system/bt
修訂 | fbb32dccee1fe693dc6e18bf8eadc1ba8555e7ae (tree) |
---|---|
時間 | 2019-05-20 18:39:52 |
作者 | Chih-Wei Huang <cwhuang@linu...> |
Commiter | Chih-Wei Huang |
Merge tag 'android-8.1.0_r64' into oreo-x86
Android 8.1.0 Release 64 (OPM8.190505.001)
@@ -1404,14 +1404,13 @@ static void bta_hl_sdp_query_results(UNUSED_ATTR tBTA_HL_CB* p_cb, | ||
1404 | 1404 | tBTA_HL_MCL_CB* p_mcb = BTA_HL_GET_MCL_CB_PTR(app_idx, mcl_idx); |
1405 | 1405 | tBTA_HL_SDP* p_sdp = NULL; |
1406 | 1406 | uint16_t event; |
1407 | - bool release_sdp_buf = false; | |
1408 | 1407 | |
1409 | 1408 | event = p_data->hdr.event; |
1410 | 1409 | |
1411 | 1410 | if (event == BTA_HL_SDP_QUERY_OK_EVT) { |
1411 | + // this is freed in btif_hl_proc_sdp_query_cfm | |
1412 | 1412 | p_sdp = (tBTA_HL_SDP*)osi_malloc(sizeof(tBTA_HL_SDP)); |
1413 | 1413 | memcpy(p_sdp, &p_mcb->sdp, sizeof(tBTA_HL_SDP)); |
1414 | - release_sdp_buf = true; | |
1415 | 1414 | } else { |
1416 | 1415 | status = BTA_HL_STATUS_SDP_FAIL; |
1417 | 1416 | } |
@@ -1430,8 +1429,6 @@ static void bta_hl_sdp_query_results(UNUSED_ATTR tBTA_HL_CB* p_cb, | ||
1430 | 1429 | p_mcb->bd_addr, p_sdp, status); |
1431 | 1430 | p_acb->p_cback(BTA_HL_SDP_QUERY_CFM_EVT, (tBTA_HL*)&evt_data); |
1432 | 1431 | |
1433 | - if (release_sdp_buf) osi_free_and_reset((void**)&p_sdp); | |
1434 | - | |
1435 | 1432 | if (p_data->cch_sdp.release_mcl_cb) { |
1436 | 1433 | memset(p_mcb, 0, sizeof(tBTA_HL_MCL_CB)); |
1437 | 1434 | } else { |
@@ -183,6 +183,7 @@ typedef struct { | ||
183 | 183 | #define BTA_SERVICE_ID_TO_SERVICE_MASK(id) (1 << (id)) |
184 | 184 | |
185 | 185 | #define UUID_HUMAN_INTERFACE_DEVICE "00001124-0000-1000-8000-00805f9b34fb" |
186 | +#define UUID_EMPTY "00000000-0000-0000-0000-000000000000" | |
186 | 187 | |
187 | 188 | #define MAX_BTIF_BOND_EVENT_ENTRIES 15 |
188 | 189 |
@@ -261,6 +262,11 @@ static bool is_empty_128bit(uint8_t* data) { | ||
261 | 262 | return !memcmp(zero, data, sizeof(zero)); |
262 | 263 | } |
263 | 264 | |
265 | +static bool is_bonding_or_sdp() { | |
266 | + return pairing_cb.state == BT_BOND_STATE_BONDING || | |
267 | + (pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts); | |
268 | +} | |
269 | + | |
264 | 270 | static void btif_dm_data_copy(uint16_t event, char* dst, char* src) { |
265 | 271 | tBTA_DM_SEC* dst_dm_sec = (tBTA_DM_SEC*)dst; |
266 | 272 | tBTA_DM_SEC* src_dm_sec = (tBTA_DM_SEC*)src; |
@@ -487,8 +493,6 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr, | ||
487 | 493 | bt_bond_state_t state) { |
488 | 494 | btif_stats_add_bond_event(bd_addr, BTIF_DM_FUNC_BOND_STATE_CHANGED, state); |
489 | 495 | |
490 | - // Send bonding state only once - based on outgoing/incoming we may receive | |
491 | - // duplicates | |
492 | 496 | if ((pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING)) { |
493 | 497 | // Cross key pairing so send callback for static address |
494 | 498 | if (!pairing_cb.static_bdaddr.IsEmpty()) { |
@@ -506,14 +510,18 @@ static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr, | ||
506 | 510 | auto tmp = bd_addr; |
507 | 511 | HAL_CBACK(bt_hal_cbacks, bond_state_changed_cb, status, &tmp, state); |
508 | 512 | |
509 | - if (state == BT_BOND_STATE_BONDING) { | |
513 | + int dev_type; | |
514 | + if (!btif_get_device_type(bd_addr, &dev_type)) { | |
515 | + dev_type = BT_DEVICE_TYPE_BREDR; | |
516 | + } | |
517 | + | |
518 | + if (state == BT_BOND_STATE_BONDING || | |
519 | + (state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts > 0)) { | |
520 | + // Save state for the device is bonding or SDP. | |
510 | 521 | pairing_cb.state = state; |
511 | 522 | pairing_cb.bd_addr = bd_addr; |
512 | 523 | } else { |
513 | - if (!pairing_cb.sdp_attempts) | |
514 | - memset(&pairing_cb, 0, sizeof(pairing_cb)); | |
515 | - else | |
516 | - BTIF_TRACE_DEBUG("%s: BR-EDR service discovery active", __func__); | |
524 | + pairing_cb = {}; | |
517 | 525 | } |
518 | 526 | } |
519 | 527 |
@@ -1121,6 +1129,10 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) { | ||
1121 | 1129 | |
1122 | 1130 | /* Trigger SDP on the device */ |
1123 | 1131 | pairing_cb.sdp_attempts = 1; |
1132 | + | |
1133 | + // Report bonded to Java before start SDP | |
1134 | + bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED); | |
1135 | + | |
1124 | 1136 | btif_dm_get_remote_services(bd_addr); |
1125 | 1137 | } |
1126 | 1138 | } |
@@ -1378,9 +1390,9 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) { | ||
1378 | 1390 | |
1379 | 1391 | BTIF_TRACE_DEBUG("%s:(result=0x%x, services 0x%x)", __func__, |
1380 | 1392 | p_data->disc_res.result, p_data->disc_res.services); |
1381 | - if ((p_data->disc_res.result != BTA_SUCCESS) && | |
1382 | - (pairing_cb.state == BT_BOND_STATE_BONDING) && | |
1383 | - (pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING)) { | |
1393 | + if (p_data->disc_res.result != BTA_SUCCESS && | |
1394 | + pairing_cb.state == BT_BOND_STATE_BONDED && | |
1395 | + pairing_cb.sdp_attempts < BTIF_DM_MAX_SDP_ATTEMPTS_AFTER_PAIRING) { | |
1384 | 1396 | BTIF_TRACE_WARNING("%s:SDP failed after bonding re-attempting", |
1385 | 1397 | __func__); |
1386 | 1398 | pairing_cb.sdp_attempts++; |
@@ -1405,21 +1417,42 @@ static void btif_dm_search_services_evt(uint16_t event, char* p_param) { | ||
1405 | 1417 | /* onUuidChanged requires getBondedDevices to be populated. |
