- Sep 01, 2023
-
-
Hui Peng authored
Bug: 277590580
bug: 275553827
Test: atest net_test_main_shim
Ignore-AOSP-First: security
Tag: #security
Merged-In: I7fcb7c46f668f48560a72399a3c5087c6da3827f
Change-Id: I7fcb7c46f668f48560a72399a3c5087c6da3827f
-
Hui Peng authored
This change is intended to be used to factor out dup code for parsing GapData in StartAdvertisingSet and make it easier to be tested.

Backport of Ia39886c415218353b6f9d59d7d3f6d1160477d6c

Bug: 296291440
Test: atest net_test_main_shim
Merged-In: Ia39886c415218353b6f9d59d7d3f6d1160477d6c
Change-Id: Ia39886c415218353b6f9d59d7d3f6d1160477d6c
-
- Aug 31, 2023
-
-
Hui Peng authored
-
- Aug 24, 2023
-
-
Hui Peng authored
-
- Aug 07, 2023
-
-
Hui Peng authored
-
- Aug 05, 2023
-
-
Hui Peng authored
-
- Aug 04, 2023
-
- Jun 27, 2023
-
-
Hui Peng authored
Bug: 275057843
Bug: 275057678
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I4c8ec50c15e2727839a49da0e582164557bcd38a
Change-Id: I4c8ec50c15e2727839a49da0e582164557bcd38a
-
- Jun 02, 2023
-
-
Brian Delwiche authored
-
- May 24, 2023
-
-
Brian Delwiche authored
-
- May 19, 2023
-
-
Hui Peng authored
When p_buf->len is mtu - 1 and p_cmd->multi_req.variable_len evaluates to true, integer underflow is triggered in the following line, resulting in OOB access.

```
len = p_rsp->attr_value.len - (total_len - mtu);
```

Bug: 273874525
Test: manual
Ignore-AOSP-First: security
Tag: #security
Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
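The wraparound described in the commit message above, as an added C example that is not the AOSP code or the patch itself. It assumes 16-bit length fields and a 2-byte length prefix for variable-length responses; the function names and sample values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model of the length bookkeeping (not the AOSP source): the response
 * buffer already holds buf_len bytes, the next attribute value is attr_len
 * bytes, and a variable-length response adds a 2-byte length prefix. */
#define LEN_PREFIX 2u

/* Unchecked form: the same subtraction as the line quoted in the commit
 * message, with the result stored in a uint16_t. */
static uint16_t append_len_unchecked(uint16_t buf_len, uint16_t attr_len,
                                     uint16_t mtu, bool variable_len) {
  uint16_t total_len = (uint16_t)(buf_len + attr_len);
  if (variable_len) total_len = (uint16_t)(total_len + LEN_PREFIX);
  uint16_t len = attr_len;
  if (total_len > mtu) len = (uint16_t)(attr_len - (total_len - mtu));
  return len; /* wraps when the overshoot is larger than attr_len */
}

/* Checked form: work in size_t and derive the copy length from the room that
 * is actually left, so the result never exceeds attr_len or the MTU. */
static bool append_len_checked(uint16_t buf_len, uint16_t attr_len,
                               uint16_t mtu, bool variable_len,
                               size_t* out_len) {
  size_t used = (size_t)buf_len + (variable_len ? LEN_PREFIX : 0u);
  if (used > mtu) return false; /* no room even for the length prefix */
  size_t room = (size_t)mtu - used;
  *out_len = attr_len < room ? attr_len : room;
  return true;
}

int main(void) {
  const uint16_t mtu = 23; /* constructed sample values */
  const uint16_t buf_len = (uint16_t)(mtu - 1);
  size_t n = 0;
  printf("unchecked: %u\n",
         (unsigned)append_len_unchecked(buf_len, 10, mtu, true));
  bool ok = append_len_checked(buf_len, 10, mtu, true, &n);
  printf("checked:   %s\n", ok ? "fits" : "rejected");
  return 0;
}
```

With the buffer one byte short of the MTU, the 2-byte prefix alone overshoots, so the unchecked subtraction yields a 16-bit value near the top of its range while the checked form refuses the append.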
-
Hui Peng authored
Plus some cleanup

Bug: 271962784
Test: manual
Ignore-AOSP-First: security
Tag: #security
Merged-In: Ice5ad780ac0b177c73d84ed37960b4540df1ec86
Change-Id: Ice5ad780ac0b177c73d84ed37960b4540df1ec86
-
- May 18, 2023
-
-
Brian Delwiche authored
-
- May 16, 2023
-
-
Hui Peng authored
Bug: 280633699
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
-
Brian Delwiche authored
Local variables tracking structure size in build_read_multi_rsp are of uint16 type but accept a full uint16 range from function arguments while appending a fixed-length offset. This can lead to an integer overflow and unexpected behavior.

Change the locals to size_t, and add a check during reassignment.

Bug: 273966636
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I3a74bdb0d003cb6bf4f282615be8c68836676715
(cherry picked from commit 70a4d628)
-
- May 15, 2023
-
-
Hui Peng authored
-
- May 12, 2023
-
-
Hui Peng authored
The tx mtu in EATT can be controlled by remote device. With malicious mtu values, it is possible to trigger integer overflow and OOB write at multiple places (see the bug below).

This fix enforces a max tx mtu in EATT.

Bug: 271335899
Test: manual
Ignore-AOSP-First: security
Tag: #security
Merged-In: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31
Change-Id: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31
-
- May 10, 2023
-
-
Hui Peng authored
Bug: 278279023
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: I6727c9a071170baadb2292daa52f71190972ecca
-
- May 09, 2023
-
-
Treehugger Robot authored
-
- May 06, 2023
-
-
Hui Peng authored
-
- May 03, 2023
-
-
Hui Peng authored
Bug: 260726311
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: I199fdd0651ebc29f130ebb5f5fa07e13f22a7d37
-
- Apr 30, 2023
-
-
Hui Peng authored
tBTA_AV_CI_SETCONFIG is treated as tBTA_AV_STR_MSG in bta_av_setconfig_rej, resulting in OOB access.

Bug: 260230151
Test: manual
Ignore-AOSP-First: security
Tag: #security
Merged-In: I78a1ee50dea0113381e51f8521711d758dc759cf
Change-Id: I78a1ee50dea0113381e51f8521711d758dc759cf
-
- Apr 29, 2023
-
-
Hui Peng authored
Bug: 266433017
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: I4a8959ac6e5980a6c6d20edcf103482b9916656a
-
- Apr 25, 2023
-
-
Hui Peng authored
Merge "Fix a potential OOB in BleAdvertiserVscHciInterfaceImpl::VendorSpecificEventCback" into tm-dev
-
Hui Peng authored
-
Hui Peng authored
-
Hui Peng authored
-
Treehugger Robot authored
-
- Apr 18, 2023
-
-
Hui Peng authored
Plus move macros used in struct bt_oob_data_s to bluetooth.h

Bug: 274722185
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Ie12feb4090a1eb88f5c9e097546f55a076839fb0
-
Hui Peng authored
Bug: 276975913
Test: manual
Ignore-AOSP-First: security
Tag: security
Change-Id: I38353a573168e18f06b2b311e532a937044fd92f
-
Hui Peng authored
Bug: 274722163
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Ie4b30bbc19ba0bd191839af35880a4831d8005b1
-
- Apr 14, 2023
-
-
William Escande authored
-
Hui Peng authored
This CL fixes the following 3 bugs:

1. Integer underflow triggered by malicious MTU from peer device
2. Integer overflow caused by maliciously long item names
3. Bug caused by typo: item_len_left -> attribute_len_left

Bug: 242994452
Tag: #security
Ignore-AOSP-First: security
Test: manual
Change-Id: I0d2af48b7eb3469d9d1923910e4facc8f2cdbc95
-
- Apr 13, 2023
-
- Apr 11, 2023
-
-
Brian Delwiche authored
gatt_cl.cc accesses a header field after the buffer holding it may have been freed.

Track the relevant state as a local variable instead.

Bug: 274617156
Test: atest: bluetooth, validated against fuzzer
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
-
- Apr 04, 2023
-
-
Timothy Yiu authored
-
- Apr 03, 2023
-
-
Brian Delwiche authored
-
Brian Delwiche authored
-
- Mar 31, 2023
-
-
Brian Delwiche authored
-
- Mar 29, 2023
-
-
Brian Delwiche authored
btm_ble_periodic_av_sync_lost internally calls the function btm_ble_get_psync_index_from_handle, which polls the internal periodic sync buffer and returns a matching index if one exists. If no matching handle is found, it returns MAX_SYNC_TRANSACTION.

However, here the calling function lacks the check for this case present in similar functions. If no handle is matched, it will attempt to index the buffer with MAX_SYNC_TRANSACTION, which will overrun it by a single width and lead to OOB access.

Add handling for this case.

Bug: 273502002
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm, validated against researcher POC
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I2e1e95b277f81b2668f721a7693df50841968ec5
-