Merge cherrypicks of ['googleplex-android-review.googlesource.com/29553782',... (b23312a5) · Commits · e / os / android_packages_modules_Bluetooth

system/bta/hf_client/bta_hf_client_sdp.cc

+13 −0

Original line number	Diff line number	Diff line
		@@ -319,6 +319,19 @@ void bta_hf_client_do_disc(tBTA_HF_CLIENT_CB* client_cb) {
		uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_AG_HANDSFREE);
		}

		/* If we already have a non-null discovery database at this point, we can get
		* into a race condition leading to UAF once this connection is closed.
		* This should only happen with malicious modifications to a client. */
		if (client_cb->p_disc_db != NULL) {
		APPL_TRACE_ERROR(
		"Tried to set up a HF client with a preexisting discovery database.");
		client_cb->p_disc_db = NULL;
		// We manually set the state here because it's possible to call this from an
		// OPEN state, in which case the discovery fail event will be ignored.
		client_cb->state = 0; // BTA_HF_CLIENT_INIT_ST
		return;
		}

		/* allocate buffer for sdp database */
		client_cb->p_disc_db = (tSDP_DISCOVERY_DB*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);

+4 −2

Original line number	Diff line number	Diff line
		@@ -62,9 +62,11 @@ void AVCT_Register() {
		/* initialize AVCTP data structures */
		memset(&avct_cb, 0, sizeof(tAVCT_CB));

		uint16_t sec = BTA_SEC_AUTHENTICATE \| BTA_SEC_ENCRYPT;

		/* register PSM with L2CAP */
		L2CA_Register2(AVCT_PSM, avct_l2c_appl, true /* enable_snoop */, nullptr,
		kAvrcMtu, 0, BTA_SEC_AUTHENTICATE);
		kAvrcMtu, 0, sec);

		/* Include the browsing channel which uses eFCR */
		tL2CAP_ERTM_INFO ertm_info;
		@@ -72,7 +74,7 @@ void AVCT_Register() {

		L2CA_Register2(AVCT_BR_PSM, avct_l2c_br_appl, true /enable_snoop/,
		&ertm_info, kAvrcBrMtu, AVCT_MIN_BROWSE_MTU,
		BTA_SEC_AUTHENTICATE);
		sec);

		avct_cb.trace_level = avct_trace_level;
		}

+3 −2

Original line number	Diff line number	Diff line
		@@ -113,8 +113,9 @@ void avct_bcb_chnl_open(tAVCT_BCB* p_bcb, UNUSED_ATTR tAVCT_LCB_EVT* p_data) {

		/* call l2cap connect req */
		p_bcb->ch_state = AVCT_CH_CONN;
		p_bcb->ch_lcid =
		L2CA_ConnectReq2(AVCT_BR_PSM, p_lcb->peer_addr, BTA_SEC_AUTHENTICATE);
		p_bcb->ch_lcid = L2CA_ConnectReq2(AVCT_BR_PSM, p_lcb->peer_addr,
		BTA_SEC_AUTHENTICATE \| BTA_SEC_ENCRYPT);

		if (p_bcb->ch_lcid == 0) {
		/* if connect req failed, send ourselves close event */
		tAVCT_LCB_EVT avct_lcb_evt;

+2 −1

Original line number	Diff line number	Diff line
		@@ -185,7 +185,8 @@ void avct_lcb_chnl_open(tAVCT_LCB* p_lcb, UNUSED_ATTR tAVCT_LCB_EVT* p_data) {

		p_lcb->ch_state = AVCT_CH_CONN;
		p_lcb->ch_lcid =
		L2CA_ConnectReq2(AVCT_PSM, p_lcb->peer_addr, BTA_SEC_AUTHENTICATE);
		L2CA_ConnectReq2(AVCT_PSM, p_lcb->peer_addr,
		BTA_SEC_AUTHENTICATE \| BTA_SEC_ENCRYPT);
		if (p_lcb->ch_lcid == 0) {
		/* if connect req failed, send ourselves close event */
		tAVCT_LCB_EVT avct_lcb_evt;

+2 −1

Original line number	Diff line number	Diff line
		@@ -547,7 +547,8 @@ void avdt_ad_open_req(uint8_t type, AvdtpCcb* p_ccb, AvdtpScb* p_scb,

		/* call l2cap connect req */
		lcid =
		L2CA_ConnectReq2(AVDT_PSM, p_ccb->peer_addr, BTM_SEC_OUT_AUTHENTICATE);
		L2CA_ConnectReq2(AVDT_PSM, p_ccb->peer_addr,
		BTM_SEC_OUT_AUTHENTICATE \| BTM_SEC_OUT_ENCRYPT);
		if (lcid != 0) {
		/* if connect req ok, store tcid in lcid table */
		avdtp_cb.ad.lcid_tbl[lcid] = avdt_ad_tc_tbl_to_idx(p_tbl);