1406 | 1418 | ** bond_state_changed needs to be sent prior to remote_device_property |
1407 | 1419 | */ |
1408 | - if ((pairing_cb.state == BT_BOND_STATE_BONDING) && | |
1420 | + if ((pairing_cb.state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts) && | |
1409 | 1421 | (p_data->disc_res.bd_addr == pairing_cb.bd_addr || |
1410 | - p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) && | |
1411 | - pairing_cb.sdp_attempts > 0) { | |
1412 | - BTIF_TRACE_DEBUG( | |
1413 | - "%s Remote Service SDP done. Call bond_state_changed_cb BONDED", | |
1414 | - __func__); | |
1422 | + p_data->disc_res.bd_addr == pairing_cb.static_bdaddr)) { | |
1423 | + LOG_INFO(LOG_TAG, "%s Remote Service SDP done.", __func__); | |
1415 | 1424 | pairing_cb.sdp_attempts = 0; |
1416 | 1425 | |
1417 | - // If bonding occured due to cross-key pairing, send bonding callback | |
1426 | + // If bond occured due to cross-key pairing, send bond state callback | |
1418 | 1427 | // for static address now |
1419 | - if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) | |
1428 | + if (p_data->disc_res.bd_addr == pairing_cb.static_bdaddr) { | |
1420 | 1429 | bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDING); |
1421 | - | |
1422 | - bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED); | |
1430 | + bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDED); | |
1431 | + } | |
1432 | + if (pairing_cb.state == BT_BOND_STATE_BONDED) { | |
1433 | + if (p_data->disc_res.result == BTA_SUCCESS) { | |
1434 | + // Device is bonded and SDP completed. Clear the pairing control | |
1435 | + // block. | |
1436 | + pairing_cb = {}; | |
1437 | + } else { | |
1438 | + // Report empty UUID to Java if SDP report negative result while | |
1439 | + // pairing. | |
1440 | + bt_property_t prop; | |
1441 | + bt_uuid_t uuid; | |
1442 | + char uuid_str[128] = UUID_EMPTY; | |
1443 | + | |
1444 | + string_to_uuid(uuid_str, &uuid); | |
1445 | + | |
1446 | + prop.type = BT_PROPERTY_UUIDS; | |
1447 | + prop.val = uuid.uu; | |
1448 | + prop.len = MAX_UUID_SIZE; | |
1449 | + | |
1450 | + /* Send the event to the BTIF */ | |
1451 | + HAL_CBACK(bt_hal_cbacks, remote_device_properties_cb, | |
1452 | + BT_STATUS_SUCCESS, &bd_addr, 1, &prop); | |
1453 | + break; | |
1454 | + } | |
1455 | + } | |
1423 | 1456 | } |
1424 | 1457 | |
1425 | 1458 | if (p_data->disc_res.num_uuids != 0) { |
@@ -1629,7 +1662,7 @@ static void btif_dm_upstreams_evt(uint16_t event, char* p_param) { | ||
1629 | 1662 | break; |
1630 | 1663 | |
1631 | 1664 | case BTA_DM_BOND_CANCEL_CMPL_EVT: |
1632 | - if (pairing_cb.state == BT_BOND_STATE_BONDING) { | |
1665 | + if (is_bonding_or_sdp()) { | |
1633 | 1666 | bd_addr = pairing_cb.bd_addr; |
1634 | 1667 | btm_set_bond_type_dev(pairing_cb.bd_addr, BOND_TYPE_UNKNOWN); |
1635 | 1668 | bond_state_changed((bt_status_t)p_data->bond_cancel_cmpl.result, |
@@ -2277,7 +2310,7 @@ bt_status_t btif_dm_cancel_bond(const RawAddress* bd_addr) { | ||
2277 | 2310 | ** 1. Restore scan modes |
2278 | 2311 | ** 2. special handling for HID devices |
2279 | 2312 | */ |
2280 | - if (pairing_cb.state == BT_BOND_STATE_BONDING) { | |
2313 | + if (is_bonding_or_sdp()) { | |
2281 | 2314 | if (pairing_cb.is_ssp) { |
2282 | 2315 | if (pairing_cb.is_le_only) { |
2283 | 2316 | BTA_DmBleSecurityGrant(*bd_addr, BTA_DM_SEC_PAIR_NOT_SPT); |
@@ -2469,7 +2502,7 @@ bt_status_t btif_dm_get_remote_services(const RawAddress& remote_addr) { | ||
2469 | 2502 | |
2470 | 2503 | /******************************************************************************* |
2471 | 2504 | * |
2472 | - * Function btif_dm_get_remote_services_transport | |
2505 | + * Function btif_dm_get_remote_services_by_transport | |
2473 | 2506 | * |
2474 | 2507 | * Description Start SDP to get remote services by transport |
2475 | 2508 | * |
@@ -3171,7 +3204,7 @@ bt_status_t btif_le_test_mode(uint16_t opcode, uint8_t* buf, uint8_t len) { | ||
3171 | 3204 | |
3172 | 3205 | void btif_dm_on_disable() { |
3173 | 3206 | /* cancel any pending pairing requests */ |
3174 | - if (pairing_cb.state == BT_BOND_STATE_BONDING) { | |
3207 | + if (is_bonding_or_sdp()) { | |
3175 | 3208 | BTIF_TRACE_DEBUG("%s: Cancel pending pairing request", __func__); |
3176 | 3209 | btif_dm_cancel_bond(&pairing_cb.bd_addr); |
3177 | 3210 | } |
@@ -2128,6 +2128,10 @@ static bool btif_hl_proc_sdp_query_cfm(tBTA_HL* p_data) { | ||
2128 | 2128 | } |
2129 | 2129 | } |
2130 | 2130 | } |
2131 | + | |
2132 | + // this was allocated in bta_hl_sdp_query_results | |
2133 | + osi_free_and_reset((void**)&p_data->sdp_query_cfm.p_sdp); | |
2134 | + | |
2131 | 2135 | return status; |
2132 | 2136 | } |
2133 | 2137 |
@@ -222,69 +222,88 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, | ||
222 | 222 | uint8_t* p = p_msg->p_browse_data; |
223 | 223 | |
224 | 224 | /* read the pdu */ |
225 | + if (p_msg->browse_len < 3) { | |
226 | + android_errorWriteLog(0x534e4554, "111451066"); | |
227 | + AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 3", | |
228 | + __func__, p_msg->browse_len); | |
229 | + return AVRC_STS_BAD_PARAM; | |
230 | + } | |
225 | 231 | BE_STREAM_TO_UINT8(pdu, p); |
226 | 232 | uint16_t pkt_len; |
233 | + int min_len = 0; | |
227 | 234 | /* read the entire packet len */ |
228 | 235 | BE_STREAM_TO_UINT16(pkt_len, p); |
229 | 236 | |
230 | - AVRC_TRACE_DEBUG("%s pdu %d", __func__, pdu); | |
