コミット: fbb32dccee1fe693dc6e18bf8eadc1ba8555e7ae - system-bt (git)

R/O
HTTP
SSH
HTTPS

コミット

コミットメタ情報

リビジョン	fbb32dccee1fe693dc6e18bf8eadc1ba8555e7ae (tree)
日時	2019-05-20 18:39:52
作者	Chih-Wei Huang <cwhuang@linu...>
コミッター	Chih-Wei Huang

ログメッセージ

Android 8.1.0 Release 64 (OPM8.190505.001)
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCXNCVTQAKCRDorT+BmrEO
eKUdAJ98NM0aWKcW1zcZ+3HxCkkojnoZFQCdEWbojvM7+JH+YORTajxV6UsxzOs=
=3EKd
-----END PGP SIGNATURE-----

Merge tag 'android-8.1.0_r64' into oreo-x86

Android 8.1.0 Release 64 (OPM8.190505.001)

変更サマリ

modified: bta/hl/bta_hl_main.cc (diff)
modified: btif/src/btif_dm.cc (diff)
modified: btif/src/btif_hl.cc (diff)
modified: stack/avrc/avrc_pars_ct.cc (diff)
modified: stack/btm/ble_advertiser_hci_interface.cc (diff)
modified: stack/btm/btm_ble.cc (diff)
modified: stack/l2cap/l2c_fcr.cc (diff)
modified: stack/l2cap/l2c_main.cc (diff)
modified: stack/l2cap/l2c_utils.cc (diff)
modified: stack/smp/smp_act.cc (diff)
modified: stack/smp/smp_utils.cc (diff)

差分

--- a/bta/hl/bta_hl_main.cc

+++ b/bta/hl/bta_hl_main.cc

		@@ -1404,14 +1404,13 @@ static void bta_hl_sdp_query_results(UNUSED_ATTR tBTA_HL_CB* p_cb,
1404	1404	tBTA_HL_MCL_CB* p_mcb = BTA_HL_GET_MCL_CB_PTR(app_idx, mcl_idx);
1405	1405	tBTA_HL_SDP* p_sdp = NULL;
1406	1406	uint16_t event;
1407		- bool release_sdp_buf = false;
1408	1407
1409	1408	event = p_data->hdr.event;
1410	1409
1411	1410	if (event == BTA_HL_SDP_QUERY_OK_EVT) {
	1411	+ // this is freed in btif_hl_proc_sdp_query_cfm
1412	1412	p_sdp = (tBTA_HL_SDP*)osi_malloc(sizeof(tBTA_HL_SDP));
1413	1413	memcpy(p_sdp, &p_mcb->sdp, sizeof(tBTA_HL_SDP));
1414		- release_sdp_buf = true;
1415	1414	} else {
1416	1415	status = BTA_HL_STATUS_SDP_FAIL;
1417	1416	}

		@@ -1430,8 +1429,6 @@ static void bta_hl_sdp_query_results(UNUSED_ATTR tBTA_HL_CB* p_cb,
1430	1429	p_mcb->bd_addr, p_sdp, status);
1431	1430	p_acb->p_cback(BTA_HL_SDP_QUERY_CFM_EVT, (tBTA_HL*)&evt_data);
1432	1431
1433		- if (release_sdp_buf) osi_free_and_reset((void**)&p_sdp);
1434		-
1435	1432	if (p_data->cch_sdp.release_mcl_cb) {
1436	1433	memset(p_mcb, 0, sizeof(tBTA_HL_MCL_CB));
1437	1434	} else {

--- a/btif/src/btif_dm.cc

+++ b/btif/src/btif_dm.cc

		@@ -183,6 +183,7 @@ typedef struct {
183	183	#define BTA_SERVICE_ID_TO_SERVICE_MASK(id) (1 << (id))
184	184
185	185	#define UUID_HUMAN_INTERFACE_DEVICE "00001124-0000-1000-8000-00805f9b34fb"
	186	+#define UUID_EMPTY "00000000-0000-0000-0000-000000000000"
186	187
187	188	#define MAX_BTIF_BOND_EVENT_ENTRIES 15
188	189

		@@ -261,6 +262,11 @@ static bool is_empty_128bit(uint8_t* data) {
261	262	return !memcmp(zero, data, sizeof(zero));
262	263	}
263	264
	265	+static bool is_bonding_or_sdp() {
	266	+ return pairing_cb.state == BT_BOND_STATE_BONDING \|\|
	267	+ (pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts);
	268	+}
	269	+
264	270	static void btif_dm_data_copy(uint16_t event, char* dst, char* src) {
265	271	tBTA_DM_SEC* dst_dm_sec = (tBTA_DM_SEC*)dst;
266	272	tBTA_DM_SEC* src_dm_sec = (tBTA_DM_SEC*)src;

		@@ -487,8 +493,6 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr,
487	493	bt_bond_state_t state) {
488	494	btif_stats_add_bond_event(bd_addr, BTIF_DM_FUNC_BOND_STATE_CHANGED, state);
489	495
490		- // Send bonding state only once - based on outgoing/incoming we may receive
491		- // duplicates
492	496	if ((pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING)) {
493	497	// Cross key pairing so send callback for static address
494	498	if (!pairing_cb.static_bdaddr.IsEmpty()) {

		@@ -506,14 +510,18 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr,
506	510	auto tmp = bd_addr;
507	511	HAL_CBACK(bt_hal_cbacks, bond_state_changed_cb, status, &tmp, state);
508	512
509		- if (state == BT_BOND_STATE_BONDING) {
	513	+ int dev_type;
	514	+ if (!btif_get_device_type(bd_addr, &dev_type)) {
	515	+ dev_type = BT_DEVICE_TYPE_BREDR;
	516	+ }
	517	+
	518	+ if (state == BT_BOND_STATE_BONDING \|\|
	519	+ (state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts > 0)) {
	520	+ // Save state for the device is bonding or SDP.
510	521	pairing_cb.state = state;
511	522	pairing_cb.bd_addr = bd_addr;
512	523	} else {
513		- if (!pairing_cb.sdp_attempts)
514		- memset(&pairing_cb, 0, sizeof(pairing_cb));
515		- else
516		- BTIF_TRACE_DEBUG("%s: BR-EDR service discovery active", __func__);
	524	+ pairing_cb = {};
517	525	}
518	526	}
519	527

