
Commit b2e32466 authored by Hui Peng's avatar Hui Peng Committed by Android (Google) Code Review

Merge changes I03522897,I938467ca,Ia5871919 into tm-dev

* changes:
  Relax the validation on sdp attr size
  Add validation on attr type and size in a2dp_api.cc
  Add tests for the following change
parents ee7aff61 8ecede4b
+17 −17
@@ -50,7 +50,7 @@ static void bta_create_mns_sdp_record(bluetooth_sdp_record* record,
  p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_MAP_SUPPORTED_FEATURES);
  if (p_attr != NULL) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 4) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 4) {
      record->mns.supported_features = p_attr->attr_value.v.u32;
    } else {
      LOG_ERROR("ATTR_ID_MAP_SUPPORTED_FEATURES attr type or size wrong!!");
@@ -84,7 +84,7 @@ static void bta_create_mns_sdp_record(bluetooth_sdp_record* record,
  p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_GOEP_L2CAP_PSM);
  if (p_attr != NULL) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 2) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {
      record->mns.hdr.l2cap_psm = p_attr->attr_value.v.u16;
    } else {
      LOG_ERROR("ATTR_ID_GOEP_L2CAP_PSM attr type or len wrong!!");
@@ -113,7 +113,7 @@ static void bta_create_mas_sdp_record(bluetooth_sdp_record* record,
  p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_MAS_INSTANCE_ID);
  if (p_attr != NULL) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 1) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1) {
      record->mas.mas_instance_id = p_attr->attr_value.v.u8;
    } else {
      LOG_ERROR("ATTR_ID_MAS_INSTANCE_ID attr type or len wrong!!");
@@ -125,7 +125,7 @@ static void bta_create_mas_sdp_record(bluetooth_sdp_record* record,
  p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_SUPPORTED_MSG_TYPE);
  if (p_attr != NULL) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 1) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1) {
      record->mas.supported_message_types = p_attr->attr_value.v.u8;
    } else {
      LOG_ERROR("ATTR_ID_SUPPORTED_MSG_TYPE attr type or len wrong!!");
@@ -137,7 +137,7 @@ static void bta_create_mas_sdp_record(bluetooth_sdp_record* record,
  p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_MAP_SUPPORTED_FEATURES);
  if (p_attr != NULL) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 4) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 4) {
      record->mas.supported_features = p_attr->attr_value.v.u32;
    } else {
      LOG_ERROR("ATTR_ID_MAP_SUPPORTED_FEATURES attr type or len wrong!!");
@@ -171,7 +171,7 @@ static void bta_create_mas_sdp_record(bluetooth_sdp_record* record,
  p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_GOEP_L2CAP_PSM);
  if (p_attr != NULL) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 2) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {
      record->mas.hdr.l2cap_psm = p_attr->attr_value.v.u16;
    } else {
      LOG_ERROR("ATTR_ID_GOEP_L2CAP_PSM attr type or len wrong!!");
@@ -199,7 +199,7 @@ static void bta_create_pse_sdp_record(bluetooth_sdp_record* record,
  p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_SUPPORTED_REPOSITORIES);
  if (p_attr != NULL) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 1) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1) {
      record->pse.supported_repositories = p_attr->attr_value.v.u8;
    } else {
      LOG_ERROR("ATTR_ID_SUPPORTED_REPOSITORIES attr type or len wrong!!");
@@ -210,7 +210,7 @@ static void bta_create_pse_sdp_record(bluetooth_sdp_record* record,
  p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_PBAP_SUPPORTED_FEATURES);
  if (p_attr != NULL) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 4) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 4) {
      record->pse.supported_features = p_attr->attr_value.v.u32;
    } else {
      LOG_ERROR("ATTR_ID_PBAP_SUPPORTED_FEATURES attr type or len wrong!!");
@@ -245,7 +245,7 @@ static void bta_create_pse_sdp_record(bluetooth_sdp_record* record,
  p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_GOEP_L2CAP_PSM);
  if (p_attr != NULL) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 2) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {
      record->pse.hdr.l2cap_psm = p_attr->attr_value.v.u16;
    } else {
      LOG_ERROR("ATTR_ID_GOEP_L2CAP_PSM attr type or len wrong!!");
@@ -294,7 +294,7 @@ static void bta_create_ops_sdp_record(bluetooth_sdp_record* record,
  p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_GOEP_L2CAP_PSM);
  if (p_attr != NULL) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 2) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {
      record->ops.hdr.l2cap_psm = p_attr->attr_value.v.u16;
    } else {
      LOG_ERROR("ATTR_ID_GOEP_L2CAP_PSM attr type or len wrong!!");
@@ -322,7 +322,7 @@ static void bta_create_ops_sdp_record(bluetooth_sdp_record* record,
      for (p_sattr = p_attr->attr_value.v.p_sub_attr; p_sattr != NULL;
           p_sattr = p_sattr->p_next_attr) {
        if ((SDP_DISC_ATTR_TYPE(p_sattr->attr_len_type) == UINT_DESC_TYPE) &&
            (SDP_DISC_ATTR_LEN(p_sattr->attr_len_type) == 1)) {
            (SDP_DISC_ATTR_LEN(p_sattr->attr_len_type) >= 1)) {
          if (count == sizeof(record->ops.supported_formats_list)) {
            APPL_TRACE_ERROR(
                "%s() - supported_formats_list - count overflow - "
@@ -407,7 +407,7 @@ static void bta_create_dip_sdp_record(bluetooth_sdp_record* record,
      SDP_FindAttributeInRec(p_rec, ATTR_ID_SPECIFICATION_ID);
  if (p_attr != nullptr) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 2) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {
      record->dip.spec_id = p_attr->attr_value.v.u16;
    } else {
      LOG_ERROR("ATTR_ID_SPECIFICATION_ID attr type or len wrong!!");
@@ -419,7 +419,7 @@ static void bta_create_dip_sdp_record(bluetooth_sdp_record* record,
  p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_VENDOR_ID);
  if (p_attr != nullptr) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 2) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {
      record->dip.vendor = p_attr->attr_value.v.u16;
    } else {
      LOG_ERROR("ATTR_ID_VENDOR_ID attr type or len wrong!!");
@@ -432,7 +432,7 @@ static void bta_create_dip_sdp_record(bluetooth_sdp_record* record,
      SDP_FindAttributeInRec(p_rec, ATTR_ID_VENDOR_ID_SOURCE);
  if (p_attr != nullptr) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 2) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {
      record->dip.vendor_id_source = p_attr->attr_value.v.u16;
    } else {
      LOG_ERROR("ATTR_ID_VENDOR_ID_SOURCE attr type or len wrong!!");
@@ -444,7 +444,7 @@ static void bta_create_dip_sdp_record(bluetooth_sdp_record* record,
  p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_PRODUCT_ID);
  if (p_attr != nullptr) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 2) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {
      record->dip.product = p_attr->attr_value.v.u16;
    } else {
      LOG_ERROR("ATTR_ID_PRODUCT_ID attr type or len wrong!!");
@@ -458,7 +458,7 @@ static void bta_create_dip_sdp_record(bluetooth_sdp_record* record,

  if (p_attr != nullptr) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 2) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {
      record->dip.version = p_attr->attr_value.v.u16;
    } else {
      LOG_ERROR("ATTR_ID_PRODUCT_VERSION attr type or len wrong!!");
@@ -470,7 +470,7 @@ static void bta_create_dip_sdp_record(bluetooth_sdp_record* record,
  p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_PRIMARY_RECORD);
  if (p_attr != nullptr) {
    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == BOOLEAN_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 1) {
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1) {
      record->dip.primary_record = !(!p_attr->attr_value.v.u8);
    } else {
      LOG_ERROR("ATTR_ID_PRIMARY_RECORD attr type or len wrong!!");
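Review bot: The relaxed `>=` length checks still read a fixed-width union member (`attr_value.v.u32`, `v.u16`, `v.u8`), so an attribute whose declared length is larger than the field is now accepted and narrowed with nothing in the log. These values come from a remote device's SDP response, and the visible hunks do not show how the discovery code fills the union for a length other than 1, 2 or 4; if such values are kept as a byte array, the read would presumably return raw bytes rather than the decoded integer, which is worth confirming. I would move the check into one helper shared by all seventeen sites and log the oversize case there, e.g. `if (len > expected) LOG_WARN("attr len %u larger than expected %u", len, expected);`, with a comment stating why longer values are tolerated. The else-branch messages still read "attr type or len wrong", which no longer tells a reader that only short lengths are rejected. The enclosing functions start and end outside these hunks.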
+70 −0
@@ -123,6 +123,76 @@ TEST_F(BtaDipTest, test_bta_create_dip_sdp_record) {
  ASSERT_EQ(record.dip.primary_record, true);
}

// test for b/263958603
TEST_F(BtaDipTest, test_invalid_type_checks) {
  bluetooth_sdp_record record{};

  // here we provide the wrong types of records
  // and verify that the provided values are not accepted
  g_attr_spec_id.attr_len_type = (BOOLEAN_DESC_TYPE<<12)|1;
  g_attr_spec_id.attr_value.v.u16 = 0x0103;

  g_attr_vendor_id.attr_len_type = (BOOLEAN_DESC_TYPE<<12)|2;
  g_attr_vendor_id.attr_value.v.u16 = 0x18d1;

  g_attr_vendor_id_src.attr_len_type = (BOOLEAN_DESC_TYPE<<12)|2;
  g_attr_vendor_id_src.attr_value.v.u16 = 1;

  g_attr_vendor_product_id.attr_len_type = (BOOLEAN_DESC_TYPE<<12)|2;
  g_attr_vendor_product_id.attr_value.v.u16 = 0x1234;

  g_attr_vendor_product_version.attr_len_type = (BOOLEAN_DESC_TYPE<<12)|2;
  g_attr_vendor_product_version.attr_value.v.u16 = 0x0100;

  g_attr_vendor_product_primary_record.attr_len_type = (UINT_DESC_TYPE<<12)|1;
  g_attr_vendor_product_primary_record.attr_value.v.u8 = 1;

  bta_create_dip_sdp_record(&record, &g_rec);

  ASSERT_EQ(record.dip.spec_id, 0);
  ASSERT_EQ(record.dip.vendor, 0);
  ASSERT_EQ(record.dip.vendor_id_source, 0);
  ASSERT_EQ(record.dip.product, 0);
  ASSERT_EQ(record.dip.version, 0);
  ASSERT_EQ(record.dip.primary_record, false);
}

// test for b/263958603
TEST_F(BtaDipTest, test_invalid_size_checks) {
  bluetooth_sdp_record record{};

  // here we provide the wrong sizes of records
  // and verify that the provided values are not accepted
  g_attr_spec_id.attr_len_type = (UINT_DESC_TYPE<<12)|1;
  g_attr_spec_id.attr_value.v.u16 = 0x0103;

  g_attr_vendor_id.attr_len_type = (UINT_DESC_TYPE<<12)|1;
  g_attr_vendor_id.attr_value.v.u16 = 0x18d1;

  g_attr_vendor_id_src.attr_len_type = (UINT_DESC_TYPE<<12)|1;
  g_attr_vendor_id_src.attr_value.v.u16 = 1;

  g_attr_vendor_product_id.attr_len_type = (UINT_DESC_TYPE<<12)|1;
  g_attr_vendor_product_id.attr_value.v.u16 = 0x1234;

  g_attr_vendor_product_version.attr_len_type = (UINT_DESC_TYPE<<12)|1;
  g_attr_vendor_product_version.attr_value.v.u16 = 0x0100;

  // size greater than 1 is accepted
  g_attr_vendor_product_primary_record.attr_len_type = (BOOLEAN_DESC_TYPE<<12)|2;
  g_attr_vendor_product_primary_record.attr_value.v.u8 = 1;

  bta_create_dip_sdp_record(&record, &g_rec);

  ASSERT_EQ(record.dip.spec_id, 0);
  ASSERT_EQ(record.dip.vendor, 0);
  ASSERT_EQ(record.dip.vendor_id_source, 0);
  ASSERT_EQ(record.dip.product, 0);
  ASSERT_EQ(record.dip.version, 0);
  ASSERT_EQ(record.dip.primary_record, true);
}


TEST_F(BtaDipTest, test_bta_sdp_search_cback) {
  Uuid* userdata = (Uuid*)malloc(sizeof(Uuid));
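Review bot: In test_invalid_type_checks the first fixture, `g_attr_spec_id.attr_len_type = (BOOLEAN_DESC_TYPE<<12)|1;`, has both the wrong type and a too-short length for a 16-bit field, so the assertion would still pass if the type check were removed; use `(BOOLEAN_DESC_TYPE<<12)|2`, as the other four UINT fixtures do. test_invalid_size_checks exercises the relaxed branch only through the boolean attribute with length 2; there is no case with a UINT attribute longer than its field, e.g. `(UINT_DESC_TYPE<<12)|4` on `g_attr_spec_id`, to pin which value the record is expected to hold. Both tests write to the shared `g_attr_*` objects and do not restore them, so unless the fixture's SetUp (not visible here) resets them, later tests depend on execution order.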

+25 −7
@@ -88,23 +88,41 @@ static void a2dp_sdp_cback(tSDP_STATUS status) {
      peer_address = p_rec->remote_bd_addr;

      /* get service name */
      if ((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_SERVICE_NAME)) !=
          NULL) {
      if ((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_SERVICE_NAME)) != NULL) {
        if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == TEXT_STR_DESC_TYPE) {
          a2dp_svc.p_service_name = (char*)p_attr->attr_value.v.array;
          a2dp_svc.service_len = SDP_DISC_ATTR_LEN(p_attr->attr_len_type);
        } else {
          LOG_ERROR("ATTR_ID_SERVICE_NAME attr type not STR!!");
        }
      } else {
        LOG_ERROR("ATTR_ID_SERVICE_NAME attr not found!!");
      }

      /* get provider name */
      if ((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_PROVIDER_NAME)) !=
          NULL) {
        if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == TEXT_STR_DESC_TYPE) {
          a2dp_svc.p_provider_name = (char*)p_attr->attr_value.v.array;
          a2dp_svc.provider_len = SDP_DISC_ATTR_LEN(p_attr->attr_len_type);
        } else {
          LOG_ERROR("ATTR_ID_PROVIDER_NAME attr type not STR!!");
        }
      } else {
        LOG_ERROR("ATTR_ID_PROVIDER_NAME attr not found!!");
      }

      /* get supported features */
      if ((p_attr = SDP_FindAttributeInRec(
               p_rec, ATTR_ID_SUPPORTED_FEATURES)) != NULL) {
        if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
            SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {
          a2dp_svc.features = p_attr->attr_value.v.u16;
        } else {
          LOG_ERROR("ATTR_ID_SUPPORTED_FEATURES attr type not STR!!");
        }
      } else {
        LOG_ERROR("ATTR_ID_SUPPORTED_FEATURES attr not found!!");
      }

      /* get AVDTP version */