OSDN > Developer > cody_gibson > Chambre > system-bt > Commit

system-bt
Fork

Origine de Fork: android-x86 / system-bt

R/O
HTTP
SSH
HTTPS

Commit

Commit MetaInfo

Révision	8d930b9143c201787699beb7be0b47fd66699db7 (tree)
l'heure	2020-03-16 19:40:40
Auteur	Chih-Wei Huang <cwhuang@linu...>
Commiter	Chih-Wei Huang

Message de Log

Android 8.1.0 release 74
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCXl1rEAAKCRDorT+BmrEO
eLxvAJ9ujZEpIPtet+3JnxDojMQ7nqiVDwCdGgo6yyOaaSb2niJMkybWw99Ze4M=
=VLUH
-----END PGP SIGNATURE-----

Merge tag 'android-8.1.0_r74' into oreo-x86

Android 8.1.0 release 74

Change Summary

modified: btcore/src/device_class.cc (diff)
modified: btcore/test/device_class_test.cc (diff)
modified: btif/include/btif_dm.h (diff)
modified: btif/src/btif_dm.cc (diff)
modified: hci/src/packet_fragmenter.cc (diff)
modified: service/low_energy_client.cc (diff)
modified: stack/btm/btm_acl.cc (diff)
modified: stack/btm/btm_int.h (diff)
modified: stack/btu/btu_hcif.cc (diff)
modified: stack/include/hcidefs.h (diff)
modified: stack/sdp/sdp_discovery.cc (diff)

Modification

--- a/btcore/src/device_class.cc

+++ b/btcore/src/device_class.cc

		@@ -87,7 +87,9 @@ void device_class_from_int(bt_device_class_t* dc, int data) {
87	87	int device_class_to_int(const bt_device_class_t* dc) {
88	88	CHECK(dc != NULL);
89	89	// Careful with endianess.
90		- return (int)(le32toh((int)dc) & 0xffffff);
	90	+ int val = 0;
	91	+ memcpy(&val, dc, sizeof(*dc));
	92	+ return static_cast<int>(le32toh(val) & 0xffffff);
91	93	}
92	94
93	95	bool device_class_equals(const bt_device_class_t* p1,

--- a/btcore/test/device_class_test.cc

+++ b/btcore/test/device_class_test.cc

		@@ -22,9 +22,6 @@
22	22
23	23	#include "btcore/include/device_class.h"
24	24
25		-// Device Class is 3 bytes.
26		-static const int DC_MASK = 0xffffff;
27		-
28	25	::testing::AssertionResult check_bitfield(const char* m_expr,
29	26	const char* n_expr, int m, int n) {
30	27	if (m == n) return ::testing::AssertionSuccess();

		@@ -84,8 +81,9 @@ TEST_F(DeviceClassTest, to_stream) {
84	81	int rc = device_class_to_stream(&dc, dc_stream1, sizeof(dc_stream1));
85	82	EXPECT_EQ(3, rc);
86	83
87		- uint32_t* val = (uint32_t*)&dc;
88		- EXPECT_PRED_FORMAT2(check_bitfield, 0x00000000, *val & 0xffffff);
	84	+ uint32_t val = 0;
	85	+ memcpy(&val, &dc, sizeof(dc));
	86	+ EXPECT_PRED_FORMAT2(check_bitfield, 0x00000000, val);
89	87
90	88	EXPECT_PRED_FORMAT2(check_bitfield, 0x00, dc_stream1[0]);
91	89	EXPECT_PRED_FORMAT2(check_bitfield, 0x00, dc_stream1[1]);

