Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / bt / refs/heads/rel/10/fp2/22.08.0-rel^1..refs/heads/rel/10/fp2/22.08.0-rel / .
commita554e1cc7836195960c7807ea0be1a691943eac5[log] [tgz]
authorMaarten Derks <maarten@fairphone.com>Tue Jul 19 10:32:08 2022 +0200
committerMaarten Derks <maarten@fairphone.com>Tue Jul 19 10:32:08 2022 +0200
tree803c70d02e67123667bd222cc935cb52ef43dd2f
parent439ccf05c1f721c61580fc0f54aa561bbbe7aa04 [diff]
parentd9f4cb9c273fec3fd30eb9aad929fe6520e22d9e [diff]
Merge branch 'dev/10/fp2/security-aosp-qt-release' into int/10/fp2

* dev/10/fp2/security-aosp-qt-release:
  Removing bonded device when auth fails due to missing keys
  Security: Fix out of bound read in AT_SKIP_REST
  Check Avrcp packet vendor length before extracting length
  Security: Fix out of bound write in HFP client

Change-Id: I808b3707f276796236ecb2d07fe0a099f3e67ec3

diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc
index 5bcc68e..ecdf0da 100644
--- a/bta/hf_client/bta_hf_client_at.cc
+++ b/bta/hf_client/bta_hf_client_at.cc

@@ -332,6 +332,10 @@
 
   APPL_TRACE_DEBUG("%s: %lu.%s <%lu:%lu>", __func__, index, name, min, max);
 
+  if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) {
+    return;
+  }
+
   /* look for a matching indicator on list of supported ones */
   for (i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++) {
     if (strcmp(name, BTA_HF_CLIENT_INDICATOR_SERVICE) == 0) {
@@ -783,9 +787,9 @@
   } while (0)
 
 /* skip rest of AT string up to <cr> */
-#define AT_SKIP_REST(buf)           \
-  do {                              \
-    while (*(buf) != '\r') (buf)++; \
+#define AT_SKIP_REST(buf)                             \
+  do {                                                \
+    while (*(buf) != '\r' && *(buf) != '\0') (buf)++; \
   } while (0)
 
 static char* bta_hf_client_parse_ok(tBTA_HF_CLIENT_CB* client_cb,

diff --git a/btif/src/btif_dm.cc b/btif/src/btif_dm.cc
index 503f823..d22bc2f 100644
--- a/btif/src/btif_dm.cc
+++ b/btif/src/btif_dm.cc

@@ -1171,14 +1171,12 @@
         break;
 
       case HCI_ERR_PAIRING_NOT_ALLOWED:
-        btif_storage_remove_bonded_device(&bd_addr);
         status = BT_STATUS_AUTH_REJECTED;
         break;
 
       /* map the auth failure codes, so we can retry pairing if necessary */
       case HCI_ERR_AUTH_FAILURE:
       case HCI_ERR_KEY_MISSING:
-        btif_storage_remove_bonded_device(&bd_addr);
       case HCI_ERR_HOST_REJECT_SECURITY:
       case HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE:
       case HCI_ERR_UNIT_KEY_USED:
@@ -1208,7 +1206,6 @@
       /* Remove Device as bonded in nvram as authentication failed */
       BTIF_TRACE_DEBUG("%s(): removing hid pointing device from nvram",
                        __func__);
-      btif_storage_remove_bonded_device(&bd_addr);
     }
     bond_state_changed(status, bd_addr, state);
   }

diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index 83bc8a8..99e6671 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc

@@ -43,6 +43,12 @@
                                            tAVRC_COMMAND* p_result) {
   tAVRC_STS status = AVRC_STS_NO_ERROR;
 
+  if (p_msg->vendor_len < 4) {  // 4 == pdu + reserved byte + len as uint16
+    AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
+                       __func__, p_msg->vendor_len);
+    android_errorWriteLog(0x534e4554, "205571133");
+    return AVRC_STS_INTERNAL_ERR;
+  }
   uint8_t* p = p_msg->p_vendor_data;
   p_result->pdu = *p++;
   AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);