diff --git a/system/bta/hf_client/bta_hf_client_sdp.cc b/system/bta/hf_client/bta_hf_client_sdp.cc
index 91077f08af6dda8cfc28714cdc0a12c1ce56b92d..e3be9461ea4b4c928ba565c5b37ee70c6df97ec2 100644
--- a/system/bta/hf_client/bta_hf_client_sdp.cc
+++ b/system/bta/hf_client/bta_hf_client_sdp.cc
@@ -343,6 +343,19 @@ void bta_hf_client_do_disc(tBTA_HF_CLIENT_CB* client_cb) {
uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_AG_HANDSFREE);
}
+ /* If we already have a non-null discovery database at this point, we can get
+ * into a race condition leading to UAF once this connection is closed.
+ * This should only happen with malicious modifications to a client. */
+ if (client_cb->p_disc_db != NULL) {
+ log::error(
+ "Tried to set up a HF client with a preexisting discovery database.");
+ client_cb->p_disc_db = NULL;
+ // We manually set the state here because it's possible to call this from an
+ // OPEN state, in which case the discovery fail event will be ignored.
+ client_cb->state = 0; // BTA_HF_CLIENT_INIT_ST
+ return;
+ }
+
/* allocate buffer for sdp database */
client_cb->p_disc_db = (tSDP_DISCOVERY_DB*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
diff --git a/system/stack/avct/avct_api.cc b/system/stack/avct/avct_api.cc
index f50f592b19187875e51b63a07189cdb7d8f711a4..f812e8e7ea39574896f46989ce3e83963d7a6ef5 100644
--- a/system/stack/avct/avct_api.cc
+++ b/system/stack/avct/avct_api.cc
@@ -61,9 +61,11 @@ void AVCT_Register() {
/* initialize AVCTP data structures */
memset(&avct_cb, 0, sizeof(tAVCT_CB));
+ uint16_t sec = BTA_SEC_AUTHENTICATE | BTA_SEC_ENCRYPT;
+
/* register PSM with L2CAP */
L2CA_Register2(AVCT_PSM, avct_l2c_appl, true /* enable_snoop */, nullptr,
- kAvrcMtu, 0, BTA_SEC_AUTHENTICATE);
+ kAvrcMtu, 0, sec);
/* Include the browsing channel which uses eFCR */
tL2CAP_ERTM_INFO ertm_info;
@@ -71,7 +73,7 @@ void AVCT_Register() {
L2CA_Register2(AVCT_BR_PSM, avct_l2c_br_appl, true /*enable_snoop*/,
&ertm_info, kAvrcBrMtu, AVCT_MIN_BROWSE_MTU,
- BTA_SEC_AUTHENTICATE);
+ sec);
}
/*******************************************************************************
diff --git a/system/stack/avct/avct_bcb_act.cc b/system/stack/avct/avct_bcb_act.cc
index a2264b8f9afb00d72219f55d997de3ee2053993c..46a47b2f4a4e8a3ff16f4814446a42d016aba43e 100644
--- a/system/stack/avct/avct_bcb_act.cc
+++ b/system/stack/avct/avct_bcb_act.cc
@@ -115,8 +115,9 @@ void avct_bcb_chnl_open(tAVCT_BCB* p_bcb, UNUSED_ATTR tAVCT_LCB_EVT* p_data) {
/* call l2cap connect req */
p_bcb->ch_state = AVCT_CH_CONN;
- p_bcb->ch_lcid =
- L2CA_ConnectReq2(AVCT_BR_PSM, p_lcb->peer_addr, BTA_SEC_AUTHENTICATE);
+ p_bcb->ch_lcid = L2CA_ConnectReq2(AVCT_BR_PSM, p_lcb->peer_addr,
+ BTA_SEC_AUTHENTICATE | BTA_SEC_ENCRYPT);
+
if (p_bcb->ch_lcid == 0) {
/* if connect req failed, send ourselves close event */
tAVCT_LCB_EVT avct_lcb_evt;