		@@ -101,8 +99,9 @@ TEST_F(DeviceClassTest, to_stream) {
101	99
102	100	int rc = device_class_to_stream(&dc, dc_stream1, sizeof(dc_stream1));
103	101	EXPECT_EQ(3, rc);
104		- uint32_t* val = (uint32_t*)&dc;
105		- EXPECT_PRED_FORMAT2(check_bitfield, 0x00aa55aa, *val & 0xffffff);
	102	+ uint32_t val = 0;
	103	+ memcpy(&val, &dc, sizeof(dc));
	104	+ EXPECT_PRED_FORMAT2(check_bitfield, 0x00aa55aa, val);
106	105
107	106	EXPECT_PRED_FORMAT2(check_bitfield, 0xaa, dc_stream1[0]);
108	107	EXPECT_PRED_FORMAT2(check_bitfield, 0x55, dc_stream1[1]);

		@@ -118,8 +117,9 @@ TEST_F(DeviceClassTest, to_stream) {
118	117
119	118	int rc = device_class_to_stream(&dc, dc_stream1, sizeof(dc_stream1));
120	119	EXPECT_EQ(3, rc);
121		- uint32_t* val = (uint32_t*)&dc;
122		- EXPECT_PRED_FORMAT2(check_bitfield, 0x452301, *val & 0xffffff);
	120	+ uint32_t val = 0;
	121	+ memcpy(&val, &dc, sizeof(dc));
	122	+ EXPECT_PRED_FORMAT2(check_bitfield, 0x452301, val);
123	123
124	124	EXPECT_PRED_FORMAT2(check_bitfield, 0x01, dc_stream1[0]);
125	125	EXPECT_PRED_FORMAT2(check_bitfield, 0x23, dc_stream1[1]);

		@@ -131,24 +131,33 @@ TEST_F(DeviceClassTest, limited_discoverable_mode) {
131	131	uint8_t dc_stream[] = {0x00, 0x00, 0x00};
132	132	bt_device_class_t dc;
133	133	device_class_from_stream(&dc, dc_stream);
134		- uint32_t* test = (uint32_t*)&dc;
	134	+ uint32_t test = 0;
	135	+ memcpy(&test, &dc, sizeof(dc));
135	136
136	137	EXPECT_FALSE(device_class_get_limited(&dc));
137		- EXPECT_EQ((unsigned)0x00000000, *test & DC_MASK);
	138	+ EXPECT_EQ((unsigned)0x00000000, test);
138	139
139	140	device_class_set_limited(&dc, true);
	141	+ test = 0;
	142	+ memcpy(&test, &dc, sizeof(dc));
140	143	EXPECT_TRUE(device_class_get_limited(&dc));
141		- EXPECT_EQ((unsigned)0x00002000, *test & DC_MASK);
	144	+ EXPECT_EQ((unsigned)0x00002000, test);
142	145
143	146	device_class_set_limited(&dc, false);
	147	+ test = 0;
	148	+ memcpy(&test, &dc, sizeof(dc));
144	149	EXPECT_FALSE(device_class_get_limited(&dc));
145		- EXPECT_EQ((unsigned)0x00000000, *test & DC_MASK);
	150	+ EXPECT_EQ((unsigned)0x00000000, test);
146	151
147	152	device_class_set_limited(&dc, true);
148		- EXPECT_PRED_FORMAT2(check_bitfield, 0x00002000, *test & DC_MASK);
	153	+ test = 0;
	154	+ memcpy(&test, &dc, sizeof(dc));
	155	+ EXPECT_PRED_FORMAT2(check_bitfield, 0x00002000, test);
149	156
150	157	device_class_set_limited(&dc, false);
151		- EXPECT_PRED_FORMAT2(check_bitfield, 0x00000000, *test & DC_MASK);
	158	+ test = 0;
	159	+ memcpy(&test, &dc, sizeof(dc));
	160	+ EXPECT_PRED_FORMAT2(check_bitfield, 0x00000000, test);
152	161	}
153	162
154	163	TEST_F(DeviceClassTest, equals) {