237 | + AVRC_TRACE_DEBUG("%s pdu:%d, pkt_len:%d", __func__, pdu, pkt_len); | |
231 | 238 | |
232 | - /* used to track how much we have read, if we cannot read anymore but the | |
233 | - * packet says so then we have a malformed packet. Also vice versa. */ | |
234 | - uint16_t pkt_len_read = 0; | |
239 | + if (p_msg->browse_len < (pkt_len + 3)) { | |
240 | + android_errorWriteLog(0x534e4554, "111451066"); | |
241 | + AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d", | |
242 | + __func__, p_msg->browse_len, pkt_len + 3); | |
243 | + return AVRC_STS_INTERNAL_ERR; | |
244 | + } | |
235 | 245 | |
236 | 246 | switch (pdu) { |
237 | 247 | case AVRC_PDU_GET_FOLDER_ITEMS: { |
238 | 248 | tAVRC_GET_ITEMS_RSP* get_item_rsp = &(p_rsp->get_items); |
239 | 249 | /* Copy back the PDU */ |
240 | 250 | get_item_rsp->pdu = pdu; |
251 | + | |
252 | + min_len += 1; | |
253 | + if (pkt_len < min_len) goto browse_length_error; | |
241 | 254 | /* read the status */ |
242 | 255 | BE_STREAM_TO_UINT8(get_item_rsp->status, p); |
256 | + if (get_item_rsp->status != AVRC_STS_NO_ERROR) { | |
257 | + AVRC_TRACE_WARNING("%s returning error %d", __func__, | |
258 | + get_item_rsp->status); | |
259 | + return get_item_rsp->status; | |
260 | + } | |
261 | + | |
262 | + min_len += 4; | |
263 | + if (pkt_len < min_len) goto browse_length_error; | |
243 | 264 | /* read the UID counter */ |
244 | 265 | BE_STREAM_TO_UINT16(get_item_rsp->uid_counter, p); |
245 | 266 | /* read the number of items */ |
246 | 267 | BE_STREAM_TO_UINT16(get_item_rsp->item_count, p); |
247 | - pkt_len_read += 5; | |
248 | 268 | |
249 | 269 | AVRC_TRACE_DEBUG( |
250 | 270 | "%s pdu %d status %d pkt_len %d uid counter %d item count %d", |
251 | 271 | __func__, get_item_rsp->pdu, get_item_rsp->status, pkt_len, |
252 | 272 | get_item_rsp->uid_counter, get_item_rsp->item_count); |
253 | 273 | |
254 | - if (get_item_rsp->status != AVRC_STS_NO_ERROR) { | |
255 | - AVRC_TRACE_WARNING("%s returning error %d", __func__, | |
256 | - get_item_rsp->status); | |
257 | - return get_item_rsp->status; | |
258 | - } | |
259 | - | |
260 | 274 | /* get each of the items */ |
261 | 275 | get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_malloc( |
262 | 276 | get_item_rsp->item_count * (sizeof(tAVRC_ITEM))); |
263 | 277 | tAVRC_ITEM* curr_item = get_item_rsp->p_item_list; |
264 | 278 | for (int i = 0; i < get_item_rsp->item_count; i++) { |
279 | + min_len += 1; | |
280 | + if (pkt_len < min_len) goto browse_length_error; | |
265 | 281 | BE_STREAM_TO_UINT8(curr_item->item_type, p); |
266 | - pkt_len_read += 1; | |
267 | 282 | AVRC_TRACE_DEBUG("%s item type %d", __func__, curr_item->item_type); |
268 | 283 | switch (curr_item->item_type) { |
269 | 284 | case AVRC_ITEM_PLAYER: { |
270 | 285 | /* Handle player */ |
271 | 286 | tAVRC_ITEM_PLAYER* player = &(curr_item->u.player); |
272 | 287 | uint8_t player_len; |
288 | + min_len += 10 + AVRC_FEATURE_MASK_SIZE; | |
289 | + if (pkt_len < min_len) goto browse_length_error; | |
273 | 290 | BE_STREAM_TO_UINT16(player_len, p); |
274 | 291 | BE_STREAM_TO_UINT16(player->player_id, p); |
275 | 292 | BE_STREAM_TO_UINT8(player->major_type, p); |
276 | 293 | BE_STREAM_TO_UINT32(player->sub_type, p); |
277 | 294 | BE_STREAM_TO_UINT8(player->play_status, p); |
278 | 295 | BE_STREAM_TO_ARRAY(p, player->features, AVRC_FEATURE_MASK_SIZE); |
279 | - pkt_len_read += (10 + AVRC_FEATURE_MASK_SIZE); | |
280 | 296 | |
281 | 297 | /* read str */ |
298 | + min_len += 4; | |
299 | + if (pkt_len < min_len) goto browse_length_error; | |
282 | 300 | BE_STREAM_TO_UINT16(player->name.charset_id, p); |
283 | 301 | BE_STREAM_TO_UINT16(player->name.str_len, p); |
302 | + min_len += player->name.str_len; | |
303 | + if (pkt_len < min_len) goto browse_length_error; | |
284 | 304 | player->name.p_str = (uint8_t*)osi_malloc( |
285 | 305 | (player->name.str_len + 1) * sizeof(uint8_t)); |
286 | 306 | BE_STREAM_TO_ARRAY(p, player->name.p_str, player->name.str_len); |
287 | - pkt_len_read += (4 + player->name.str_len); | |
288 | 307 | AVRC_TRACE_DEBUG( |
289 | 308 | "%s type %d id %d mtype %d stype %d ps %d cs %d name len %d", |
290 | 309 | __func__, curr_item->item_type, player->player_id, |
@@ -295,20 +314,24 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, | ||
295 | 314 | case AVRC_ITEM_FOLDER: { |
296 | 315 | tAVRC_ITEM_FOLDER* folder = &(curr_item->u.folder); |
297 | 316 | uint16_t folder_len; |
317 | + min_len += 4 + AVRC_UID_SIZE; | |
318 | + if (pkt_len < min_len) goto browse_length_error; | |
298 | 319 | BE_STREAM_TO_UINT16(folder_len, p); |
299 | 320 | |
300 | 321 | BE_STREAM_TO_ARRAY(p, folder->uid, AVRC_UID_SIZE); |
301 | 322 | BE_STREAM_TO_UINT8(folder->type, p); |
302 | 323 | BE_STREAM_TO_UINT8(folder->playable, p); |
303 | - pkt_len_read += (4 + AVRC_UID_SIZE); | |
304 | 324 | |
305 | 325 | /* read str, encoding to be handled by upper layers */ |
326 | + min_len += 4; | |
327 | + if (pkt_len < min_len) goto browse_length_error; | |
306 | 328 | BE_STREAM_TO_UINT16(folder->name.charset_id, p); |
307 | 329 | BE_STREAM_TO_UINT16(folder->name.str_len, p); |
330 | + min_len += folder->name.str_len; | |
331 | + if (pkt_len < min_len) goto browse_length_error; | |
308 | 332 | folder->name.p_str = (uint8_t*)osi_malloc( |
309 | 333 | (folder->name.str_len + 1) * sizeof(uint8_t)); |