		@@ -1121,6 +1129,10 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) {
1121	1129
1122	1130	/* Trigger SDP on the device */
1123	1131	pairing_cb.sdp_attempts = 1;
	1132	+
	1133	+ // Report bonded to Java before start SDP
	1134	+ bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED);
	1135	+
1124	1136	btif_dm_get_remote_services(bd_addr);
1125	1137	}
1126	1138	}

		@@ -1378,9 +1390,9 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) {
1378	1390
1379	1391	BTIF_TRACE_DEBUG("%s:(result=0x%x, services 0x%x)", __func__,
1380	1392	p_data->disc_res.result, p_data->disc_res.services);
1381		- if ((p_data->disc_res.result != BTA_SUCCESS) &&
1382		- (pairing_cb.state == BT_BOND_STATE_BONDING) &&
1383		- (pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING)) {
	1393	+ if (p_data->disc_res.result != BTA_SUCCESS &&
	1394	+ pairing_cb.state == BT_BOND_STATE_BONDED &&
	1395	+ pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING) {
1384	1396	BTIF_TRACE_WARNING("%s:SDP failed after bonding re-attempting",
1385	1397	__func__);
1386	1398	pairing_cb.sdp_attempts++;

		@@ -1405,21 +1417,42 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) {
1405	1417	/* onUuidChanged requires getBondedDevices to be populated.
1406	1418	** bond_state_changed needs to be sent prior to remote_device_property
1407	1419	*/
1408		- if ((pairing_cb.state == BT_BOND_STATE_BONDING) &&
	1420	+ if ((pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts) &&
1409	1421	(p_data->disc_res.bd_addr == pairing_cb.bd_addr \|\|
1410		- p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) &&
1411		- pairing_cb.sdp_attempts > 0) {
1412		- BTIF_TRACE_DEBUG(
1413		- "%s Remote Service SDP done. Call bond_state_changed_cb BONDED",
1414		- __func__);
	1422	+ p_data->disc_res.bd_addr == pairing_cb.static_bdaddr)) {
	1423	+ LOG_INFO(LOG_TAG, "%s Remote Service SDP done.", __func__);
1415	1424	pairing_cb.sdp_attempts = 0;
1416	1425
1417		- // If bonding occured due to cross-key pairing, send bonding callback
	1426	+ // If bond occured due to cross-key pairing, send bond state callback
1418	1427	// for static address now
1419		- if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr)
	1428	+ if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) {
1420	1429	bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDING);
1421		-
1422		- bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED);
	1430	+ bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED);
	1431	+ }
	1432	+ if (pairing_cb.state == BT_BOND_STATE_BONDED) {
	1433	+ if (p_data->disc_res.result == BTA_SUCCESS) {
	1434	+ // Device is bonded and SDP completed. Clear the pairing control
	1435	+ // block.
	1436	+ pairing_cb = {};
	1437	+ } else {
	1438	+ // Report empty UUID to Java if SDP report negative result while
	1439	+ // pairing.
	1440	+ bt_property_t prop;
	1441	+ bt_uuid_t uuid;
	1442	+ char uuid_str[128] = UUID_EMPTY;
	1443	+
	1444	+ string_to_uuid(uuid_str, &uuid);
	1445	+
	1446	+ prop.type = BT_PROPERTY_UUIDS;
	1447	+ prop.val = uuid.uu;
	1448	+ prop.len = MAX_UUID_SIZE;
	1449	+
	1450	+ /* Send the event to the BTIF */
	1451	+ HAL_CBACK(bt_hal_cbacks, remote_device_properties_cb,
	1452	+ BT_STATUS_SUCCESS, &bd_addr, 1, &prop);
	1453	+ break;
	1454	+ }
	1455	+ }
1423	1456	}
1424	1457
1425	1458	if (p_data->disc_res.num_uuids != 0) {

		@@ -1629,7 +1662,7 @@ static void btif_dm_upstreams_evt(uint16_t event, char* p_param) {
1629	1662	break;
1630	1663
1631	1664	case BTA_DM_BOND_CANCEL_CMPL_EVT:
1632		- if (pairing_cb.state == BT_BOND_STATE_BONDING) {
	1665	+ if (is_bonding_or_sdp()) {
1633	1666	bd_addr = pairing_cb.bd_addr;
1634	1667	btm_set_bond_type_dev(pairing_cb.bd_addr, BOND_TYPE_UNKNOWN);
1635	1668	bond_state_changed((bt_status_t)p_data->bond_cancel_cmpl.result,

		@@ -2277,7 +2310,7 @@ bt_status_t btif_dm_cancel_bond(const RawAddress* bd_addr) {
2277	2310	** 1. Restore scan modes
2278	2311	** 2. special handling for HID devices
2279	2312	*/
2280		- if (pairing_cb.state == BT_BOND_STATE_BONDING) {
	2313	+ if (is_bonding_or_sdp()) {
2281	2314	if (pairing_cb.is_ssp) {
2282	2315	if (pairing_cb.is_le_only) {
2283	2316	BTA_DmBleSecurityGrant(*bd_addr, BTA_DM_SEC_PAIR_NOT_SPT);

		@@ -2469,7 +2502,7 @@ bt_status_t btif_dm_get_remote_services(const RawAddress& remote_addr) {
2469	2502
2470	2503	/*******************************************************************************
2471	2504	*
2472		- * Function btif_dm_get_remote_services_transport
	2505	+ * Function btif_dm_get_remote_services_by_transport
2473	2506	*
2474	2507	* Description Start SDP to get remote services by transport
2475	2508	*