--- a/btif/include/btif_dm.h

+++ b/btif/include/btif_dm.h

		@@ -100,7 +100,7 @@ void btif_dm_load_ble_local_keys(void);
100	100	void btif_dm_get_ble_local_keys(tBTA_DM_BLE_LOCAL_KEY_MASK* p_key_mask,
101	101	BT_OCTET16 er,
102	102	tBTA_BLE_LOCAL_ID_KEYS* p_id_keys);
103		-void btif_dm_save_ble_bonding_keys(void);
	103	+void btif_dm_save_ble_bonding_keys(RawAddress& bd_addr);
104	104	void btif_dm_remove_ble_bonding_keys(void);
105	105	void btif_dm_ble_sec_req_evt(tBTA_DM_BLE_SEC_REQ* p_ble_req);
106	106

--- a/btif/src/btif_dm.cc

+++ b/btif/src/btif_dm.cc

		@@ -183,6 +183,7 @@ typedef struct {
183	183	#define BTA_SERVICE_ID_TO_SERVICE_MASK(id) (1 << (id))
184	184
185	185	#define UUID_HUMAN_INTERFACE_DEVICE "00001124-0000-1000-8000-00805f9b34fb"
	186	+#define UUID_EMPTY "00000000-0000-0000-0000-000000000000"
186	187
187	188	#define MAX_BTIF_BOND_EVENT_ENTRIES 15
188	189

		@@ -261,6 +262,11 @@ static bool is_empty_128bit(uint8_t* data) {
261	262	return !memcmp(zero, data, sizeof(zero));
262	263	}
263	264
	265	+static bool is_bonding_or_sdp() {
	266	+ return pairing_cb.state == BT_BOND_STATE_BONDING \|\|
	267	+ (pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts);
	268	+}
	269	+
264	270	static void btif_dm_data_copy(uint16_t event, char* dst, char* src) {
265	271	tBTA_DM_SEC* dst_dm_sec = (tBTA_DM_SEC*)dst;
266	272	tBTA_DM_SEC* src_dm_sec = (tBTA_DM_SEC*)src;

		@@ -487,8 +493,6 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr,
487	493	bt_bond_state_t state) {
488	494	btif_stats_add_bond_event(bd_addr, BTIF_DM_FUNC_BOND_STATE_CHANGED, state);
489	495
490		- // Send bonding state only once - based on outgoing/incoming we may receive
491		- // duplicates
492	496	if ((pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING)) {
493	497	// Cross key pairing so send callback for static address
494	498	if (!pairing_cb.static_bdaddr.IsEmpty()) {

		@@ -506,14 +510,13 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr,
506	510	auto tmp = bd_addr;
507	511	HAL_CBACK(bt_hal_cbacks, bond_state_changed_cb, status, &tmp, state);
508	512
509		- if (state == BT_BOND_STATE_BONDING) {
	513	+ if (state == BT_BOND_STATE_BONDING \|\|
	514	+ (state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts > 0)) {
	515	+ // Save state for the device is bonding or SDP.
510	516	pairing_cb.state = state;
511	517	pairing_cb.bd_addr = bd_addr;
512	518	} else {
513		- if (!pairing_cb.sdp_attempts)
514		- memset(&pairing_cb, 0, sizeof(pairing_cb));
515		- else
516		- BTIF_TRACE_DEBUG("%s: BR-EDR service discovery active", __func__);
	519	+ pairing_cb = {};
517	520	}
518	521	}
519	522

