR("Bogus Link Quality event packet, size: %d", evt_len);
}

/*******************************************************************************
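Review bot: On both `goto err_out` paths the registered callback `p_cb` is never invoked, so a truncated Link Quality event is logged but whoever requested the read gets no completion. The lines between the first and second hunk are not shown, so it cannot be confirmed here whether the callback slot or a timer has already been cleared by that point. Consider reporting the failure instead of returning silently, for example by adding `result.status = BTM_ERR_PROCESSING;` and `(*p_cb)(&result);` after the `LOG_ERROR` at `err_out:`; both jumps originate inside `if (p_cb)`, so the pointer is non-null there. The `evt_len < 4` bound matches the bytes consumed in the visible success branch (1 status, 2 handle, 1 link quality), but the lines between the second and third hunk are outside the view and should be checked for any further reads from `p`.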
+1 −1
@@ -1193,7 +1193,7 @@ static void btu_hcif_hdl_command_complete(uint16_t opcode, uint8_t* p,
      break;

    case HCI_GET_LINK_QUALITY:
      btm_read_link_quality_complete(p);
      btm_read_link_quality_complete(p, evt_len);
      break;

    case HCI_READ_RSSI:
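Review bot: The guards added in `btm_read_link_quality_complete` are only sound if `evt_len` at this call counts the bytes remaining from `p`, and nothing visible in this section states that. The dispatcher's signature is cut off at the hunk header and its caller is outside the page, so it is worth confirming that any command-complete header bytes already consumed are not still included in the length; if they were, the `evt_len < 4` check would admit short packets. A one-line comment on the parameter, such as `// evt_len: bytes of return parameters available at p`, would document that contract for the other cases in this switch.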
+1 −1
@@ -52,7 +52,7 @@ void btm_pm_proc_mode_change(tHCI_STATUS hci_status, uint16_t hci_handle,
void btm_pm_proc_ssr_evt(uint8_t* p, uint16_t evt_len);
void btm_read_automatic_flush_timeout_complete(uint8_t* p);
void btm_read_failed_contact_counter_complete(uint8_t* p);
void btm_read_link_quality_complete(uint8_t* p);
void btm_read_link_quality_complete(uint8_t* p, uint16_t evt_len);
void btm_read_remote_ext_features_complete_raw(uint8_t* p, uint8_t evt_len);
void btm_read_remote_ext_features_complete(uint16_t handle, uint8_t page_num,
                                           uint8_t max_page, uint8_t* features);
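Review bot: The neighbouring declarations `btm_read_automatic_flush_timeout_complete(uint8_t* p)` and `btm_read_failed_contact_counter_complete(uint8_t* p)` still receive only the packet pointer, so if their bodies (not shown on this page) read fields from `p` the way the link-quality handler does, they have no length to validate against. They look like candidates for the same `uint16_t evt_len` parameter and the same short-packet guards. Note also that `btm_read_remote_ext_features_complete_raw` declares `uint8_t evt_len` while the new prototype uses `uint16_t`; using one width for event lengths across these handlers would avoid silent truncation at the call sites.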
+2 −2
@@ -621,9 +621,9 @@ void btm_read_failed_contact_counter_timeout(UNUSED_ATTR void* data) {
  mock_function_count_map[__func__]++;
  test::mock::stack_acl::btm_read_failed_contact_counter_timeout(data);
}
void btm_read_link_quality_complete(uint8_t* p) {
void btm_read_link_quality_complete(uint8_t* p, uint16_t evt_len) {
  mock_function_count_map[__func__]++;
  test::mock::stack_acl::btm_read_link_quality_complete(p);
  test::mock::stack_acl::btm_read_link_quality_complete(p, evt_len);
}
void btm_read_link_quality_timeout(UNUSED_ATTR void* data) {
  mock_function_count_map[__func__]++;
+2 −2
@@ -1091,8 +1091,8 @@ extern struct btm_read_failed_contact_counter_timeout
// Params: uint8_t* p
// Returns: void
struct btm_read_link_quality_complete {
  std::function<void(uint8_t* p)> body{[](uint8_t* p) { ; }};
  void operator()(uint8_t* p) { body(p); };
  std::function<void(uint8_t* p, uint16_t evt_len)> body{[](uint8_t* p, uint16_t evt_len) { ; }};
  void operator()(uint8_t* p, uint16_t evt_len) { body(p, evt_len); };
};
extern struct btm_read_link_quality_complete btm_read_link_quality_complete;
// Name: btm_read_link_quality_timeout
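Review bot: The descriptive comment above the mock struct still reads `// Params: uint8_t* p`, although `body` and `operator()` now take a second argument. It should be updated to `// Params: uint8_t* p, uint16_t evt_len` so the mock's header matches its signature. If this file is generated, regenerating it from the updated source would be the cleaner fix.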