Remerge TQ1A.230205.002 am: bd19f30551 (df950376) · Commits · e / os / android_packages_modules_Bluetooth

system/bta/Android.bp

+34 −0

Original line number	Diff line number	Diff line
		@@ -230,6 +230,40 @@ cc_test {
		],
		}

		// bta unit tests for target
		cc_test {
		name: "net_test_bta_security",
		defaults: [
		"fluoride_bta_defaults",
		"mts_defaults"
		],
		test_suites: ["device-tests"],
		srcs: [
		":TestCommonMockFunctions",
		":TestMockDevice",
		":TestMockStack",
		":TestMockBtif",
		"test/bta_hf_client_security_test.cc",
		],
		shared_libs: [
		"android.hardware.bluetooth.audio@2.0",
		"android.hardware.bluetooth.audio@2.1",
		"libcrypto",
		"liblog",
		"libprotobuf-cpp-lite",
		],
		static_libs: [
		"crypto_toolbox_for_tests",
		"libbtcore",
		"libbt-bta",
		"libbt-bta-core",
		"libbt-audio-hal-interface",
		"libbluetooth-types",
		"libbt-protos-lite",
		"libosi",
		"libbt-common",
		],
		}
		cc_test {
		name: "bt_host_test_bta",
		defaults: [

system/bta/hf_client/bta_hf_client_at.cc

+6 −0

Original line number	Diff line number	Diff line
		@@ -1731,6 +1731,12 @@ void bta_hf_client_at_parse(tBTA_HF_CLIENT_CB* client_cb, char* buf,
		client_cb->at_cb.offset += tmp;
		}

		/* prevent buffer overflow in cases where LEN exceeds available buffer space
		*/
		if (len > BTA_HF_CLIENT_AT_PARSER_MAX_LEN - client_cb->at_cb.offset) {
		return;
		}

		memcpy(client_cb->at_cb.buf + client_cb->at_cb.offset, buf, len);
		client_cb->at_cb.offset += len;

system/bta/test/bta_hf_client_security_test.cc

0 → 100644

+79 −0

Original line number	Diff line number	Diff line
		/******************************************************************************
		*
		* Copyright 2022 The Android Open Source Project
		*
		* Licensed under the Apache License, Version 2.0 (the "License");
		* you may not use this file except in compliance with the License.
		* You may obtain a copy of the License at:
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*
		******************************************************************************/

		#include <gtest/gtest.h>

		#include "bta/hf_client/bta_hf_client_int.h"
		#include "bta/include/bta_hf_client_api.h"
		#include "common/message_loop_thread.h"
		#include "device/include/esco_parameters.h"
		#include "test/mock/mock_device_controller.h"
		#include "types/raw_address.h"

		namespace base {
		class MessageLoop;
		} // namespace base

		bluetooth::common::MessageLoopThread* get_main_thread() { return nullptr; }
		void do_in_main_thread(base::Location const&, base::OnceCallback<void()>) {
		return;
		}

		namespace {
		const RawAddress bdaddr1({0x11, 0x22, 0x33, 0x44, 0x55, 0x66});
		} // namespace

		// TODO(jpawlowski): there is some weird dependency issue in tests, and the
		// tests here fail to compile without this definition.
		void LogMsg(uint32_t trace_set_mask, const char* fmt_str, ...) {}

		class BtaHfClientSecurityTest : public testing::Test {
		protected:
		void SetUp() override {
		// Reset the memory block, this is the state on which the allocate handle
		// would start operating
		bta_hf_client_cb_arr_init();
		}
		};

		// Attempt to parse a buffer which exceeds available buffer space.
		// This should fail but not crash
		TEST_F(BtaHfClientSecurityTest, test_parse_overflow_buffer) {
		uint16_t p_handle;
		bool status = bta_hf_client_allocate_handle(bdaddr1, &p_handle);

		tBTA_HF_CLIENT_CB* cb;

		// Allocation should succeed
		ASSERT_EQ(true, status);
		ASSERT_GT(p_handle, 0);

		cb = bta_hf_client_find_cb_by_bda(bdaddr1);

		ASSERT_TRUE(cb != NULL);

		uint16_t len = BTA_HF_CLIENT_AT_PARSER_MAX_LEN * 2 + 3;
		char buf[BTA_HF_CLIENT_AT_PARSER_MAX_LEN * 2 + 3] = {'\n'};

		bta_hf_client_at_parse(cb, (char*)(&buf[0]), len);

		ASSERT_TRUE(len);
		ASSERT_TRUE(buf != NULL);

		ASSERT_TRUE(1);
		}

system/stack/a2dp/a2dp_codec_config.cc

+10 −0

Original line number	Diff line number	Diff line
		@@ -598,6 +598,9 @@ bool A2dpCodecs::init() {
		LOG_INFO("%s", __func__);
		std::lock_guard<std::recursive_mutex> lock(codec_mutex_);

		bool opus_enabled =
		osi_property_get_bool("persist.bluetooth.opus.enabled", false);

		for (int i = BTAV_A2DP_CODEC_INDEX_MIN; i < BTAV_A2DP_CODEC_INDEX_MAX; i++) {
		btav_a2dp_codec_index_t codec_index =
		static_cast<btav_a2dp_codec_index_t>(i);
		@@ -610,6 +613,13 @@ bool A2dpCodecs::init() {
		codec_priority = cp_iter->second;
		}

		// If OPUS is not supported it is disabled
		if (codec_index == BTAV_A2DP_CODEC_INDEX_SOURCE_OPUS && !opus_enabled) {
		codec_priority = BTAV_A2DP_CODEC_PRIORITY_DISABLED;
		LOG_INFO("%s: OPUS codec disabled, updated priority to %d", __func__,
		codec_priority);
		}

		A2dpCodecConfig* codec_config =
		A2dpCodecConfig::createCodec(codec_index, codec_priority);
		if (codec_config == nullptr) continue;

system/stack/avdt/avdt_scb_act.cc

+3 −3

Original line number	Diff line number	Diff line
		@@ -261,7 +261,7 @@ void avdt_scb_hdl_pkt_no_frag(AvdtpScb* p_scb, tAVDT_SCB_EVT* p_data) {
		p += ex_len * 4;
		}

		if ((p - p_start) > len) {
		if ((p - p_start) >= len) {
		osi_free_and_reset((void**)&p_data->p_pkt);
		return;
		}
		@@ -270,11 +270,11 @@ void avdt_scb_hdl_pkt_no_frag(AvdtpScb* p_scb, tAVDT_SCB_EVT* p_data) {
		/* adjust length for any padding at end of packet */
		if (o_p) {
		/* padding length in last byte of packet */
		pad_len = *(p_start + len);
		pad_len = *(p_start + len - 1);
		}

		/* do sanity check */
		if (pad_len > (len - offset)) {
		if (pad_len >= (len - offset)) {
		AVDT_TRACE_WARNING("Got bad media packet");
		osi_free_and_reset((void**)&p_data->p_pkt);
		}