310 | 334 | BE_STREAM_TO_ARRAY(p, folder->name.p_str, folder->name.str_len); |
311 | - pkt_len_read += (4 + folder->name.str_len); | |
312 | 335 | AVRC_TRACE_DEBUG("%s type %d playable %d cs %d name len %d", |
313 | 336 | __func__, folder->type, folder->playable, |
314 | 337 | folder->name.charset_id, folder->name.str_len); |
@@ -317,14 +340,19 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, | ||
317 | 340 | case AVRC_ITEM_MEDIA: { |
318 | 341 | tAVRC_ITEM_MEDIA* media = &(curr_item->u.media); |
319 | 342 | uint8_t media_len; |
343 | + min_len += 3 + AVRC_UID_SIZE; | |
344 | + if (pkt_len < min_len) goto browse_length_error; | |
320 | 345 | BE_STREAM_TO_UINT16(media_len, p); |
321 | 346 | BE_STREAM_TO_ARRAY(p, media->uid, AVRC_UID_SIZE); |
322 | 347 | BE_STREAM_TO_UINT8(media->type, p); |
323 | - pkt_len_read += (3 + AVRC_UID_SIZE); | |
324 | 348 | |
325 | 349 | /* read str, encoding to be handled by upper layers */ |
350 | + min_len += 4; | |
351 | + if (pkt_len < min_len) goto browse_length_error; | |
326 | 352 | BE_STREAM_TO_UINT16(media->name.charset_id, p); |
327 | 353 | BE_STREAM_TO_UINT16(media->name.str_len, p); |
354 | + min_len += 1 + media->name.str_len; | |
355 | + if (pkt_len < min_len) goto browse_length_error; | |
328 | 356 | media->name.p_str = |
329 | 357 | (uint8_t*)osi_malloc((media->name.str_len) * sizeof(uint8_t)); |
330 | 358 | BE_STREAM_TO_ARRAY(p, media->name.p_str, media->name.str_len); |
@@ -333,22 +361,24 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, | ||
333 | 361 | AVRC_TRACE_DEBUG("%s media type %d charset id %d len %d attr ct %d", |
334 | 362 | __func__, media->type, media->name.charset_id, |
335 | 363 | media->name.str_len, media->attr_count); |
336 | - pkt_len_read += (5 + media->name.str_len); | |
337 | 364 | |
338 | 365 | media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_malloc( |
339 | 366 | media->attr_count * sizeof(tAVRC_ATTR_ENTRY)); |
340 | 367 | for (int jk = 0; jk < media->attr_count; jk++) { |
341 | 368 | tAVRC_ATTR_ENTRY* attr_entry = &(media->p_attr_list[jk]); |
369 | + min_len += 8; | |
370 | + if (pkt_len < min_len) goto browse_length_error; | |
342 | 371 | BE_STREAM_TO_UINT32(attr_entry->attr_id, p); |
343 | 372 | |
344 | 373 | /* Parse the name now */ |
345 | 374 | BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p); |
346 | 375 | BE_STREAM_TO_UINT16(attr_entry->name.str_len, p); |
376 | + min_len += attr_entry->name.str_len; | |
377 | + if (pkt_len < min_len) goto browse_length_error; | |
347 | 378 | attr_entry->name.p_str = (uint8_t*)osi_malloc( |
348 | 379 | attr_entry->name.str_len * sizeof(uint8_t)); |
349 | 380 | BE_STREAM_TO_ARRAY(p, attr_entry->name.p_str, |
350 | 381 | attr_entry->name.str_len); |
351 | - pkt_len_read += (8 + attr_entry->name.str_len); | |
352 | 382 | AVRC_TRACE_DEBUG("%s media attr id %d cs %d name len %d", |
353 | 383 | __func__, attr_entry->attr_id, |
354 | 384 | attr_entry->name.charset_id, |
@@ -362,14 +392,8 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, | ||
362 | 392 | return AVRC_STS_INTERNAL_ERR; |
363 | 393 | } |
364 | 394 | |
365 | - /* we check if we have overrun */ | |
366 | - if (pkt_len_read > pkt_len) { | |
367 | - AVRC_TRACE_ERROR("%s overflow in read pkt_len %d pkt_len_read %d", | |
368 | - __func__, pkt_len, pkt_len_read); | |
369 | - return AVRC_STS_BAD_CMD; | |
370 | - } | |
371 | - AVRC_TRACE_DEBUG("%s pkt_len %d pkt_len_read %d", __func__, pkt_len, | |
372 | - pkt_len_read); | |
395 | + AVRC_TRACE_DEBUG("%s pkt_len %d min_len %d", __func__, pkt_len, | |
396 | + min_len); | |
373 | 397 | |
374 | 398 | /* advance to populate the next item */ |
375 | 399 | curr_item++; |
@@ -379,13 +403,14 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, | ||
379 | 403 | |
380 | 404 | case AVRC_PDU_CHANGE_PATH: { |
381 | 405 | tAVRC_CHG_PATH_RSP* change_path_rsp = &(p_rsp->chg_path); |
406 | + min_len += 5; | |
407 | + if (pkt_len < min_len) goto browse_length_error; | |
382 | 408 | /* Copyback the PDU */ |
383 | 409 | change_path_rsp->pdu = pdu; |
384 | 410 | /* Read the status */ |
385 | 411 | BE_STREAM_TO_UINT8(change_path_rsp->status, p); |
386 | 412 | /* Read the number of items in folder */ |
387 | 413 | BE_STREAM_TO_UINT32(change_path_rsp->num_items, p); |
388 | - pkt_len_read += 5; | |
389 | 414 | |
390 | 415 | AVRC_TRACE_DEBUG("%s pdu %d status %d item count %d", __func__, |
391 | 416 | change_path_rsp->pdu, change_path_rsp->status, |
@@ -399,6 +424,8 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, | ||
399 | 424 | set_br_pl_rsp->pdu = pdu; |
400 | 425 | |
401 | 426 | /* Read the status */ |
427 | + min_len += 10; | |
428 | + if (pkt_len < min_len) goto browse_length_error; | |
402 | 429 | BE_STREAM_TO_UINT8(set_br_pl_rsp->status, p); |
403 | 430 | |
404 | 431 | if (set_br_pl_rsp->status != AVRC_STS_NO_ERROR) { |
@@ -415,7 +442,6 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, | ||
415 | 442 | "%s AVRC_PDU_SET_BROWSED_PLAYER status %d items %d cs %d depth %d", |
416 | 443 | __func__, set_br_pl_rsp->status, set_br_pl_rsp->num_items, |
417 | 444 | set_br_pl_rsp->charset_id, set_br_pl_rsp->folder_depth); |
418 | - pkt_len_read += 10; | |
419 | 445 | |
420 | 446 | set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_malloc( |
421 | 447 | set_br_pl_rsp->num_items * sizeof(tAVRC_NAME)); |