		@@ -3171,7 +3204,7 @@ bt_status_t btif_le_test_mode(uint16_t opcode, uint8_t* buf, uint8_t len) {
3171	3204
3172	3205	void btif_dm_on_disable() {
3173	3206	/* cancel any pending pairing requests */
3174		- if (pairing_cb.state == BT_BOND_STATE_BONDING) {
	3207	+ if (is_bonding_or_sdp()) {
3175	3208	BTIF_TRACE_DEBUG("%s: Cancel pending pairing request", __func__);
3176	3209	btif_dm_cancel_bond(&pairing_cb.bd_addr);
3177	3210	}

--- a/btif/src/btif_hl.cc

+++ b/btif/src/btif_hl.cc

		@@ -2128,6 +2128,10 @@ static bool btif_hl_proc_sdp_query_cfm(tBTA_HL* p_data) {
2128	2128	}
2129	2129	}
2130	2130	}
	2131	+
	2132	+ // this was allocated in bta_hl_sdp_query_results
	2133	+ osi_free_and_reset((void**)&p_data->sdp_query_cfm.p_sdp);
	2134	+
2131	2135	return status;
2132	2136	}
2133	2137

--- a/stack/avrc/avrc_pars_ct.cc

+++ b/stack/avrc/avrc_pars_ct.cc

		@@ -222,69 +222,88 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
222	222	uint8_t* p = p_msg->p_browse_data;
223	223
224	224	/* read the pdu */
	225	+ if (p_msg->browse_len < 3) {
	226	+ android_errorWriteLog(0x534e4554, "111451066");
	227	+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 3",
	228	+ __func__, p_msg->browse_len);
	229	+ return AVRC_STS_BAD_PARAM;
	230	+ }
225	231	BE_STREAM_TO_UINT8(pdu, p);
226	232	uint16_t pkt_len;
	233	+ int min_len = 0;
227	234	/* read the entire packet len */
228	235	BE_STREAM_TO_UINT16(pkt_len, p);
229	236
230		- AVRC_TRACE_DEBUG("%s pdu %d", __func__, pdu);
	237	+ AVRC_TRACE_DEBUG("%s pdu:%d, pkt_len:%d", __func__, pdu, pkt_len);
231	238
232		- /* used to track how much we have read, if we cannot read anymore but the
233		- * packet says so then we have a malformed packet. Also vice versa. */
234		- uint16_t pkt_len_read = 0;
	239	+ if (p_msg->browse_len < (pkt_len + 3)) {
	240	+ android_errorWriteLog(0x534e4554, "111451066");
	241	+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
	242	+ __func__, p_msg->browse_len, pkt_len + 3);
	243	+ return AVRC_STS_INTERNAL_ERR;
	244	+ }
235	245
236	246	switch (pdu) {
237	247	case AVRC_PDU_GET_FOLDER_ITEMS: {
238	248	tAVRC_GET_ITEMS_RSP* get_item_rsp = &(p_rsp->get_items);
239	249	/* Copy back the PDU */
240	250	get_item_rsp->pdu = pdu;
	251	+
	252	+ min_len += 1;
	253	+ if (pkt_len < min_len) goto browse_length_error;
241	254	/* read the status */
242	255	BE_STREAM_TO_UINT8(get_item_rsp->status, p);
	256	+ if (get_item_rsp->status != AVRC_STS_NO_ERROR) {
	257	+ AVRC_TRACE_WARNING("%s returning error %d", __func__,
	258	+ get_item_rsp->status);
	259	+ return get_item_rsp->status;
	260	+ }
	261	+
	262	+ min_len += 4;
	263	+ if (pkt_len < min_len) goto browse_length_error;
243	264	/* read the UID counter */
244	265	BE_STREAM_TO_UINT16(get_item_rsp->uid_counter, p);
245	266	/* read the number of items */
246	267	BE_STREAM_TO_UINT16(get_item_rsp->item_count, p);
247		- pkt_len_read += 5;
248	268
249	269	AVRC_TRACE_DEBUG(
250	270	"%s pdu %d status %d pkt_len %d uid counter %d item count %d",
251	271	__func__, get_item_rsp->pdu, get_item_rsp->status, pkt_len,
252	272	get_item_rsp->uid_counter, get_item_rsp->item_count);
253	273
254		- if (get_item_rsp->status != AVRC_STS_NO_ERROR) {
255		- AVRC_TRACE_WARNING("%s returning error %d", __func__,
256		- get_item_rsp->status);
257		- return get_item_rsp->status;
258		- }
259		-
260	274	/* get each of the items */
261	275	get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_malloc(
262	276	get_item_rsp->item_count * (sizeof(tAVRC_ITEM)));
263	277	tAVRC_ITEM* curr_item = get_item_rsp->p_item_list;
264	278	for (int i = 0; i < get_item_rsp->item_count; i++) {
	279	+ min_len += 1;
	280	+ if (pkt_len < min_len) goto browse_length_error;
265	281	BE_STREAM_TO_UINT8(curr_item->item_type, p);
266		- pkt_len_read += 1;
267	282	AVRC_TRACE_DEBUG("%s item type %d", __func__, curr_item->item_type);
268	283	switch (curr_item->item_type) {
269	284	case AVRC_ITEM_PLAYER: {
270	285	/* Handle player */
271	286	tAVRC_ITEM_PLAYER* player = &(curr_item->u.player);
272	287	uint8_t player_len;
	288	+ min_len += 10 + AVRC_FEATURE_MASK_SIZE;
	289	+ if (pkt_len < min_len) goto browse_length_error;
273	290	BE_STREAM_TO_UINT16(player_len, p);
274	291	BE_STREAM_TO_UINT16(player->player_id, p);
275	292	BE_STREAM_TO_UINT8(player->major_type, p);
276	293	BE_STREAM_TO_UINT32(player->sub_type, p);
277	294	BE_STREAM_TO_UINT8(player->play_status, p);
278	295	BE_STREAM_TO_ARRAY(p, player->features, AVRC_FEATURE_MASK_SIZE);
279		- pkt_len_read += (10 + AVRC_FEATURE_MASK_SIZE);
280	296
281	297	/* read str */
	298	+ min_len += 4;
	299	+ if (pkt_len < min_len) goto browse_length_error;
282	300	BE_STREAM_TO_UINT16(player->name.charset_id, p);
283	301	BE_STREAM_TO_UINT16(player->name.str_len, p);
	302	+ min_len += player->name.str_len;
	303	+ if (pkt_len < min_len) goto browse_length_error;
284	304	player->name.p_str = (uint8_t*)osi_malloc(
285	305	(player->name.str_len + 1) * sizeof(uint8_t));
286	306	BE_STREAM_TO_ARRAY(p, player->name.p_str, player->name.str_len);
287		- pkt_len_read += (4 + player->name.str_len);
288	307	AVRC_TRACE_DEBUG(
289	308	"%s type %d id %d mtype %d stype %d ps %d cs %d name len %d",
290	309	__func__, curr_item->item_type, player->player_id,

