
Commit c88c328b authored by Hui Peng's avatar Hui Peng Committed by Automerger Merge Worker

Fix an OOB bug in btm_read_rssi_complete am: 047a68b1

parents 57a85e21 047a68b1
+14 −1
@@ -1840,7 +1840,7 @@ void btm_read_rssi_timeout(UNUSED_ATTR void* data) {
 * Returns          void
 *
 ******************************************************************************/
void btm_read_rssi_complete(uint8_t* p) {
void btm_read_rssi_complete(uint8_t* p, uint16_t evt_len) {
  tBTM_CMPL_CB* p_cb = btm_cb.devcb.p_rssi_cmpl_cb;
  tBTM_RSSI_RESULT result;

@@ -1849,11 +1849,19 @@ void btm_read_rssi_complete(uint8_t* p) {

  /* If there was a registered callback, call it */
  if (p_cb) {
    if (evt_len < 1) {
      goto err_out;
    }

    STREAM_TO_UINT8(result.hci_status, p);
    result.status = BTM_ERR_PROCESSING;

    if (result.hci_status == HCI_SUCCESS) {
      uint16_t handle;

      if (evt_len < 4) {
        goto err_out;
      }
      STREAM_TO_UINT16(handle, p);

      STREAM_TO_UINT8(result.rssi, p);
@@ -1869,6 +1877,11 @@ void btm_read_rssi_complete(uint8_t* p) {
    }
    (*p_cb)(&result);
  }

  return;

err_out:
  LOG_ERROR("Bogus event packet, too short");
}

/*******************************************************************************
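Review bot: On the new err_out path the registered completion callback is never invoked — `(*p_cb)(&result)` runs only on the success path — so a requester waiting on p_rssi_cmpl_cb gets no completion at all for a truncated event; if the callback pointer and the RSSI timer are already cleared in the lines above the second hunk (not shown here), that request is silently lost rather than failed. Consider zero-initialising `tBTM_RSSI_RESULT result{};` and reporting the failure through the callback, e.g. `if (p_cb) { result.status = BTM_ERR_PROCESSING; (*p_cb)(&result); }` after the LOG_ERROR. The `evt_len < 4` bound matches the reads that follow it (status 1 + handle 2 + rssi 1 bytes, with evt_len never decremented) but is undocumented; a comment `/* status(1) + handle(2) + rssi(1) */` beside it would make the bound checkable. The body of btm_read_rssi_complete is only partly visible; the lines between the hunks are not shown.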
+1 −1
@@ -1200,7 +1200,7 @@ static void btu_hcif_hdl_command_complete(uint16_t opcode, uint8_t* p,
      break;

    case HCI_READ_RSSI:
      btm_read_rssi_complete(p);
      btm_read_rssi_complete(p, evt_len);
      break;

    case HCI_READ_FAILED_CONTACT_COUNTER:
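Review bot: The length handed over at `btm_read_rssi_complete(p, evt_len);` must be the number of bytes remaining at `p`, because the callee compares `evt_len` against cumulative byte offsets counted from `p`; if `evt_len` here still includes the event parameter bytes already parsed before `p` reached this switch, every bounds check in the callee is too permissive by that amount. The signature of btu_hcif_hdl_command_complete is cut off at the hunk header, so this cannot be confirmed from the hunk itself; the existing `btm_read_tx_power_complete(uint8_t* p, uint16_t evt_len, bool is_ble)` declaration elsewhere in the commit suggests the same convention is already in use, which is consistent with the new call being right.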
+1 −1
@@ -62,7 +62,7 @@ void btm_read_remote_version_complete(tHCI_STATUS status, uint16_t handle,
                                      uint8_t lmp_version,
                                      uint16_t manufacturer,
                                      uint16_t lmp_subversion);
void btm_read_rssi_complete(uint8_t* p);
void btm_read_rssi_complete(uint8_t* p, uint16_t evt_len);
void btm_read_tx_power_complete(uint8_t* p, uint16_t evt_len, bool is_ble);

void acl_rcv_acl_data(BT_HDR* p_msg);
+2 −2
@@ -665,9 +665,9 @@ void btm_read_remote_version_complete(tHCI_STATUS status, uint16_t handle,
  test::mock::stack_acl::btm_read_remote_version_complete(
      status, handle, lmp_version, manufacturer, lmp_subversion);
}
void btm_read_rssi_complete(uint8_t* p) {
void btm_read_rssi_complete(uint8_t* p, uint16_t evt_len) {
  mock_function_count_map[__func__]++;
  test::mock::stack_acl::btm_read_rssi_complete(p);
  test::mock::stack_acl::btm_read_rssi_complete(p, evt_len);
}
void btm_read_rssi_timeout(UNUSED_ATTR void* data) {
  mock_function_count_map[__func__]++;
+3 −2
@@ -1189,8 +1189,9 @@ extern struct btm_read_remote_version_complete btm_read_remote_version_complete;
// Params: uint8_t* p
// Returns: void
struct btm_read_rssi_complete {
  std::function<void(uint8_t* p)> body{[](uint8_t* p) { ; }};
  void operator()(uint8_t* p) { body(p); };
  std::function<void(uint8_t* p, uint16_t evt_len)> body{
      [](uint8_t* pm, uint16_t evt_len) { ; }};
  void operator()(uint8_t* p, uint16_t evt_len) { body(p, evt_len); };
};
extern struct btm_read_rssi_complete btm_read_rssi_complete;
// Name: btm_read_rssi_timeout
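Review bot: The `// Params: uint8_t* p` comment above `struct btm_read_rssi_complete` is now stale — the mock takes two arguments — and should read `// Params: uint8_t* p, uint16_t evt_len`. The default lambda's first parameter is named `pm` while every other signature in this hunk uses `p`; that looks like a typo and should be `[](uint8_t* pm, uint16_t evt_len) { ; }` → `[](uint8_t* p, uint16_t evt_len) { ; }` so the mock stays consistent with the `operator()` below it.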