@@ -423,13 +449,16 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, | ||
423 | 449 | /* Read each of the folder in the depth */ |
424 | 450 | for (uint32_t i = 0; i < set_br_pl_rsp->folder_depth; i++) { |
425 | 451 | tAVRC_NAME* folder_name = &(set_br_pl_rsp->p_folders[i]); |
452 | + min_len += 2; | |
453 | + if (pkt_len < min_len) goto browse_length_error; | |
426 | 454 | BE_STREAM_TO_UINT16(folder_name->str_len, p); |
455 | + min_len += folder_name->str_len; | |
456 | + if (pkt_len < min_len) goto browse_length_error; | |
427 | 457 | AVRC_TRACE_DEBUG("%s AVRC_PDU_SET_BROWSED_PLAYER item: %d len: %d", |
428 | 458 | __func__, i, folder_name->str_len); |
429 | 459 | folder_name->p_str = |
430 | 460 | (uint8_t*)osi_malloc((folder_name->str_len + 1) * sizeof(uint8_t)); |
431 | 461 | BE_STREAM_TO_ARRAY(p, folder_name->p_str, folder_name->str_len); |
432 | - pkt_len_read += (2 + folder_name->str_len); | |
433 | 462 | } |
434 | 463 | break; |
435 | 464 | } |
@@ -438,12 +467,13 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, | ||
438 | 467 | AVRC_TRACE_ERROR("%s pdu %d not handled", __func__, pdu); |
439 | 468 | } |
440 | 469 | |
441 | - if (pkt_len != pkt_len_read) { | |
442 | - AVRC_TRACE_ERROR("%s finished pkt_len %d pkt_len_read %d", __func__, | |
443 | - pkt_len, pkt_len_read); | |
444 | - return AVRC_STS_BAD_CMD; | |
445 | - } | |
446 | 470 | return status; |
471 | + | |
472 | +browse_length_error: | |
473 | + android_errorWriteLog(0x534e4554, "111451066"); | |
474 | + AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least %d", | |
475 | + __func__, pkt_len, min_len); | |
476 | + return AVRC_STS_BAD_CMD; | |
447 | 477 | } |
448 | 478 | |
449 | 479 | /******************************************************************************* |
@@ -27,6 +27,7 @@ | ||
27 | 27 | #include "btm_int_types.h" |
28 | 28 | #include "device/include/controller.h" |
29 | 29 | #include "hcidefs.h" |
30 | +#include "log/log.h" | |
30 | 31 | |
31 | 32 | #define BTM_BLE_MULTI_ADV_SET_RANDOM_ADDR_LEN 8 |
32 | 33 | #define BTM_BLE_MULTI_ADV_ENB_LEN 3 |
@@ -162,6 +163,14 @@ class BleAdvertiserVscHciInterfaceImpl : public BleAdvertiserHciInterface { | ||
162 | 163 | uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN]; |
163 | 164 | memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN); |
164 | 165 | |
166 | + if (data_length > BTM_BLE_AD_DATA_LEN) { | |
167 | + android_errorWriteLog(0x534e4554, "121145627"); | |
168 | + LOG(ERROR) << __func__ | |
169 | + << ": data_length=" << static_cast<int>(data_length) | |
170 | + << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN; | |
171 | + data_length = BTM_BLE_AD_DATA_LEN; | |
172 | + } | |
173 | + | |
165 | 174 | uint8_t* pp = param; |
166 | 175 | UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_ADV_DATA); |
167 | 176 | UINT8_TO_STREAM(pp, data_length); |
@@ -181,6 +190,14 @@ class BleAdvertiserVscHciInterfaceImpl : public BleAdvertiserHciInterface { | ||
181 | 190 | uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN]; |
182 | 191 | memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN); |
183 | 192 | |
193 | + if (scan_response_data_length > BTM_BLE_AD_DATA_LEN) { | |
194 | + android_errorWriteLog(0x534e4554, "121145627"); | |
195 | + LOG(ERROR) << __func__ << ": scan_response_data_length=" | |
196 | + << static_cast<int>(scan_response_data_length) | |
197 | + << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN; | |
198 | + scan_response_data_length = BTM_BLE_AD_DATA_LEN; | |
199 | + } | |
200 | + | |
184 | 201 | uint8_t* pp = param; |
185 | 202 | UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_SCAN_RSP_DATA); |
186 | 203 | UINT8_TO_STREAM(pp, scan_response_data_length); |
@@ -370,6 +387,15 @@ class BleAdvertiserLegacyHciInterfaceImpl : public BleAdvertiserHciInterface { | ||
370 | 387 | |
371 | 388 | uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1]; |
372 | 389 | |
390 | + if (data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) { | |
391 | + android_errorWriteLog(0x534e4554, "121145627"); | |
392 | + LOG(ERROR) << __func__ | |
393 | + << ": data_length=" << static_cast<int>(data_length) | |
394 | + << ", is longer than size limit " | |
395 | + << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA; | |
396 | + data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA; | |
397 | + } | |
398 | + | |
373 | 399 | uint8_t* pp = param; |
374 | 400 | memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1); |
375 | 401 | UINT8_TO_STREAM(pp, data_length); |
@@ -387,6 +413,15 @@ class BleAdvertiserLegacyHciInterfaceImpl : public BleAdvertiserHciInterface { | ||
387 | 413 | VLOG(1) << __func__; |
388 | 414 | uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1]; |
389 | 415 | |
416 | + if (scan_response_data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) { | |
417 | + android_errorWriteLog(0x534e4554, "121145627"); | |
418 | + LOG(ERROR) << __func__ << ": scan_response_data_length=" | |
419 | + << static_cast<int>(scan_response_data_length) | |
420 | + << ", is longer than size limit " | |
421 | + << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA; | |
422 | + scan_response_data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA; | |
423 | + } | |
424 | + | |
390 | 425 | uint8_t* pp = param; |
