Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fe19886e authored by Hui Peng's avatar Hui Peng Committed by Automerger Merge Worker
Browse files

Merge "Add validation on sdp attr type and size in hidh_api.cc" into tm-dev... 

Merge "Add validation on sdp attr type and size in hidh_api.cc" into tm-dev am: 114f8039 am: ae8a371b am: 3d7de746 am: 3c31723c

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/24638584



Change-Id: Id370a0236060b836fa327f725f426bd9a3976900
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents f0266e28 3c31723c

system/stack/hid/hidh_api.cc

+44 −13
Original line number Diff line number Diff line
@@ -88,6 +88,7 @@ void hidh_get_str_attr(tSDP_DISC_REC* p_rec, uint16_t attr_id, uint16_t max_len, 


  p_attr = SDP_FindAttributeInRec(p_rec, attr_id);

  if (p_attr != NULL) {

    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == TEXT_STR_DESC_TYPE) {

      name_len = SDP_DISC_ATTR_LEN(p_attr->attr_len_type);

      if (name_len < max_len) {

        memcpy(str, (char*)p_attr->attr_value.v.array, name_len);
@@ -96,6 +97,10 @@ void hidh_get_str_attr(tSDP_DISC_REC* p_rec, uint16_t attr_id, uint16_t max_len, 
        memcpy(str, (char*)p_attr->attr_value.v.array, max_len - 1);

        str[max_len - 1] = '\0';

      }

    } else {

      str[0] = '\0';

      LOG_ERROR("attr type not str!!");

    }

  } else

    str[0] = '\0';

}
@@ -144,36 +149,48 @@ static void hidh_search_callback(tSDP_RESULT sdp_result) { 


  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_VIRTUAL_CABLE)) !=

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == BOOLEAN_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1 &&

      (p_attr->attr_value.v.u8)) {

    attr_mask |= HID_VIRTUAL_CABLE;

  }



  if (((p_attr = SDP_FindAttributeInRec(

            p_rec, ATTR_ID_HID_RECONNECT_INITIATE)) != NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == BOOLEAN_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1 &&

      (p_attr->attr_value.v.u8)) {

    attr_mask |= HID_RECONN_INIT;

  }



  if (((p_attr = SDP_FindAttributeInRec(

            p_rec, ATTR_ID_HID_NORMALLY_CONNECTABLE)) != NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == BOOLEAN_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1 &&

      (p_attr->attr_value.v.u8)) {

    attr_mask |= HID_NORMALLY_CONNECTABLE;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_SDP_DISABLE)) !=

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == BOOLEAN_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1 &&

      (p_attr->attr_value.v.u8)) {

    attr_mask |= HID_SDP_DISABLE;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_BATTERY_POWER)) !=

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == BOOLEAN_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1 &&

      (p_attr->attr_value.v.u8)) {

    attr_mask |= HID_BATTERY_POWER;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_REMOTE_WAKE)) !=

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == BOOLEAN_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1 &&

      (p_attr->attr_value.v.u8)) {

    attr_mask |= HID_REMOTE_WAKE;

  }
@@ -186,40 +203,54 @@ static void hidh_search_callback(tSDP_RESULT sdp_result) { 
                    p_nvi->prov_name);



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_DEVICE_RELNUM)) !=

       NULL)) {

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {

    p_nvi->rel_num = p_attr->attr_value.v.u16;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_COUNTRY_CODE)) !=

       NULL)) {

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1) {

    p_nvi->ctry_code = p_attr->attr_value.v.u8;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_DEVICE_SUBCLASS)) !=

       NULL)) {

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1) {

    p_nvi->sub_class = p_attr->attr_value.v.u8;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_PARSER_VERSION)) !=

       NULL)) {

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {

    p_nvi->hpars_ver = p_attr->attr_value.v.u16;

  }



  if (((p_attr = SDP_FindAttributeInRec(

            p_rec, ATTR_ID_HID_LINK_SUPERVISION_TO)) != NULL)) {

            p_rec, ATTR_ID_HID_LINK_SUPERVISION_TO)) != NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {

    attr_mask |= HID_SUP_TOUT_AVLBL;

    p_nvi->sup_timeout = p_attr->attr_value.v.u16;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_SSR_HOST_MAX_LAT)) !=

       NULL)) {

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {

    attr_mask |= HID_SSR_MAX_LATENCY;

    p_nvi->ssr_max_latency = p_attr->attr_value.v.u16;

  } else

    p_nvi->ssr_max_latency = HID_SSR_PARAM_INVALID;



  if (((p_attr = SDP_FindAttributeInRec(

            p_rec, ATTR_ID_HID_SSR_HOST_MIN_TOUT)) != NULL)) {

            p_rec, ATTR_ID_HID_SSR_HOST_MIN_TOUT)) != NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {

    attr_mask |= HID_SSR_MIN_TOUT;

    p_nvi->ssr_min_tout = p_attr->attr_value.v.u16;

  } else