Merge cherrypicks of ['googleplex-android-review.googlesource.com/25492676',... (e6746e12) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/btm/btm_sec.cc

+1 −2

Original line number	Diff line number	Diff line
		@@ -245,7 +245,6 @@ static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_r
		bool locally_initiated,
		uint16_t security_req) {
		return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
		p_dev_rec->is_device_authenticated() &&
		p_dev_rec->is_bond_type_temporary();
		}

system/stack/gatt/att_protocol.cc

+45 −11

Original line number	Diff line number	Diff line
		@@ -287,46 +287,80 @@ static BT_HDR* attp_build_opcode_cmd(uint8_t op_code) {
		static BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code,
		uint16_t handle, uint16_t offset,
		uint16_t len, uint8_t* p_data) {
		uint8_t p, pp, pair_len, *p_pair_len;
		uint8_t p, pp, *p_pair_len;
		size_t pair_len;
		size_t size_now = 1;

		#define CHECK_SIZE() \
		do { \
		if (size_now > payload_size) { \
		LOG_ERROR("payload size too small"); \
		osi_free(p_buf); \
		return nullptr; \
		} \
		} while (false)

		BT_HDR* p_buf =
		(BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);

		p = pp = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;

		CHECK_SIZE();
		UINT8_TO_STREAM(p, op_code);
		p_buf->offset = L2CAP_MIN_OFFSET;
		p_buf->len = 1;

		if (op_code == GATT_RSP_READ_BY_TYPE) {
		p_pair_len = p;
		p_pair_len = p++;
		pair_len = len + 2;
		UINT8_TO_STREAM(p, pair_len);
		p_buf->len += 1;
		size_now += 1;
		CHECK_SIZE();
		// this field will be backfilled in the end of this function
		}

		if (op_code != GATT_RSP_READ_BLOB && op_code != GATT_RSP_READ) {
		size_now += 2;
		CHECK_SIZE();
		UINT16_TO_STREAM(p, handle);
		p_buf->len += 2;
		}

		if (op_code == GATT_REQ_PREPARE_WRITE \|\| op_code == GATT_RSP_PREPARE_WRITE) {
		size_now += 2;
		CHECK_SIZE();
		UINT16_TO_STREAM(p, offset);
		p_buf->len += 2;
		}

		if (len > 0 && p_data != NULL) {
		/* ensure data not exceed MTU size */
		if (payload_size - p_buf->len < len) {
		len = payload_size - p_buf->len;
		if (payload_size - size_now < len) {
		len = payload_size - size_now;
		/* update handle value pair length */
		if (op_code == GATT_RSP_READ_BY_TYPE) *p_pair_len = (len + 2);
		if (op_code == GATT_RSP_READ_BY_TYPE) {
		pair_len = (len + 2);
		}

		LOG(WARNING) << StringPrintf(
		"attribute value too long, to be truncated to %d", len);
		}

		size_now += len;
		CHECK_SIZE();
		ARRAY_TO_STREAM(p, p_data, len);
		p_buf->len += len;
		}

		// backfill pair len field
		if (op_code == GATT_RSP_READ_BY_TYPE) {
		if (pair_len > UINT8_MAX) {
		LOG_ERROR("pair_len greater than %d", UINT8_MAX);
		osi_free(p_buf);
		return nullptr;
		}

		*p_pair_len = (uint8_t)pair_len;
		}

		#undef CHECK_SIZE

		p_buf->len = (uint16_t)size_now;
		return p_buf;
		}

system/stack/smp/smp_act.cc

+7 −0

Original line number	Diff line number	Diff line
		@@ -460,6 +460,13 @@ void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
		* Description process security request.
		******************************************************************************/
		void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
		if (smp_command_has_invalid_length(p_cb)) {
		tSMP_INT_DATA smp_int_data;
		smp_int_data.status = SMP_INVALID_PARAMETERS;
		smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
		return;
		}

		tBTM_LE_AUTH_REQ auth_req = (tBTM_LE_AUTH_REQ)p_data->p_data;
		tBTM_BLE_SEC_REQ_ACT sec_req_act;