		@@ -295,20 +314,24 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
295	314	case AVRC_ITEM_FOLDER: {
296	315	tAVRC_ITEM_FOLDER* folder = &(curr_item->u.folder);
297	316	uint16_t folder_len;
	317	+ min_len += 4 + AVRC_UID_SIZE;
	318	+ if (pkt_len < min_len) goto browse_length_error;
298	319	BE_STREAM_TO_UINT16(folder_len, p);
299	320
300	321	BE_STREAM_TO_ARRAY(p, folder->uid, AVRC_UID_SIZE);
301	322	BE_STREAM_TO_UINT8(folder->type, p);
302	323	BE_STREAM_TO_UINT8(folder->playable, p);
303		- pkt_len_read += (4 + AVRC_UID_SIZE);
304	324
305	325	/* read str, encoding to be handled by upper layers */
	326	+ min_len += 4;
	327	+ if (pkt_len < min_len) goto browse_length_error;
306	328	BE_STREAM_TO_UINT16(folder->name.charset_id, p);
307	329	BE_STREAM_TO_UINT16(folder->name.str_len, p);
	330	+ min_len += folder->name.str_len;
	331	+ if (pkt_len < min_len) goto browse_length_error;
308	332	folder->name.p_str = (uint8_t*)osi_malloc(
309	333	(folder->name.str_len + 1) * sizeof(uint8_t));
310	334	BE_STREAM_TO_ARRAY(p, folder->name.p_str, folder->name.str_len);
311		- pkt_len_read += (4 + folder->name.str_len);
312	335	AVRC_TRACE_DEBUG("%s type %d playable %d cs %d name len %d",
313	336	__func__, folder->type, folder->playable,
314	337	folder->name.charset_id, folder->name.str_len);

		@@ -317,14 +340,19 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
317	340	case AVRC_ITEM_MEDIA: {
318	341	tAVRC_ITEM_MEDIA* media = &(curr_item->u.media);
319	342	uint8_t media_len;
	343	+ min_len += 3 + AVRC_UID_SIZE;
	344	+ if (pkt_len < min_len) goto browse_length_error;
320	345	BE_STREAM_TO_UINT16(media_len, p);
321	346	BE_STREAM_TO_ARRAY(p, media->uid, AVRC_UID_SIZE);
322	347	BE_STREAM_TO_UINT8(media->type, p);
323		- pkt_len_read += (3 + AVRC_UID_SIZE);
324	348
325	349	/* read str, encoding to be handled by upper layers */
	350	+ min_len += 4;
	351	+ if (pkt_len < min_len) goto browse_length_error;
326	352	BE_STREAM_TO_UINT16(media->name.charset_id, p);
327	353	BE_STREAM_TO_UINT16(media->name.str_len, p);
	354	+ min_len += 1 + media->name.str_len;
	355	+ if (pkt_len < min_len) goto browse_length_error;
328	356	media->name.p_str =
329	357	(uint8_t)osi_malloc((media->name.str_len) sizeof(uint8_t));
330	358	BE_STREAM_TO_ARRAY(p, media->name.p_str, media->name.str_len);

		@@ -333,22 +361,24 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
333	361	AVRC_TRACE_DEBUG("%s media type %d charset id %d len %d attr ct %d",
334	362	__func__, media->type, media->name.charset_id,
335	363	media->name.str_len, media->attr_count);
336		- pkt_len_read += (5 + media->name.str_len);
337	364
338	365	media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_malloc(
339	366	media->attr_count * sizeof(tAVRC_ATTR_ENTRY));
340	367	for (int jk = 0; jk < media->attr_count; jk++) {
341	368	tAVRC_ATTR_ENTRY* attr_entry = &(media->p_attr_list[jk]);
	369	+ min_len += 8;
	370	+ if (pkt_len < min_len) goto browse_length_error;
342	371	BE_STREAM_TO_UINT32(attr_entry->attr_id, p);
343	372
344	373	/* Parse the name now */
345	374	BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p);
346	375	BE_STREAM_TO_UINT16(attr_entry->name.str_len, p);
	376	+ min_len += attr_entry->name.str_len;
	377	+ if (pkt_len < min_len) goto browse_length_error;
347	378	attr_entry->name.p_str = (uint8_t*)osi_malloc(
348	379	attr_entry->name.str_len * sizeof(uint8_t));
349	380	BE_STREAM_TO_ARRAY(p, attr_entry->name.p_str,
350	381	attr_entry->name.str_len);
351		- pkt_len_read += (8 + attr_entry->name.str_len);
352	382	AVRC_TRACE_DEBUG("%s media attr id %d cs %d name len %d",
353	383	__func__, attr_entry->attr_id,
354	384	attr_entry->name.charset_id,

		@@ -362,14 +392,8 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
362	392	return AVRC_STS_INTERNAL_ERR;
363	393	}
364	394
365		- /* we check if we have overrun */
366		- if (pkt_len_read > pkt_len) {
367		- AVRC_TRACE_ERROR("%s overflow in read pkt_len %d pkt_len_read %d",
368		- __func__, pkt_len, pkt_len_read);
369		- return AVRC_STS_BAD_CMD;
370		- }
371		- AVRC_TRACE_DEBUG("%s pkt_len %d pkt_len_read %d", __func__, pkt_len,
372		- pkt_len_read);
	395	+ AVRC_TRACE_DEBUG("%s pkt_len %d min_len %d", __func__, pkt_len,
	396	+ min_len);
373	397
374	398	/* advance to populate the next item */
375	399	curr_item++;