		@@ -947,21 +950,12 @@ static void btif_dm_ssp_cfm_req_evt(tBTA_DM_SP_CFM_REQ* p_ssp_cfm_req) {
947	950
948	951	/* If JustWorks auto-accept */
949	952	if (p_ssp_cfm_req->just_works) {
950		- /* Pairing consent for JustWorks needed if:
951		- * 1. Incoming (non-temporary) pairing is detected AND
952		- * 2. local IO capabilities are DisplayYesNo AND
953		- * 3. remote IO capabiltiies are DisplayOnly or NoInputNoOutput;
	953	+ /* Pairing consent for JustWorks NOT needed if:
	954	+ * 1. Incoming temporary pairing is detected
954	955	*/
955		- if (is_incoming && pairing_cb.bond_type != BOND_TYPE_TEMPORARY &&
956		- ((p_ssp_cfm_req->loc_io_caps == HCI_IO_CAP_DISPLAY_YESNO) &&
957		- (p_ssp_cfm_req->rmt_io_caps == HCI_IO_CAP_DISPLAY_ONLY \|\|
958		- p_ssp_cfm_req->rmt_io_caps == HCI_IO_CAP_NO_IO))) {
	956	+ if (is_incoming && pairing_cb.bond_type == BOND_TYPE_TEMPORARY) {
959	957	BTIF_TRACE_EVENT(
960		- "%s: User consent needed for incoming pairing request. loc_io_caps: "
961		- "%d, rmt_io_caps: %d",
962		- __func__, p_ssp_cfm_req->loc_io_caps, p_ssp_cfm_req->rmt_io_caps);
963		- } else {
964		- BTIF_TRACE_EVENT("%s: Auto-accept JustWorks pairing", __func__);
	958	+ "%s: Auto-accept JustWorks pairing for temporary incoming", __func__);
965	959	btif_dm_ssp_reply(&bd_addr, BT_SSP_VARIANT_CONSENT, true, 0);
966	960	return;
967	961	}

		@@ -1121,6 +1115,17 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) {
1121	1115
1122	1116	/* Trigger SDP on the device */
1123	1117	pairing_cb.sdp_attempts = 1;
	1118	+
	1119	+ if (is_crosskey) {
	1120	+ // If bonding occurred due to cross-key pairing, send bonding callback
	1121	+ // for static address now
	1122	+ LOG_INFO(LOG_TAG,
	1123	+ "%s: send bonding state update for static address %s",
	1124	+ __func__, bd_addr.ToString().c_str());
	1125	+ bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDING);
	1126	+ }
	1127	+ bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED);
	1128	+
1124	1129	btif_dm_get_remote_services(bd_addr);
1125	1130	}
1126	1131	}

		@@ -1378,9 +1383,9 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) {
1378	1383
1379	1384	BTIF_TRACE_DEBUG("%s:(result=0x%x, services 0x%x)", __func__,
1380	1385	p_data->disc_res.result, p_data->disc_res.services);
1381		- if ((p_data->disc_res.result != BTA_SUCCESS) &&
1382		- (pairing_cb.state == BT_BOND_STATE_BONDING) &&
1383		- (pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING)) {
	1386	+ if (p_data->disc_res.result != BTA_SUCCESS &&
	1387	+ pairing_cb.state == BT_BOND_STATE_BONDED &&
	1388	+ pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING) {
1384	1389	BTIF_TRACE_WARNING("%s:SDP failed after bonding re-attempting",
1385	1390	__func__);
1386	1391	pairing_cb.sdp_attempts++;

