Merge branch 'dev/10/fp2/security-aosp-qt-release' into int/10/fp2
* dev/10/fp2/security-aosp-qt-release:
Removing bonded device when auth fails due to missing keys
Security: Fix out of bound read in AT_SKIP_REST
Check Avrcp packet vendor length before extracting length
Security: Fix out of bound write in HFP client
Change-Id: I808b3707f276796236ecb2d07fe0a099f3e67ec3
diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc
index 5bcc68e..ecdf0da 100644
--- a/bta/hf_client/bta_hf_client_at.cc
+++ b/bta/hf_client/bta_hf_client_at.cc
@@ -332,6 +332,10 @@
APPL_TRACE_DEBUG("%s: %lu.%s <%lu:%lu>", __func__, index, name, min, max);
+ if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) {
+ return;
+ }
+
/* look for a matching indicator on list of supported ones */
for (i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++) {
if (strcmp(name, BTA_HF_CLIENT_INDICATOR_SERVICE) == 0) {
@@ -783,9 +787,9 @@
} while (0)
/* skip rest of AT string up to <cr> */
-#define AT_SKIP_REST(buf) \
- do { \
- while (*(buf) != '\r') (buf)++; \
+#define AT_SKIP_REST(buf) \
+ do { \
+ while (*(buf) != '\r' && *(buf) != '\0') (buf)++; \
} while (0)
static char* bta_hf_client_parse_ok(tBTA_HF_CLIENT_CB* client_cb,
diff --git a/btif/src/btif_dm.cc b/btif/src/btif_dm.cc
index 503f823..d22bc2f 100644
--- a/btif/src/btif_dm.cc
+++ b/btif/src/btif_dm.cc
@@ -1171,14 +1171,12 @@
break;
case HCI_ERR_PAIRING_NOT_ALLOWED:
- btif_storage_remove_bonded_device(&bd_addr);
status = BT_STATUS_AUTH_REJECTED;
break;
/* map the auth failure codes, so we can retry pairing if necessary */
case HCI_ERR_AUTH_FAILURE:
case HCI_ERR_KEY_MISSING:
- btif_storage_remove_bonded_device(&bd_addr);
case HCI_ERR_HOST_REJECT_SECURITY:
case HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE:
case HCI_ERR_UNIT_KEY_USED:
@@ -1208,7 +1206,6 @@
/* Remove Device as bonded in nvram as authentication failed */
BTIF_TRACE_DEBUG("%s(): removing hid pointing device from nvram",
__func__);
- btif_storage_remove_bonded_device(&bd_addr);
}
bond_state_changed(status, bd_addr, state);
}
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index 83bc8a8..99e6671 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -43,6 +43,12 @@
tAVRC_COMMAND* p_result) {
tAVRC_STS status = AVRC_STS_NO_ERROR;
+ if (p_msg->vendor_len < 4) { // 4 == pdu + reserved byte + len as uint16
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
+ __func__, p_msg->vendor_len);
+ android_errorWriteLog(0x534e4554, "205571133");
+ return AVRC_STS_INTERNAL_ERR;
+ }
uint8_t* p = p_msg->p_vendor_data;
p_result->pdu = *p++;
AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);