		@@ -379,13 +403,14 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
379	403
380	404	case AVRC_PDU_CHANGE_PATH: {
381	405	tAVRC_CHG_PATH_RSP* change_path_rsp = &(p_rsp->chg_path);
	406	+ min_len += 5;
	407	+ if (pkt_len < min_len) goto browse_length_error;
382	408	/* Copyback the PDU */
383	409	change_path_rsp->pdu = pdu;
384	410	/* Read the status */
385	411	BE_STREAM_TO_UINT8(change_path_rsp->status, p);
386	412	/* Read the number of items in folder */
387	413	BE_STREAM_TO_UINT32(change_path_rsp->num_items, p);
388		- pkt_len_read += 5;
389	414
390	415	AVRC_TRACE_DEBUG("%s pdu %d status %d item count %d", __func__,
391	416	change_path_rsp->pdu, change_path_rsp->status,

		@@ -399,6 +424,8 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
399	424	set_br_pl_rsp->pdu = pdu;
400	425
401	426	/* Read the status */
	427	+ min_len += 10;
	428	+ if (pkt_len < min_len) goto browse_length_error;
402	429	BE_STREAM_TO_UINT8(set_br_pl_rsp->status, p);
403	430
404	431	if (set_br_pl_rsp->status != AVRC_STS_NO_ERROR) {

		@@ -415,7 +442,6 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
415	442	"%s AVRC_PDU_SET_BROWSED_PLAYER status %d items %d cs %d depth %d",
416	443	__func__, set_br_pl_rsp->status, set_br_pl_rsp->num_items,
417	444	set_br_pl_rsp->charset_id, set_br_pl_rsp->folder_depth);
418		- pkt_len_read += 10;
419	445
420	446	set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_malloc(
421	447	set_br_pl_rsp->num_items * sizeof(tAVRC_NAME));

		@@ -423,13 +449,16 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
423	449	/* Read each of the folder in the depth */
424	450	for (uint32_t i = 0; i < set_br_pl_rsp->folder_depth; i++) {
425	451	tAVRC_NAME* folder_name = &(set_br_pl_rsp->p_folders[i]);
	452	+ min_len += 2;
	453	+ if (pkt_len < min_len) goto browse_length_error;
426	454	BE_STREAM_TO_UINT16(folder_name->str_len, p);
	455	+ min_len += folder_name->str_len;
	456	+ if (pkt_len < min_len) goto browse_length_error;
427	457	AVRC_TRACE_DEBUG("%s AVRC_PDU_SET_BROWSED_PLAYER item: %d len: %d",
428	458	__func__, i, folder_name->str_len);
429	459	folder_name->p_str =
430	460	(uint8_t)osi_malloc((folder_name->str_len + 1) sizeof(uint8_t));
431	461	BE_STREAM_TO_ARRAY(p, folder_name->p_str, folder_name->str_len);
432		- pkt_len_read += (2 + folder_name->str_len);
433	462	}
434	463	break;
435	464	}

		@@ -438,12 +467,13 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
438	467	AVRC_TRACE_ERROR("%s pdu %d not handled", __func__, pdu);
439	468	}
440	469
441		- if (pkt_len != pkt_len_read) {
442		- AVRC_TRACE_ERROR("%s finished pkt_len %d pkt_len_read %d", __func__,
443		- pkt_len, pkt_len_read);
444		- return AVRC_STS_BAD_CMD;
445		- }
446	470	return status;
	471	+
	472	+browse_length_error:
	473	+ android_errorWriteLog(0x534e4554, "111451066");
	474	+ AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least %d",
	475	+ __func__, pkt_len, min_len);
	476	+ return AVRC_STS_BAD_CMD;
447	477	}
448	478
449	479	/*******************************************************************************

--- a/stack/btm/ble_advertiser_hci_interface.cc

+++ b/stack/btm/ble_advertiser_hci_interface.cc

		@@ -27,6 +27,7 @@
27	27	#include "btm_int_types.h"
28	28	#include "device/include/controller.h"
29	29	#include "hcidefs.h"
	30	+#include "log/log.h"
30	31
31	32	#define BTM_BLE_MULTI_ADV_SET_RANDOM_ADDR_LEN 8
32	33	#define BTM_BLE_MULTI_ADV_ENB_LEN 3

		@@ -162,6 +163,14 @@ class BleAdvertiserVscHciInterfaceImpl : public BleAdvertiserHciInterface {
162	163	uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN];
163	164	memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN);
164	165
	166	+ if (data_length > BTM_BLE_AD_DATA_LEN) {
	167	+ android_errorWriteLog(0x534e4554, "121145627");
	168	+ LOG(ERROR) << __func__
	169	+ << ": data_length=" << static_cast<int>(data_length)
	170	+ << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN;
	171	+ data_length = BTM_BLE_AD_DATA_LEN;
	172	+ }
	173	+
165	174	uint8_t* pp = param;
166	175	UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_ADV_DATA);
167	176	UINT8_TO_STREAM(pp, data_length);

		@@ -181,6 +190,14 @@ class BleAdvertiserVscHciInterfaceImpl : public BleAdvertiserHciInterface {
181	190	uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN];
182	191	memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN);
183	192
	193	+ if (scan_response_data_length > BTM_BLE_AD_DATA_LEN) {
	194	+ android_errorWriteLog(0x534e4554, "121145627");
	195	+ LOG(ERROR) << __func__ << ": scan_response_data_length="
	196	+ << static_cast<int>(scan_response_data_length)
	197	+ << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN;
	198	+ scan_response_data_length = BTM_BLE_AD_DATA_LEN;
	199	+ }
	200	+
184	201	uint8_t* pp = param;
185	202	UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_SCAN_RSP_DATA);
186	203	UINT8_TO_STREAM(pp, scan_response_data_length);

