diff --git a/system/stack/acl/btm_acl.cc b/system/stack/acl/btm_acl.cc
index f86484de23d3bb64d0e28f97ded4a3d180d1b8d1..04c4dc4a12d9bea29d7434488e7d2001bb3cce08 100644
--- a/system/stack/acl/btm_acl.cc
+++ b/system/stack/acl/btm_acl.cc
@@ -62,6 +62,7 @@
 #include "rust/src/core/ffi/types.h"
 #include "stack/acl/acl.h"
 #include "stack/acl/peer_packet_types.h"
+#include "stack/btm/btm_ble_sec.h"
 #include "stack/btm/btm_dev.h"
 #include "stack/btm/btm_int_types.h"
 #include "stack/btm/btm_sco.h"
@@ -1068,6 +1069,17 @@ void StackAclBtmAcl::btm_establish_continue(tACL_CONN* p_acl) {
 ADDRESS_TO_LOGGABLE_CSTR(p_acl->RemoteAddress()));
 }
 btm_set_link_policy(p_acl, btm_cb.acl_cb_.DefaultLinkPolicy());
+ } else if (p_acl->is_transport_ble()) {
+ tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_acl->remote_addr);
+
+ if (p_dev_rec == nullptr) {
+ log::warn("No security record for {}",
+ ADDRESS_TO_LOGGABLE_CSTR(p_acl->RemoteAddress()));
+ } else if (p_dev_rec->sec_rec.is_le_link_key_known()) {
+ btm_ble_set_encryption(
+ p_acl->remote_addr, BTM_BLE_SEC_ENCRYPT,
+ p_dev_rec->role_central ? HCI_ROLE_CENTRAL : HCI_ROLE_PERIPHERAL);
+ }
 }
 NotifyAclLinkUp(*p_acl);
 }
diff --git a/system/stack/eatt/eatt.h b/system/stack/eatt/eatt.h
index 62bf2482066dfeebe97aaf03e886cf829717ceaa..bd0b858acfb0a78b3c10be39d30e1dbabf43c20a 100644
--- a/system/stack/eatt/eatt.h
+++ b/system/stack/eatt/eatt.h
@@ -100,6 +100,7 @@ class EattChannel {
 void EattChannelSetTxMTU(uint16_t tx_mtu) {
 this->tx_mtu_ = std::min<uint16_t>(tx_mtu, EATT_MAX_TX_MTU);
+ this->tx_mtu_ = std::max<uint16_t>(this->tx_mtu_, EATT_MIN_MTU_MPS);
 }
 };
diff --git a/system/stack/gatt/gatt_sr.cc b/system/stack/gatt/gatt_sr.cc
index e7809a1490bc68a8eeedee37fbbfaf503703c4df..1dffb0a59bb0e2c3f0bd5c56f4b7091908a128dd 100644
--- a/system/stack/gatt/gatt_sr.cc
+++ b/system/stack/gatt/gatt_sr.cc
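Review bot: In the new LE branch of `btm_establish_continue` (btm_acl.cc), the result of `btm_ble_set_encryption(...)` is discarded, so if encryption cannot be started for a bonded peer the link is still announced through `NotifyAclLinkUp` with nothing in the log. The callee's declaration is outside this hunk; assuming it returns a `tBTM_STATUS`, capture it with `tBTM_STATUS status = btm_ble_set_encryption(...);` and log a warning when it is neither `BTM_SUCCESS` nor `BTM_CMD_STARTED`. A short comment above the branch saying why encryption is requested at link-up for a peer whose LE key is known would also help the next reader. The body of the function starts before the hunk.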
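Review bot: The new lower bound in `EattChannelSetTxMTU` (eatt.h) is applied silently and without a comment: a `tx_mtu` below `EATT_MIN_MTU_MPS` is raised to the minimum, and nothing records that the value was out of range or why the floor is needed. A one-line comment such as `// Never go below the EATT minimum so later size arithmetic on tx_mtu_ cannot start from a too-small value` would document the intent, if that is indeed the reason. The two assignments can also be written as one, `this->tx_mtu_ = std::clamp<uint16_t>(tx_mtu, EATT_MIN_MTU_MPS, EATT_MAX_TX_MTU);`, assuming the minimum is never larger than the maximum.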
@@ -167,6 +167,13 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
 uint8_t* p;
 bool is_overflow = false;
+ // We need at least one extra byte for the opcode
+ if (mtu == 0) {
+ LOG(ERROR) << "Invalid MTU";
+ p_cmd->status = GATT_ILLEGAL_PARAMETER;
+ return;
+ }
+
 len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
 BT_HDR* p_buf = (BT_HDR*)osi_calloc(len);
 p_buf->offset = L2CAP_MIN_OFFSET;
@@ -210,7 +217,7 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
 len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
- if (len == 0) {
+ if (total_len == mtu && p_rsp->attr_value.len > 0) {
 log::verbose("Buffer space not enough for this data item, skipping");
 break;
 }
@@ -753,6 +760,11 @@ void gatts_process_primary_service_req(tGATT_TCB& tcb, uint16_t cid,
 uint16_t payload_size = gatt_tcb_get_payload_size(tcb, cid);
+ // This can happen if the channel is already closed.
+ if (payload_size == 0) {
+ return;
+ }
+
 uint16_t msg_len = (uint16_t)(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
 BT_HDR* p_msg = (BT_HDR*)osi_calloc(msg_len);
@@ -788,6 +800,12 @@ static void gatts_process_find_info(tGATT_TCB& tcb, uint16_t cid,
 }
 uint16_t payload_size = gatt_tcb_get_payload_size(tcb, cid);
+
+ // This can happen if the channel is already closed.
+ if (payload_size == 0) {
+ return;
+ }
+
 uint16_t buf_len = (uint16_t)(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
@@ -929,6 +947,11 @@ static void gatts_process_read_by_type_req(tGATT_TCB& tcb, uint16_t cid,
 uint16_t payload_size = gatt_tcb_get_payload_size(tcb, cid);
+ // This can happen if the channel is already closed.
+ if (payload_size == 0) {
+ return;
+ }
+
 size_t msg_len = sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET;
 BT_HDR* p_msg = (BT_HDR*)osi_calloc(msg_len);
 uint8_t* p = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET;
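Review bot: The new `mtu == 0` guard at the top of `build_read_multi_rsp` reports failure only through `p_cmd->status`, so it is safe only if the caller, which is outside this hunk, checks that status before it uses the response message; that should be confirmed. The log call is also inconsistent with the rest of the file: the same function logs with `log::verbose` in the next hunk, so this line would read `log::error("Invalid MTU");`. The body of the function continues past the hunk.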
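Review bot: The rewritten condition in the second `build_read_multi_rsp` hunk needs a comment, because its intent is not obvious from `total_len == mtu && p_rsp->attr_value.len > 0`: a zero-length attribute value no longer ends the loop, which now stops only when the buffer is full while data remains. Something like `// Empty values are still emitted; stop only when no room is left for a non-empty one` would say that. The test also relies on `total_len` never exceeding `mtu` at this point, since `mtu - total_len` is evaluated on the line before; that bound is presumably enforced above the hunk and is worth confirming, or the comparison could be written `total_len >= mtu`.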
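Review bot: The early `return` on `payload_size == 0` in `gatts_process_primary_service_req` is silent: there is no log line and no error response, so a request dropped because the channel closed cannot be told apart from one that never arrived. The same guard is added in `gatts_process_find_info`, `gatts_process_read_by_type_req` and `gatts_process_read_req`, and this note applies to all four. A one-line log before each return, for example `log::warn("Dropping request, payload size is 0 for cid {}", cid);`, would make these drops visible when triaging a report. Whether a small non-zero payload size is also safe for the writes that follow depends on code outside these hunks.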
@@ -1076,6 +1099,11 @@ static void gatts_process_read_req(tGATT_TCB& tcb, uint16_t cid,
 uint8_t* p_data) {
 uint16_t payload_size = gatt_tcb_get_payload_size(tcb, cid);
+ // This can happen if the channel is already closed.
+ if (payload_size == 0) {
+ return;
+ }
+
 size_t buf_len = sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET;
 uint16_t offset = 0;