		@@ -1405,21 +1410,38 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) {
1405	1410	/* onUuidChanged requires getBondedDevices to be populated.
1406	1411	** bond_state_changed needs to be sent prior to remote_device_property
1407	1412	*/
1408		- if ((pairing_cb.state == BT_BOND_STATE_BONDING) &&
	1413	+ if ((pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts) &&
1409	1414	(p_data->disc_res.bd_addr == pairing_cb.bd_addr \|\|
1410		- p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) &&
1411		- pairing_cb.sdp_attempts > 0) {
1412		- BTIF_TRACE_DEBUG(
1413		- "%s Remote Service SDP done. Call bond_state_changed_cb BONDED",
1414		- __func__);
	1415	+ p_data->disc_res.bd_addr == pairing_cb.static_bdaddr)) {
	1416	+ LOG_INFO(LOG_TAG, "%s: SDP search done for %s", __func__,
	1417	+ bd_addr.ToString().c_str());
1415	1418	pairing_cb.sdp_attempts = 0;
1416	1419
1417		- // If bonding occured due to cross-key pairing, send bonding callback
1418		- // for static address now
1419		- if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr)
1420		- bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDING);
1421		-
1422		- bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED);
	1420	+ // Both SDP and bonding are done, clear pairing control block
	1421	+ pairing_cb = {};
	1422	+
	1423	+ // Send one empty UUID to Java to unblock pairing intent when SDP failed
	1424	+ // or no UUID is discovered
	1425	+ if (p_data->disc_res.result != BTA_SUCCESS \|\|
	1426	+ p_data->disc_res.num_uuids == 0) {
	1427	+ LOG_INFO(LOG_TAG,
	1428	+ "%s: SDP failed, send empty UUID to unblock bonding %s",
	1429	+ __func__, bd_addr.ToString().c_str());
	1430	+ bt_property_t prop;
	1431	+ bt_uuid_t uuid = {};
	1432	+ char uuid_str[128] = UUID_EMPTY;
	1433	+
	1434	+ string_to_uuid(uuid_str, &uuid);
	1435	+
	1436	+ prop.type = BT_PROPERTY_UUIDS;
	1437	+ prop.val = uuid.uu;
	1438	+ prop.len = MAX_UUID_SIZE;
	1439	+
	1440	+ /* Send the event to the BTIF */
	1441	+ HAL_CBACK(bt_hal_cbacks, remote_device_properties_cb,
	1442	+ BT_STATUS_SUCCESS, &bd_addr, 1, &prop);
	1443	+ break;
	1444	+ }
1423	1445	}
1424	1446
1425	1447	if (p_data->disc_res.num_uuids != 0) {

		@@ -1629,7 +1651,7 @@ static void btif_dm_upstreams_evt(uint16_t event, char* p_param) {
1629	1651	break;
1630	1652
1631	1653	case BTA_DM_BOND_CANCEL_CMPL_EVT:
1632		- if (pairing_cb.state == BT_BOND_STATE_BONDING) {
	1654	+ if (is_bonding_or_sdp()) {
1633	1655	bd_addr = pairing_cb.bd_addr;
1634	1656	btm_set_bond_type_dev(pairing_cb.bd_addr, BOND_TYPE_UNKNOWN);
1635	1657	bond_state_changed((bt_status_t)p_data->bond_cancel_cmpl.result,

		@@ -2277,7 +2299,7 @@ bt_status_t btif_dm_cancel_bond(const RawAddress* bd_addr) {
2277	2299	** 1. Restore scan modes
2278	2300	** 2. special handling for HID devices
2279	2301	*/
2280		- if (pairing_cb.state == BT_BOND_STATE_BONDING) {
	2302	+ if (is_bonding_or_sdp()) {
2281	2303	if (pairing_cb.is_ssp) {
2282	2304	if (pairing_cb.is_le_only) {
2283	2305	BTA_DmBleSecurityGrant(*bd_addr, BTA_DM_SEC_PAIR_NOT_SPT);

		@@ -2469,7 +2491,7 @@ bt_status_t btif_dm_get_remote_services(const RawAddress& remote_addr) {
2469	2491
2470	2492	/*******************************************************************************
2471	2493	*
2472		- * Function btif_dm_get_remote_services_transport
	2494	+ * Function btif_dm_get_remote_services_by_transport
2473	2495	*
2474	2496	* Description Start SDP to get remote services by transport
2475	2497	*

		@@ -2838,7 +2860,7 @@ static void btif_dm_ble_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) {
2838	2860	btif_storage_remove_bonded_device(&bdaddr);
2839	2861	state = BT_BOND_STATE_NONE;
2840	2862	} else {
2841		- btif_dm_save_ble_bonding_keys();
	2863	+ btif_dm_save_ble_bonding_keys(bdaddr);
2842	2864	BTA_GATTC_Refresh(bd_addr);
2843	2865	btif_dm_get_remote_services_by_transport(&bd_addr, BTA_GATT_TRANSPORT_LE);
2844	2866	}