		@@ -370,6 +387,15 @@ class BleAdvertiserLegacyHciInterfaceImpl : public BleAdvertiserHciInterface {
370	387
371	388	uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1];
372	389
	390	+ if (data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) {
	391	+ android_errorWriteLog(0x534e4554, "121145627");
	392	+ LOG(ERROR) << __func__
	393	+ << ": data_length=" << static_cast<int>(data_length)
	394	+ << ", is longer than size limit "
	395	+ << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
	396	+ data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
	397	+ }
	398	+
373	399	uint8_t* pp = param;
374	400	memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1);
375	401	UINT8_TO_STREAM(pp, data_length);

		@@ -387,6 +413,15 @@ class BleAdvertiserLegacyHciInterfaceImpl : public BleAdvertiserHciInterface {
387	413	VLOG(1) << __func__;
388	414	uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1];
389	415
	416	+ if (scan_response_data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) {
	417	+ android_errorWriteLog(0x534e4554, "121145627");
	418	+ LOG(ERROR) << __func__ << ": scan_response_data_length="
	419	+ << static_cast<int>(scan_response_data_length)
	420	+ << ", is longer than size limit "
	421	+ << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
	422	+ scan_response_data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
	423	+ }
	424	+
390	425	uint8_t* pp = param;
391	426	memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1);
392	427	UINT8_TO_STREAM(pp, scan_response_data_length);

--- a/stack/btm/btm_ble.cc

+++ b/stack/btm/btm_ble.cc

		@@ -39,6 +39,7 @@
39	39	#include "gap_api.h"
40	40	#include "gatt_api.h"
41	41	#include "hcimsgs.h"
	42	+#include "log/log.h"
42	43	#include "l2c_int.h"
43	44	#include "osi/include/log.h"
44	45	#include "osi/include/osi.h"

		@@ -2060,6 +2061,12 @@ uint8_t btm_proc_smp_cback(tSMP_EVT event, const RawAddress& bd_addr,
2060	2061	}
2061	2062
2062	2063	if (event == SMP_COMPLT_EVT) {
	2064	+ p_dev_rec = btm_find_dev(bd_addr);
	2065	+ if (p_dev_rec == NULL) {
	2066	+ BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__);
	2067	+ android_errorWriteLog(0x534e4554, "120612744");
	2068	+ return 0;
	2069	+ }
2063	2070	BTM_TRACE_DEBUG(
2064	2071	"evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x",
2065	2072	p_data->cmplt.sec_level, p_dev_rec->sec_flags);

--- a/stack/l2cap/l2c_fcr.cc

+++ b/stack/l2cap/l2c_fcr.cc

		@@ -834,7 +834,16 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
834	834	}
835	835
836	836	if (p_ccb->is_first_seg) {
	837	+ if (p_buf->len < sizeof(sdu_length)) {
	838	+ L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least 2.",
	839	+ __func__, p_buf->len);
	840	+ android_errorWriteWithInfoLog(0x534e4554, "120665616", -1, NULL, 0);
	841	+ /* Discard the buffer */
	842	+ osi_free(p_buf);
	843	+ return;
	844	+ }
837	845	STREAM_TO_UINT16(sdu_length, p);
	846	+
838	847	/* Check the SDU Length with local MTU size */
839	848	if (sdu_length > p_ccb->local_conn_cfg.mtu) {
840	849	/* Discard the buffer */

		@@ -842,6 +851,9 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
842	851	return;
843	852	}
844	853
	854	+ p_buf->len -= sizeof(sdu_length);
	855	+ p_buf->offset += sizeof(sdu_length);
	856	+
845	857	if (sdu_length < p_buf->len) {
846	858	L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
847	859	android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);

		@@ -860,8 +872,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
860	872	p_data->len = 0;
861	873	p_ccb->ble_sdu_length = sdu_length;
862	874	L2CAP_TRACE_DEBUG("%s SDU Length = %d", __func__, sdu_length);
863		- p_buf->len -= sizeof(sdu_length);
864		- p_buf->offset += sizeof(sdu_length);
865	875	p_data->offset = 0;
866	876
867	877	} else {

--- a/stack/l2cap/l2c_main.cc

+++ b/stack/l2cap/l2c_main.cc

		@@ -471,7 +471,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
471	471	switch (cfg_code & 0x7F) {
472	472	case L2CAP_CFG_TYPE_MTU:
473	473	cfg_info.mtu_present = true;
474		- if (p + 2 > p_next_cmd) {
	474	+ if (cfg_len != 2) {
	475	+ android_errorWriteLog(0x534e4554, "119870451");
	476	+ return;
	477	+ }
	478	+ if (p + cfg_len > p_next_cmd) {
475	479	android_errorWriteLog(0x534e4554, "74202041");
476	480	return;
477	481	}

		@@ -480,7 +484,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
480	484
481	485	case L2CAP_CFG_TYPE_FLUSH_TOUT:
482	486	cfg_info.flush_to_present = true;
483		- if (p + 2 > p_next_cmd) {
	487	+ if (cfg_len != 2) {
	488	+ android_errorWriteLog(0x534e4554, "119870451");
	489	+ return;
	490	+ }
	491	+ if (p + cfg_len > p_next_cmd) {
484	492	android_errorWriteLog(0x534e4554, "74202041");
485	493	return;
486	494	}

		@@ -489,7 +497,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
489	497
490	498	case L2CAP_CFG_TYPE_QOS:
491	499	cfg_info.qos_present = true;
492		- if (p + 2 + 5 * 4 > p_next_cmd) {
	500	+ if (cfg_len != 2 + 5 * 4) {
	501	+ android_errorWriteLog(0x534e4554, "119870451");
	502	+ return;
	503	+ }
	504	+ if (p + cfg_len > p_next_cmd) {
493	505	android_errorWriteLog(0x534e4554, "74202041");
494	506	return;
495	507	}