391 | 426 | memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1); |
392 | 427 | UINT8_TO_STREAM(pp, scan_response_data_length); |
@@ -39,6 +39,7 @@ | ||
39 | 39 | #include "gap_api.h" |
40 | 40 | #include "gatt_api.h" |
41 | 41 | #include "hcimsgs.h" |
42 | +#include "log/log.h" | |
42 | 43 | #include "l2c_int.h" |
43 | 44 | #include "osi/include/log.h" |
44 | 45 | #include "osi/include/osi.h" |
@@ -2060,6 +2061,12 @@ uint8_t btm_proc_smp_cback(tSMP_EVT event, const RawAddress& bd_addr, | ||
2060 | 2061 | } |
2061 | 2062 | |
2062 | 2063 | if (event == SMP_COMPLT_EVT) { |
2064 | + p_dev_rec = btm_find_dev(bd_addr); | |
2065 | + if (p_dev_rec == NULL) { | |
2066 | + BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__); | |
2067 | + android_errorWriteLog(0x534e4554, "120612744"); | |
2068 | + return 0; | |
2069 | + } | |
2063 | 2070 | BTM_TRACE_DEBUG( |
2064 | 2071 | "evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", |
2065 | 2072 | p_data->cmplt.sec_level, p_dev_rec->sec_flags); |
@@ -834,7 +834,16 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) { | ||
834 | 834 | } |
835 | 835 | |
836 | 836 | if (p_ccb->is_first_seg) { |
837 | + if (p_buf->len < sizeof(sdu_length)) { | |
838 | + L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least 2.", | |
839 | + __func__, p_buf->len); | |
840 | + android_errorWriteWithInfoLog(0x534e4554, "120665616", -1, NULL, 0); | |
841 | + /* Discard the buffer */ | |
842 | + osi_free(p_buf); | |
843 | + return; | |
844 | + } | |
837 | 845 | STREAM_TO_UINT16(sdu_length, p); |
846 | + | |
838 | 847 | /* Check the SDU Length with local MTU size */ |
839 | 848 | if (sdu_length > p_ccb->local_conn_cfg.mtu) { |
840 | 849 | /* Discard the buffer */ |
@@ -842,6 +851,9 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) { | ||
842 | 851 | return; |
843 | 852 | } |
844 | 853 | |
854 | + p_buf->len -= sizeof(sdu_length); | |
855 | + p_buf->offset += sizeof(sdu_length); | |
856 | + | |
845 | 857 | if (sdu_length < p_buf->len) { |
846 | 858 | L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length); |
847 | 859 | android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0); |
@@ -860,8 +872,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) { | ||
860 | 872 | p_data->len = 0; |
861 | 873 | p_ccb->ble_sdu_length = sdu_length; |
862 | 874 | L2CAP_TRACE_DEBUG("%s SDU Length = %d", __func__, sdu_length); |
863 | - p_buf->len -= sizeof(sdu_length); | |
864 | - p_buf->offset += sizeof(sdu_length); | |
865 | 875 | p_data->offset = 0; |
866 | 876 | |
867 | 877 | } else { |
@@ -471,7 +471,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { | ||
471 | 471 | switch (cfg_code & 0x7F) { |
472 | 472 | case L2CAP_CFG_TYPE_MTU: |
473 | 473 | cfg_info.mtu_present = true; |
474 | - if (p + 2 > p_next_cmd) { | |
474 | + if (cfg_len != 2) { | |
475 | + android_errorWriteLog(0x534e4554, "119870451"); | |
476 | + return; | |
477 | + } | |
478 | + if (p + cfg_len > p_next_cmd) { | |
475 | 479 | android_errorWriteLog(0x534e4554, "74202041"); |
476 | 480 | return; |
477 | 481 | } |
@@ -480,7 +484,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { | ||
480 | 484 | |
481 | 485 | case L2CAP_CFG_TYPE_FLUSH_TOUT: |
482 | 486 | cfg_info.flush_to_present = true; |
483 | - if (p + 2 > p_next_cmd) { | |
487 | + if (cfg_len != 2) { | |
488 | + android_errorWriteLog(0x534e4554, "119870451"); | |
489 | + return; | |
490 | + } | |
491 | + if (p + cfg_len > p_next_cmd) { | |
484 | 492 | android_errorWriteLog(0x534e4554, "74202041"); |
485 | 493 | return; |
486 | 494 | } |
@@ -489,7 +497,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { | ||
489 | 497 | |
490 | 498 | case L2CAP_CFG_TYPE_QOS: |
491 | 499 | cfg_info.qos_present = true; |
492 | - if (p + 2 + 5 * 4 > p_next_cmd) { | |
500 | + if (cfg_len != 2 + 5 * 4) { | |
501 | + android_errorWriteLog(0x534e4554, "119870451"); | |
502 | + return; | |
503 | + } | |
504 | + if (p + cfg_len > p_next_cmd) { | |
493 | 505 | android_errorWriteLog(0x534e4554, "74202041"); |
494 | 506 | return; |
495 | 507 | } |
@@ -504,7 +516,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { | ||
504 | 516 | |
505 | 517 | case L2CAP_CFG_TYPE_FCR: |
506 | 518 | cfg_info.fcr_present = true; |
507 | - if (p + 3 + 3 * 2 > p_next_cmd) { | |
519 | + if (cfg_len != 3 + 3 * 2) { | |
520 | + android_errorWriteLog(0x534e4554, "119870451"); | |
521 | + return; | |
522 | + } | |
523 | + if (p + cfg_len > p_next_cmd) { | |
508 | 524 | android_errorWriteLog(0x534e4554, "74202041"); |
509 | 525 | return; |
510 | 526 | } |
@@ -518,7 +534,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { | ||
518 | 534 | |
519 | 535 | case L2CAP_CFG_TYPE_FCS: |
520 | 536 | cfg_info.fcs_present = true; |
521 | - if (p + 1 > p_next_cmd) { | |
537 | + if (cfg_len != 1) { | |
538 | + android_errorWriteLog(0x534e4554, "119870451"); | |
539 | + return; | |
540 | + } | |
541 | + if (p + cfg_len > p_next_cmd) { | |
522 | 542 | android_errorWriteLog(0x534e4554, "74202041"); |
523 | 543 | return; |
524 | 544 | } |
@@ -527,7 +547,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { | ||
527 | 547 | |
528 | 548 | case L2CAP_CFG_TYPE_EXT_FLOW: |
529 | 549 | cfg_info.ext_flow_spec_present = true; |
530 | - if (p + 2 + 2 + 3 * 4 > p_next_cmd) { | |
550 | + if (cfg_len != 2 + 2 + 3 * 4) { | |
551 | + android_errorWriteLog(0x534e4554, "119870451"); | |