		@@ -2861,6 +2883,10 @@ static void btif_dm_ble_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) {
2861	2883	break;
2862	2884	}
2863	2885	}
	2886	+ if (state == BT_BOND_STATE_BONDED && bd_addr != pairing_cb.static_bdaddr) {
	2887	+ // Report RPA bonding state to Java in crosskey paring
	2888	+ bond_state_changed(status, bd_addr, BT_BOND_STATE_BONDING);
	2889	+ }
2864	2890	bond_state_changed(status, bd_addr, state);
2865	2891	}
2866	2892

		@@ -2907,11 +2933,9 @@ void btif_dm_get_ble_local_keys(tBTA_DM_BLE_LOCAL_KEY_MASK* p_key_mask,
2907	2933	BTIF_TRACE_DEBUG("%s p_key_mask=0x%02x", __func__, p_key_mask);
2908	2934	}
2909	2935
2910		-void btif_dm_save_ble_bonding_keys(void) {
	2936	+void btif_dm_save_ble_bonding_keys(RawAddress& bd_addr) {
2911	2937	BTIF_TRACE_DEBUG("%s", __func__);
2912	2938
2913		- RawAddress bd_addr = pairing_cb.bd_addr;
2914		-
2915	2939	if (pairing_cb.ble.is_penc_key_rcvd) {
2916	2940	btif_storage_add_ble_bonding_key(&bd_addr, (char*)&pairing_cb.ble.penc_key,
2917	2941	BTIF_DM_LE_KEY_PENC,

		@@ -3171,7 +3195,7 @@ bt_status_t btif_le_test_mode(uint16_t opcode, uint8_t* buf, uint8_t len) {
3171	3195
3172	3196	void btif_dm_on_disable() {
3173	3197	/* cancel any pending pairing requests */
3174		- if (pairing_cb.state == BT_BOND_STATE_BONDING) {
	3198	+ if (is_bonding_or_sdp()) {
3175	3199	BTIF_TRACE_DEBUG("%s: Cancel pending pairing request", __func__);
3176	3200	btif_dm_cancel_bond(&pairing_cb.bd_addr);
3177	3201	}

--- a/hci/src/packet_fragmenter.cc

+++ b/hci/src/packet_fragmenter.cc

		@@ -212,7 +212,8 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) {
212	212	"%s got packet which would exceed expected length of %d. "
213	213	"Truncating.",
214	214	__func__, partial_packet->len);
215		- packet->len = partial_packet->len - partial_packet->offset;
	215	+ packet->len =
	216	+ (partial_packet->len - partial_packet->offset) + packet->offset;
216	217	projected_offset = partial_packet->len;
217	218	}
218	219

--- a/service/low_energy_client.cc

+++ b/service/low_energy_client.cc

		@@ -188,8 +188,8 @@ void LowEnergyClient::MtuChangedCallback(
188	188
189	189	if (!bda) return;
190	190
191		- const char* addr = BtAddrString(bda).c_str();
192		- if (delegate_) delegate_->OnMtuChanged(this, status, addr, mtu);
	191	+ std::string addr = BtAddrString(bda);
	192	+ if (delegate_) delegate_->OnMtuChanged(this, status, addr.c_str(), mtu);
193	193	}
194	194
195	195	// LowEnergyClientFactory implementation

--- a/stack/btm/btm_acl.cc

+++ b/stack/btm/btm_acl.cc

		@@ -47,6 +47,7 @@
47	47	#include "device/include/interop.h"
48	48	#include "hcidefs.h"
49	49	#include "hcimsgs.h"
	50	+#include "log/log.h"
50	51	#include "l2c_int.h"
51	52	#include "osi/include/osi.h"
52	53