		@@ -504,7 +516,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
504	516
505	517	case L2CAP_CFG_TYPE_FCR:
506	518	cfg_info.fcr_present = true;
507		- if (p + 3 + 3 * 2 > p_next_cmd) {
	519	+ if (cfg_len != 3 + 3 * 2) {
	520	+ android_errorWriteLog(0x534e4554, "119870451");
	521	+ return;
	522	+ }
	523	+ if (p + cfg_len > p_next_cmd) {
508	524	android_errorWriteLog(0x534e4554, "74202041");
509	525	return;
510	526	}

		@@ -518,7 +534,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
518	534
519	535	case L2CAP_CFG_TYPE_FCS:
520	536	cfg_info.fcs_present = true;
521		- if (p + 1 > p_next_cmd) {
	537	+ if (cfg_len != 1) {
	538	+ android_errorWriteLog(0x534e4554, "119870451");
	539	+ return;
	540	+ }
	541	+ if (p + cfg_len > p_next_cmd) {
522	542	android_errorWriteLog(0x534e4554, "74202041");
523	543	return;
524	544	}

		@@ -527,7 +547,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
527	547
528	548	case L2CAP_CFG_TYPE_EXT_FLOW:
529	549	cfg_info.ext_flow_spec_present = true;
530		- if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
	550	+ if (cfg_len != 2 + 2 + 3 * 4) {
	551	+ android_errorWriteLog(0x534e4554, "119870451");
	552	+ return;
	553	+ }
	554	+ if (p + cfg_len > p_next_cmd) {
531	555	android_errorWriteLog(0x534e4554, "74202041");
532	556	return;
533	557	}

--- a/stack/l2cap/l2c_utils.cc

+++ b/stack/l2cap/l2c_utils.cc

		@@ -804,6 +804,9 @@ void l2cu_send_peer_config_rej(tL2C_CCB* p_ccb, uint8_t* p_data,
804	804	case L2CAP_CFG_TYPE_MTU:
805	805	case L2CAP_CFG_TYPE_FLUSH_TOUT:
806	806	case L2CAP_CFG_TYPE_QOS:
	807	+ case L2CAP_CFG_TYPE_FCR:
	808	+ case L2CAP_CFG_TYPE_FCS:
	809	+ case L2CAP_CFG_TYPE_EXT_FLOW:
807	810	p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
808	811	break;
809	812

--- a/stack/smp/smp_act.cc

+++ b/stack/smp/smp_act.cc

		@@ -335,7 +335,7 @@ void smp_send_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
335	335	* Description send encryption information command.
336	336	******************************************************************************/
337	337	void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
338		- tBTM_LE_LENC_KEYS le_key;
	338	+ tBTM_LE_KEY_VALUE le_key;
339	339
340	340	SMP_TRACE_DEBUG("%s: p_cb->loc_enc_size = %d", __func__, p_cb->loc_enc_size);
341	341	smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);

		@@ -344,15 +344,14 @@ void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
344	344	smp_send_cmd(SMP_OPCODE_MASTER_ID, p_cb);
345	345
346	346	/* save the DIV and key size information when acting as slave device */
347		- memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
348		- le_key.div = p_cb->div;
349		- le_key.key_size = p_cb->loc_enc_size;
350		- le_key.sec_level = p_cb->sec_level;
	347	+ memcpy(le_key.lenc_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
	348	+ le_key.lenc_key.div = p_cb->div;
	349	+ le_key.lenc_key.key_size = p_cb->loc_enc_size;
	350	+ le_key.lenc_key.sec_level = p_cb->sec_level;
351	351
352	352	if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
353	353	(p_cb->loc_auth_req & SMP_AUTH_BOND))
354		- btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC,
355		- (tBTM_LE_KEY_VALUE*)&le_key, true);
	354	+ btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &le_key, true);
356	355
357	356	SMP_TRACE_WARNING("%s", __func__);
358	357

		@@ -384,17 +383,16 @@ void smp_send_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
384	383	* Description send CSRK command.
385	384	******************************************************************************/
386	385	void smp_send_csrk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
387		- tBTM_LE_LCSRK_KEYS key;
	386	+ tBTM_LE_KEY_VALUE key;
388	387	SMP_TRACE_DEBUG("%s", __func__);
389	388	smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, false);
390	389
391	390	if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) {
392		- key.div = p_cb->div;
393		- key.sec_level = p_cb->sec_level;
394		- key.counter = 0; /* initialize the local counter */
395		- memcpy(key.csrk, p_cb->csrk, BT_OCTET16_LEN);
396		- btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK,
397		- (tBTM_LE_KEY_VALUE*)&key, true);
	391	+ key.lcsrk_key.div = p_cb->div;
	392	+ key.lcsrk_key.sec_level = p_cb->sec_level;
	393	+ key.lcsrk_key.counter = 0; /* initialize the local counter */
	394	+ memcpy(key.lcsrk_key.csrk, p_cb->csrk, BT_OCTET16_LEN);
	395	+ btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, &key, true);
398	396	}
399	397
400	398	smp_key_distribution_by_transport(p_cb, NULL);

		@@ -917,7 +915,7 @@ void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
917	915	******************************************************************************/
918	916	void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
919	917	uint8_t* p = (uint8_t*)p_data;
920		- tBTM_LE_PENC_KEYS le_key;
	918	+ tBTM_LE_KEY_VALUE le_key;
921	919
922	920	SMP_TRACE_DEBUG("%s", __func__);
923	921

		@@ -930,18 +928,17 @@ void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
930	928
931	929	smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
932	930
933		- STREAM_TO_UINT16(le_key.ediv, p);
934		- STREAM_TO_ARRAY(le_key.rand, p, BT_OCTET8_LEN);
	931	+ STREAM_TO_UINT16(le_key.penc_key.ediv, p);
	932	+ STREAM_TO_ARRAY(le_key.penc_key.rand, p, BT_OCTET8_LEN);
935	933
936	934	/* store the encryption keys from peer device */
937		- memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
938		- le_key.sec_level = p_cb->sec_level;
939		- le_key.key_size = p_cb->loc_enc_size;
	935	+ memcpy(le_key.penc_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
	936	+ le_key.penc_key.sec_level = p_cb->sec_level;
	937	+ le_key.penc_key.key_size = p_cb->loc_enc_size;
940	938
941	939	if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
942	940	(p_cb->loc_auth_req & SMP_AUTH_BOND))
943		- btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC,
944		- (tBTM_LE_KEY_VALUE*)&le_key, true);
	941	+ btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &le_key, true);
945	942
946	943	smp_key_distribution(p_cb, NULL);
947	944	}

