Loading system/main/shim/hci_layer.cc +11 −6 Original line number Diff line number Diff line Loading @@ -38,6 +38,7 @@ #include "src/bridge.rs.h" #include "stack/include/bt_hdr.h" #include "stack/include/bt_types.h" #include "stack/include/hcimsgs.h" /** * Callback data wrapped as opaque token bundled with the command Loading Loading @@ -394,8 +395,9 @@ static void transmit_fragment(const uint8_t* stream, size_t length) { handle_with_flags >> 12 & 0b11); auto bc_flag = static_cast<bluetooth::hci::BroadcastFlag>(handle_with_flags >> 14); uint16_t handle = handle_with_flags & 0xFFF; ASSERT_LOG(handle <= 0xEFF, "Require handle <= 0xEFF, but is 0x%X", handle); uint16_t handle = HCID_GET_HANDLE(handle_with_flags); ASSERT_LOG(handle <= HCI_HANDLE_MAX, "Require handle <= 0x%X, but is 0x%X", HCI_HANDLE_MAX, handle); length -= 2; // skip data total length stream += 2; Loading @@ -410,8 +412,10 @@ static void transmit_fragment(const uint8_t* stream, size_t length) { static void transmit_sco_fragment(const uint8_t* stream, size_t length) { uint16_t handle_with_flags; STREAM_TO_UINT16(handle_with_flags, stream); uint16_t handle = handle_with_flags & 0xFFF; ASSERT_LOG(handle <= 0xEFF, "Require handle <= 0xEFF, but is 0x%X", handle); uint16_t handle = HCID_GET_HANDLE(handle_with_flags); ASSERT_LOG(handle <= HCI_HANDLE_MAX, "Require handle <= 0x%X, but is 0x%X", HCI_HANDLE_MAX, handle); length -= 2; // skip data total length stream += 1; Loading 
@@ -432,8 +436,9 @@ static void transmit_iso_fragment(const uint8_t* stream, size_t length) { handle_with_flags >> 12 & 0b11); auto ts_flag = static_cast<bluetooth::hci::TimeStampFlag>(handle_with_flags >> 14); uint16_t handle = handle_with_flags & 0xFFF; ASSERT_LOG(handle <= 0xEFF, "Require handle <= 0xEFF, but is 0x%X", handle); uint16_t handle = HCID_GET_HANDLE(handle_with_flags); ASSERT_LOG(handle <= HCI_HANDLE_MAX, "Require handle <= 0x%X, but is 0x%X", HCI_HANDLE_MAX, handle); length -= 2; // skip data total length stream += 2; Loading system/stack/btm/btm_sco.cc +19 −3 Original line number Diff line number Diff line Loading @@ -212,11 +212,27 @@ void btm_route_sco_data(BT_HDR* p_msg) { osi_free(p_msg); return; } uint16_t handle = handle_with_flags & 0xFFF; ASSERT_LOG(handle <= 0xEFF, "Require handle <= 0xEFF, but is 0x%X", handle); uint16_t handle = HCID_GET_HANDLE(handle_with_flags); if (handle > HCI_HANDLE_MAX) { LOG_ERROR( "Receive invalid SCO data with handle: 0x%X, required to be <= 0x%X, " "dropping", handle, HCI_HANDLE_MAX); osi_free(p_msg); return; } tSCO_CONN* active_sco = btm_get_active_sco(); if (active_sco == nullptr || active_sco->hci_handle != handle) { if (active_sco == nullptr) { LOG_ERROR("Received SCO data when there is no active SCO connection"); osi_free(p_msg); return; } if (active_sco->hci_handle != handle) { LOG_ERROR( "Drop packet with handle(0x%X) different from the active handle(0x%X)", handle, active_sco->hci_handle); osi_free(p_msg); return; } Loading system/stack/btu/btu_hcif.cc +5 −0 Original line number Diff line number Diff line Loading 
@@ -1127,6 +1127,11 @@ static void btu_hcif_esco_connection_comp_evt(const uint8_t* p) { STREAM_SKIP_UINT8(p); // air_mode handle = HCID_GET_HANDLE(handle); ASSERT_LOG( handle <= HCI_HANDLE_MAX, "Received eSCO connection complete event with invalid handle: 0x%X " "that should be <= 0x%X", handle, HCI_HANDLE_MAX); data.bd_addr = bda; if (status == HCI_SUCCESS) { Loading system/stack/include/hcidefs.h +3 −0 Original line number Diff line number Diff line Loading @@ -830,6 +830,9 @@ typedef enum : uint8_t { /* Define an invalid value for a handle */ #define HCI_INVALID_HANDLE 0xFFFF /* Define the max valid value for a connection handle */ #define HCI_HANDLE_MAX 0xEFF /* Define the preamble length for all HCI Commands. * This is 2-bytes for opcode and 1 byte for length */ Loading Loading
system/main/shim/hci_layer.cc +11 −6 Original line number Diff line number Diff line Loading @@ -38,6 +38,7 @@ #include "src/bridge.rs.h" #include "stack/include/bt_hdr.h" #include "stack/include/bt_types.h" #include "stack/include/hcimsgs.h" /** * Callback data wrapped as opaque token bundled with the command Loading Loading @@ -394,8 +395,9 @@ static void transmit_fragment(const uint8_t* stream, size_t length) { handle_with_flags >> 12 & 0b11); auto bc_flag = static_cast<bluetooth::hci::BroadcastFlag>(handle_with_flags >> 14); uint16_t handle = handle_with_flags & 0xFFF; ASSERT_LOG(handle <= 0xEFF, "Require handle <= 0xEFF, but is 0x%X", handle); uint16_t handle = HCID_GET_HANDLE(handle_with_flags); ASSERT_LOG(handle <= HCI_HANDLE_MAX, "Require handle <= 0x%X, but is 0x%X", HCI_HANDLE_MAX, handle); length -= 2; // skip data total length stream += 2; Loading @@ -410,8 +412,10 @@ static void transmit_fragment(const uint8_t* stream, size_t length) { static void transmit_sco_fragment(const uint8_t* stream, size_t length) { uint16_t handle_with_flags; STREAM_TO_UINT16(handle_with_flags, stream); uint16_t handle = handle_with_flags & 0xFFF; ASSERT_LOG(handle <= 0xEFF, "Require handle <= 0xEFF, but is 0x%X", handle); uint16_t handle = HCID_GET_HANDLE(handle_with_flags); ASSERT_LOG(handle <= HCI_HANDLE_MAX, "Require handle <= 0x%X, but is 0x%X", HCI_HANDLE_MAX, handle); length -= 2; // skip data total length stream += 1; Loading @@ -432,8 +436,9 @@ static void transmit_iso_fragment(const uint8_t* stream, size_t length) { handle_with_flags >> 12 & 0b11); auto ts_flag = static_cast<bluetooth::hci::TimeStampFlag>(handle_with_flags >> 14); uint16_t handle = handle_with_flags & 0xFFF; ASSERT_LOG(handle <= 0xEFF, "Require handle <= 0xEFF, but is 0x%X", handle); uint16_t handle = HCID_GET_HANDLE(handle_with_flags); ASSERT_LOG(handle <= HCI_HANDLE_MAX, "Require handle <= 0x%X, but is 0x%X", HCI_HANDLE_MAX, handle); length -= 2; // skip data total length stream += 2; Loading
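Review bot: In the transmit_sco_fragment hunk the new code still reads the 2-byte handle with STREAM_TO_UINT16 and then does `length -= 2` with no visible check that `length` covers the 3-byte SCO header (the 2-byte handle plus the 1-byte data length that `stream += 1` skips), so a short buffer is an over-read followed by a size_t underflow. If the caller does not already guarantee a minimum length, a guard before the read, `ASSERT_LOG(length >= 3, "SCO fragment too short: %zu", length);`, would state that invariant in the same place the handle invariant is asserted. These transmit paths also keep ASSERT_LOG for an out-of-range handle while the receive path in btm_sco.cc in this same commit was changed to log-and-drop; that asymmetry is defensible only because the transmit handle presumably comes from the stack's own connection records rather than from the controller, so a one-line comment such as `// Handle comes from our own connection record; out-of-range is a stack bug, not controller input.` would stop the next reader from "fixing" it into a drop. transmit_fragment and transmit_iso_fragment start outside their hunks, and transmit_sco_fragment's body continues past the hunk.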
system/stack/btm/btm_sco.cc +19 −3 Original line number Diff line number Diff line Loading @@ -212,11 +212,27 @@ void btm_route_sco_data(BT_HDR* p_msg) { osi_free(p_msg); return; } uint16_t handle = handle_with_flags & 0xFFF; ASSERT_LOG(handle <= 0xEFF, "Require handle <= 0xEFF, but is 0x%X", handle); uint16_t handle = HCID_GET_HANDLE(handle_with_flags); if (handle > HCI_HANDLE_MAX) { LOG_ERROR( "Receive invalid SCO data with handle: 0x%X, required to be <= 0x%X, " "dropping", handle, HCI_HANDLE_MAX); osi_free(p_msg); return; } tSCO_CONN* active_sco = btm_get_active_sco(); if (active_sco == nullptr || active_sco->hci_handle != handle) { if (active_sco == nullptr) { LOG_ERROR("Received SCO data when there is no active SCO connection"); osi_free(p_msg); return; } if (active_sco->hci_handle != handle) { LOG_ERROR( "Drop packet with handle(0x%X) different from the active handle(0x%X)", handle, active_sco->hci_handle); osi_free(p_msg); return; } Loading
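Review bot: The three new drop paths in btm_route_sco_data each emit an unconditional LOG_ERROR per packet, and this is the receive path for controller-originated SCO data, so a misbehaving or hostile controller sending a stream of bad-handle packets floods the log at SCO packet rates (the `active_sco == nullptr` case is presumably also reachable during normal teardown). Replacing the abort with a drop is the right fix; consider counting drops and logging only periodically, e.g. `static unsigned dropped = 0; if ((dropped++ % 100) == 0) LOG_ERROR("Dropping SCO data (%u dropped so far)", dropped);`, or at least downgrading the no-active-connection case to a warning. Also "Receive invalid SCO data" should read "Received invalid SCO data" to match the other message. The function, and the preceding check whose tail `osi_free(p_msg); return; }` opens this hunk, start outside the hunk.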
system/stack/btu/btu_hcif.cc +5 −0 Original line number Diff line number Diff line Loading @@ -1127,6 +1127,11 @@ static void btu_hcif_esco_connection_comp_evt(const uint8_t* p) { STREAM_SKIP_UINT8(p); // air_mode handle = HCID_GET_HANDLE(handle); ASSERT_LOG( handle <= HCI_HANDLE_MAX, "Received eSCO connection complete event with invalid handle: 0x%X " "that should be <= 0x%X", handle, HCI_HANDLE_MAX); data.bd_addr = bda; if (status == HCI_SUCCESS) { Loading
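Review bot: The new ASSERT_LOG in btu_hcif_esco_connection_comp_evt aborts the Bluetooth process on a field taken straight from the controller's (e)SCO Connection Complete event, which is the same controller-reachable-abort pattern this commit removes from btm_route_sco_data; a buggy or compromised controller, or HCI fuzzing, turns it into a crash. It also fires when `status` is not HCI_SUCCESS, where the handle field is presumably not meaningful, so a failed-connection event carrying a garbage handle now crashes instead of reporting the failure. Prefer validating the handle only on success and degrading to a logged drop, e.g. `if (status == HCI_SUCCESS && handle > HCI_HANDLE_MAX) { LOG_ERROR("eSCO connection complete with invalid handle 0x%X", handle); return; }`, with the caveat that an early return presumably leaves the pending SCO attempt unreported, so routing it through the existing failure branch may be preferable. The function starts outside the hunk, where `status` and `bda` are read.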
system/stack/include/hcidefs.h +3 −0 Original line number Diff line number Diff line Loading @@ -830,6 +830,9 @@ typedef enum : uint8_t { /* Define an invalid value for a handle */ #define HCI_INVALID_HANDLE 0xFFFF /* Define the max valid value for a connection handle */ #define HCI_HANDLE_MAX 0xEFF /* Define the preamble length for all HCI Commands. * This is 2-bytes for opcode and 1 byte for length */ Loading
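Review bot: HCI_HANDLE_MAX's comment gives no source for 0xEFF, so a reader may assume the full 12-bit field (0xFFF) is valid and "fix" the asserts that use it. Suggest `/* Max valid connection handle: the field is 12 bits, 0x0000-0x0EFF; 0x0F00-0x0FFF are reserved (Core Spec Vol 4 Part E, Connection_Handle definition) */`. If the HCID_GET_HANDLE mask is defined in this header as well and the header is C++-only, a `static_assert(HCI_HANDLE_MAX < 0x1000, "handle max must fit the 12-bit field")` next to it ties the two constants together so they cannot drift apart.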