552 | + return; | |
553 | + } | |
554 | + if (p + cfg_len > p_next_cmd) { | |
531 | 555 | android_errorWriteLog(0x534e4554, "74202041"); |
532 | 556 | return; |
533 | 557 | } |
@@ -804,6 +804,9 @@ void l2cu_send_peer_config_rej(tL2C_CCB* p_ccb, uint8_t* p_data, | ||
804 | 804 | case L2CAP_CFG_TYPE_MTU: |
805 | 805 | case L2CAP_CFG_TYPE_FLUSH_TOUT: |
806 | 806 | case L2CAP_CFG_TYPE_QOS: |
807 | + case L2CAP_CFG_TYPE_FCR: | |
808 | + case L2CAP_CFG_TYPE_FCS: | |
809 | + case L2CAP_CFG_TYPE_EXT_FLOW: | |
807 | 810 | p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD; |
808 | 811 | break; |
809 | 812 |
@@ -335,7 +335,7 @@ void smp_send_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { | ||
335 | 335 | * Description send encryption information command. |
336 | 336 | ******************************************************************************/ |
337 | 337 | void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { |
338 | - tBTM_LE_LENC_KEYS le_key; | |
338 | + tBTM_LE_KEY_VALUE le_key; | |
339 | 339 | |
340 | 340 | SMP_TRACE_DEBUG("%s: p_cb->loc_enc_size = %d", __func__, p_cb->loc_enc_size); |
341 | 341 | smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false); |
@@ -344,15 +344,14 @@ void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { | ||
344 | 344 | smp_send_cmd(SMP_OPCODE_MASTER_ID, p_cb); |
345 | 345 | |
346 | 346 | /* save the DIV and key size information when acting as slave device */ |
347 | - memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
348 | - le_key.div = p_cb->div; | |
349 | - le_key.key_size = p_cb->loc_enc_size; | |
350 | - le_key.sec_level = p_cb->sec_level; | |
347 | + memcpy(le_key.lenc_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
348 | + le_key.lenc_key.div = p_cb->div; | |
349 | + le_key.lenc_key.key_size = p_cb->loc_enc_size; | |
350 | + le_key.lenc_key.sec_level = p_cb->sec_level; | |
351 | 351 | |
352 | 352 | if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && |
353 | 353 | (p_cb->loc_auth_req & SMP_AUTH_BOND)) |
354 | - btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, | |
355 | - (tBTM_LE_KEY_VALUE*)&le_key, true); | |
354 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &le_key, true); | |
356 | 355 | |
357 | 356 | SMP_TRACE_WARNING("%s", __func__); |
358 | 357 |
@@ -384,17 +383,16 @@ void smp_send_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { | ||
384 | 383 | * Description send CSRK command. |
385 | 384 | ******************************************************************************/ |
386 | 385 | void smp_send_csrk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { |
387 | - tBTM_LE_LCSRK_KEYS key; | |
386 | + tBTM_LE_KEY_VALUE key; | |
388 | 387 | SMP_TRACE_DEBUG("%s", __func__); |
389 | 388 | smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, false); |
390 | 389 | |
391 | 390 | if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) { |
392 | - key.div = p_cb->div; | |
393 | - key.sec_level = p_cb->sec_level; | |
394 | - key.counter = 0; /* initialize the local counter */ | |
395 | - memcpy(key.csrk, p_cb->csrk, BT_OCTET16_LEN); | |
396 | - btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, | |
397 | - (tBTM_LE_KEY_VALUE*)&key, true); | |
391 | + key.lcsrk_key.div = p_cb->div; | |
392 | + key.lcsrk_key.sec_level = p_cb->sec_level; | |
393 | + key.lcsrk_key.counter = 0; /* initialize the local counter */ | |
394 | + memcpy(key.lcsrk_key.csrk, p_cb->csrk, BT_OCTET16_LEN); | |
395 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, &key, true); | |
398 | 396 | } |
399 | 397 | |
400 | 398 | smp_key_distribution_by_transport(p_cb, NULL); |
@@ -917,7 +915,7 @@ void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { | ||
917 | 915 | ******************************************************************************/ |
918 | 916 | void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { |
919 | 917 | uint8_t* p = (uint8_t*)p_data; |
920 | - tBTM_LE_PENC_KEYS le_key; | |
918 | + tBTM_LE_KEY_VALUE le_key; | |
921 | 919 | |
922 | 920 | SMP_TRACE_DEBUG("%s", __func__); |
923 | 921 |
@@ -930,18 +928,17 @@ void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { | ||
930 | 928 | |
931 | 929 | smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true); |
932 | 930 | |
933 | - STREAM_TO_UINT16(le_key.ediv, p); | |
934 | - STREAM_TO_ARRAY(le_key.rand, p, BT_OCTET8_LEN); | |
931 | + STREAM_TO_UINT16(le_key.penc_key.ediv, p); | |
932 | + STREAM_TO_ARRAY(le_key.penc_key.rand, p, BT_OCTET8_LEN); | |
935 | 933 | |
936 | 934 | /* store the encryption keys from peer device */ |
937 | - memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
938 | - le_key.sec_level = p_cb->sec_level; | |
939 | - le_key.key_size = p_cb->loc_enc_size; | |
935 | + memcpy(le_key.penc_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
936 | + le_key.penc_key.sec_level = p_cb->sec_level; | |
937 | + le_key.penc_key.key_size = p_cb->loc_enc_size; | |
940 | 938 | |
941 | 939 | if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && |
942 | 940 | (p_cb->loc_auth_req & SMP_AUTH_BOND)) |
943 | - btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, | |
944 | - (tBTM_LE_KEY_VALUE*)&le_key, true); | |
941 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &le_key, true); | |
945 | 942 | |
946 | 943 | smp_key_distribution(p_cb, NULL); |
947 | 944 | } |