diff --git a/system/stack/avct/avct_lcb_act.cc b/system/stack/avct/avct_lcb_act.cc
index 2aa38d56f8c98482f8b86832781bb81619d95b03..04c3295b29b13c6b703516f442bd304664d29625 100644
--- a/system/stack/avct/avct_lcb_act.cc
+++ b/system/stack/avct/avct_lcb_act.cc
@@ -185,7 +185,8 @@ void avct_lcb_chnl_open(tAVCT_LCB* p_lcb, UNUSED_ATTR tAVCT_LCB_EVT* p_data) {
p_lcb->ch_state = AVCT_CH_CONN;
p_lcb->ch_lcid =
- L2CA_ConnectReq2(AVCT_PSM, p_lcb->peer_addr, BTA_SEC_AUTHENTICATE);
+ L2CA_ConnectReq2(AVCT_PSM, p_lcb->peer_addr,
+ BTA_SEC_AUTHENTICATE | BTA_SEC_ENCRYPT);
if (p_lcb->ch_lcid == 0) {
/* if connect req failed, send ourselves close event */
tAVCT_LCB_EVT avct_lcb_evt;
diff --git a/system/stack/avdt/avdt_ad.cc b/system/stack/avdt/avdt_ad.cc
index 378d6d4c59a87043b07eb167c66d05405e33fc79..9f735231e8d9923b88e1bc5ae582d3269763ace8 100644
--- a/system/stack/avdt/avdt_ad.cc
+++ b/system/stack/avdt/avdt_ad.cc
@@ -544,7 +544,8 @@ void avdt_ad_open_req(uint8_t type, AvdtpCcb* p_ccb, AvdtpScb* p_scb,
/* call l2cap connect req */
lcid =
- L2CA_ConnectReq2(AVDT_PSM, p_ccb->peer_addr, BTM_SEC_OUT_AUTHENTICATE);
+ L2CA_ConnectReq2(AVDT_PSM, p_ccb->peer_addr,
+ BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
if (lcid != 0) {
/* if connect req ok, store tcid in lcid table */
avdtp_cb.ad.lcid_tbl[lcid] = avdt_ad_tc_tbl_to_idx(p_tbl);
diff --git a/system/stack/avdt/avdt_api.cc b/system/stack/avdt/avdt_api.cc
index 923641ebac3afa4c3def4152c9ee00c09ead8e67..7248fd83af3f2bfa107335682919677e960a1ad1 100644
--- a/system/stack/avdt/avdt_api.cc
+++ b/system/stack/avdt/avdt_api.cc
@@ -95,9 +95,10 @@ void avdt_scb_transport_channel_timer_timeout(void* data) {
*
******************************************************************************/
void AVDT_Register(AvdtpRcb* p_reg, tAVDT_CTRL_CBACK* p_cback) {
+ uint16_t sec = BTA_SEC_AUTHENTICATE | BTA_SEC_ENCRYPT;
/* register PSM with L2CAP */
L2CA_Register2(AVDT_PSM, avdt_l2c_appl, true /* enable_snoop */, nullptr,
- kAvdtpMtu, 0, BTA_SEC_AUTHENTICATE);
+ kAvdtpMtu, 0, sec);
/* initialize AVDTP data structures */
avdt_scb_init();
diff --git a/system/stack/sdp/sdp_discovery.cc b/system/stack/sdp/sdp_discovery.cc
index a007c1e7da1725cafb4d28d07df9a30e9a961ed6..590d81bd161f3472b8c5e3d45168621675d942f7 100644
--- a/system/stack/sdp/sdp_discovery.cc
+++ b/system/stack/sdp/sdp_discovery.cc
@@ -598,6 +598,15 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
uint8_t* p;
uint16_t bytes_left = SDP_DATA_BUF_SIZE;
+ /* If we don't have a valid discovery database, we can't do anything. */
+ if (p_ccb->p_db == NULL) {
+ log::warn(
+ "Attempted continuation or first time request with invalid discovery "
+ "database");
+ sdp_disconnect(p_ccb, tSDP_STATUS::SDP_INVALID_CONT_STATE);
+ return;
+ }
+
p_msg->offset = L2CAP_MIN_OFFSET;
p = p_start = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET;