
system/bt


コミットメタ情報

リビジョン247c64ee940b88cb7c14c857cb8630b8f3f1a979 (tree)
日時2019-11-23 04:12:19
作者Adam Seaton <aseaton@goog...>
コミッターMyles Watson

ログメッセージ

Revert "Fix potential OOB write in btm_read_remote_ext_features_complete"

This reverts commit efcedeb60ea270cf6be228a88da4cf3bad65975c.

Reason for revert: reverting from release branches due to functional regressions in Auto.

Bug: 144205318
Change-Id: I80d7fb4f910e6c5c88668141e83ca48401151496

変更サマリ

差分

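--- a/stack/btm/btm_acl.cc
+++ b/stack/btm/btm_acl.cc
@@ -1084,7 +1084,7 @@ void btm_read_remote_features_complete(uint8_t* p) {
 * Returns void
 *
 ******************************************************************************/
-void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {
+void btm_read_remote_ext_features_complete(uint8_t* p) {
 tACL_CONN* p_acl_cb;
 uint8_t page_num, max_page;
 uint16_t handle;
@@ -1092,14 +1092,6 @@ void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {
 
 BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete");
 
- if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) {
- android_errorWriteLog(0x534e4554, "141552859");
- BTM_TRACE_ERROR(
- "btm_read_remote_ext_features_complete evt length too short. length=%d",
- evt_len);
- return;
- }
-
 ++p;
 STREAM_TO_UINT16(handle, p);
 STREAM_TO_UINT8(page_num, p);
@@ -1119,13 +1111,6 @@ void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {
 return;
 }
 
- if (page_num > max_page) {
- android_errorWriteLog(0x534e4554, "141552859");
- BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid",
- page_num);
- return;
- }
-
 p_acl_cb = &btm_cb.acl_db[acl_idx];
 
 /* Copy the received features page */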
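Review bot: After this revert `page_num` goes from `STREAM_TO_UINT8(page_num, p)` to the "Copy the received features page" step at the end of the third hunk with no upper bound, and nothing checks that the event is long enough before `++p` and the stream reads. The commit message gives functional regressions as the reason, so if the `page_num > max_page` comparison was what rejected valid events (an inference; the page does not say which check misfired), a narrower guard against the capacity of the per-connection feature-page array could stay, e.g. `if (page_num > HCI_EXT_FEATURES_PAGE_MAX) return;` (assuming the array is sized from that constant in hcidefs.h), keeping the `android_errorWriteLog(0x534e4554, "141552859")` line so the condition is still reported. The same length gap now applies on the caller side in stack/btu/btu_hcif.cc, where `hci_evt_len` is no longer passed to `btu_hcif_read_rmt_ext_features_comp_evt`. The function body starts and ends outside these hunks, so the copy itself is not visible here.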
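--- a/stack/btm/btm_int.h
+++ b/stack/btm/btm_int.h
@@ -119,7 +119,7 @@ extern uint16_t btm_get_acl_disc_reason_code(void);
 extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr,
 tBT_TRANSPORT transport);
 extern void btm_read_remote_features_complete(uint8_t* p);
-extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len);
+extern void btm_read_remote_ext_features_complete(uint8_t* p);
 extern void btm_read_remote_ext_features_failed(uint8_t status,
 uint16_t handle);
 extern void btm_read_remote_version_complete(uint8_t* p);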
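--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -75,8 +75,7 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p);
 static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len);
 static void btu_hcif_encryption_change_evt(uint8_t* p);
 static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p);
-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
- uint8_t evt_len);
+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p);
 static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p);
 static void btu_hcif_qos_setup_comp_evt(uint8_t* p);
 static void btu_hcif_command_complete_evt(BT_HDR* response, void* context);
@@ -296,7 +295,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) {
 btu_hcif_read_rmt_features_comp_evt(p);
 break;
 case HCI_READ_RMT_EXT_FEATURES_COMP_EVT:
- btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len);
+ btu_hcif_read_rmt_ext_features_comp_evt(p);
 break;
 case HCI_READ_RMT_VERSION_COMP_EVT:
 btu_hcif_read_rmt_version_comp_evt(p);
@@ -1212,8 +1211,7 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) {
 * Returns void
 *
 ******************************************************************************/
-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
- uint8_t evt_len) {
+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
 uint8_t* p_cur = p;
 uint8_t status;
 uint16_t handle;
@@ -1221,7 +1219,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
 STREAM_TO_UINT8(status, p_cur);
 
 if (status == HCI_SUCCESS)
- btm_read_remote_ext_features_complete(p, evt_len);
+ btm_read_remote_ext_features_complete(p);
 else {
 STREAM_TO_UINT16(handle, p_cur);
 btm_read_remote_ext_features_failed(status, handle);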
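--- a/stack/include/hcidefs.h
+++ b/stack/include/hcidefs.h
@@ -1323,8 +1323,6 @@ typedef struct {
 
 #define HCI_FEATURE_BYTES_PER_PAGE 8
 
-#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13
-
 #define HCI_FEATURES_KNOWN(x) \
 (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0)
 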