@@ -972,25 +969,24 @@ void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { | ||
972 | 969 | ******************************************************************************/ |
973 | 970 | void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { |
974 | 971 | uint8_t* p = (uint8_t*)p_data; |
975 | - tBTM_LE_PID_KEYS pid_key; | |
972 | + tBTM_LE_KEY_VALUE pid_key; | |
976 | 973 | |
977 | 974 | SMP_TRACE_DEBUG("%s", __func__); |
978 | 975 | smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true); |
979 | 976 | |
980 | - STREAM_TO_UINT8(pid_key.addr_type, p); | |
981 | - STREAM_TO_BDADDR(pid_key.static_addr, p); | |
982 | - memcpy(pid_key.irk, p_cb->tk, BT_OCTET16_LEN); | |
977 | + STREAM_TO_UINT8(pid_key.pid_key.addr_type, p); | |
978 | + STREAM_TO_BDADDR(pid_key.pid_key.static_addr, p); | |
979 | + memcpy(pid_key.pid_key.irk, p_cb->tk, BT_OCTET16_LEN); | |
983 | 980 | |
984 | 981 | /* to use as BD_ADDR for lk derived from ltk */ |
985 | 982 | p_cb->id_addr_rcvd = true; |
986 | - p_cb->id_addr_type = pid_key.addr_type; | |
987 | - p_cb->id_addr = pid_key.static_addr; | |
983 | + p_cb->id_addr_type = pid_key.pid_key.addr_type; | |
984 | + p_cb->id_addr = pid_key.pid_key.static_addr; | |
988 | 985 | |
989 | 986 | /* store the ID key from peer device */ |
990 | 987 | if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && |
991 | 988 | (p_cb->loc_auth_req & SMP_AUTH_BOND)) |
992 | - btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, | |
993 | - (tBTM_LE_KEY_VALUE*)&pid_key, true); | |
989 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, &pid_key, true); | |
994 | 990 | smp_key_distribution_by_transport(p_cb, NULL); |
995 | 991 | } |
996 | 992 |
@@ -999,24 +995,23 @@ void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { | ||
999 | 995 | * Description process security information from peer device |
1000 | 996 | ******************************************************************************/ |
1001 | 997 | void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { |
1002 | - tBTM_LE_PCSRK_KEYS le_key; | |
998 | + tBTM_LE_KEY_VALUE le_key; | |
1003 | 999 | |
1004 | 1000 | SMP_TRACE_DEBUG("%s", __func__); |
1005 | 1001 | smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true); |
1006 | 1002 | |
1007 | 1003 | /* save CSRK to security record */ |
1008 | - le_key.sec_level = p_cb->sec_level; | |
1004 | + le_key.pcsrk_key.sec_level = p_cb->sec_level; | |
1009 | 1005 | |
1010 | 1006 | /* get peer CSRK */ |
1011 | - maybe_non_aligned_memcpy(le_key.csrk, p_data, BT_OCTET16_LEN); | |
1007 | + maybe_non_aligned_memcpy(le_key.pcsrk_key.csrk, p_data, BT_OCTET16_LEN); | |
1012 | 1008 | |
1013 | 1009 | /* initialize the peer counter */ |
1014 | - le_key.counter = 0; | |
1010 | + le_key.pcsrk_key.counter = 0; | |
1015 | 1011 | |
1016 | 1012 | if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && |
1017 | 1013 | (p_cb->loc_auth_req & SMP_AUTH_BOND)) |
1018 | - btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK, | |
1019 | - (tBTM_LE_KEY_VALUE*)&le_key, true); | |
1014 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK, &le_key, true); | |
1020 | 1015 | smp_key_distribution_by_transport(p_cb, NULL); |
1021 | 1016 | } |
1022 | 1017 |
@@ -1427,25 +1427,23 @@ bool smp_check_commitment(tSMP_CB* p_cb) { | ||
1427 | 1427 | * |
1428 | 1428 | ******************************************************************************/ |
1429 | 1429 | void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) { |
1430 | - tBTM_LE_LENC_KEYS lle_key; | |
1431 | - tBTM_LE_PENC_KEYS ple_key; | |
1430 | + tBTM_LE_KEY_VALUE lle_key; | |
1431 | + tBTM_LE_KEY_VALUE ple_key; | |
1432 | 1432 | |
1433 | 1433 | SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__); |
1434 | - memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
1435 | - lle_key.div = 0; | |
1436 | - lle_key.key_size = p_cb->loc_enc_size; | |
1437 | - lle_key.sec_level = p_cb->sec_level; | |
1438 | - btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, | |
1439 | - (tBTM_LE_KEY_VALUE*)&lle_key, true); | |
1434 | + memcpy(lle_key.lenc_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
1435 | + lle_key.lenc_key.div = 0; | |
1436 | + lle_key.lenc_key.key_size = p_cb->loc_enc_size; | |
1437 | + lle_key.lenc_key.sec_level = p_cb->sec_level; | |
1438 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &lle_key, true); | |
1440 | 1439 | |
1441 | 1440 | SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__); |
1442 | - ple_key.ediv = 0; | |
1443 | - memset(ple_key.rand, 0, BT_OCTET8_LEN); | |
1444 | - memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
1445 | - ple_key.sec_level = p_cb->sec_level; | |
1446 | - ple_key.key_size = p_cb->loc_enc_size; | |
1447 | - btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, | |
1448 | - (tBTM_LE_KEY_VALUE*)&ple_key, true); | |
1441 | + ple_key.penc_key.ediv = 0; | |
1442 | + memset(ple_key.penc_key.rand, 0, BT_OCTET8_LEN); | |
1443 | + memcpy(ple_key.penc_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
1444 | + ple_key.penc_key.sec_level = p_cb->sec_level; | |
1445 | + ple_key.penc_key.key_size = p_cb->loc_enc_size; | |
1446 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &ple_key, true); | |
1449 | 1447 | } |
1450 | 1448 | |
1451 | 1449 | /******************************************************************************* |