		@@ -972,25 +969,24 @@ void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
972	969	******************************************************************************/
973	970	void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
974	971	uint8_t* p = (uint8_t*)p_data;
975		- tBTM_LE_PID_KEYS pid_key;
	972	+ tBTM_LE_KEY_VALUE pid_key;
976	973
977	974	SMP_TRACE_DEBUG("%s", __func__);
978	975	smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true);
979	976
980		- STREAM_TO_UINT8(pid_key.addr_type, p);
981		- STREAM_TO_BDADDR(pid_key.static_addr, p);
982		- memcpy(pid_key.irk, p_cb->tk, BT_OCTET16_LEN);
	977	+ STREAM_TO_UINT8(pid_key.pid_key.addr_type, p);
	978	+ STREAM_TO_BDADDR(pid_key.pid_key.static_addr, p);
	979	+ memcpy(pid_key.pid_key.irk, p_cb->tk, BT_OCTET16_LEN);
983	980
984	981	/* to use as BD_ADDR for lk derived from ltk */
985	982	p_cb->id_addr_rcvd = true;
986		- p_cb->id_addr_type = pid_key.addr_type;
987		- p_cb->id_addr = pid_key.static_addr;
	983	+ p_cb->id_addr_type = pid_key.pid_key.addr_type;
	984	+ p_cb->id_addr = pid_key.pid_key.static_addr;
988	985
989	986	/* store the ID key from peer device */
990	987	if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
991	988	(p_cb->loc_auth_req & SMP_AUTH_BOND))
992		- btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID,
993		- (tBTM_LE_KEY_VALUE*)&pid_key, true);
	989	+ btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, &pid_key, true);
994	990	smp_key_distribution_by_transport(p_cb, NULL);
995	991	}
996	992

		@@ -999,24 +995,23 @@ void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
999	995	* Description process security information from peer device
1000	996	******************************************************************************/
1001	997	void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1002		- tBTM_LE_PCSRK_KEYS le_key;
	998	+ tBTM_LE_KEY_VALUE le_key;
1003	999
1004	1000	SMP_TRACE_DEBUG("%s", __func__);
1005	1001	smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true);
1006	1002
1007	1003	/* save CSRK to security record */
1008		- le_key.sec_level = p_cb->sec_level;
	1004	+ le_key.pcsrk_key.sec_level = p_cb->sec_level;
1009	1005
1010	1006	/* get peer CSRK */
1011		- maybe_non_aligned_memcpy(le_key.csrk, p_data, BT_OCTET16_LEN);
	1007	+ maybe_non_aligned_memcpy(le_key.pcsrk_key.csrk, p_data, BT_OCTET16_LEN);
1012	1008
1013	1009	/* initialize the peer counter */
1014		- le_key.counter = 0;
	1010	+ le_key.pcsrk_key.counter = 0;
1015	1011
1016	1012	if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1017	1013	(p_cb->loc_auth_req & SMP_AUTH_BOND))
1018		- btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK,
1019		- (tBTM_LE_KEY_VALUE*)&le_key, true);
	1014	+ btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK, &le_key, true);
1020	1015	smp_key_distribution_by_transport(p_cb, NULL);
1021	1016	}
1022	1017

--- a/stack/smp/smp_utils.cc

+++ b/stack/smp/smp_utils.cc

		@@ -1427,25 +1427,23 @@ bool smp_check_commitment(tSMP_CB* p_cb) {
1427	1427	*
1428	1428	******************************************************************************/
1429	1429	void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) {
1430		- tBTM_LE_LENC_KEYS lle_key;
1431		- tBTM_LE_PENC_KEYS ple_key;
	1430	+ tBTM_LE_KEY_VALUE lle_key;
	1431	+ tBTM_LE_KEY_VALUE ple_key;
1432	1432
1433	1433	SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__);
1434		- memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1435		- lle_key.div = 0;
1436		- lle_key.key_size = p_cb->loc_enc_size;
1437		- lle_key.sec_level = p_cb->sec_level;
1438		- btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC,
1439		- (tBTM_LE_KEY_VALUE*)&lle_key, true);
	1434	+ memcpy(lle_key.lenc_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
	1435	+ lle_key.lenc_key.div = 0;
	1436	+ lle_key.lenc_key.key_size = p_cb->loc_enc_size;
	1437	+ lle_key.lenc_key.sec_level = p_cb->sec_level;
	1438	+ btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &lle_key, true);
1440	1439
1441	1440	SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__);
1442		- ple_key.ediv = 0;
1443		- memset(ple_key.rand, 0, BT_OCTET8_LEN);
1444		- memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1445		- ple_key.sec_level = p_cb->sec_level;
1446		- ple_key.key_size = p_cb->loc_enc_size;
1447		- btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC,
1448		- (tBTM_LE_KEY_VALUE*)&ple_key, true);
	1441	+ ple_key.penc_key.ediv = 0;
	1442	+ memset(ple_key.penc_key.rand, 0, BT_OCTET8_LEN);
	1443	+ memcpy(ple_key.penc_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
	1444	+ ple_key.penc_key.sec_level = p_cb->sec_level;
	1445	+ ple_key.penc_key.key_size = p_cb->loc_enc_size;
	1446	+ btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &ple_key, true);
1449	1447	}
1450	1448
1451	1449	/*******************************************************************************

system-bt
Fork

コミット

タグ

コミットメタ情報

ログメッセージ

変更サマリ

差分

system-bt Fork

コミット

タグ

よく使われているワード(クリックで追加)

コミットメタ情報

ログメッセージ

変更サマリ

差分

system-bt
Fork