update new sdk
parent
f33907443a
commit
744c72c133
1643 changed files with 83006 additions and 28021 deletions
8
android/system/bt/bta/av/bta_av_act.cc
Normal file → Executable file
8
android/system/bt/bta/av/bta_av_act.cc
Normal file → Executable file
|
@ -34,6 +34,7 @@
|
|||
#include "bta_av_api.h"
|
||||
#include "bta_av_int.h"
|
||||
#include "l2c_api.h"
|
||||
#include "log/log.h"
|
||||
#include "osi/include/list.h"
|
||||
#include "osi/include/log.h"
|
||||
#include "osi/include/osi.h"
|
||||
|
@ -775,11 +776,16 @@ tBTA_AV_EVT bta_av_proc_meta_cmd(tAVRC_RESPONSE* p_rc_rsp,
|
|||
case AVRC_PDU_GET_CAPABILITIES:
|
||||
/* process GetCapabilities command without reporting the event to app */
|
||||
evt = 0;
|
||||
if (p_vendor->vendor_len != 5) {
|
||||
android_errorWriteLog(0x534e4554, "111893951");
|
||||
p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR;
|
||||
break;
|
||||
}
|
||||
u8 = *(p_vendor->p_vendor_data + 4);
|
||||
p = p_vendor->p_vendor_data + 2;
|
||||
p_rc_rsp->get_caps.capability_id = u8;
|
||||
BE_STREAM_TO_UINT16(u16, p);
|
||||
if ((u16 != 1) || (p_vendor->vendor_len != 5)) {
|
||||
if (u16 != 1) {
|
||||
p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR;
|
||||
} else {
|
||||
p_rc_rsp->get_caps.status = AVRC_STS_NO_ERROR;
|
||||
|
|
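Review bot: The literal `5` in the new `p_vendor->vendor_len != 5` guard of the AVRC_PDU_GET_CAPABILITIES case carries the whole safety argument for the two reads that follow (`p_vendor_data + 4` and the 16-bit read at `+ 2`), yet nothing says what it stands for. A comment such as `/* presumably pdu(1) + pkt_type(1) + param_len(2) + capability_id(1) */`, once confirmed against the AVRCP layout, would let a reader check the offsets against the length. The guard does not test `p_vendor->p_vendor_data` for NULL; whether this case can be reached with a non-zero length and a NULL pointer is not visible here. The case body continues past the end of the hunk.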
30
android/system/bt/bta/dm/bta_dm_act.cc
Normal file → Executable file
30
android/system/bt/bta/dm/bta_dm_act.cc
Normal file → Executable file
|
@ -28,6 +28,7 @@
|
|||
#include <base/bind.h>
|
||||
#include <base/callback.h>
|
||||
#include <base/logging.h>
|
||||
#include <cutils/log.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "bt_common.h"
|
||||
|
@ -146,6 +147,8 @@ static void bta_dm_ctrl_features_rd_cmpl_cback(tBTM_STATUS result);
|
|||
#define BTA_DM_SWITCH_DELAY_TIMER_MS 500
|
||||
#endif
|
||||
|
||||
#define BTA_MAX_SERVICES 32
|
||||
|
||||
static void bta_dm_reset_sec_dev_pending(const RawAddress& remote_bd_addr);
|
||||
static void bta_dm_remove_sec_dev_entry(const RawAddress& remote_bd_addr);
|
||||
static void bta_dm_observe_results_cb(tBTM_INQ_RESULTS* p_inq, uint8_t* p_eir,
|
||||
|
@ -1486,7 +1489,7 @@ void bta_dm_sdp_result(tBTA_DM_MSG* p_data) {
|
|||
tBT_UUID service_uuid;
|
||||
|
||||
uint32_t num_uuids = 0;
|
||||
uint8_t uuid_list[32][MAX_UUID_SIZE]; // assuming a max of 32 services
|
||||
uint8_t uuid_list[BTA_MAX_SERVICES][MAX_UUID_SIZE]; // assuming a max of 32 services
|
||||
|
||||
if ((p_data->sdp_event.sdp_result == SDP_SUCCESS) ||
|
||||
(p_data->sdp_event.sdp_result == SDP_NO_RECS_MATCH) ||
|
||||
|
@ -1554,8 +1557,12 @@ void bta_dm_sdp_result(tBTA_DM_MSG* p_data) {
|
|||
bta_service_id_to_uuid_lkup_tbl[bta_dm_search_cb.service_index -
|
||||
1];
|
||||
/* Add to the list of UUIDs */
|
||||
sdpu_uuid16_to_uuid128(tmp_svc, uuid_list[num_uuids]);
|
||||
num_uuids++;
|
||||
if (num_uuids < BTA_MAX_SERVICES) {
|
||||
sdpu_uuid16_to_uuid128(tmp_svc, uuid_list[num_uuids]);
|
||||
num_uuids++;
|
||||
} else {
|
||||
android_errorWriteLog(0x534e4554, "74016921");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1587,8 +1594,12 @@ void bta_dm_sdp_result(tBTA_DM_MSG* p_data) {
|
|||
SDP_FindServiceInDb_128bit(bta_dm_search_cb.p_sdp_db, p_sdp_rec);
|
||||
if (p_sdp_rec) {
|
||||
if (SDP_FindServiceUUIDInRec_128bit(p_sdp_rec, &temp_uuid)) {
|
||||
memcpy(uuid_list[num_uuids], temp_uuid.uu.uuid128, MAX_UUID_SIZE);
|
||||
num_uuids++;
|
||||
if (num_uuids < BTA_MAX_SERVICES) {
|
||||
memcpy(uuid_list[num_uuids], temp_uuid.uu.uuid128, MAX_UUID_SIZE);
|
||||
num_uuids++;
|
||||
} else {
|
||||
android_errorWriteLog(0x534e4554, "74016921");
|
||||
}
|
||||
}
|
||||
}
|
||||
} while (p_sdp_rec);
|
||||
|
@ -3255,11 +3266,14 @@ static void bta_dm_remove_sec_dev_entry(const RawAddress& remote_bd_addr) {
|
|||
}
|
||||
}
|
||||
} else {
|
||||
BTM_SecDeleteDevice(remote_bd_addr);
|
||||
// remote_bd_addr comes from security record, which is removed in
|
||||
// BTM_SecDeleteDevice.
|
||||
RawAddress addr_copy = remote_bd_addr;
|
||||
BTM_SecDeleteDevice(addr_copy);
|
||||
/* need to remove all pending background connection */
|
||||
BTA_GATTC_CancelOpen(0, remote_bd_addr, false);
|
||||
BTA_GATTC_CancelOpen(0, addr_copy, false);
|
||||
/* remove all cached GATT information */
|
||||
BTA_GATTC_Refresh(remote_bd_addr);
|
||||
BTA_GATTC_Refresh(addr_copy);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
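Review bot: Once `num_uuids` reaches `BTA_MAX_SERVICES`, both new `else` branches in bta_dm_sdp_result only write the log event while the surrounding loops keep running, so every further matching record writes the same event again and the result is delivered with a silently truncated UUID list. In the `do { ... } while (p_sdp_rec)` loop a `break;` after `android_errorWriteLog(0x534e4554, "74016921");` would stop the scan at the first overflow, provided nothing else in the loop body depends on later records, which the hunk does not show. The trailing comment on the array, `// assuming a max of 32 services`, now only repeats the constant's value and would read better as `// capped at BTA_MAX_SERVICES; further UUIDs are dropped`.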
29
android/system/bt/bta/hd/bta_hd_act.cc
Normal file → Executable file
29
android/system/bt/bta/hd/bta_hd_act.cc
Normal file → Executable file
|
@ -36,6 +36,7 @@
|
|||
#include "bta_sys.h"
|
||||
#include "btm_api.h"
|
||||
|
||||
#include "log/log.h"
|
||||
#include "osi/include/osi.h"
|
||||
|
||||
static void bta_hd_cback(const RawAddress& bd_addr, uint8_t event,
|
||||
|
@ -504,6 +505,10 @@ extern void bta_hd_intr_data_act(tBTA_HD_DATA* p_data) {
|
|||
APPL_TRACE_API("%s", __func__);
|
||||
|
||||
if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
|
||||
if (len < 1) {
|
||||
android_errorWriteLog(0x534e4554, "109757986");
|
||||
return;
|
||||
}
|
||||
ret.report_id = *p_buf;
|
||||
|
||||
len--;
|
||||
|
@ -536,15 +541,31 @@ extern void bta_hd_get_report_act(tBTA_HD_DATA* p_data) {
|
|||
|
||||
APPL_TRACE_API("%s", __func__);
|
||||
|
||||
uint16_t remaining_len = p_msg->len;
|
||||
if (remaining_len < 1) {
|
||||
android_errorWriteLog(0x534e4554, "109757168");
|
||||
return;
|
||||
}
|
||||
|
||||
ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
|
||||
p_buf++;
|
||||
remaining_len--;
|
||||
|
||||
if (bta_hd_cb.use_report_id) {
|
||||
if (remaining_len < 1) {
|
||||
android_errorWriteLog(0x534e4554, "109757168");
|
||||
return;
|
||||
}
|
||||
ret.report_id = *p_buf;
|
||||
p_buf++;
|
||||
remaining_len--;
|
||||
}
|
||||
|
||||
if (rep_size_follows) {
|
||||
if (remaining_len < 2) {
|
||||
android_errorWriteLog(0x534e4554, "109757168");
|
||||
return;
|
||||
}
|
||||
ret.buffer_size = *p_buf | (*(p_buf + 1) << 8);
|
||||
}
|
||||
|
||||
|
@ -569,11 +590,19 @@ extern void bta_hd_set_report_act(tBTA_HD_DATA* p_data) {
|
|||
|
||||
APPL_TRACE_API("%s", __func__);
|
||||
|
||||
if (len < 1) {
|
||||
android_errorWriteLog(0x534e4554, "110846194");
|
||||
return;
|
||||
}
|
||||
ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
|
||||
p_buf++;
|
||||
len--;
|
||||
|
||||
if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
|
||||
if (len < 1) {
|
||||
android_errorWriteLog(0x534e4554, "109757435");
|
||||
return;
|
||||
}
|
||||
ret.report_id = *p_buf;
|
||||
|
||||
len--;
|
||||
|
|
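Review bot: The new short-packet exits in bta_hd_intr_data_act, bta_hd_get_report_act and bta_hd_set_report_act return after the log event alone, with no trace line and, as far as the hunks show, no callback or reply, so a truncated report is dropped with nothing in the ordinary Bluetooth log to explain it. A trace line before each `return`, for example `APPL_TRACE_ERROR("%s: packet too short, len=%d", __func__, len);` (with `remaining_len` in bta_hd_get_report_act), would make the drop diagnosable. Whether `p_data` has to be released or the peer answered on these paths depends on code outside the hunks. In bta_hd_get_report_act the three checks share one event id, so the log cannot tell which field was missing.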
34
android/system/bt/bta/pan/bta_pan_act.cc
Normal file → Executable file
34
android/system/bt/bta/pan/bta_pan_act.cc
Normal file → Executable file
|
@ -171,31 +171,25 @@ static void bta_pan_data_flow_cb(uint16_t handle, tPAN_RESULT result) {
|
|||
static void bta_pan_data_buf_ind_cback(uint16_t handle, const RawAddress& src,
|
||||
const RawAddress& dst, uint16_t protocol,
|
||||
BT_HDR* p_buf, bool ext, bool forward) {
|
||||
tBTA_PAN_SCB* p_scb;
|
||||
BT_HDR* p_new_buf;
|
||||
|
||||
p_scb = bta_pan_scb_by_handle(handle);
|
||||
tBTA_PAN_SCB* p_scb = bta_pan_scb_by_handle(handle);
|
||||
if (p_scb == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
|
||||
/* offset smaller than data structure in front of actual data */
|
||||
if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
|
||||
PAN_BUF_SIZE) {
|
||||
android_errorWriteLog(0x534e4554, "63146237");
|
||||
APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
|
||||
p_buf->len);
|
||||
return;
|
||||
}
|
||||
p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);
|
||||
memcpy((uint8_t*)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
|
||||
(uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
|
||||
p_new_buf->len = p_buf->len;
|
||||
p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
|
||||
} else {
|
||||
p_new_buf = p_buf;
|
||||
if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
|
||||
PAN_BUF_SIZE) {
|
||||
android_errorWriteLog(0x534e4554, "63146237");
|
||||
APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
|
||||
p_buf->len);
|
||||
return;
|
||||
}
|
||||
|
||||
BT_HDR* p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);
|
||||
memcpy((uint8_t*)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
|
||||
(uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
|
||||
p_new_buf->len = p_buf->len;
|
||||
p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
|
||||
|
||||
/* copy params into the space before the data */
|
||||
((tBTA_PAN_DATA_PARAMS*)p_new_buf)->src = src;
|
||||
((tBTA_PAN_DATA_PARAMS*)p_new_buf)->dst = dst;
|
||||
|
|
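Review bot: With the `p_new_buf = p_buf` branch gone, bta_pan_data_buf_ind_cback always copies into a fresh `osi_malloc(PAN_BUF_SIZE)` buffer, and nothing in the new body states who releases `p_buf` afterwards, including on the two early `return` paths. If the caller keeps ownership, a comment at the top of the function such as `/* p_buf stays owned by the caller; this function only copies out of it */` would settle it; if the callback owns `p_buf`, every path needs an `osi_free(p_buf)`. The size check bounds the write into the new buffer by `p_buf->len` only, while the `memcpy` source also depends on `p_buf->offset`, which is not validated in the visible lines. The function continues past the end of the hunk.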
11
android/system/bt/btif/src/btif_av.cc
Normal file → Executable file
11
android/system/bt/btif/src/btif_av.cc
Normal file → Executable file
|
@ -1180,6 +1180,14 @@ void btif_av_event_deep_copy(uint16_t event, char* p_dest, char* p_src) {
|
|||
memcpy(p_msg_dest->vendor.p_vendor_data,
|
||||
p_msg_src->vendor.p_vendor_data, p_msg_src->vendor.vendor_len);
|
||||
}
|
||||
if ((p_msg_src->hdr.opcode == AVRC_OP_BROWSE) &&
|
||||
p_msg_src->browse.p_browse_data && p_msg_src->browse.browse_len) {
|
||||
p_msg_dest->browse.p_browse_data =
|
||||
(uint8_t*)osi_calloc(p_msg_src->browse.browse_len);
|
||||
memcpy(p_msg_dest->browse.p_browse_data,
|
||||
p_msg_src->browse.p_browse_data, p_msg_src->browse.browse_len);
|
||||
android_errorWriteLog(0x534e4554, "109699112");
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
|
@ -1198,6 +1206,9 @@ static void btif_av_event_free_data(btif_sm_event_t event, void* p_data) {
|
|||
if (av->meta_msg.p_msg->hdr.opcode == AVRC_OP_VENDOR) {
|
||||
osi_free(av->meta_msg.p_msg->vendor.p_vendor_data);
|
||||
}
|
||||
if (av->meta_msg.p_msg->hdr.opcode == AVRC_OP_BROWSE) {
|
||||
osi_free(av->meta_msg.p_msg->browse.p_browse_data);
|
||||
}
|
||||
osi_free_and_reset((void**)&av->meta_msg.p_msg);
|
||||
}
|
||||
} break;
|
||||
|
|
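Review bot: In btif_av_event_deep_copy the added `android_errorWriteLog(0x534e4554, "109699112");` sits on the normal path of the browse copy, so it fires for every AVRC_OP_BROWSE message that carries data rather than for a malformed one; an event that is always written cannot flag anything, and the line should move behind a failure condition or be dropped. The matching free in btif_av_event_free_data releases `browse.p_browse_data` whenever the opcode is AVRC_OP_BROWSE, while the copy allocates only when the source pointer and `browse_len` are both non-zero. If the destination message starts as a byte copy of the source (not visible in the hunk), a message with a pointer but zero length would leave the source's pointer in the copy and the free would release memory the copy does not own; setting `p_msg_dest->browse.p_browse_data = NULL;` before the `if` would close that.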
19
android/system/bt/btif/src/btif_hf.cc
Normal file → Executable file
19
android/system/bt/btif/src/btif_hf.cc
Normal file → Executable file
|
@ -33,6 +33,7 @@
|
|||
|
||||
#include <hardware/bluetooth.h>
|
||||
#include <hardware/bt_hf.h>
|
||||
#include <log/log.h>
|
||||
|
||||
#include "bta/include/utl.h"
|
||||
#include "bta_ag_api.h"
|
||||
|
@ -1198,13 +1199,20 @@ static bt_status_t clcc_response(int index, bthf_call_direction_t dir,
|
|||
dialnum[newidx++] = '+';
|
||||
}
|
||||
for (size_t i = 0; number[i] != 0; i++) {
|
||||
if (newidx >= (sizeof(dialnum) - res_strlen - 1)) {
|
||||
android_errorWriteLog(0x534e4554, "79266386");
|
||||
break;
|
||||
}
|
||||
if (utl_isdialchar(number[i])) {
|
||||
dialnum[newidx++] = number[i];
|
||||
}
|
||||
}
|
||||
dialnum[newidx] = 0;
|
||||
snprintf(&ag_res.str[res_strlen], rem_bytes, ",\"%s\",%d", dialnum,
|
||||
type);
|
||||
// Reserve 5 bytes for ["][,][3_digit_type]
|
||||
snprintf(&ag_res.str[res_strlen], rem_bytes - 5, ",\"%s", dialnum);
|
||||
std::stringstream remaining_string;
|
||||
remaining_string << "\"," << type;
|
||||
strncat(&ag_res.str[res_strlen], remaining_string.str().c_str(), 5);
|
||||
}
|
||||
}
|
||||
BTA_AgResult(btif_hf_cb[idx].handle, BTA_AG_CLCC_RES, &ag_res);
|
||||
|
@ -1357,6 +1365,13 @@ static bt_status_t phone_state_change(int num_active, int num_held,
|
|||
else
|
||||
xx = snprintf(ag_res.str, sizeof(ag_res.str), "\"%s\"", number);
|
||||
ag_res.num = type;
|
||||
// 5 = [,][3_digit_type][null_terminator]
|
||||
if (xx > static_cast<int>(sizeof(ag_res.str) - 5)) {
|
||||
android_errorWriteLog(0x534e4554, "79431031");
|
||||
xx = sizeof(ag_res.str) - 5;
|
||||
// Null terminating the string
|
||||
memset(&ag_res.str[xx], 0, 5);
|
||||
}
|
||||
|
||||
if (res == BTA_AG_CALL_WAIT_RES)
|
||||
snprintf(&ag_res.str[xx], sizeof(ag_res.str) - xx, ",%d", type);
|
||||
|
|
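Review bot: In clcc_response the size passed to the new `snprintf(&ag_res.str[res_strlen], rem_bytes - 5, ",\"%s", dialnum)` is computed without checking that `rem_bytes` exceeds 5; if it can be smaller, the subtraction goes negative or wraps (the type of `rem_bytes` is outside the hunk) and the following `strncat` still appends up to five characters plus the terminator. A guard such as `if (rem_bytes <= 5) { /* log and skip the number */ }` before the two calls would make the reservation explicit. The loop bound `sizeof(dialnum) - res_strlen - 1` mixes the size of `dialnum` with an offset into `ag_res.str`, which holds only if `res_strlen` stays below `sizeof(dialnum)` and the two buffers are sized alike; a comment saying so would help. `std::stringstream` is used here while the include hunk for this file adds only log/log.h, so the sstream header must already be pulled in elsewhere.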
7
android/system/bt/btif/src/btif_rc.cc
Normal file → Executable file
7
android/system/bt/btif/src/btif_rc.cc
Normal file → Executable file
|
@ -45,6 +45,7 @@
|
|||
#include "btif_util.h"
|
||||
#include "btu.h"
|
||||
#include "device/include/interop.h"
|
||||
#include "log/log.h"
|
||||
#include "osi/include/list.h"
|
||||
#include "osi/include/osi.h"
|
||||
#include "osi/include/properties.h"
|
||||
|
@ -3502,6 +3503,12 @@ static void handle_app_cur_val_response(tBTA_AV_META_MSG* pmeta_msg,
|
|||
RawAddress rc_addr = p_dev->rc_addr;
|
||||
|
||||
app_settings.num_attr = p_rsp->num_val;
|
||||
|
||||
if (app_settings.num_attr > BTRC_MAX_APP_SETTINGS) {
|
||||
android_errorWriteLog(0x534e4554, "73824150");
|
||||
app_settings.num_attr = BTRC_MAX_APP_SETTINGS;
|
||||
}
|
||||
|
||||
for (xx = 0; xx < app_settings.num_attr; xx++) {
|
||||
app_settings.attr_ids[xx] = p_rsp->p_vals[xx].attr_id;
|
||||
app_settings.attr_values[xx] = p_rsp->p_vals[xx].attr_val;
|
||||
|
|
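Review bot: The clamp added in handle_app_cur_val_response bounds the writes into `app_settings.attr_ids` and `app_settings.attr_values`, but the loop below it still dereferences `p_rsp->p_vals[xx]` and relies on the parser having allocated `num_val` entries there. A check such as `if (p_rsp->num_val != 0 && p_rsp->p_vals == NULL) return;` ahead of the loop, or a comment stating where `p_vals` is allocated and sized, would make that assumption explicit. The function continues past the end of the hunk.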
4
android/system/bt/btif/src/btif_storage.cc
Normal file → Executable file
4
android/system/bt/btif/src/btif_storage.cc
Normal file → Executable file
|
@ -235,6 +235,10 @@ static int prop2cfg(const RawAddress* remote_bd_addr, bt_property_t* prop) {
|
|||
bt_uuid_t* p_uuid = (bt_uuid_t*)prop->val + i;
|
||||
memset(buf, 0, sizeof(buf));
|
||||
uuid_to_string_legacy(p_uuid, buf, sizeof(buf));
|
||||
if (strlen(value) + strlen(buf) + 1 > (int) sizeof(value) - 1) {
|
||||
android_errorWriteLog(0x534e4554, "73963551");
|
||||
return false;
|
||||
}
|
||||
strcat(value, buf);
|
||||
// strcat(value, ";");
|
||||
strcat(value, " ");
|
||||
|
|
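Review bot: The new bound in prop2cfg, `strlen(value) + strlen(buf) + 1 > (int) sizeof(value) - 1`, compares an unsigned `size_t` sum with a signed `int`; the cast adds nothing and invites a sign-compare warning, so `if (strlen(value) + strlen(buf) + 1 > sizeof(value) - 1) {` is the cleaner form. The function is declared `static int` but the new exit is `return false;`, which is consistent only if the other exits use `true`/`false` too (not visible here). Returning at the first UUID that does not fit also appears to discard the UUIDs already appended to `value` rather than storing the shortened list; if that is intended, a comment should say so. The loop body continues outside the hunk.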
|
@ -75,6 +75,7 @@ cc_library_shared {
|
|||
required: [
|
||||
"bt_did.conf",
|
||||
"bt_stack.conf",
|
||||
"bt_vendor.conf",
|
||||
"libbt-hci",
|
||||
"libldacBT_enc",
|
||||
"libldacBT_abr",
|
||||
|
|
15
android/system/bt/stack/avct/avct_bcb_act.cc
Normal file → Executable file
15
android/system/bt/stack/avct/avct_bcb_act.cc
Normal file → Executable file
|
@ -25,6 +25,7 @@
|
|||
*
|
||||
*****************************************************************************/
|
||||
|
||||
#include <log/log.h>
|
||||
#include <string.h>
|
||||
#include "avct_api.h"
|
||||
#include "avct_int.h"
|
||||
|
@ -68,6 +69,12 @@ static BT_HDR* avct_bcb_msg_asmbl(UNUSED_ATTR tAVCT_BCB* p_bcb, BT_HDR* p_buf) {
|
|||
uint8_t* p;
|
||||
uint8_t pkt_type;
|
||||
|
||||
if (p_buf->len == 0) {
|
||||
osi_free_and_reset((void**)&p_buf);
|
||||
android_errorWriteLog(0x534e4554, "79944113");
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
/* parse the message header */
|
||||
p = (uint8_t*)(p_buf + 1) + p_buf->offset;
|
||||
pkt_type = AVCT_PKT_TYPE(p);
|
||||
|
@ -520,6 +527,14 @@ void avct_bcb_msg_ind(tAVCT_BCB* p_bcb, tAVCT_LCB_EVT* p_data) {
|
|||
return;
|
||||
}
|
||||
|
||||
if (p_data->p_buf->len < AVCT_HDR_LEN_SINGLE) {
|
||||
AVCT_TRACE_WARNING("Invalid AVCTP packet length %d: must be at least %d",
|
||||
p_data->p_buf->len, AVCT_HDR_LEN_SINGLE);
|
||||
osi_free_and_reset((void**)&p_data->p_buf);
|
||||
android_errorWriteLog(0x534e4554, "79944113");
|
||||
return;
|
||||
}
|
||||
|
||||
p = (uint8_t*)(p_data->p_buf + 1) + p_data->p_buf->offset;
|
||||
|
||||
/* parse header byte */
|
||||
|
|
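Review bot: In avct_bcb_msg_asmbl the new zero-length exit calls `osi_free_and_reset((void**)&p_buf)` on the by-value parameter, so the buffer is released but only the local copy of the pointer is cleared; the caller's pointer still refers to freed memory after the `nullptr` return. The function's header comment should state that `p_buf` is consumed on this path, e.g. `/* p_buf is freed here; the caller must not touch it after a nullptr return */`, and plain `osi_free(p_buf);` would say the same thing without suggesting the caller's pointer is reset. The `len == 0` test covers only the first header byte read by `AVCT_PKT_TYPE(p)`; whether later reads in this function need more bytes is outside the hunk.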
11
android/system/bt/stack/avdt/avdt_msg.cc
Normal file → Executable file
11
android/system/bt/stack/avdt/avdt_msg.cc
Normal file → Executable file
|
@ -26,6 +26,7 @@
|
|||
*
|
||||
******************************************************************************/
|
||||
|
||||
#include <log/log.h>
|
||||
#include <string.h>
|
||||
#include "avdt_api.h"
|
||||
#include "avdt_int.h"
|
||||
|
@ -602,6 +603,11 @@ static uint8_t avdt_msg_prs_cfg(tAVDT_CFG* p_cfg, uint8_t* p, uint16_t len,
|
|||
|
||||
case AVDT_CAT_PROTECT:
|
||||
p_cfg->psc_mask &= ~AVDT_PSC_PROTECT;
|
||||
if (p + elem_len > p_end) {
|
||||
err = AVDT_ERR_LENGTH;
|
||||
android_errorWriteLog(0x534e4554, "78288378");
|
||||
break;
|
||||
}
|
||||
if ((elem_len + protect_offset) < AVDT_PROTECT_SIZE) {
|
||||
p_cfg->num_protect++;
|
||||
p_cfg->protect_info[protect_offset] = elem_len;
|
||||
|
@ -622,6 +628,11 @@ static uint8_t avdt_msg_prs_cfg(tAVDT_CFG* p_cfg, uint8_t* p, uint16_t len,
|
|||
if (elem_len >= AVDT_CODEC_SIZE) {
|
||||
tmp = AVDT_CODEC_SIZE - 1;
|
||||
}
|
||||
if (p + tmp > p_end) {
|
||||
err = AVDT_ERR_LENGTH;
|
||||
android_errorWriteLog(0x534e4554, "78288378");
|
||||
break;
|
||||
}
|
||||
p_cfg->num_codec++;
|
||||
p_cfg->codec_info[0] = elem_len;
|
||||
memcpy(&p_cfg->codec_info[1], p, tmp);
|
||||
|
|
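Review bot: Both new bounds checks in avdt_msg_prs_cfg, `p + elem_len > p_end` and `p + tmp > p_end`, form a pointer beyond the end of the buffer before comparing it, which is undefined behaviour whenever the element length overruns the message by more than one byte, so a compiler may drop the check. Comparing lengths keeps the arithmetic inside the buffer, assuming `p` never passes `p_end`: `if (elem_len > p_end - p) {` and `if (tmp > p_end - p) {`. In the AVDT_CAT_PROTECT case the `psc_mask` bit is cleared before the length check, so a rejected element still changes `p_cfg`; whether callers read `p_cfg` after an error is not visible here.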
36
android/system/bt/stack/avrc/avrc_api.cc
Normal file → Executable file
36
android/system/bt/stack/avrc/avrc_api.cc
Normal file → Executable file
|
@ -24,6 +24,8 @@
|
|||
#include <base/logging.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <log/log.h>
|
||||
|
||||
#include "avrc_api.h"
|
||||
#include "avrc_int.h"
|
||||
#include "bt_common.h"
|
||||
|
@ -425,15 +427,15 @@ static BT_HDR* avrc_proc_vendor_command(uint8_t handle, uint8_t label,
|
|||
}
|
||||
|
||||
if (status != AVRC_STS_NO_ERROR) {
|
||||
/* use the current GKI buffer to build/send the reject message */
|
||||
p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
|
||||
p_rsp = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
|
||||
p_rsp->offset = p_pkt->offset;
|
||||
p_data = (uint8_t*)(p_rsp + 1) + p_pkt->offset;
|
||||
*p_data++ = AVRC_RSP_REJ;
|
||||
p_data += AVRC_VENDOR_HDR_SIZE; /* pdu */
|
||||
*p_data++ = 0; /* pkt_type */
|
||||
UINT16_TO_BE_STREAM(p_data, 1); /* len */
|
||||
*p_data++ = status; /* error code */
|
||||
p_pkt->len = AVRC_VENDOR_HDR_SIZE + 5;
|
||||
p_rsp = p_pkt;
|
||||
p_rsp->len = AVRC_VENDOR_HDR_SIZE + 5;
|
||||
}
|
||||
|
||||
return p_rsp;
|
||||
|
@ -574,6 +576,7 @@ static uint8_t avrc_proc_far_msg(uint8_t handle, uint8_t label, uint8_t cr,
|
|||
p_rsp = avrc_proc_vendor_command(handle, label, *pp_pkt, p_msg);
|
||||
if (p_rsp) {
|
||||
AVCT_MsgReq(handle, label, AVCT_RSP, p_rsp);
|
||||
osi_free_and_reset((void**)pp_pkt);
|
||||
drop_code = 3;
|
||||
} else if (p_msg->hdr.opcode == AVRC_OP_DROP) {
|
||||
drop_code = 1;
|
||||
|
@ -662,6 +665,13 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
|
|||
msg.browse.browse_len = p_pkt->len;
|
||||
msg.browse.p_browse_pkt = p_pkt;
|
||||
} else {
|
||||
if (p_pkt->len < AVRC_AVC_HDR_SIZE) {
|
||||
android_errorWriteLog(0x534e4554, "111803925");
|
||||
AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
|
||||
__func__, p_pkt->len, AVRC_AVC_HDR_SIZE);
|
||||
osi_free(p_pkt);
|
||||
return;
|
||||
}
|
||||
msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK;
|
||||
AVRC_TRACE_DEBUG("%s handle:%d, ctype:%d, offset:%d, len: %d", __func__,
|
||||
handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
|
||||
|
@ -695,6 +705,15 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
|
|||
p_drop_msg = "auto respond";
|
||||
} else {
|
||||
/* parse response */
|
||||
if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) {
|
||||
AVRC_TRACE_WARNING(
|
||||
"%s: message length %d too short: must be at least %d",
|
||||
__func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
|
||||
android_errorWriteLog(0x534e4554, "79883824");
|
||||
drop = true;
|
||||
p_drop_msg = "UNIT_INFO_RSP too short";
|
||||
break;
|
||||
}
|
||||
p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
|
||||
msg.unit.unit_type =
|
||||
(*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
|
||||
|
@ -724,6 +743,15 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
|
|||
p_drop_msg = "auto responded";
|
||||
} else {
|
||||
/* parse response */
|
||||
if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) {
|
||||
AVRC_TRACE_WARNING(
|
||||
"%s: message length %d too short: must be at least %d",
|
||||
__func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
|
||||
android_errorWriteLog(0x534e4554, "79883824");
|
||||
drop = true;
|
||||
p_drop_msg = "SUB_UNIT_INFO_RSP too short";
|
||||
break;
|
||||
}
|
||||
p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
|
||||
msg.sub.page =
|
||||
(*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;
|
||||
|
|
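Review bot: The reject path in avrc_proc_vendor_command now builds the response in a buffer from `osi_malloc(BT_DEFAULT_BUFFER_SIZE)`, but `p_data += AVRC_VENDOR_HDR_SIZE;` still skips over the header bytes that were inherited from the request while `p_pkt` was being reused. In the visible lines nothing writes those bytes, so the reject handed to `AVCT_MsgReq` would carry uninitialised heap contents in place of the request's header fields. Copying the request header into the new buffer before the `*p_data++ = AVRC_RSP_REJ;` line, and allocating with `osi_calloc(BT_DEFAULT_BUFFER_SIZE)`, would fix both the missing fields and the disclosure. `p_pkt->offset` is also used as an index into the new buffer without being compared with its size. In avrc_proc_far_msg the added `osi_free_and_reset((void**)pp_pkt);` is safe only if no other path in avrc_proc_vendor_command returns `p_pkt` itself as `p_rsp`, which lies outside the hunk.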
196
android/system/bt/stack/avrc/avrc_pars_ct.cc
Normal file → Executable file
196
android/system/bt/stack/avrc/avrc_pars_ct.cc
Normal file → Executable file
|
@ -31,6 +31,8 @@
|
|||
|
||||
#if (AVRC_METADATA_INCLUDED == TRUE)
|
||||
|
||||
#define MIN(x, y) ((x) < (y) ? (x) : (y))
|
||||
|
||||
/*******************************************************************************
|
||||
*
|
||||
* Function avrc_pars_vendor_rsp
|
||||
|
@ -56,13 +58,33 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
if (p_msg->vendor_len == 0) return AVRC_STS_NO_ERROR;
|
||||
if (p_msg->p_vendor_data == NULL) return AVRC_STS_INTERNAL_ERR;
|
||||
|
||||
if (p_msg->vendor_len < 4) {
|
||||
android_errorWriteLog(0x534e4554, "111450531");
|
||||
AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
|
||||
__func__, p_msg->vendor_len);
|
||||
return AVRC_STS_INTERNAL_ERR;
|
||||
}
|
||||
p = p_msg->p_vendor_data;
|
||||
BE_STREAM_TO_UINT8(p_result->pdu, p);
|
||||
p++; /* skip the reserved/packe_type byte */
|
||||
BE_STREAM_TO_UINT16(len, p);
|
||||
AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x", __func__,
|
||||
p_msg->hdr.ctype, p_result->pdu, len, len);
|
||||
AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x vendor_len=0x%x",
|
||||
__func__, p_msg->hdr.ctype, p_result->pdu, len, len,
|
||||
p_msg->vendor_len);
|
||||
if (p_msg->vendor_len < len + 4) {
|
||||
android_errorWriteLog(0x534e4554, "111450531");
|
||||
AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
|
||||
__func__, p_msg->vendor_len, len + 4);
|
||||
return AVRC_STS_INTERNAL_ERR;
|
||||
}
|
||||
|
||||
if (p_msg->hdr.ctype == AVRC_RSP_REJ) {
|
||||
if (len < 1) {
|
||||
android_errorWriteLog(0x534e4554, "111450531");
|
||||
AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least 1",
|
||||
__func__, len);
|
||||
return AVRC_STS_INTERNAL_ERR;
|
||||
}
|
||||
p_result->rsp.status = *p;
|
||||
return p_result->rsp.status;
|
||||
}
|
||||
|
@ -83,12 +105,26 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
|
||||
case AVRC_PDU_REGISTER_NOTIFICATION: /* 0x31 */
|
||||
#if (AVRC_ADV_CTRL_INCLUDED == TRUE)
|
||||
if (len < 1) {
|
||||
android_errorWriteLog(0x534e4554, "111450531");
|
||||
AVRC_TRACE_WARNING(
|
||||
"%s: invalid parameter length %d: must be at least 1", __func__,
|
||||
len);
|
||||
return AVRC_STS_INTERNAL_ERR;
|
||||
}
|
||||
BE_STREAM_TO_UINT8(eventid, p);
|
||||
if (AVRC_EVT_VOLUME_CHANGE == eventid &&
|
||||
(AVRC_RSP_CHANGED == p_msg->hdr.ctype ||
|
||||
AVRC_RSP_INTERIM == p_msg->hdr.ctype ||
|
||||
AVRC_RSP_REJ == p_msg->hdr.ctype ||
|
||||
AVRC_RSP_NOT_IMPL == p_msg->hdr.ctype)) {
|
||||
if (len < 2) {
|
||||
android_errorWriteLog(0x534e4554, "111450531");
|
||||
AVRC_TRACE_WARNING(
|
||||
"%s: invalid parameter length %d: must be at least 2", __func__,
|
||||
len);
|
||||
return AVRC_STS_INTERNAL_ERR;
|
||||
}
|
||||
p_result->reg_notif.status = p_msg->hdr.ctype;
|
||||
p_result->reg_notif.event_id = eventid;
|
||||
BE_STREAM_TO_UINT8(p_result->reg_notif.param.volume, p);
|
||||
|
@ -105,20 +141,35 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
return status;
|
||||
}
|
||||
|
||||
void avrc_parse_notification_rsp(uint8_t* p_stream,
|
||||
tAVRC_REG_NOTIF_RSP* p_rsp) {
|
||||
tAVRC_STS avrc_parse_notification_rsp(uint8_t* p_stream, uint16_t len,
|
||||
tAVRC_REG_NOTIF_RSP* p_rsp) {
|
||||
uint16_t min_len = 1;
|
||||
|
||||
if (len < min_len) goto length_error;
|
||||
BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream);
|
||||
switch (p_rsp->event_id) {
|
||||
case AVRC_EVT_PLAY_STATUS_CHANGE:
|
||||
min_len += 1;
|
||||
if (len < min_len) goto length_error;
|
||||
BE_STREAM_TO_UINT8(p_rsp->param.play_status, p_stream);
|
||||
break;
|
||||
|
||||
case AVRC_EVT_TRACK_CHANGE:
|
||||
min_len += 8;
|
||||
if (len < min_len) goto length_error;
|
||||
BE_STREAM_TO_ARRAY(p_stream, p_rsp->param.track, 8);
|
||||
break;
|
||||
|
||||
case AVRC_EVT_APP_SETTING_CHANGE:
|
||||
min_len += 1;
|
||||
if (len < min_len) goto length_error;
|
||||
BE_STREAM_TO_UINT8(p_rsp->param.player_setting.num_attr, p_stream);
|
||||
if (p_rsp->param.player_setting.num_attr > AVRC_MAX_APP_SETTINGS) {
|
||||
android_errorWriteLog(0x534e4554, "73782082");
|
||||
p_rsp->param.player_setting.num_attr = AVRC_MAX_APP_SETTINGS;
|
||||
}
|
||||
min_len += p_rsp->param.player_setting.num_attr * 2;
|
||||
if (len < min_len) goto length_error;
|
||||
for (int index = 0; index < p_rsp->param.player_setting.num_attr;
|
||||
index++) {
|
||||
BE_STREAM_TO_UINT8(p_rsp->param.player_setting.attr_id[index],
|
||||
|
@ -148,6 +199,14 @@ void avrc_parse_notification_rsp(uint8_t* p_stream,
|
|||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
return AVRC_STS_NO_ERROR;
|
||||
|
||||
length_error:
|
||||
android_errorWriteLog(0x534e4554, "111450417");
|
||||
AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least %d",
|
||||
__func__, len, min_len);
|
||||
return AVRC_STS_INTERNAL_ERR;
|
||||
}
|
||||
|
||||
static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
|
||||
|
@ -402,16 +461,32 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
|
|||
static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
||||
tAVRC_RESPONSE* p_result,
|
||||
uint8_t* p_buf, uint16_t* buf_len) {
|
||||
if (p_msg->vendor_len < 4) {
|
||||
android_errorWriteLog(0x534e4554, "111450417");
|
||||
AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
|
||||
__func__, p_msg->vendor_len);
|
||||
return AVRC_STS_INTERNAL_ERR;
|
||||
}
|
||||
|
||||
uint8_t* p = p_msg->p_vendor_data;
|
||||
BE_STREAM_TO_UINT8(p_result->pdu, p);
|
||||
p++; /* skip the reserved/packe_type byte */
|
||||
|
||||
uint16_t len;
|
||||
uint16_t min_len = 0;
|
||||
BE_STREAM_TO_UINT16(len, p);
|
||||
AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d", __func__, p_msg->hdr.ctype,
|
||||
p_result->pdu, len);
|
||||
AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d vendor_len=0x%x", __func__,
|
||||
p_msg->hdr.ctype, p_result->pdu, len, p_msg->vendor_len);
|
||||
if (p_msg->vendor_len < len + 4) {
|
||||
android_errorWriteLog(0x534e4554, "111450417");
|
||||
AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
|
||||
__func__, p_msg->vendor_len, len + 4);
|
||||
return AVRC_STS_INTERNAL_ERR;
|
||||
}
|
||||
/* Todo: Issue in handling reject, check */
|
||||
if (p_msg->hdr.ctype == AVRC_RSP_REJ) {
|
||||
min_len += 1;
|
||||
if (len < min_len) goto length_error;
|
||||
p_result->rsp.status = *p;
|
||||
return p_result->rsp.status;
|
||||
}
|
||||
|
@ -422,8 +497,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
/* case AVRC_PDU_ABORT_CONTINUATION_RSP: 0x41 */
|
||||
|
||||
case AVRC_PDU_REGISTER_NOTIFICATION:
|
||||
avrc_parse_notification_rsp(p, &p_result->reg_notif);
|
||||
break;
|
||||
return avrc_parse_notification_rsp(p, len, &p_result->reg_notif);
|
||||
|
||||
case AVRC_PDU_GET_CAPABILITIES:
|
||||
if (len == 0) {
|
||||
|
@ -431,12 +505,16 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
p_result->get_caps.capability_id = 0;
|
||||
break;
|
||||
}
|
||||
min_len += 2;
|
||||
if (len < min_len) goto length_error;
|
||||
BE_STREAM_TO_UINT8(p_result->get_caps.capability_id, p);
|
||||
BE_STREAM_TO_UINT8(p_result->get_caps.count, p);
|
||||
AVRC_TRACE_DEBUG("%s cap id = %d, cap_count = %d ", __func__,
|
||||
p_result->get_caps.capability_id,
|
||||
p_result->get_caps.count);
|
||||
if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID) {
|
||||
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_COMP_ID) * 3;
|
||||
if (len < min_len) goto length_error;
|
||||
for (int xx = 0; ((xx < p_result->get_caps.count) &&
|
||||
(xx < AVRC_CAP_MAX_NUM_COMP_ID));
|
||||
xx++) {
|
||||
|
@ -444,6 +522,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
}
|
||||
} else if (p_result->get_caps.capability_id ==
|
||||
AVRC_CAP_EVENTS_SUPPORTED) {
|
||||
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_EVT_ID);
|
||||
if (len < min_len) goto length_error;
|
||||
for (int xx = 0; ((xx < p_result->get_caps.count) &&
|
||||
(xx < AVRC_CAP_MAX_NUM_EVT_ID));
|
||||
xx++) {
|
||||
|
@ -457,6 +537,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
p_result->list_app_attr.num_attr = 0;
|
||||
break;
|
||||
}
|
||||
min_len += 1;
|
||||
BE_STREAM_TO_UINT8(p_result->list_app_attr.num_attr, p);
|
||||
AVRC_TRACE_DEBUG("%s attr count = %d ", __func__,
|
||||
p_result->list_app_attr.num_attr);
|
||||
|
@ -466,6 +547,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
p_result->list_app_attr.num_attr = AVRC_MAX_APP_ATTR_SIZE;
|
||||
}
|
||||
|
||||
min_len += p_result->list_app_attr.num_attr;
|
||||
if (len < min_len) goto length_error;
|
||||
for (int xx = 0; xx < p_result->list_app_attr.num_attr; xx++) {
|
||||
BE_STREAM_TO_UINT8(p_result->list_app_attr.attrs[xx], p);
|
||||
}
|
||||
|
@ -476,9 +559,17 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
p_result->list_app_values.num_val = 0;
|
||||
break;
|
||||
}
|
||||
min_len += 1;
|
||||
BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p);
|
||||
if (p_result->list_app_values.num_val > AVRC_MAX_APP_ATTR_SIZE) {
|
||||
android_errorWriteLog(0x534e4554, "78526423");
|
||||
p_result->list_app_values.num_val = AVRC_MAX_APP_ATTR_SIZE;
|
||||
}
|
||||
|
||||
AVRC_TRACE_DEBUG("%s value count = %d ", __func__,
|
||||
p_result->list_app_values.num_val);
|
||||
min_len += p_result->list_app_values.num_val;
|
||||
if (len < min_len) goto length_error;
|
||||
for (int xx = 0; xx < p_result->list_app_values.num_val; xx++) {
|
||||
BE_STREAM_TO_UINT8(p_result->list_app_values.vals[xx], p);
|
||||
}
|
||||
|
@ -489,9 +580,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
p_result->get_cur_app_val.num_val = 0;
|
||||
break;
|
||||
}
|
||||
min_len += 1;
|
||||
BE_STREAM_TO_UINT8(p_result->get_cur_app_val.num_val, p);
|
||||
tAVRC_APP_SETTING* app_sett = (tAVRC_APP_SETTING*)osi_malloc(
|
||||
p_result->get_cur_app_val.num_val * sizeof(tAVRC_APP_SETTING));
|
||||
AVRC_TRACE_DEBUG("%s attr count = %d ", __func__,
|
||||
p_result->get_cur_app_val.num_val);
|
||||
|
||||
|
@ -500,6 +590,13 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
p_result->get_cur_app_val.num_val = AVRC_MAX_APP_ATTR_SIZE;
|
||||
}
|
||||
|
||||
min_len += p_result->get_cur_app_val.num_val * 2;
|
||||
if (len < min_len) {
|
||||
p_result->get_cur_app_val.num_val = 0;
|
||||
goto length_error;
|
||||
}
|
||||
tAVRC_APP_SETTING* app_sett = (tAVRC_APP_SETTING*)osi_calloc(
|
||||
p_result->get_cur_app_val.num_val * sizeof(tAVRC_APP_SETTING));
|
||||
for (int xx = 0; xx < p_result->get_cur_app_val.num_val; xx++) {
|
||||
BE_STREAM_TO_UINT8(app_sett[xx].attr_id, p);
|
||||
BE_STREAM_TO_UINT8(app_sett[xx].attr_val, p);
|
||||
|
@ -514,6 +611,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
p_result->get_app_attr_txt.num_attr = 0;
|
||||
break;
|
||||
}
|
||||
min_len += 1;
|
||||
BE_STREAM_TO_UINT8(num_attrs, p);
|
||||
if (num_attrs > AVRC_MAX_APP_ATTR_SIZE) {
|
||||
num_attrs = AVRC_MAX_APP_ATTR_SIZE;
|
||||
|
@ -522,15 +620,33 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
p_result->get_app_attr_txt.num_attr);
|
||||
p_result->get_app_attr_txt.num_attr = num_attrs;
|
||||
|
||||
p_result->get_app_attr_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_malloc(
|
||||
p_result->get_app_attr_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_calloc(
|
||||
num_attrs * sizeof(tAVRC_APP_SETTING_TEXT));
|
||||
for (int xx = 0; xx < num_attrs; xx++) {
|
||||
min_len += 4;
|
||||
if (len < min_len) {
|
||||
for (int j = 0; j < xx; j++) {
|
||||
osi_free(p_result->get_app_attr_txt.p_attrs[j].p_str);
|
||||
}
|
||||
osi_free_and_reset((void**)&p_result->get_app_attr_txt.p_attrs);
|
||||
p_result->get_app_attr_txt.num_attr = 0;
|
||||
goto length_error;
|
||||
}
|
||||
BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].attr_id, p);
|
||||
BE_STREAM_TO_UINT16(p_result->get_app_attr_txt.p_attrs[xx].charset_id,
|
||||
p);
|
||||
BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].str_len, p);
|
||||
min_len += p_result->get_app_attr_txt.p_attrs[xx].str_len;
|
||||
if (len < min_len) {
|
||||
for (int j = 0; j < xx; j++) {
|
||||
osi_free(p_result->get_app_attr_txt.p_attrs[j].p_str);
|
||||
}
|
||||
osi_free_and_reset((void**)&p_result->get_app_attr_txt.p_attrs);
|
||||
p_result->get_app_attr_txt.num_attr = 0;
|
||||
goto length_error;
|
||||
}
|
||||
if (p_result->get_app_attr_txt.p_attrs[xx].str_len != 0) {
|
||||
uint8_t* p_str = (uint8_t*)osi_malloc(
|
||||
uint8_t* p_str = (uint8_t*)osi_calloc(
|
||||
p_result->get_app_attr_txt.p_attrs[xx].str_len);
|
||||
BE_STREAM_TO_ARRAY(p, p_str,
|
||||
p_result->get_app_attr_txt.p_attrs[xx].str_len);
|
||||
|
@ -548,6 +664,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
p_result->get_app_val_txt.num_attr = 0;
|
||||
break;
|
||||
}
|
||||
min_len += 1;
|
||||
BE_STREAM_TO_UINT8(num_vals, p);
|
||||
if (num_vals > AVRC_MAX_APP_ATTR_SIZE) {
|
||||
num_vals = AVRC_MAX_APP_ATTR_SIZE;
|
||||
|
@ -556,14 +673,32 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
AVRC_TRACE_DEBUG("%s value count = %d ", __func__,
|
||||
p_result->get_app_val_txt.num_attr);
|
||||
|
||||
p_result->get_app_val_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_malloc(
|
||||
p_result->get_app_val_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_calloc(
|
||||
num_vals * sizeof(tAVRC_APP_SETTING_TEXT));
|
||||
for (int i = 0; i < num_vals; i++) {
|
||||
min_len += 4;
|
||||
if (len < min_len) {
|
||||
for (int j = 0; j < i; j++) {
|
||||
osi_free(p_result->get_app_val_txt.p_attrs[j].p_str);
|
||||
}
|
||||
osi_free_and_reset((void**)&p_result->get_app_val_txt.p_attrs);
|
||||
p_result->get_app_val_txt.num_attr = 0;
|
||||
goto length_error;
|
||||
}
|
||||
BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].attr_id, p);
|
||||
BE_STREAM_TO_UINT16(p_result->get_app_val_txt.p_attrs[i].charset_id, p);
|
||||
BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].str_len, p);
|
||||
min_len += p_result->get_app_val_txt.p_attrs[i].str_len;
|
||||
if (len < min_len) {
|
||||
for (int j = 0; j < i; j++) {
|
||||
osi_free(p_result->get_app_val_txt.p_attrs[j].p_str);
|
||||
}
|
||||
osi_free_and_reset((void**)&p_result->get_app_val_txt.p_attrs);
|
||||
p_result->get_app_val_txt.num_attr = 0;
|
||||
goto length_error;
|
||||
}
|
||||
if (p_result->get_app_val_txt.p_attrs[i].str_len != 0) {
|
||||
uint8_t* p_str = (uint8_t*)osi_malloc(
|
||||
uint8_t* p_str = (uint8_t*)osi_calloc(
|
||||
p_result->get_app_val_txt.p_attrs[i].str_len);
|
||||
BE_STREAM_TO_ARRAY(p, p_str,
|
||||
p_result->get_app_val_txt.p_attrs[i].str_len);
|
||||
|
@ -585,20 +720,41 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
p_result->get_attrs.num_attrs = 0;
|
||||
break;
|
||||
}
|
||||
min_len += 1;
|
||||
BE_STREAM_TO_UINT8(num_attrs, p);
|
||||
p_result->get_attrs.num_attrs = num_attrs;
|
||||
if (num_attrs) {
|
||||
tAVRC_ATTR_ENTRY* p_attrs =
|
||||
(tAVRC_ATTR_ENTRY*)osi_malloc(num_attrs * sizeof(tAVRC_ATTR_ENTRY));
|
||||
(tAVRC_ATTR_ENTRY*)osi_calloc(num_attrs * sizeof(tAVRC_ATTR_ENTRY));
|
||||
for (int i = 0; i < num_attrs; i++) {
|
||||
min_len += 8;
|
||||
if (len < min_len) {
|
||||
for (int j = 0; j < i; j++) {
|
||||
osi_free(p_attrs[j].name.p_str);
|
||||
}
|
||||
osi_free(p_attrs);
|
||||
p_result->get_attrs.num_attrs = 0;
|
||||
goto length_error;
|
||||
}
|
||||
BE_STREAM_TO_UINT32(p_attrs[i].attr_id, p);
|
||||
BE_STREAM_TO_UINT16(p_attrs[i].name.charset_id, p);
|
||||
BE_STREAM_TO_UINT16(p_attrs[i].name.str_len, p);
|
||||
min_len += p_attrs[i].name.str_len;
|
||||
if (len < min_len) {
|
||||
for (int j = 0; j < i; j++) {
|
||||
osi_free(p_attrs[j].name.p_str);
|
||||
}
|
||||
osi_free(p_attrs);
|
||||
p_result->get_attrs.num_attrs = 0;
|
||||
goto length_error;
|
||||
}
|
||||
if (p_attrs[i].name.str_len > 0) {
|
||||
p_attrs[i].name.p_str =
|
||||
(uint8_t*)osi_malloc(p_attrs[i].name.str_len);
|
||||
(uint8_t*)osi_calloc(p_attrs[i].name.str_len);
|
||||
BE_STREAM_TO_ARRAY(p, p_attrs[i].name.p_str,
|
||||
p_attrs[i].name.str_len);
|
||||
} else {
|
||||
p_attrs[i].name.p_str = NULL;
|
||||
}
|
||||
}
|
||||
p_result->get_attrs.p_attrs = p_attrs;
|
||||
|
@ -609,6 +765,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
if (len == 0) {
|
||||
break;
|
||||
}
|
||||
min_len += 9;
|
||||
if (len < min_len) goto length_error;
|
||||
BE_STREAM_TO_UINT32(p_result->get_play_status.song_len, p);
|
||||
BE_STREAM_TO_UINT32(p_result->get_play_status.song_pos, p);
|
||||
BE_STREAM_TO_UINT8(p_result->get_play_status.status, p);
|
||||
|
@ -626,6 +784,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
|||
return AVRC_STS_BAD_CMD;
|
||||
}
|
||||
return AVRC_STS_NO_ERROR;
|
||||
|
||||
length_error:
|
||||
android_errorWriteLog(0x534e4554, "111450417");
|
||||
AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least %d",
|
||||
__func__, len, min_len);
|
||||
return AVRC_STS_INTERNAL_ERR;
|
||||
}
|
||||
|
||||
/*******************************************************************************
|
||||
|
|
9
android/system/bt/stack/bnep/bnep_api.cc
Normal file → Executable file
9
android/system/bt/stack/bnep/bnep_api.cc
Normal file → Executable file
|
@ -23,6 +23,7 @@
|
|||
******************************************************************************/
|
||||
|
||||
#include "bnep_api.h"
|
||||
#include <log/log.h>
|
||||
#include <string.h>
|
||||
#include "bnep_int.h"
|
||||
|
||||
|
@ -383,6 +384,10 @@ tBNEP_RESULT BNEP_WriteBuf(uint16_t handle, const RawAddress& p_dest_addr,
|
|||
protocol = 0;
|
||||
else {
|
||||
new_len += 4;
|
||||
if (new_len > org_len) {
|
||||
android_errorWriteLog(0x534e4554, "74947856");
|
||||
return BNEP_IGNORE_CMD;
|
||||
}
|
||||
p_data[2] = 0;
|
||||
p_data[3] = 0;
|
||||
}
|
||||
|
@ -479,6 +484,10 @@ tBNEP_RESULT BNEP_Write(uint16_t handle, const RawAddress& p_dest_addr,
|
|||
protocol = 0;
|
||||
else {
|
||||
new_len += 4;
|
||||
if (new_len > org_len) {
|
||||
android_errorWriteLog(0x534e4554, "74947856");
|
||||
return BNEP_IGNORE_CMD;
|
||||
}
|
||||
p_data[2] = 0;
|
||||
p_data[3] = 0;
|
||||
}
|
||||
|
|
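Review bot: The new `new_len > org_len` early return in BNEP_WriteBuf leaves without releasing the buffer the caller passed in, which would leak it if this function frees that buffer on its other error paths. The parameter list and those paths are outside the hunk, so ownership needs confirming first. If the function does own the buffer, free it ahead of the return, e.g. `osi_free(p_buf);` before `return BNEP_IGNORE_CMD;`. BNEP_Write carries the same four-line guard; whether it needs the same treatment depends on where its buffer is allocated, which is also outside the hunk.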
37
android/system/bt/stack/bnep/bnep_main.cc
Normal file → Executable file
37
android/system/bt/stack/bnep/bnep_main.cc
Normal file → Executable file
|
@ -431,6 +431,11 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
|
|||
tBNEP_CONN* p_bcb;
|
||||
uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset;
|
||||
uint16_t rem_len = p_buf->len;
|
||||
if (rem_len == 0) {
|
||||
android_errorWriteLog(0x534e4554, "78286118");
|
||||
osi_free(p_buf);
|
||||
return;
|
||||
}
|
||||
uint8_t type, ctrl_type, ext_type = 0;
|
||||
bool extension_present, fw_ext_present;
|
||||
uint16_t protocol = 0;
|
||||
|
@ -479,24 +484,35 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
|
|||
uint16_t org_len, new_len;
|
||||
/* parse the extension headers and process unknown control headers */
|
||||
org_len = rem_len;
|
||||
new_len = 0;
|
||||
do {
|
||||
if (org_len < 2) break;
|
||||
if (org_len < 2) {
|
||||
android_errorWriteLog(0x534e4554, "67863755");
|
||||
break;
|
||||
}
|
||||
ext = *p++;
|
||||
length = *p++;
|
||||
p += length;
|
||||
|
||||
new_len = (length + 2);
|
||||
if (new_len > org_len) break;
|
||||
if (new_len > org_len) {
|
||||
android_errorWriteLog(0x534e4554, "67863755");
|
||||
break;
|
||||
}
|
||||
|
||||
if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))
|
||||
bnep_send_command_not_understood(p_bcb, *p);
|
||||
if ((ext & 0x7F) == BNEP_EXTENSION_FILTER_CONTROL) {
|
||||
if (length == 0) {
|
||||
android_errorWriteLog(0x534e4554, "79164722");
|
||||
break;
|
||||
}
|
||||
if (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG) {
|
||||
bnep_send_command_not_understood(p_bcb, *p);
|
||||
}
|
||||
}
|
||||
|
||||
p += length;
|
||||
|
||||
org_len -= new_len;
|
||||
} while (ext & 0x80);
|
||||
android_errorWriteLog(0x534e4554, "67863755");
|
||||
}
|
||||
|
||||
osi_free(p_buf);
|
||||
return;
|
||||
}
|
||||
|
@ -540,13 +556,13 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
|
|||
while (extension_present && p && rem_len) {
|
||||
ext_type = *p++;
|
||||
rem_len--;
|
||||
android_errorWriteLog(0x534e4554, "69271284");
|
||||
extension_present = ext_type >> 7;
|
||||
ext_type &= 0x7F;
|
||||
|
||||
/* if unknown extension present stop processing */
|
||||
if (ext_type) break;
|
||||
if (ext_type != BNEP_EXTENSION_FILTER_CONTROL) break;
|
||||
|
||||
android_errorWriteLog(0x534e4554, "69271284");
|
||||
p = bnep_process_control_packet(p_bcb, p, &rem_len, true);
|
||||
}
|
||||
}
|
||||
|
@ -607,7 +623,6 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
|
|||
if (bnep_cb.p_data_buf_cb) {
|
||||
(*bnep_cb.p_data_buf_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr, protocol,
|
||||
p_buf, fw_ext_present);
|
||||
osi_free(p_buf);
|
||||
} else if (bnep_cb.p_data_ind_cb) {
|
||||
(*bnep_cb.p_data_ind_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr, protocol,
|
||||
p, rem_len, fw_ext_present);
|
||||
|
|
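Review bot: In the `while (extension_present && p && rem_len)` loop of bnep_data_ind, `android_errorWriteLog(0x534e4554, "69271284")` sits on the normal path of the loop body at either position the page shows, so it is written for well-formed extension headers too. The events added to the extension loop above are inside the branches that `break`, so they fire only when a length check fails. An event written on ordinary traffic cannot be used to tell malformed input from normal filter-control packets. If bnep_process_control_packet reports a rejected packet through its return value (its body is not on this page; the `&& p` loop condition suggests a null return), log only in that case, e.g. `if (p == NULL) android_errorWriteLog(0x534e4554, "69271284");` after the call.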
20
android/system/bt/stack/btm/btm_dev.cc
Normal file → Executable file
20
android/system/bt/stack/btm/btm_dev.cc
Normal file → Executable file
|
@ -147,17 +147,16 @@ bool BTM_SecAddDevice(const RawAddress& bd_addr, DEV_CLASS dev_class,
|
|||
return true;
|
||||
}
|
||||
|
||||
/*******************************************************************************
|
||||
/** Free resources associated with the device associated with |bd_addr| address.
|
||||
*
|
||||
* Function BTM_SecDeleteDevice
|
||||
* *** WARNING ***
|
||||
* tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
|
||||
* is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
|
||||
* no longer valid!
|
||||
* *** WARNING ***
|
||||
*
|
||||
* Description Free resources associated with the device.
|
||||
*
|
||||
* Parameters: bd_addr - BD address of the peer
|
||||
*
|
||||
* Returns true if removed OK, false if not found or ACL link is active
|
||||
*
|
||||
******************************************************************************/
|
||||
* Returns true if removed OK, false if not found or ACL link is active.
|
||||
*/
|
||||
bool BTM_SecDeleteDevice(const RawAddress& bd_addr) {
|
||||
if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE) ||
|
||||
BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR)) {
|
||||
|
@ -168,9 +167,10 @@ bool BTM_SecDeleteDevice(const RawAddress& bd_addr) {
|
|||
|
||||
tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
|
||||
if (p_dev_rec != NULL) {
|
||||
RawAddress bda = p_dev_rec->bd_addr;
|
||||
btm_sec_free_dev(p_dev_rec);
|
||||
/* Tell controller to get rid of the link key, if it has one stored */
|
||||
BTM_DeleteStoredLinkKey(&p_dev_rec->bd_addr, NULL);
|
||||
BTM_DeleteStoredLinkKey(&bda, NULL);
|
||||
}
|
||||
|
||||
return true;
|
||||
|
|
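Review bot: The copy `RawAddress bda = p_dev_rec->bd_addr;` in BTM_SecDeleteDevice has no comment explaining it, so it reads like a redundant local that a later cleanup could fold back into `&p_dev_rec->bd_addr`. A one-line why-comment above it would prevent that, e.g. `/* p_dev_rec is invalid once btm_sec_free_dev() returns; keep a copy of the address for the controller call below */`. The new header comment, here and in btm_api.h, says "it's fields" where "its fields" is meant. The function body starts outside the first hunk shown.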
22
android/system/bt/stack/gatt/gatt_cl.cc
Normal file → Executable file
22
android/system/bt/stack/gatt/gatt_cl.cc
Normal file → Executable file
|
@ -29,6 +29,7 @@
|
|||
#include "bt_utils.h"
|
||||
#include "gatt_int.h"
|
||||
#include "l2c_int.h"
|
||||
#include "log/log.h"
|
||||
#include "osi/include/osi.h"
|
||||
|
||||
#define GATT_WRITE_LONG_HDR_SIZE 5 /* 1 opcode + 2 handle + 2 offset */
|
||||
|
@ -507,9 +508,24 @@ void gatt_process_error_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
|
|||
tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
|
||||
|
||||
VLOG(1) << __func__;
|
||||
STREAM_TO_UINT8(opcode, p);
|
||||
STREAM_TO_UINT16(handle, p);
|
||||
STREAM_TO_UINT8(reason, p);
|
||||
|
||||
if (len < 4) {
|
||||
android_errorWriteLog(0x534e4554, "79591688");
|
||||
LOG(ERROR) << "Error response too short";
|
||||
// Specification does not clearly define what should happen if error
|
||||
// response is too short. General rule in BT Spec 5.0 Vol 3, Part F 3.4.1.1
|
||||
// is: "If an error code is received in the Error Response that is not
|
||||
// understood by the client, for example an error code that was reserved for
|
||||
// future use that is now being used in a future version of this
|
||||
// specification, then the Error Response shall still be considered to state
|
||||
// that the given request cannot be performed for an unknown reason."
|
||||
opcode = handle = 0;
|
||||
reason = 0x7F;
|
||||
} else {
|
||||
STREAM_TO_UINT8(opcode, p);
|
||||
STREAM_TO_UINT16(handle, p);
|
||||
STREAM_TO_UINT8(reason, p);
|
||||
}
|
||||
|
||||
if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY) {
|
||||
gatt_proc_disc_error_rsp(tcb, p_clcb, opcode, handle, reason);
|
||||
|
|
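Review bot: The short-response branch in gatt_process_error_rsp uses two bare literals, `len < 4` and `reason = 0x7F`, and the long comment explains the policy but not what either number is. The file already documents a size this way at `#define GATT_WRITE_LONG_HDR_SIZE 5 /* 1 opcode + 2 handle + 2 offset */`; the same form would fit here, e.g. a constant for the minimum length annotated `/* 1 opcode + 2 handle + 1 reason */`. For 0x7F, a short comment saying it is a placeholder for "unknown reason" would help, after checking that the value does not collide with an error code the stack already interprets. The function body starts and ends outside the hunk.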
29
android/system/bt/stack/gatt/gatt_sr.cc
Normal file → Executable file
29
android/system/bt/stack/gatt/gatt_sr.cc
Normal file → Executable file
|
@ -22,6 +22,7 @@
|
|||
*
|
||||
******************************************************************************/
|
||||
|
||||
#include <log/log.h>
|
||||
#include "bt_target.h"
|
||||
#include "bt_utils.h"
|
||||
#include "osi/include/osi.h"
|
||||
|
@ -281,8 +282,8 @@ tGATT_STATUS gatt_sr_process_app_rsp(tGATT_TCB& tcb, tGATT_IF gatt_if,
|
|||
* Returns void
|
||||
*
|
||||
******************************************************************************/
|
||||
void gatt_process_exec_write_req(tGATT_TCB& tcb, uint8_t op_code,
|
||||
UNUSED_ATTR uint16_t len, uint8_t* p_data) {
|
||||
void gatt_process_exec_write_req(tGATT_TCB& tcb, uint8_t op_code, uint16_t len,
|
||||
uint8_t* p_data) {
|
||||
uint8_t *p = p_data, flag, i = 0;
|
||||
uint32_t trans_id = 0;
|
||||
tGATT_IF gatt_if;
|
||||
|
@ -301,6 +302,13 @@ void gatt_process_exec_write_req(tGATT_TCB& tcb, uint8_t op_code,
|
|||
}
|
||||
#endif
|
||||
|
||||
if (len < sizeof(flag)) {
|
||||
android_errorWriteLog(0x534e4554, "73172115");
|
||||
LOG(ERROR) << __func__ << "invalid length";
|
||||
gatt_send_error_rsp(tcb, GATT_INVALID_PDU, GATT_REQ_EXEC_WRITE, 0, false);
|
||||
return;
|
||||
}
|
||||
|
||||
STREAM_TO_UINT8(flag, p);
|
||||
|
||||
/* mask the flag */
|
||||
|
@ -780,7 +788,8 @@ static void gatts_process_mtu_req(tGATT_TCB& tcb, uint16_t len,
|
|||
void gatts_process_read_by_type_req(tGATT_TCB& tcb, uint8_t op_code,
|
||||
uint16_t len, uint8_t* p_data) {
|
||||
tBT_UUID uuid;
|
||||
uint16_t s_hdl, e_hdl, err_hdl = 0;
|
||||
uint16_t s_hdl = 0, e_hdl = 0, err_hdl = 0;
|
||||
if (len < 4) android_errorWriteLog(0x534e4554, "73125709");
|
||||
tGATT_STATUS reason =
|
||||
gatts_validate_packet_format(op_code, len, p_data, &uuid, s_hdl, e_hdl);
|
||||
|
||||
|
@ -940,9 +949,19 @@ void gatts_process_write_req(tGATT_TCB& tcb, tGATT_SRV_LIST_ELEM& el,
|
|||
*/
|
||||
static void gatts_process_read_req(tGATT_TCB& tcb, tGATT_SRV_LIST_ELEM& el,
|
||||
uint8_t op_code, uint16_t handle,
|
||||
UNUSED_ATTR uint16_t len, uint8_t* p_data) {
|
||||
uint16_t len, uint8_t* p_data) {
|
||||
size_t buf_len = sizeof(BT_HDR) + tcb.payload_size + L2CAP_MIN_OFFSET;
|
||||
uint16_t offset = 0;
|
||||
|
||||
if (op_code == GATT_REQ_READ_BLOB && len < sizeof(uint16_t)) {
|
||||
/* Error: packet length is too short */
|
||||
LOG(ERROR) << __func__ << ": packet length=" << len
|
||||
<< " too short. min=" << sizeof(uint16_t);
|
||||
android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0);
|
||||
gatt_send_error_rsp(tcb, GATT_INVALID_PDU, op_code, 0, false);
|
||||
return;
|
||||
}
|
||||
|
||||
BT_HDR* p_msg = (BT_HDR*)osi_calloc(buf_len);
|
||||
|
||||
if (op_code == GATT_REQ_READ_BLOB) STREAM_TO_UINT16(offset, p_data);
|
||||
|
@ -964,7 +983,7 @@ static void gatts_process_read_req(tGATT_TCB& tcb, tGATT_SRV_LIST_ELEM& el,
|
|||
if (reason != GATT_SUCCESS) {
|
||||
osi_free(p_msg);
|
||||
|
||||
/* in theroy BUSY is not possible(should already been checked), protected
|
||||
/* in theory BUSY is not possible(should already been checked), protected
|
||||
* check */
|
||||
if (reason != GATT_PENDING && reason != GATT_BUSY)
|
||||
gatt_send_error_rsp(tcb, reason, op_code, handle, false);
|
||||
|
|
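Review bot: In gatts_process_read_by_type_req the added `if (len < 4) android_errorWriteLog(0x534e4554, "73125709");` only records the event and then falls through to gatts_validate_packet_format with the short length. The checks added to gatt_process_exec_write_req and gatts_process_read_req in this section instead send GATT_INVALID_PDU and return. Rejection here therefore depends entirely on gatts_validate_packet_format, whose body is not on this page; the new zero initialisers for `s_hdl` and `e_hdl` suggest it can return without writing them. If that function does not reject short input itself, return here as the other two do, e.g. `gatt_send_error_rsp(tcb, GATT_INVALID_PDU, op_code, 0, false); return;`. Separately, `LOG(ERROR) << __func__ << "invalid length";` in gatt_process_exec_write_req prints the two strings run together; `": invalid length"` would match the message format used in gatts_process_read_req.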
9
android/system/bt/stack/hid/hidh_conn.cc
Normal file → Executable file
9
android/system/bt/stack/hid/hidh_conn.cc
Normal file → Executable file
|
@ -42,6 +42,7 @@
|
|||
#include "hidh_api.h"
|
||||
#include "hidh_int.h"
|
||||
|
||||
#include "log/log.h"
|
||||
#include "osi/include/osi.h"
|
||||
|
||||
static uint8_t find_conn_by_cid(uint16_t cid);
|
||||
|
@ -799,6 +800,14 @@ static void hidh_l2cif_data_ind(uint16_t l2cap_cid, BT_HDR* p_msg) {
|
|||
return;
|
||||
}
|
||||
|
||||
if (p_msg->len < 1) {
|
||||
HIDH_TRACE_WARNING("Rcvd L2CAP data, invalid length %d, should be >= 1",
|
||||
p_msg->len);
|
||||
osi_free(p_msg);
|
||||
android_errorWriteLog(0x534e4554, "80493272");
|
||||
return;
|
||||
}
|
||||
|
||||
ttype = HID_GET_TRANS_FROM_HDR(*p_data);
|
||||
param = HID_GET_PARAM_FROM_HDR(*p_data);
|
||||
rep_type = param & HID_PAR_REP_TYPE_MASK;
|
||||
|
|
15
android/system/bt/stack/include/btm_api.h
Normal file → Executable file
15
android/system/bt/stack/include/btm_api.h
Normal file → Executable file
|
@ -1411,15 +1411,16 @@ extern bool BTM_SecAddDevice(const RawAddress& bd_addr, DEV_CLASS dev_class,
|
|||
uint8_t key_type, tBTM_IO_CAP io_cap,
|
||||
uint8_t pin_length);
|
||||
|
||||
/*******************************************************************************
|
||||
/** Free resources associated with the device associated with |bd_addr| address.
|
||||
*
|
||||
* Function BTM_SecDeleteDevice
|
||||
* *** WARNING ***
|
||||
* tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
|
||||
* is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
|
||||
* no longer valid!
|
||||
* *** WARNING ***
|
||||
*
|
||||
* Description Free resources associated with the device.
|
||||
*
|
||||
* Returns true if rmoved OK, false if not found
|
||||
*
|
||||
******************************************************************************/
|
||||
* Returns true if removed OK, false if not found or ACL link is active.
|
||||
*/
|
||||
extern bool BTM_SecDeleteDevice(const RawAddress& bd_addr);
|
||||
|
||||
/*******************************************************************************
|
||||
|
|
7
android/system/bt/stack/include/rfcdefs.h
Normal file → Executable file
7
android/system/bt/stack/include/rfcdefs.h
Normal file → Executable file
|
@ -89,13 +89,6 @@
|
|||
(pf) = (*(p_data)++ & RFCOMM_PF_MASK) >> RFCOMM_PF_OFFSET; \
|
||||
}
|
||||
|
||||
#define RFCOMM_PARSE_LEN_FIELD(ea, length, p_data) \
|
||||
{ \
|
||||
(ea) = (*(p_data)&RFCOMM_EA); \
|
||||
(length) = (*(p_data)++ >> RFCOMM_SHIFT_LENGTH1); \
|
||||
if (!(ea)) (length) += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2); \
|
||||
}
|
||||
|
||||
#define RFCOMM_FRAME_IS_CMD(initiator, cr) \
|
||||
(((initiator) && !(cr)) || (!(initiator) && (cr)))
|
||||
|
||||
|
|
40
android/system/bt/stack/l2cap/l2c_ble.cc
Normal file → Executable file
40
android/system/bt/stack/l2cap/l2c_ble.cc
Normal file → Executable file
|
@ -33,6 +33,7 @@
|
|||
#include "hcimsgs.h"
|
||||
#include "l2c_int.h"
|
||||
#include "l2cdefs.h"
|
||||
#include "log/log.h"
|
||||
#include "osi/include/osi.h"
|
||||
#include "stack_config.h"
|
||||
|
||||
|
@ -573,6 +574,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
uint16_t credit;
|
||||
p_pkt_end = p + pkt_len;
|
||||
|
||||
if (p + 4 > p_pkt_end) {
|
||||
android_errorWriteLog(0x534e4554, "80261585");
|
||||
LOG(ERROR) << "invalid read";
|
||||
return;
|
||||
}
|
||||
|
||||
STREAM_TO_UINT8(cmd_code, p);
|
||||
STREAM_TO_UINT8(id, p);
|
||||
STREAM_TO_UINT16(cmd_len, p);
|
||||
|
@ -598,6 +605,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
break;
|
||||
|
||||
case L2CAP_CMD_BLE_UPDATE_REQ:
|
||||
if (p + 8 > p_pkt_end) {
|
||||
android_errorWriteLog(0x534e4554, "80261585");
|
||||
LOG(ERROR) << "invalid read";
|
||||
return;
|
||||
}
|
||||
|
||||
STREAM_TO_UINT16(min_interval, p); /* 0x0006 - 0x0C80 */
|
||||
STREAM_TO_UINT16(max_interval, p); /* 0x0006 - 0x0C80 */
|
||||
STREAM_TO_UINT16(latency, p); /* 0x0000 - 0x03E8 */
|
||||
|
@ -646,6 +659,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
break;
|
||||
|
||||
case L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ:
|
||||
if (p + 10 > p_pkt_end) {
|
||||
android_errorWriteLog(0x534e4554, "80261585");
|
||||
LOG(ERROR) << "invalid read";
|
||||
return;
|
||||
}
|
||||
|
||||
STREAM_TO_UINT16(con_info.psm, p);
|
||||
STREAM_TO_UINT16(rcid, p);
|
||||
STREAM_TO_UINT16(mtu, p);
|
||||
|
@ -729,6 +748,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
}
|
||||
if (p_ccb) {
|
||||
L2CAP_TRACE_DEBUG("I remember the connection req");
|
||||
if (p + 10 > p_pkt_end) {
|
||||
android_errorWriteLog(0x534e4554, "80261585");
|
||||
LOG(ERROR) << "invalid read";
|
||||
return;
|
||||
}
|
||||
|
||||
STREAM_TO_UINT16(p_ccb->remote_cid, p);
|
||||
STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mtu, p);
|
||||
STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mps, p);
|
||||
|
@ -774,6 +799,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
break;
|
||||
|
||||
case L2CAP_CMD_BLE_FLOW_CTRL_CREDIT:
|
||||
if (p + 4 > p_pkt_end) {
|
||||
android_errorWriteLog(0x534e4554, "80261585");
|
||||
LOG(ERROR) << "invalid read";
|
||||
return;
|
||||
}
|
||||
|
||||
STREAM_TO_UINT16(lcid, p);
|
||||
p_ccb = l2cu_find_ccb_by_remote_cid(p_lcb, lcid);
|
||||
if (p_ccb == NULL) {
|
||||
|
@ -788,6 +819,10 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
break;
|
||||
|
||||
case L2CAP_CMD_DISC_REQ:
|
||||
if (p + 4 > p_pkt_end) {
|
||||
android_errorWriteLog(0x534e4554, "74121659");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(lcid, p);
|
||||
STREAM_TO_UINT16(rcid, p);
|
||||
|
||||
|
@ -803,6 +838,11 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
break;
|
||||
|
||||
case L2CAP_CMD_DISC_RSP:
|
||||
if (p + 4 > p_pkt_end) {
|
||||
android_errorWriteLog(0x534e4554, "80261585");
|
||||
LOG(ERROR) << "invalid read";
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(rcid, p);
|
||||
STREAM_TO_UINT16(lcid, p);
|
||||
|
||||
|
|
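Review bot: The guards added to l2cble_process_sig_cmd are written as `p + N > p_pkt_end`, which forms a pointer beyond the end of the packet before comparing it whenever fewer than N bytes remain. Comparing the remaining length avoids that, e.g. `if (p_pkt_end - p < 10) {`. The same block is repeated seven times with bare sizes (4, 8, 10), and the L2CAP_CMD_DISC_REQ copy omits the `LOG(ERROR) << "invalid read";` the others have, so the copies have already drifted. All of these checks bound the read against the packet end; whether `cmd_len` taken from the header is also checked against `pkt_len` is not visible in these hunks. The function body starts and ends outside the hunks.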
22
android/system/bt/stack/l2cap/l2c_fcr.cc
Normal file → Executable file
22
android/system/bt/stack/l2cap/l2c_fcr.cc
Normal file → Executable file
|
@ -24,6 +24,7 @@
|
|||
******************************************************************************/
|
||||
|
||||
#include <base/logging.h>
|
||||
#include <log/log.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
@ -855,8 +856,24 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
|
|||
p_buf->offset += sizeof(sdu_length);
|
||||
p_data->offset = 0;
|
||||
|
||||
} else
|
||||
} else {
|
||||
p_data = p_ccb->ble_sdu;
|
||||
if (p_buf->len > (p_ccb->ble_sdu_length - p_data->len)) {
|
||||
L2CAP_TRACE_ERROR("%s: buffer length=%d too big. max=%d. Dropped",
|
||||
__func__, p_data->len,
|
||||
(p_ccb->ble_sdu_length - p_data->len));
|
||||
android_errorWriteWithInfoLog(0x534e4554, "75298652", -1, NULL, 0);
|
||||
osi_free(p_buf);
|
||||
|
||||
/* Throw away all pending fragments and disconnects */
|
||||
p_ccb->is_first_seg = true;
|
||||
osi_free(p_ccb->ble_sdu);
|
||||
p_ccb->ble_sdu = NULL;
|
||||
p_ccb->ble_sdu_length = 0;
|
||||
l2cu_disconnect_chnl(p_ccb);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
memcpy((uint8_t*)(p_data + 1) + p_data->offset + p_data->len,
|
||||
(uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
|
||||
|
@ -869,9 +886,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
|
|||
p_ccb->ble_sdu_length = 0;
|
||||
} else if (p_data->len < p_ccb->ble_sdu_length) {
|
||||
p_ccb->is_first_seg = false;
|
||||
} else {
|
||||
L2CAP_TRACE_ERROR("%s Length in the SDU messed up", __func__);
|
||||
// TODO: reset every thing may be???
|
||||
}
|
||||
|
||||
osi_free(p_buf);
|
||||
|
|
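Review bot: The error trace in the new continuation-segment check of l2c_lcc_proc_pdu prints `p_data->len` as "buffer length", but the value being tested is `p_buf->len`, so the message reports the bytes already assembled rather than the size of the rejected fragment. The second argument should be `p_buf->len`, i.e. `__func__, p_buf->len,`. The guard covers only the `else` (non-first segment) branch; whether the first-segment branch compares `p_buf->len` with the announced SDU length before the `memcpy` is not visible in this hunk. The function body starts and ends outside the hunks.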
108
android/system/bt/stack/l2cap/l2c_main.cc
Normal file → Executable file
108
android/system/bt/stack/l2cap/l2c_main.cc
Normal file → Executable file
|
@ -320,8 +320,16 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
|
||||
switch (cmd_code) {
|
||||
case L2CAP_CMD_REJECT:
|
||||
if (p + 2 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(rej_reason, p);
|
||||
if (rej_reason == L2CAP_CMD_REJ_MTU_EXCEEDED) {
|
||||
if (p + 2 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(rej_mtu, p);
|
||||
/* What to do with the MTU reject ? We have negotiated an MTU. For now
|
||||
*/
|
||||
|
@ -332,6 +340,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
p_lcb->handle, rej_mtu);
|
||||
}
|
||||
if (rej_reason == L2CAP_CMD_REJ_INVALID_CID) {
|
||||
if (p + 4 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(rcid, p);
|
||||
STREAM_TO_UINT16(lcid, p);
|
||||
|
||||
|
@ -365,6 +377,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
break;
|
||||
|
||||
case L2CAP_CMD_CONN_REQ:
|
||||
if (p + 4 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(con_info.psm, p);
|
||||
STREAM_TO_UINT16(rcid, p);
|
||||
p_rcb = l2cu_find_rcb_by_psm(con_info.psm);
|
||||
|
@ -396,6 +412,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
break;
|
||||
|
||||
case L2CAP_CMD_CONN_RSP:
|
||||
if (p + 8 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(con_info.remote_cid, p);
|
||||
STREAM_TO_UINT16(lcid, p);
|
||||
STREAM_TO_UINT16(con_info.l2cap_result, p);
|
||||
|
@ -427,6 +447,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
cfg_rej = false;
|
||||
cfg_rej_len = 0;
|
||||
|
||||
if (p + 4 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(lcid, p);
|
||||
STREAM_TO_UINT16(cfg_info.flags, p);
|
||||
|
||||
|
@ -437,22 +461,38 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
false;
|
||||
|
||||
while (p < p_cfg_end) {
|
||||
if (p + 2 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT8(cfg_code, p);
|
||||
STREAM_TO_UINT8(cfg_len, p);
|
||||
|
||||
switch (cfg_code & 0x7F) {
|
||||
case L2CAP_CFG_TYPE_MTU:
|
||||
cfg_info.mtu_present = true;
|
||||
if (p + 2 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(cfg_info.mtu, p);
|
||||
break;
|
||||
|
||||
case L2CAP_CFG_TYPE_FLUSH_TOUT:
|
||||
cfg_info.flush_to_present = true;
|
||||
if (p + 2 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(cfg_info.flush_to, p);
|
||||
break;
|
||||
|
||||
case L2CAP_CFG_TYPE_QOS:
|
||||
cfg_info.qos_present = true;
|
||||
if (p + 2 + 5 * 4 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT8(cfg_info.qos.qos_flags, p);
|
||||
STREAM_TO_UINT8(cfg_info.qos.service_type, p);
|
||||
STREAM_TO_UINT32(cfg_info.qos.token_rate, p);
|
||||
|
@ -464,6 +504,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
|
||||
case L2CAP_CFG_TYPE_FCR:
|
||||
cfg_info.fcr_present = true;
|
||||
if (p + 3 + 3 * 2 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT8(cfg_info.fcr.mode, p);
|
||||
STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p);
|
||||
STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p);
|
||||
|
@ -474,11 +518,19 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
|
||||
case L2CAP_CFG_TYPE_FCS:
|
||||
cfg_info.fcs_present = true;
|
||||
if (p + 1 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT8(cfg_info.fcs, p);
|
||||
break;
|
||||
|
||||
case L2CAP_CFG_TYPE_EXT_FLOW:
|
||||
cfg_info.ext_flow_spec_present = true;
|
||||
if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p);
|
||||
STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p);
|
||||
STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p);
|
||||
|
@ -490,6 +542,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
default:
|
||||
/* sanity check option length */
|
||||
if ((cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= cmd_len) {
|
||||
if (p + cfg_len > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "79488381");
|
||||
return;
|
||||
}
|
||||
p += cfg_len;
|
||||
if ((cfg_code & 0x80) == 0) {
|
||||
cfg_rej_len += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
|
||||
|
@ -523,6 +579,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
|
||||
case L2CAP_CMD_CONFIG_RSP:
|
||||
p_cfg_end = p + cmd_len;
|
||||
if (p + 6 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(lcid, p);
|
||||
STREAM_TO_UINT16(cfg_info.flags, p);
|
||||
STREAM_TO_UINT16(cfg_info.result, p);
|
||||
|
@ -532,22 +592,38 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
false;
|
||||
|
||||
while (p < p_cfg_end) {
|
||||
if (p + 2 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT8(cfg_code, p);
|
||||
STREAM_TO_UINT8(cfg_len, p);
|
||||
|
||||
switch (cfg_code & 0x7F) {
|
||||
case L2CAP_CFG_TYPE_MTU:
|
||||
cfg_info.mtu_present = true;
|
||||
if (p + 2 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(cfg_info.mtu, p);
|
||||
break;
|
||||
|
||||
case L2CAP_CFG_TYPE_FLUSH_TOUT:
|
||||
cfg_info.flush_to_present = true;
|
||||
if (p + 2 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(cfg_info.flush_to, p);
|
||||
break;
|
||||
|
||||
case L2CAP_CFG_TYPE_QOS:
|
||||
cfg_info.qos_present = true;
|
||||
if (p + 2 + 5 * 4 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT8(cfg_info.qos.qos_flags, p);
|
||||
STREAM_TO_UINT8(cfg_info.qos.service_type, p);
|
||||
STREAM_TO_UINT32(cfg_info.qos.token_rate, p);
|
||||
|
@ -559,6 +635,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
|
||||
case L2CAP_CFG_TYPE_FCR:
|
||||
cfg_info.fcr_present = true;
|
||||
if (p + 3 + 3 * 2 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT8(cfg_info.fcr.mode, p);
|
||||
STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p);
|
||||
STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p);
|
||||
|
@ -569,11 +649,19 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
|
||||
case L2CAP_CFG_TYPE_FCS:
|
||||
cfg_info.fcs_present = true;
|
||||
if (p + 1 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT8(cfg_info.fcs, p);
|
||||
break;
|
||||
|
||||
case L2CAP_CFG_TYPE_EXT_FLOW:
|
||||
cfg_info.ext_flow_spec_present = true;
|
||||
if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p);
|
||||
STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p);
|
||||
STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p);
|
||||
|
@ -603,6 +691,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
break;
|
||||
|
||||
case L2CAP_CMD_DISC_REQ:
|
||||
if (p + 4 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(lcid, p);
|
||||
STREAM_TO_UINT16(rcid, p);
|
||||
|
||||
|
@ -618,6 +710,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
break;
|
||||
|
||||
case L2CAP_CMD_DISC_RSP:
|
||||
if (p + 4 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(rcid, p);
|
||||
STREAM_TO_UINT16(lcid, p);
|
||||
|
||||
|
@ -645,6 +741,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
break;
|
||||
|
||||
case L2CAP_CMD_INFO_REQ:
|
||||
if (p + 2 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(info_type, p);
|
||||
l2cu_send_peer_info_rsp(p_lcb, id, info_type);
|
||||
break;
|
||||
|
@ -656,6 +756,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
p_lcb->w4_info_rsp = false;
|
||||
}
|
||||
|
||||
if (p + 4 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT16(info_type, p);
|
||||
STREAM_TO_UINT16(result, p);
|
||||
|
||||
|
@ -663,6 +767,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
|
|||
|
||||
if ((info_type == L2CAP_EXTENDED_FEATURES_INFO_TYPE) &&
|
||||
(result == L2CAP_INFO_RESP_RESULT_SUCCESS)) {
|
||||
if (p + 4 > p_next_cmd) {
|
||||
android_errorWriteLog(0x534e4554, "74202041");
|
||||
return;
|
||||
}
|
||||
STREAM_TO_UINT32(p_lcb->peer_ext_fea, p);
|
||||
|
||||
#if (L2CAP_NUM_FIXED_CHNLS > 0)
|
||||
|
|
9
android/system/bt/stack/mcap/mca_cact.cc
Normal file → Executable file
9
android/system/bt/stack/mcap/mca_cact.cc
Normal file → Executable file
|
@ -22,6 +22,7 @@
|
|||
* Functions.
|
||||
*
|
||||
******************************************************************************/
|
||||
#include <log/log.h>
|
||||
#include <string.h>
|
||||
#include "bt_common.h"
|
||||
#include "bt_target.h"
|
||||
|
@ -251,9 +252,15 @@ void mca_ccb_hdl_req(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
|
|||
p_rx_msg = (tMCA_CCB_MSG*)p_pkt;
|
||||
p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
|
||||
evt_data.hdr.op_code = *p++;
|
||||
BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
|
||||
reject_opcode = evt_data.hdr.op_code + 1;
|
||||
|
||||
if (p_pkt->len >= 3) {
|
||||
BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
|
||||
} else {
|
||||
android_errorWriteLog(0x534e4554, "110791536");
|
||||
evt_data.hdr.mdl_id = 0;
|
||||
}
|
||||
|
||||
MCA_TRACE_DEBUG("received mdl id: %d ", evt_data.hdr.mdl_id);
|
||||
if (p_ccb->status == MCA_CCB_STAT_PENDING) {
|
||||
MCA_TRACE_DEBUG("received req inpending state");
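Review bot: `evt_data.hdr.op_code = *p++;` in mca_ccb_hdl_req still dereferences the packet before any length test, so the new `p_pkt->len >= 3` guard protects only the mdl_id read. If an empty packet can reach this handler, the op_code byte is read past its payload; the length test should come first, e.g. `if (p_pkt->len < 1)` rejecting the packet ahead of that read. In the short-packet branch the handler carries on with `evt_data.hdr.mdl_id = 0`. Whether the code below answers that with a reject or processes it as a request for MDL 0 is outside the hunk and worth confirming. The function starts and ends outside the hunk.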
|
||||
|
|
12
android/system/bt/stack/pan/pan_main.cc
Normal file → Executable file
12
android/system/bt/stack/pan/pan_main.cc
Normal file → Executable file
|
@ -595,12 +595,11 @@ void pan_data_buf_ind_cb(uint16_t handle, const RawAddress& src,
|
|||
if (pan_cb.pan_data_buf_ind_cb)
|
||||
(*pan_cb.pan_data_buf_ind_cb)(pcb->handle, src, dst, protocol, p_buf,
|
||||
ext, forward);
|
||||
else if (pan_cb.pan_data_ind_cb) {
|
||||
else if (pan_cb.pan_data_ind_cb)
|
||||
(*pan_cb.pan_data_ind_cb)(pcb->handle, src, dst, protocol, p_data, len,
|
||||
ext, forward);
|
||||
osi_free(p_buf);
|
||||
}
|
||||
|
||||
osi_free(p_buf);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -625,13 +624,10 @@ void pan_data_buf_ind_cb(uint16_t handle, const RawAddress& src,
|
|||
if (pan_cb.pan_data_buf_ind_cb)
|
||||
(*pan_cb.pan_data_buf_ind_cb)(pcb->handle, src, dst, protocol, p_buf, ext,
|
||||
forward);
|
||||
else if (pan_cb.pan_data_ind_cb) {
|
||||
else if (pan_cb.pan_data_ind_cb)
|
||||
(*pan_cb.pan_data_ind_cb)(pcb->handle, src, dst, protocol, p_data, len, ext,
|
||||
forward);
|
||||
osi_free(p_buf);
|
||||
} else
|
||||
osi_free(p_buf);
|
||||
|
||||
osi_free(p_buf);
|
||||
return;
|
||||
}
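Review bot: `osi_free(p_buf)` now runs on every path, including right after the registered `pan_cb.pan_data_buf_ind_cb` callback has been handed `p_buf` itself, so the change is only safe if that callback never keeps or frees the buffer. Nothing in either hunk (-595 and -625) states that contract, and a callback that queues the pointer would turn this into a use-after-free or double free. I would put the rule next to the call: `/* p_buf is freed below on every path; the callbacks must copy anything they keep */`. With the braces removed, two multi-line calls hang off an unbraced `if`/`else if` directly above the free; bracing both branches would keep a later edit from sliding the free into the `else`. The function starts and ends outside both hunks.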
|
||||
|
||||
|
|
35
android/system/bt/stack/rfcomm/rfc_ts_frames.cc
Normal file → Executable file
35
android/system/bt/stack/rfcomm/rfc_ts_frames.cc
Normal file → Executable file
|
@ -26,6 +26,7 @@
|
|||
#include "bt_common.h"
|
||||
#include "bt_target.h"
|
||||
#include "l2c_api.h"
|
||||
#include "log/log.h"
|
||||
#include "port_api.h"
|
||||
#include "port_int.h"
|
||||
#include "rfc_int.h"
|
||||
|
@ -516,7 +517,16 @@ uint8_t rfc_parse_data(tRFC_MCB* p_mcb, MX_FRAME* p_frame, BT_HDR* p_buf) {
|
|||
return (RFC_EVENT_BAD_FRAME);
|
||||
}
|
||||
RFCOMM_PARSE_TYPE_FIELD(p_frame->type, p_frame->pf, p_data);
|
||||
RFCOMM_PARSE_LEN_FIELD(eal, len, p_data);
|
||||
|
||||
eal = *(p_data)&RFCOMM_EA;
|
||||
len = *(p_data)++ >> RFCOMM_SHIFT_LENGTH1;
|
||||
if (eal == 0 && p_buf->len > RFCOMM_CTRL_FRAME_LEN) {
|
||||
len += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2);
|
||||
} else if (eal == 0) {
|
||||
RFCOMM_TRACE_ERROR("Bad Length when EAL = 0: %d", p_buf->len);
|
||||
android_errorWriteLog(0x534e4554, "78288018");
|
||||
return RFC_EVENT_BAD_FRAME;
|
||||
}
|
||||
|
||||
p_buf->len -= (3 + !ead + !eal + 1); /* Additional 1 for FCS */
|
||||
p_buf->offset += (3 + !ead + !eal);
|
||||
|
@ -611,6 +621,14 @@ void rfc_process_mx_message(tRFC_MCB* p_mcb, BT_HDR* p_buf) {
|
|||
uint8_t ea, cr, mx_len;
|
||||
bool is_command;
|
||||
|
||||
if (length < 2) {
|
||||
RFCOMM_TRACE_ERROR(
|
||||
"%s: Illegal MX Frame len when reading EA, C/R. len:%d < 2", __func__,
|
||||
length);
|
||||
android_errorWriteLog(0x534e4554, "111937065");
|
||||
osi_free(p_buf);
|
||||
return;
|
||||
}
|
||||
p_rx_frame->ea = *p_data & RFCOMM_EA;
|
||||
p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
|
||||
p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK);
|
||||
|
@ -631,6 +649,13 @@ void rfc_process_mx_message(tRFC_MCB* p_mcb, BT_HDR* p_buf) {
|
|||
length--;
|
||||
|
||||
if (!ea) {
|
||||
if (length < 1) {
|
||||
RFCOMM_TRACE_ERROR("%s: Illegal MX Frame when EA = 0. len:%d < 1",
|
||||
__func__, length);
|
||||
android_errorWriteLog(0x534e4554, "111937065");
|
||||
osi_free(p_buf);
|
||||
return;
|
||||
}
|
||||
mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2;
|
||||
length--;
|
||||
}
|
||||
|
@ -699,7 +724,13 @@ void rfc_process_mx_message(tRFC_MCB* p_mcb, BT_HDR* p_buf) {
|
|||
return;
|
||||
|
||||
case RFCOMM_MX_MSC:
|
||||
|
||||
if (length != RFCOMM_MX_MSC_LEN_WITH_BREAK &&
|
||||
length != RFCOMM_MX_MSC_LEN_NO_BREAK) {
|
||||
RFCOMM_TRACE_ERROR("%s: Illegal MX MSC Frame len:%d", __func__, length);
|
||||
android_errorWriteLog(0x534e4554, "111937065");
|
||||
osi_free(p_buf);
|
||||
return;
|
||||
}
|
||||
ea = *p_data & RFCOMM_EA;
|
||||
cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
|
||||
p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI;
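Review bot: In rfc_parse_data the new guard `p_buf->len > RFCOMM_CTRL_FRAME_LEN` proves the second length octet is present, but the unsigned subtraction right after it, `p_buf->len -= (3 + !ead + !eal + 1)`, is not bounded by anything in this hunk. Whether it can wrap depends on the value of RFCOMM_CTRL_FRAME_LEN and on the early return above the hunk, neither of which is visible here. An explicit `if (p_buf->len < (3 + !ead + !eal + 1)) return RFC_EVENT_BAD_FRAME;` ahead of it would make the bound local. In rfc_process_mx_message only the RFCOMM_MX_MSC case gains a length test in the visible hunks; the other message types lie outside them, so confirm they are bounded the same way. Both functions continue outside the hunks.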
|
||||
|
|
30
android/system/bt/stack/sdp/sdp_discovery.cc
Normal file → Executable file
30
android/system/bt/stack/sdp/sdp_discovery.cc
Normal file → Executable file
|
@ -332,7 +332,7 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
|
|||
******************************************************************************/
|
||||
#if (SDP_RAW_DATA_INCLUDED == TRUE)
|
||||
static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) {
|
||||
unsigned int cpy_len;
|
||||
unsigned int cpy_len, rem_len;
|
||||
uint32_t list_len;
|
||||
uint8_t* p;
|
||||
uint8_t type;
|
||||
|
@ -354,12 +354,24 @@ static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) {
|
|||
p = &p_ccb->rsp_list[0];
|
||||
|
||||
if (offset) {
|
||||
cpy_len -= 1;
|
||||
type = *p++;
|
||||
uint8_t* old_p = p;
|
||||
p = sdpu_get_len_from_type(p, type, &list_len);
|
||||
if ((int)cpy_len < (p - old_p)) {
|
||||
SDP_TRACE_WARNING("%s: no bytes left for data", __func__);
|
||||
return;
|
||||
}
|
||||
cpy_len -= (p - old_p);
|
||||
}
|
||||
if (list_len && list_len < cpy_len) {
|
||||
if (list_len < cpy_len) {
|
||||
cpy_len = list_len;
|
||||
}
|
||||
rem_len = SDP_MAX_LIST_BYTE_COUNT - (unsigned int)(p - &p_ccb->rsp_list[0]);
|
||||
if (cpy_len > rem_len) {
|
||||
SDP_TRACE_WARNING("rem_len :%d less than cpy_len:%d", rem_len, cpy_len);
|
||||
cpy_len = rem_len;
|
||||
}
|
||||
SDP_TRACE_WARNING(
|
||||
"%s: list_len:%d cpy_len:%d p:%p p_ccb:%p p_db:%p raw_size:%d "
|
||||
"raw_used:%d raw_data:%p",
|
||||
|
@ -531,6 +543,13 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
|
|||
#endif
|
||||
/* If p_reply is NULL, we were called for the initial read */
|
||||
if (p_reply) {
|
||||
if (p_reply + 4 /* transaction ID and length */ + sizeof(lists_byte_count) >
|
||||
p_reply_end) {
|
||||
android_errorWriteLog(0x534e4554, "79884292");
|
||||
sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
|
||||
return;
|
||||
}
|
||||
|
||||
#if (SDP_DEBUG_RAW == TRUE)
|
||||
SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x", p_reply[0], p_reply[1],
|
||||
p_reply[2], p_reply[3]);
|
||||
|
@ -554,6 +573,13 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
|
|||
SDP_TRACE_WARNING("list_len: %d, list_byte_count: %d", p_ccb->list_len,
|
||||
lists_byte_count);
|
||||
#endif
|
||||
|
||||
if (p_reply + lists_byte_count + 1 /* continuation */ > p_reply_end) {
|
||||
android_errorWriteLog(0x534e4554, "79884292");
|
||||
sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
|
||||
return;
|
||||
}
|
||||
|
||||
if (p_ccb->rsp_list == NULL)
|
||||
p_ccb->rsp_list = (uint8_t*)osi_malloc(SDP_MAX_LIST_BYTE_COUNT);
|
||||
memcpy(&p_ccb->rsp_list[p_ccb->list_len], p_reply, lists_byte_count);
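Review bot: Both new bounds tests in process_service_search_attr_rsp form the sum on the pointer, `p_reply + lists_byte_count + 1 > p_reply_end`, and `lists_byte_count` is presumably taken from the peer's reply. The left-hand side can therefore point well past the buffer before it is compared, which is undefined behaviour and can wrap near the top of the address space. Comparing lengths avoids that: `if ((size_t)(p_reply_end - p_reply) < (size_t)lists_byte_count + 1)`, and likewise `4 + sizeof(lists_byte_count)` for the first test. These tests bound the source only. The `memcpy` into `rsp_list[p_ccb->list_len]` depends on a destination check against SDP_MAX_LIST_BYTE_COUNT that is not in either hunk, so confirm it sits between them.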
|
||||
|
|
17
android/system/bt/stack/sdp/sdp_server.cc
Normal file → Executable file
17
android/system/bt/stack/sdp/sdp_server.cc
Normal file → Executable file
|
@ -333,9 +333,11 @@ static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
|
|||
|
||||
/* Extract the record handle */
|
||||
BE_STREAM_TO_UINT32(rec_handle, p_req);
|
||||
param_len -= sizeof(rec_handle);
|
||||
|
||||
/* Get the max list length we can send. Cap it at MTU size minus overhead */
|
||||
BE_STREAM_TO_UINT16(max_list_len, p_req);
|
||||
param_len -= sizeof(max_list_len);
|
||||
|
||||
if (max_list_len > (p_ccb->rem_mtu_size - SDP_MAX_ATTR_RSPHDR_LEN))
|
||||
max_list_len = p_ccb->rem_mtu_size - SDP_MAX_ATTR_RSPHDR_LEN;
|
||||
|
@ -419,6 +421,13 @@ static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
|
|||
attr_len = sdpu_get_attrib_entry_len(p_attr);
|
||||
/* if there is a partial attribute pending to be sent */
|
||||
if (p_ccb->cont_info.attr_offset) {
|
||||
if (attr_len < p_ccb->cont_info.attr_offset) {
|
||||
android_errorWriteLog(0x534e4554, "79217770");
|
||||
LOG(ERROR) << "offset is bigger than attribute length";
|
||||
sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
|
||||
SDP_TEXT_BAD_CONT_LEN);
|
||||
return;
|
||||
}
|
||||
p_rsp = sdpu_build_partial_attrib_entry(p_rsp, p_attr, rem_len,
|
||||
&p_ccb->cont_info.attr_offset);
|
||||
|
||||
|
@ -567,6 +576,7 @@ static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
|
|||
if (max_list_len > (p_ccb->rem_mtu_size - SDP_MAX_SERVATTR_RSPHDR_LEN))
|
||||
max_list_len = p_ccb->rem_mtu_size - SDP_MAX_SERVATTR_RSPHDR_LEN;
|
||||
|
||||
param_len = static_cast<uint16_t>(p_req_end - p_req);
|
||||
p_req = sdpu_extract_attr_seq(p_req, param_len, &attr_seq);
|
||||
|
||||
if ((!p_req) || (!attr_seq.num_attr) ||
|
||||
|
@ -658,6 +668,13 @@ static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
|
|||
attr_len = sdpu_get_attrib_entry_len(p_attr);
|
||||
/* if there is a partial attribute pending to be sent */
|
||||
if (p_ccb->cont_info.attr_offset) {
|
||||
if (attr_len < p_ccb->cont_info.attr_offset) {
|
||||
android_errorWriteLog(0x534e4554, "79217770");
|
||||
LOG(ERROR) << "offset is bigger than attribute length";
|
||||
sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
|
||||
SDP_TEXT_BAD_CONT_LEN);
|
||||
return;
|
||||
}
|
||||
p_rsp = sdpu_build_partial_attrib_entry(
|
||||
p_rsp, p_attr, rem_len, &p_ccb->cont_info.attr_offset);
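Review bot: The two added `param_len -= sizeof(...)` lines in process_service_attr_req subtract six bytes with no visible test that the request holds that many. If `param_len` is an unsigned 16-bit count (the cast to uint16_t in the later hunk suggests so), a short request wraps it to a large value for whatever consumes it next. A guard before the first read, `if (param_len < sizeof(rec_handle) + sizeof(max_list_len))` followed by the function's usual error response and `return;`, keeps the count honest; such a check may already exist above the hunk, which starts mid-function. The `attr_len < p_ccb->cont_info.attr_offset` test is duplicated verbatim in both request handlers and could live in one small shared helper.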
|
||||
|
||||
|
|
22
android/system/bt/stack/smp/p_256_ecc_pp.cc
Normal file → Executable file
22
android/system/bt/stack/smp/p_256_ecc_pp.cc
Normal file → Executable file
|
@ -245,3 +245,25 @@ void ECC_PointMult_Bin_NAF(Point* q, Point* p, uint32_t* n,
|
|||
multiprecision_mersenns_mult_mod(q->z, q->z, minus_p.x, keyLength);
|
||||
multiprecision_mersenns_mult_mod(q->y, q->y, q->z, keyLength);
|
||||
}
|
||||
|
||||
bool ECC_ValidatePoint(const Point& pt) {
|
||||
const size_t kl = KEY_LENGTH_DWORDS_P256;
|
||||
p_256_init_curve(kl);
|
||||
|
||||
// Ensure y^2 = x^3 + a*x + b (mod p); a = -3
|
||||
|
||||
// y^2 mod p
|
||||
uint32_t y2_mod[kl] = {0};
|
||||
multiprecision_mersenns_squa_mod(y2_mod, (uint32_t*)pt.y, kl);
|
||||
|
||||
// Right hand side calculation
|
||||
uint32_t rhs[kl] = {0};
|
||||
multiprecision_mersenns_squa_mod(rhs, (uint32_t*)pt.x, kl);
|
||||
uint32_t three[kl] = {0};
|
||||
three[0] = 3;
|
||||
multiprecision_sub_mod(rhs, rhs, three, kl);
|
||||
multiprecision_mersenns_mult_mod(rhs, rhs, (uint32_t*)pt.x, kl);
|
||||
multiprecision_add_mod(rhs, rhs, curve_p256.b, kl);
|
||||
|
||||
return multiprecision_compare(rhs, y2_mod, kl) == 0;
|
||||
}
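Review bot: ECC_ValidatePoint tests only the curve equation, computed with modular arithmetic, so it never checks that `pt.x` and `pt.y` are themselves below the field prime. Standard public-key validation requires both coordinates in [0, p-1] before the on-curve test. Whether an out-of-range coordinate can pass depends on how the multiprecision_* helpers treat unreduced input, which is not visible here. I would reject it explicitly first: `if (multiprecision_compare((uint32_t*)pt.x, curve_p256.p, kl) >= 0 || multiprecision_compare((uint32_t*)pt.y, curve_p256.p, kl) >= 0) return false;` (assuming elliptic_curve_t exposes the prime as `p`). The C-style casts also drop `const` from `pt`, which is safe only while the helpers never write through their input arguments and deserves a comment.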
|
||||
|
|
3
android/system/bt/stack/smp/p_256_ecc_pp.h
Normal file → Executable file
3
android/system/bt/stack/smp/p_256_ecc_pp.h
Normal file → Executable file
|
@ -25,6 +25,7 @@
|
|||
|
||||
#pragma once
|
||||
|
||||
#include <cstdbool>
|
||||
#include "p_256_multprecision.h"
|
||||
|
||||
typedef struct {
|
||||
|
@ -55,6 +56,8 @@ typedef struct {
|
|||
extern elliptic_curve_t curve;
|
||||
extern elliptic_curve_t curve_p256;
|
||||
|
||||
bool ECC_ValidatePoint(const Point& p);
|
||||
|
||||
void ECC_PointMult_Bin_NAF(Point* q, Point* p, uint32_t* n, uint32_t keyLength);
|
||||
|
||||
#define ECC_PointMult(q, p, n, keyLength) \
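Review bot: The new declaration `bool ECC_ValidatePoint(const Point& p);` has no comment, although the pairing code's handling of a peer key depends on exactly what it guarantees. I would document it in the header: `// Returns true iff |p| satisfies the P-256 curve equation; a peer public key that fails must be rejected.` The added cstdbool include is not needed for `bool` in C++, and the reference parameter already makes this header C++-only, so the include can be dropped.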
|
||||
|
|
45
android/system/bt/stack/smp/smp_act.cc
Normal file → Executable file
45
android/system/bt/stack/smp/smp_act.cc
Normal file → Executable file
|
@ -16,12 +16,14 @@
|
|||
*
|
||||
******************************************************************************/
|
||||
|
||||
#include <log/log.h>
|
||||
#include <string.h>
|
||||
#include "btif_common.h"
|
||||
#include "device/include/interop.h"
|
||||
#include "include/bt_target.h"
|
||||
#include "stack/btm/btm_int.h"
|
||||
#include "stack/include/l2c_api.h"
|
||||
#include "stack/smp/p_256_ecc_pp.h"
|
||||
#include "stack/smp/smp_int.h"
|
||||
#include "utils/include/bt_utils.h"
|
||||
|
||||
|
@ -655,6 +657,17 @@ void smp_process_pairing_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
|
|||
|
||||
STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN);
|
||||
STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN);
|
||||
|
||||
Point pt;
|
||||
memcpy(pt.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
|
||||
memcpy(pt.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
|
||||
|
||||
if (!ECC_ValidatePoint(pt)) {
|
||||
android_errorWriteLog(0x534e4554, "72377774");
|
||||
smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
|
||||
return;
|
||||
}
|
||||
|
||||
p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY;
|
||||
|
||||
smp_wait_for_both_public_keys(p_cb, NULL);
|
||||
|
@ -713,13 +726,17 @@ void smp_process_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
|
|||
uint8_t reason = SMP_INVALID_PARAMETERS;
|
||||
|
||||
SMP_TRACE_DEBUG("%s", __func__);
|
||||
p_cb->status = *(uint8_t*)p_data;
|
||||
|
||||
if (smp_command_has_invalid_parameters(p_cb)) {
|
||||
if (p_cb->rcvd_cmd_len < 2) { // 1 (opcode) + 1 (Notif Type) bytes
|
||||
android_errorWriteLog(0x534e4554, "111936834");
|
||||
}
|
||||
smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
|
||||
return;
|
||||
}
|
||||
|
||||
p_cb->status = *(uint8_t*)p_data;
|
||||
|
||||
if (p != NULL) {
|
||||
STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
|
||||
} else {
|
||||
|
@ -882,6 +899,14 @@ void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
|
|||
uint8_t* p = (uint8_t*)p_data;
|
||||
|
||||
SMP_TRACE_DEBUG("%s", __func__);
|
||||
|
||||
if (smp_command_has_invalid_parameters(p_cb)) {
|
||||
uint8_t reason = SMP_INVALID_PARAMETERS;
|
||||
android_errorWriteLog(0x534e4554, "111937065");
|
||||
smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
|
||||
return;
|
||||
}
|
||||
|
||||
STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN);
|
||||
|
||||
smp_key_distribution(p_cb, NULL);
|
||||
|
@ -895,6 +920,14 @@ void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
|
|||
tBTM_LE_PENC_KEYS le_key;
|
||||
|
||||
SMP_TRACE_DEBUG("%s", __func__);
|
||||
|
||||
if (p_cb->rcvd_cmd_len < 11) { // 1(Code) + 2(EDIV) + 8(Rand)
|
||||
android_errorWriteLog(0x534e4554, "111937027");
|
||||
SMP_TRACE_ERROR("%s: Invalid command length: %d, should be at least 11",
|
||||
__func__, p_cb->rcvd_cmd_len);
|
||||
return;
|
||||
}
|
||||
|
||||
smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
|
||||
|
||||
STREAM_TO_UINT16(le_key.ediv, p);
|
||||
|
@ -914,13 +947,21 @@ void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
|
|||
}
|
||||
|
||||
/*******************************************************************************
|
||||
* Function smp_proc_enc_info
|
||||
* Function smp_proc_id_info
|
||||
* Description process identity information from peer device
|
||||
******************************************************************************/
|
||||
void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
|
||||
uint8_t* p = (uint8_t*)p_data;
|
||||
|
||||
SMP_TRACE_DEBUG("%s", __func__);
|
||||
|
||||
if (smp_command_has_invalid_parameters(p_cb)) {
|
||||
uint8_t reason = SMP_INVALID_PARAMETERS;
|
||||
android_errorWriteLog(0x534e4554, "111937065");
|
||||
smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
|
||||
return;
|
||||
}
|
||||
|
||||
STREAM_TO_ARRAY(p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */
|
||||
smp_key_distribution_by_transport(p_cb, NULL);
|
||||
}
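Review bot: In smp_proc_master_id the new short-command branch logs and does a bare `return;`, while the guards added to smp_proc_enc_info and smp_proc_id_info in this same file fail the pairing with `smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason)`. As written, a truncated command is dropped and the state machine stays where it was. If that is not intended, end the procedure the same way: `uint8_t reason = SMP_INVALID_PARAMETERS;` then `smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);` before the `return;`. The literal `11` also appears to duplicate what `smp_command_has_invalid_parameters(p_cb)` checks in the sibling handlers. The function continues outside the hunk.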
|
||||
|
|
7
android/system/bt/stack/smp/smp_br_main.cc
Normal file → Executable file
7
android/system/bt/stack/smp/smp_br_main.cc
Normal file → Executable file
|
@ -19,6 +19,7 @@
|
|||
#include "bt_target.h"
|
||||
|
||||
#include <string.h>
|
||||
#include "log/log.h"
|
||||
#include "smp_int.h"
|
||||
|
||||
const char* const smp_br_state_name[SMP_BR_STATE_MAX + 1] = {
|
||||
|
@ -308,6 +309,12 @@ void smp_br_state_machine_event(tSMP_CB* p_cb, tSMP_BR_EVENT event,
|
|||
return;
|
||||
}
|
||||
|
||||
if (p_cb->role > HCI_ROLE_SLAVE) {
|
||||
SMP_TRACE_ERROR("%s: invalid role %d", __func__, p_cb->role);
|
||||
android_errorWriteLog(0x534e4554, "80145946");
|
||||
return;
|
||||
}
|
||||
|
||||
SMP_TRACE_DEBUG("SMP Role: %s State: [%s (%d)], Event: [%s (%d)]",
|
||||
(p_cb->role == HCI_ROLE_SLAVE) ? "Slave" : "Master",
|
||||
smp_get_br_state_name(p_cb->br_state), p_cb->br_state,
|
||||
|
|
8
android/system/bt/stack/smp/smp_main.cc
Normal file → Executable file
8
android/system/bt/stack/smp/smp_main.cc
Normal file → Executable file
|
@ -18,6 +18,7 @@
|
|||
|
||||
#include "bt_target.h"
|
||||
|
||||
#include <cutils/log.h>
|
||||
#include <string.h>
|
||||
#include "smp_int.h"
|
||||
|
||||
|
@ -954,6 +955,13 @@ void smp_sm_event(tSMP_CB* p_cb, tSMP_EVENT event, void* p_data) {
|
|||
uint8_t curr_state = p_cb->state;
|
||||
tSMP_SM_TBL state_table;
|
||||
uint8_t action, entry, i;
|
||||
|
||||
if (p_cb->role >= 2) {
|
||||
SMP_TRACE_DEBUG("Invalid role: %d", p_cb->role);
|
||||
android_errorWriteLog(0x534e4554, "74121126");
|
||||
return;
|
||||
}
|
||||
|
||||
tSMP_ENTRY_TBL entry_table = smp_entry_table[p_cb->role];
|
||||
|
||||
SMP_TRACE_EVENT("main smp_sm_event");
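Review bot: The role check added to smp_sm_event uses a bare `2` and reports at debug level, whereas the equivalent check added to smp_br_state_machine_event in smp_br_main.cc uses `HCI_ROLE_SLAVE` and `SMP_TRACE_ERROR`. Since it guards the `smp_entry_table[p_cb->role]` index, I would write it the same way (equivalent as long as HCI_ROLE_SLAVE is 1): `if (p_cb->role > HCI_ROLE_SLAVE) {` and `SMP_TRACE_ERROR("%s: invalid role %d", __func__, p_cb->role);`. A static_assert tying the table's element count to the role range would keep the bound and the array from drifting apart. The function continues outside the hunk.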
|
||||
|
|