		@@ -1062,7 +1063,7 @@ void btm_read_remote_features_complete(uint8_t* p) {
1062	1063	* Returns void
1063	1064	*
1064	1065	******************************************************************************/
1065		-void btm_read_remote_ext_features_complete(uint8_t* p) {
	1066	+void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {
1066	1067	tACL_CONN* p_acl_cb;
1067	1068	uint8_t page_num, max_page;
1068	1069	uint16_t handle;

		@@ -1070,6 +1071,14 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
1070	1071
1071	1072	BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete");
1072	1073
	1074	+ if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) {
	1075	+ android_errorWriteLog(0x534e4554, "141552859");
	1076	+ BTM_TRACE_ERROR(
	1077	+ "btm_read_remote_ext_features_complete evt length too short. length=%d",
	1078	+ evt_len);
	1079	+ return;
	1080	+ }
	1081	+
1073	1082	++p;
1074	1083	STREAM_TO_UINT16(handle, p);
1075	1084	STREAM_TO_UINT8(page_num, p);

		@@ -1089,6 +1098,19 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
1089	1098	return;
1090	1099	}
1091	1100
	1101	+ if (page_num > HCI_EXT_FEATURES_PAGE_MAX) {
	1102	+ android_errorWriteLog(0x534e4554, "141552859");
	1103	+ BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid",
	1104	+ page_num);
	1105	+ return;
	1106	+ }
	1107	+
	1108	+ if (page_num > max_page) {
	1109	+ BTM_TRACE_WARNING(
	1110	+ "btm_read_remote_ext_features_complete num_page=%d, max_page=%d "
	1111	+ "invalid", page_num, max_page);
	1112	+ }
	1113	+
1092	1114	p_acl_cb = &btm_cb.acl_db[acl_idx];
1093	1115
1094	1116	/* Copy the received features page */

--- a/stack/btm/btm_int.h

+++ b/stack/btm/btm_int.h

		@@ -117,7 +117,7 @@ extern uint16_t btm_get_acl_disc_reason_code(void);
117	117	extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr,
118	118	tBT_TRANSPORT transport);
119	119	extern void btm_read_remote_features_complete(uint8_t* p);
120		-extern void btm_read_remote_ext_features_complete(uint8_t* p);
	120	+extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len);
121	121	extern void btm_read_remote_ext_features_failed(uint8_t status,
122	122	uint16_t handle);
123	123	extern void btm_read_remote_version_complete(uint8_t* p);

--- a/stack/btu/btu_hcif.cc

+++ b/stack/btu/btu_hcif.cc

		@@ -70,7 +70,8 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p);
70	70	static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len);
71	71	static void btu_hcif_encryption_change_evt(uint8_t* p);
72	72	static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p);
73		-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p);
	73	+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
	74	+ uint8_t evt_len);
74	75	static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p);
75	76	static void btu_hcif_qos_setup_comp_evt(uint8_t* p);
76	77	static void btu_hcif_command_complete_evt(BT_HDR* response, void* context);

		@@ -194,7 +195,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) {
194	195	btu_hcif_read_rmt_features_comp_evt(p);
195	196	break;
196	197	case HCI_READ_RMT_EXT_FEATURES_COMP_EVT:
197		- btu_hcif_read_rmt_ext_features_comp_evt(p);
	198	+ btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len);
198	199	break;
199	200	case HCI_READ_RMT_VERSION_COMP_EVT:
200	201	btu_hcif_read_rmt_version_comp_evt(p);

		@@ -791,7 +792,8 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) {
791	792	* Returns void
792	793	*
793	794	******************************************************************************/
794		-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
	795	+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
	796	+ uint8_t evt_len) {
795	797	uint8_t* p_cur = p;
796	798	uint8_t status;
797	799	uint16_t handle;

		@@ -799,7 +801,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
799	801	STREAM_TO_UINT8(status, p_cur);
800	802
801	803	if (status == HCI_SUCCESS)
802		- btm_read_remote_ext_features_complete(p);
	804	+ btm_read_remote_ext_features_complete(p, evt_len);
803	805	else {
804	806	STREAM_TO_UINT16(handle, p_cur);
805	807	btm_read_remote_ext_features_failed(status, handle);

