List of commits

system/bt


Rev. Time Author
966d244 cm-14.1-x86 2019-10-22 16:39:42 Chih-Wei Huang

Merge remote-tracking branch 'cm/cm-14.1' into cm-14.1-x86

090fae0 2019-10-22 16:37:45 Chih-Wei Huang

Merge remote-tracking branch 'x86/nougat-x86' into cm-14.1-x86

9249baa 2019-10-15 17:35:09 Alistair Strachan

Fall back to CLOCK_BOOTTIME if CLOCK_BOOTTIME_ALARM fails

If the cuttlefish device does not have an rtc device (such as the crosvm
VMM) the bt osi layer can promote crashes due to it not being able to
create a CLOCK_BOOTTIME_ALARM timer. Bring back a fallback but enable it
at runtime instead of compile time.

Bug: 126955943
Test: run with cuttlefish
Change-Id: I3ab0282b3e8fde776aa7b37d5772c8f62cf957bf

06dd686 2019-08-08 00:09:29 Jakub Pawlowski

DO NOT MERGE Fix for Bluetooth connection being dropped after HCI Read Encryption Key Size

If remote device stops the encryption before we call "Read Encryption Key Size",
we might receive Insufficient Security, which means that link is no longer
encrypted.

In such cases we should stay connected, rather than disconnecting the
link.

Test: Connect to device that stops encryption right after encryption is
complete, i.e. to change roles.
Bug: 124301137
Bug: 132626699

Change-Id: Iab0fd9f357d18a6b048b971d0393fbb47fd4d793
Merged-In: Iab0fd9f357d18a6b048b971d0393fbb47fd4d793
(cherry picked from commit c5aa5feebf558df160772fefaf271a6f3251e261)

cbe04cc 2019-08-08 00:09:23 Jakub Pawlowski

DO NOT MERGE Send HCI Read Encryption Key properly

This patch fixes bad HCI command being sent instead of Read Encryption
Key Size.

Bug: 124301137
Test: pair and connect with Bluetooth headset
Change-Id: If325ef2771ca1546ae58df7c684f66ae537b8573
(cherry picked from commit a3cc7575f9ce644a3dfceee61ab7b4b206a3982e)

fc2ca9e 2019-08-08 00:09:23 Jakub Pawlowski

DO NOT MERGE Drop Bluetooth connection with weak encryption key

This patch requires Bluetooth chip to support HCI Read Encryption Key Size
command and will cause Bluetooth to crash if this command is not supported
on a device. Such device should not take this patch and should look for
alternative solution to drop Bluetooth connection with weak encryption key.

Bug: 124301137
Change-Id: Id4b6b4e765628397a79e6806f45c2cd27acebd5b
(cherry picked from commit 027532b3678e3d50ed41270d747df5eb06bc6a8d)

1955a18 2019-07-04 02:12:52 Ted Wang

Fix potential OOB read in sdpu_get_len_from_type

Add boundary check in sdpu_get_len_from_type to prevent potential OOB read.

Bug: 117105007
Test: Manual
Merged-In: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
Change-Id: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
(cherry picked from commit 1243f8da338dadfe2a3c281a08297b431402d41c)
(cherry picked from commit 4d8e1d63e1a2116c47702d38d858f5a742e8292f)

7561a38 2019-06-06 22:05:13 Jakub Pawlowski

DO NOT MERGE Don't persist bonds using sample LTK

Test: compilation, manual testing
Bug: 128843052
Change-Id: I52fd484d42bf87e96dbc9e6456090f231ed48111
(cherry picked from commit c0fb2a25f92848f4d78f72d31e9705e29e6f5ca8)

7526f67 2019-04-04 13:31:47 Hansong Zhang

btm_proc_smp_cback: Don't access p_dev_rec if freed

In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free

Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
(cherry picked from commit 953dd279502980b1d8d30656eb78c6445a6e31f7)

5b836f3 2019-04-04 13:27:56 Hansong Zhang

process_l2cap_cmd: Fix OOB

Bug: 119870451
Test: POC
Change-Id: I2f5e7fedd9aed96c4ffc55af79fdac61c2e5b087
Merged-In: I5131bbf9cda6248fdbbc4bb91916b2fe3731246e
(cherry picked from commit 94fd011bc9a72081cc691ed7d6e6eec42e9f4539)

00ed144 2019-03-05 14:56:10 Stanley Tng

DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu

Add check to make sure that data buffer is big enough to read the 2
bytes for length.

Also, fix a regression from the previous CL that checks the buffer length
before doing a memcpy. The previous check is too strict causing valid
sized buffers to be rejected. The length check is incorrect and off by the header size.

Bug: 120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
(cherry picked from commit fcb1994de1f6ee34b8dc6804a2b32e20bf138073)
(cherry picked from commit 1f1d8b97d80d25023c4c7b04d2aa18d367f4158d)
(cherry picked from commit 6b2739f309f7719086eb8201b3e1a35ba60035f4)
(cherry picked from commit c1fcbd5508a75ae3eaf5f311d706d026fee2fe48)

828e5e1 2019-02-21 13:37:26 Jakub Pawlowski

Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm

Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df)

a1ffc4b 2019-02-21 13:37:12 Jakub Pawlowski

Fix buffer overflow in btif_dm_data_copy

When we use a union, we should always define variables as the union type,
not as one of the field subtypes. If the latter is cast to the union type,
buffer overflow can happen.

