Loading android/app/src/com/android/bluetooth/hfp/HeadsetStateMachine.java +0 −2 Original line number Diff line number Diff line Loading @@ -2129,8 +2129,6 @@ public class HeadsetStateMachine extends StateMachine { processAtCpbs(atCommand.substring(5), commandType, device); } else if (atCommand.startsWith("+CPBR")) { processAtCpbr(atCommand.substring(5), commandType, device); } else if (atCommand.startsWith("+ANDROID")) { processAndroidAt(atCommand, device); } else { processVendorSpecificAt(atCommand, device); } Loading android/app/tests/unit/src/com/android/bluetooth/hfp/HeadsetStateMachineTest.java +1 −0 Original line number Diff line number Diff line Loading @@ -1439,6 +1439,7 @@ public class HeadsetStateMachineTest { /** * A test to validate received Android AT commands and processing */ @Ignore("b/275668166") @Test public void testProcessAndroidAt() { setUpConnectedState(); Loading system/stack/gatt/gatt_cl.cc +6 −1 Original line number Diff line number Diff line Loading @@ -609,12 +609,17 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, memcpy(value.value, p, value.len); bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE); if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) { gatt_send_prepare_write(tcb, p_clcb); return; } if (p_clcb->op_subtype == GATT_WRITE_PREPARE) { // We now know that we have not terminated, or else we would have returned // early. We free the buffer only if the subtype is not equal to // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF. if (subtype_is_write_prepare) { /* application should verify handle offset and value are matched or not */ gatt_end_operation(p_clcb, p_clcb->status, &value); Loading system/stack/gatt/gatt_sr.cc +12 −5 Original line number Diff line number Diff line Loading 
@@ -143,7 +143,8 @@ void gatt_dequeue_sr_cmd(tGATT_TCB& tcb, uint16_t cid) { } static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) { uint16_t ii, total_len, len; uint16_t ii; size_t total_len, len; uint8_t* p; bool is_overflow = false; Loading Loading @@ -188,7 +189,7 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) { len = p_rsp->attr_value.len - (total_len - mtu); is_overflow = true; VLOG(1) << StringPrintf( "multi read overflow available len=%d val_len=%d", len, "multi read overflow available len=%zu val_len=%d", len, p_rsp->attr_value.len); } else { len = p_rsp->attr_value.len; Loading @@ -200,6 +201,8 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) { } if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) { // check for possible integer overflow if (p_buf->len + len <= UINT16_MAX) { memcpy(p, p_rsp->attr_value.value, len); if (!is_overflow) p += len; p_buf->len += len; Loading @@ -207,6 +210,10 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) { p_cmd->status = GATT_NOT_FOUND; break; } } else { p_cmd->status = GATT_NOT_FOUND; break; } if (is_overflow) break; Loading system/stack/sdp/sdp_db.cc +8 −0 Original line number Diff line number Diff line Loading @@ -470,6 +470,14 @@ bool SDP_AddAttributeToRecord(tSDP_RECORD* p_rec, uint16_t attr_id, p_attr->len = attr_len; if (p_rec->free_pad_ptr + attr_len >= SDP_MAX_PAD_LEN) { if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) { SDP_TRACE_ERROR( "SDP_AddAttributeToRecord failed: free pad %d equals or exceeds max " "padding length %d", p_rec->free_pad_ptr, SDP_MAX_PAD_LEN); return (false); } /* do truncate only for text string type descriptor */ if (attr_type == TEXT_STR_DESC_TYPE) { SDP_TRACE_WARNING( Loading Loading
android/app/src/com/android/bluetooth/hfp/HeadsetStateMachine.java +0 −2 Original line number Diff line number Diff line Loading @@ -2129,8 +2129,6 @@ public class HeadsetStateMachine extends StateMachine { processAtCpbs(atCommand.substring(5), commandType, device); } else if (atCommand.startsWith("+CPBR")) { processAtCpbr(atCommand.substring(5), commandType, device); } else if (atCommand.startsWith("+ANDROID")) { processAndroidAt(atCommand, device); } else { processVendorSpecificAt(atCommand, device); } Loading
android/app/tests/unit/src/com/android/bluetooth/hfp/HeadsetStateMachineTest.java +1 −0 Original line number Diff line number Diff line Loading @@ -1439,6 +1439,7 @@ public class HeadsetStateMachineTest { /** * A test to validate received Android AT commands and processing */ @Ignore("b/275668166") @Test public void testProcessAndroidAt() { setUpConnectedState(); Loading
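Review bot: Adding `@Ignore("b/275668166")` to testProcessAndroidAt drops coverage of the `+ANDROID` dispatch at the same moment HeadsetStateMachine.java in this commit removes that branch, so nothing now pins the new routing and a reintroduced `+ANDROID` branch would go unnoticed. Rather than ignoring the test, rewrite it to assert that a `+ANDROID` command is handed to the vendor-specific path (the method body continues outside the hunk, so I cannot see which mocks it currently verifies), or delete it if the feature is gone for good. If it must stay ignored, make the reason readable without access to the bug tracker: `@Ignore("b/275668166: +ANDROID AT dispatch removed from HeadsetStateMachine; rewrite to expect vendor-specific handling")`.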
system/stack/gatt/gatt_cl.cc +6 −1 Original line number Diff line number Diff line Loading @@ -609,12 +609,17 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, memcpy(value.value, p, value.len); bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE); if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) { gatt_send_prepare_write(tcb, p_clcb); return; } if (p_clcb->op_subtype == GATT_WRITE_PREPARE) { // We now know that we have not terminated, or else we would have returned // early. We free the buffer only if the subtype is not equal to // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF. if (subtype_is_write_prepare) { /* application should verify handle offset and value are matched or not */ gatt_end_operation(p_clcb, p_clcb->status, &value); Loading
system/stack/gatt/gatt_sr.cc +12 −5 Original line number Diff line number Diff line Loading @@ -143,7 +143,8 @@ void gatt_dequeue_sr_cmd(tGATT_TCB& tcb, uint16_t cid) { } static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) { uint16_t ii, total_len, len; uint16_t ii; size_t total_len, len; uint8_t* p; bool is_overflow = false; Loading Loading @@ -188,7 +189,7 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) { len = p_rsp->attr_value.len - (total_len - mtu); is_overflow = true; VLOG(1) << StringPrintf( "multi read overflow available len=%d val_len=%d", len, "multi read overflow available len=%zu val_len=%d", len, p_rsp->attr_value.len); } else { len = p_rsp->attr_value.len; Loading @@ -200,6 +201,8 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) { } if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) { // check for possible integer overflow if (p_buf->len + len <= UINT16_MAX) { memcpy(p, p_rsp->attr_value.value, len); if (!is_overflow) p += len; p_buf->len += len; Loading @@ -207,6 +210,10 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) { p_cmd->status = GATT_NOT_FOUND; break; } } else { p_cmd->status = GATT_NOT_FOUND; break; } if (is_overflow) break; Loading
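Review bot: The new overflow branch in the last hunk reports the same `GATT_NOT_FOUND` as a handle mismatch, so a peer whose multi-read would push `p_buf->len` past `UINT16_MAX` gets an error that says "attribute not found", which misleads both the remote client and anyone triaging logs. At minimum say so where the check is made, e.g. replace `// check for possible integer overflow` with `// p_buf->len appears to be 16-bit; refuse rather than wrap (reported as NOT_FOUND for lack of a closer status)`, and consider whether this stack has a size-related status that fits better. The two identical else bodies can be folded into one guard ahead of the copy, `if (p_rsp->attr_value.handle != p_cmd->multi_req.handles[ii] || p_buf->len + len > UINT16_MAX) { p_cmd->status = GATT_NOT_FOUND; break; }`, which is behaviourally the same and keeps the memcpy at one indent level. The comparison only avoids wrapping because `len` became `size_t` in the first hunk, so `p_buf->len + len` is evaluated in size_t; that dependency is worth a word in the comment. build_read_multi_rsp opens in the first hunk and its body continues past the last one.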
system/stack/sdp/sdp_db.cc +8 −0 Original line number Diff line number Diff line Loading @@ -470,6 +470,14 @@ bool SDP_AddAttributeToRecord(tSDP_RECORD* p_rec, uint16_t attr_id, p_attr->len = attr_len; if (p_rec->free_pad_ptr + attr_len >= SDP_MAX_PAD_LEN) { if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) { SDP_TRACE_ERROR( "SDP_AddAttributeToRecord failed: free pad %d equals or exceeds max " "padding length %d", p_rec->free_pad_ptr, SDP_MAX_PAD_LEN); return (false); } /* do truncate only for text string type descriptor */ if (attr_type == TEXT_STR_DESC_TYPE) { SDP_TRACE_WARNING( Loading
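Review bot: The new `free_pad_ptr >= SDP_MAX_PAD_LEN` guard sits after `p_attr->len = attr_len;`, so a rejected add returns false having already written the length (and presumably the id and type assigned just above the hunk) into the attribute slot; whether that slot is later counted depends on where num_attributes is advanced, which is outside the hunk, but moving the check ahead of those writes removes the question entirely. It would also help to state what the guard protects, since the truncation path below looks like it derives a remaining length from `SDP_MAX_PAD_LEN` and `free_pad_ptr`, which would underflow if the pad were already full: `// Pad already full: the remaining-length arithmetic below would underflow, so reject up front.` The branch for non-text attributes that still overflow the pad is beyond the visible lines, so I cannot confirm it rejects rather than copies. SDP_AddAttributeToRecord begins and ends outside this hunk.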