--- a/stack/include/hcidefs.h

+++ b/stack/include/hcidefs.h

		@@ -1296,6 +1296,8 @@ typedef struct {
1296	1296
1297	1297	#define HCI_FEATURE_BYTES_PER_PAGE 8
1298	1298
	1299	+#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13
	1300	+
1299	1301	#define HCI_FEATURES_KNOWN(x) \
1300	1302	(((x)[0] \| (x)[1] \| (x)[2] \| (x)[3] \| (x)[4] \| (x)[5] \| (x)[6] \| (x)[7]) != 0)
1301	1303

--- a/stack/sdp/sdp_discovery.cc

+++ b/stack/sdp/sdp_discovery.cc

		@@ -338,11 +338,13 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
338	338	* Description copy the raw data
339	339	*
340	340	*
341		- * Returns void
	341	+ * Returns bool
	342	+ * true if successful
	343	+ * false if not copied
342	344	*
343	345	******************************************************************************/
344	346	#if (SDP_RAW_DATA_INCLUDED == TRUE)
345		-static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) {
	347	+static bool sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) {
346	348	unsigned int cpy_len, rem_len;
347	349	uint32_t list_len;
348	350	uint8_t* p;

		@@ -373,11 +375,11 @@ static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) {
373	375	p = sdpu_get_len_from_type(p, p_end, type, &list_len);
374	376	if (p == NULL \|\| (p + list_len) > p_end) {
375	377	SDP_TRACE_WARNING("%s: bad length", __func__);
376		- return;
	378	+ return false;
377	379	}
378	380	if ((int)cpy_len < (p - old_p)) {
379	381	SDP_TRACE_WARNING("%s: no bytes left for data", __func__);
380		- return;
	382	+ return false;
381	383	}
382	384	cpy_len -= (p - old_p);
383	385	}

		@@ -397,6 +399,7 @@ static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) {
397	399	memcpy(&p_ccb->p_db->raw_data[p_ccb->p_db->raw_used], p, cpy_len);
398	400	p_ccb->p_db->raw_used += cpy_len;
399	401	}
	402	+ return true;
400	403	}
401	404	#endif
402	405

		@@ -465,7 +468,12 @@ static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
465	468	} else {
466	469	#if (SDP_RAW_DATA_INCLUDED == TRUE)
467	470	SDP_TRACE_WARNING("process_service_attr_rsp");
468		- sdp_copy_raw_data(p_ccb, false);
	471	+ if (!sdp_copy_raw_data(p_ccb, false)) {
	472	+ SDP_TRACE_ERROR("sdp_copy_raw_data failed");
	473	+ sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
	474	+ return;
	475	+ }
	476	+
469	477	#endif
470	478
471	479	/* Save the response in the database. Stop on any error */

		@@ -690,7 +698,11 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
690	698
691	699	#if (SDP_RAW_DATA_INCLUDED == TRUE)
692	700	SDP_TRACE_WARNING("process_service_search_attr_rsp");
693		- sdp_copy_raw_data(p_ccb, true);
	701	+ if (!sdp_copy_raw_data(p_ccb, true)) {
	702	+ SDP_TRACE_ERROR("sdp_copy_raw_data failed");
	703	+ sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
	704	+ return;
	705	+ }
694	706	#endif
695	707
696	708	p = &p_ccb->rsp_list[0];

		@@ -705,6 +717,7 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
705	717	p = sdpu_get_len_from_type(p, p + p_ccb->list_len, type, &seq_len);
706	718	if (p == NULL \|\| (p + seq_len) > (p + p_ccb->list_len)) {
707	719	SDP_TRACE_WARNING("%s: bad length", __func__);
	720	+ sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
708	721	return;
709	722	}
710	723	p_end = &p_ccb->rsp_list[p_ccb->list_len];

system-bt Fork