Bug: 110166268
Test: compilation
Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd
Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd
(cherry picked from commit ea90417d9965aec1c475418ca8f8f305af12de2d)

c80e1d3 2019-02-07 14:59:23 Ugo Yu

Fix possible OOB when AVDT data channel receive ACL data

Bug: 111450156

Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af)
(cherry picked from commit ad4098c340b52acdb0f48fd3e2612d810e71f4c4)

64a5fc1 2019-01-18 19:52:46 Myles Watson

MCAP: Check response length in mca_ccb_hdl_rsp

Bug: 116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit 0ab53ca2af26f70126d6d9d6600d090a720758fa)

c5e276f 2019-01-18 19:52:46 Myles Watson

HH: Check parameter length in bta_hh_ctrl_dat_act

Bug: 116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit b8fbe73f0d32686e8393bfe07a84b6f0e8829caf)

93f1060 2019-01-18 19:52:46 Myles Watson

SDP: Check p_end in save_attr_seq and add_attr

Bug: 115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit b8a5081b00fc9730092d8392786f3f4e659cb602)

3f6bf7f 2019-01-18 19:52:45 Chienyuan

HFP: Check AT command buffer boundary during parsing

* add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback
  and bta_ag_at_hfp_cback to indicate effective data range of p_arg
* add checks for buffer copy overflow in bta_ag_at_hsp_cback and
  bta_ag_at_hfp_cback
* add packet length checks with p_end in bta_ag_parse_cmer
* add packet length checks with p_end in bta_ag_parse_bac

Bug: 112860487
Test: testplans/details/218593/3975
Change-Id: I6bbbc2ba29ad025c7d3ba023d8191af6a11c4aa9
(cherry picked from commit 28ddbe904bd15c9636063f5431a9360d8e9df8b9)

989542c 2018-12-05 01:24:39 Jakub Pawlowski

Fix possible OOB read

Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad)

e88c30b 2018-12-05 01:21:12 Ugo Yu

DO NOT MERGE - Check SDU lower bound before allocate p_data

Bug: 112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit 6fc96f847be808a4f38eae45b5e9bbc3f18b9a2d)

9f58bf0 2018-11-13 03:11:10 Pavlin Radoslavov

Check data length when parsing AVRCP vendor specific command responses

Bug: 111450531
Bug: 111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)

6562ba7 2018-11-13 03:10:55 Marie Janssen

AVRCP: unify Get{Element,Item}Attributes response.

GetElementAttributes response and GetItemAttributes response share the
same format and require the same checks for length.

Test: play media on carkit, see media. especially with long items.
Bug: 32407250
Bug: 30571638
Change-Id: I8623e7d662f7a39112b7527b6f5ab63c5e32379c

84055cd 2018-11-08 04:01:05 Pavlin Radoslavov

Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()

Bug: 111450417
Test: PoC test program
Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
(cherry picked from commit 1c14e10cac53d5a5724dcf34c5679ad8819f9442)
(cherry picked from commit f779ebe368d245c0d9ac954cf7b2b102e7da56be)

a30608f 2018-10-08 17:42:14 Cheney Ni

Checks the SMP length to fix OOB read

Bug: 111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
(cherry picked from commit fceb753bda651c4135f3f93a510e5fcb4c7542b8)

278dab1 2018-10-08 17:42:13 Ugo Yu

Add packet length check in smp_proc_master_id

Bug: 111937027
Test: manual

Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075
(cherry picked from commit c8294662d07a98e9b8b1cab1ab681ec0805ce4e8)

a56df40 2018-10-08 17:42:11 Ugo Yu

DO NOT MERGE Fix OOB read before buffer length check

Bug: 111936834
Test: manual
Change-Id: Ib98528fb62db0d724ebd9112d071e367f78e369d
(cherry picked from commit 4548f34c90803c6544f6bed03399f2eabeab2a8e)

798d776 2018-10-08 17:42:10 Chienyuan

Check packet length in bta_av_proc_meta_cmd

Bug: 111893951
Test: manual - connect A2DP
Change-Id: Ibbf347863dfd29ea3385312e9dde1082bc90d2f3
(cherry picked from commit ed51887f921263219bcd2fbf6650ead5ec8d334e)

f9614ab 2018-10-08 17:42:09 Pavlin Radoslavov

Add missing AVRCP message length checks inside avrc_msg_cback

Explicitly check the length of the received message before
accessing the data.

Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
(cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)

589796b 2018-10-08 17:42:07 Cheney Ni

Add packet length checks in mca_ccb_hdl_req

Bug: 110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
(cherry picked from commit 4de7ccdd914b7a178df9180d15f675b257ea6e02)

1dc2f7b 2018-10-08 17:42:06 Hansong Zhang

Fix a wrong check in rfc_parse_data

Bug: 78288018
Bug: 111436796
Test: manual
Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a
(cherry picked from commit d1ced302cd1066087588c891027b1756be31db46)