Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit aa9c1908 authored by Hui Peng's avatar Hui Peng Committed by Automerger Merge Worker
Browse files

Merge "Fix an OOB bug in btm_read_link_quality_complete" into tm-dev am: 8855f6c4 

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/20699491



Change-Id: I9ca9e7944aa8949f86eddbeb5806c762d6afc6df
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 0261346d 8855f6c4

system/stack/acl/btm_acl.cc

+14 −1
Original line number Original line Diff line number Diff line
@@ -1985,7 +1985,7 @@ void btm_read_link_quality_timeout(UNUSED_ATTR void* data) { 
 * Returns          void

 * Returns          void

 *

 *

 ******************************************************************************/

 ******************************************************************************/

void btm_read_link_quality_complete(uint8_t* p) {

void btm_read_link_quality_complete(uint8_t* p, uint16_t evt_len) {

  tBTM_CMPL_CB* p_cb = btm_cb.devcb.p_link_qual_cmpl_cb;

  tBTM_CMPL_CB* p_cb = btm_cb.devcb.p_link_qual_cmpl_cb;

  tBTM_LINK_QUALITY_RESULT result;

  tBTM_LINK_QUALITY_RESULT result;
@@ -1994,12 +1994,20 @@ void btm_read_link_quality_complete(uint8_t* p) { 




  /* If there was a registered callback, call it */

  /* If there was a registered callback, call it */

  if (p_cb) {

  if (p_cb) {

    if (evt_len < 1) {

      goto err_out;

    }



    STREAM_TO_UINT8(result.hci_status, p);

    STREAM_TO_UINT8(result.hci_status, p);





    if (result.hci_status == HCI_SUCCESS) {

    if (result.hci_status == HCI_SUCCESS) {

      uint16_t handle;

      uint16_t handle;

      result.status = BTM_SUCCESS;

      result.status = BTM_SUCCESS;





      if (evt_len < 4) {

        goto err_out;

      }



      STREAM_TO_UINT16(handle, p);

      STREAM_TO_UINT16(handle, p);





      STREAM_TO_UINT8(result.link_quality, p);

      STREAM_TO_UINT8(result.link_quality, p);
@@ -2018,6 +2026,11 @@ void btm_read_link_quality_complete(uint8_t* p) { 




    (*p_cb)(&result);

    (*p_cb)(&result);

  }

  }



  return;



err_out:

  LOG_ERROR("Bogus Link Quality event packet, size: %d", evt_len);

}

}





/*******************************************************************************

/*******************************************************************************

system/stack/btu/btu_hcif.cc

+1 −1
Original line number Original line Diff line number Diff line
@@ -1196,7 +1196,7 @@ static void btu_hcif_hdl_command_complete(uint16_t opcode, uint8_t* p, 
      break;

      break;





    case HCI_GET_LINK_QUALITY:

    case HCI_GET_LINK_QUALITY:

      btm_read_link_quality_complete(p);

      btm_read_link_quality_complete(p, evt_len);

      break;

      break;





    case HCI_READ_RSSI:

    case HCI_READ_RSSI:

system/stack/include/acl_hci_link_interface.h

+1 −1
Original line number Original line Diff line number Diff line
@@ -52,7 +52,7 @@ void btm_pm_proc_mode_change(tHCI_STATUS hci_status, uint16_t hci_handle, 
void btm_pm_proc_ssr_evt(uint8_t* p, uint16_t evt_len);

void btm_pm_proc_ssr_evt(uint8_t* p, uint16_t evt_len);

void btm_read_automatic_flush_timeout_complete(uint8_t* p);

void btm_read_automatic_flush_timeout_complete(uint8_t* p);

void btm_read_failed_contact_counter_complete(uint8_t* p);

void btm_read_failed_contact_counter_complete(uint8_t* p);

void btm_read_link_quality_complete(uint8_t* p);

void btm_read_link_quality_complete(uint8_t* p, uint16_t evt_len);

void btm_read_remote_ext_features_complete_raw(uint8_t* p, uint8_t evt_len);

void btm_read_remote_ext_features_complete_raw(uint8_t* p, uint8_t evt_len);

void btm_read_remote_ext_features_complete(uint16_t handle, uint8_t page_num,

void btm_read_remote_ext_features_complete(uint16_t handle, uint8_t page_num,

                                           uint8_t max_page, uint8_t* features);

                                           uint8_t max_page, uint8_t* features);

system/test/mock/mock_stack_acl.cc

+2 −2
Original line number Original line Diff line number Diff line
@@ -626,9 +626,9 @@ void btm_read_failed_contact_counter_timeout(UNUSED_ATTR void* data) { 
  mock_function_count_map[__func__]++;

  mock_function_count_map[__func__]++;

  test::mock::stack_acl::btm_read_failed_contact_counter_timeout(data);

  test::mock::stack_acl::btm_read_failed_contact_counter_timeout(data);

}

}

void btm_read_link_quality_complete(uint8_t* p) {

void btm_read_link_quality_complete(uint8_t* p, uint16_t evt_len) {

  mock_function_count_map[__func__]++;

  mock_function_count_map[__func__]++;

  test::mock::stack_acl::btm_read_link_quality_complete(p);

  test::mock::stack_acl::btm_read_link_quality_complete(p, evt_len);

}

}

void btm_read_link_quality_timeout(UNUSED_ATTR void* data) {

void btm_read_link_quality_timeout(UNUSED_ATTR void* data) {

  mock_function_count_map[__func__]++;

  mock_function_count_map[__func__]++;

system/test/mock/mock_stack_acl.h

+2 −2
Original line number Original line Diff line number Diff line
@@ -1100,8 +1100,8 @@ extern struct btm_read_failed_contact_counter_timeout 
// Params: uint8_t* p

// Params: uint8_t* p

// Returns: void

// Returns: void

struct btm_read_link_quality_complete {

struct btm_read_link_quality_complete {

  std::function<void(uint8_t* p)> body{[](uint8_t* p) { ; }};

  std::function<void(uint8_t* p, uint16_t evt_len)> body{[](uint8_t* p, uint16_t evt_len) { ; }};

  void operator()(uint8_t* p) { body(p); };

  void operator()(uint8_t* p, uint16_t evt_len) { body(p, evt_len); };

};

};

extern struct btm_read_link_quality_complete btm_read_link_quality_complete;

extern struct btm_read_link_quality_complete btm_read_link_quality_complete;

// Name: btm_read_link_quality_timeout

// Name: btm_read_link_quality_timeout