[resolved conflict] Fix multiple OOB bugs resulted from tx mtu in EATT am: ea76b7d9

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/23152794



Bug: 271335899
Test: manual
Ignore-AOSP-First: security
Tag: #security
Merged-In: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31
Change-Id: I02f1aec42e0c12c8f53fe03090b0c40c6e8e51c5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

system/stack/eatt/eatt.h

@@ -17,6 +17,7 @@
 
 #pragma once
 
+#include <algorithm>
 #include <queue>
 
 #include "stack/gatt/gatt_int.h"
@@ -25,6 +26,7 @@
 #define EATT_MIN_MTU_MPS (64)
 #define EATT_DEFAULT_MTU (256)
 #define EATT_ALL_CIDS (0xFFFF)
+#define EATT_MAX_TX_MTU  (1024)
 
 namespace bluetooth {
 namespace eatt {
@@ -59,12 +61,13 @@ class EattChannel {
   EattChannel(RawAddress& bda, uint16_t cid, uint16_t tx_mtu, uint16_t rx_mtu)
       : bda_(bda),
         cid_(cid),
-        tx_mtu_(tx_mtu),
         rx_mtu_(rx_mtu),
         state_(EattChannelState::EATT_CHANNEL_PENDING),
         indicate_handle_(0),
         ind_ack_timer_(NULL),
-        ind_confirmation_timer_(NULL) {}
+        ind_confirmation_timer_(NULL) {
+    EattChannelSetTxMTU(tx_mtu);
+  }
 
   ~EattChannel() {
     if (ind_ack_timer_ != NULL) {
@@ -93,7 +96,10 @@ class EattChannel {
     }
     state_ = state;
   }
-  void EattChannelSetTxMTU(uint16_t tx_mtu) { this->tx_mtu_ = tx_mtu; }
+
+  void EattChannelSetTxMTU(uint16_t tx_mtu) {
+    this->tx_mtu_ = std::min<uint16_t>(tx_mtu, EATT_MAX_TX_MTU);
+  }
 };
 
 /* Interface class */

system/stack/eatt/eatt_impl.h

@@ -276,7 +276,7 @@ struct eatt_impl {
     if (is_local_cfg)
       channel->rx_mtu_ = p_cfg->mtu;
     else
-      channel->tx_mtu_ = p_cfg->mtu;
+      channel->EattChannelSetTxMTU(p_cfg->mtu);
 
     /* Go back to open state */
     channel->EattChannelSetState(EattChannelState::EATT_CHANNEL_OPENED);