Skip to content
Snippets Groups Projects
Select Git revision
  • fifteen-qpr0
  • fourteen-qpr1
  • fourteen default
  • fifteen-qpr1
  • fifteen-qpr2
  • thirteen
  • staging/fourteen
7 results
Search by author
  • Any Author
  • Adithya R Adithya R adithya2306
  • Ali Ali ali-nasiri-80
  • Dhina17 Dhina17 Dhina17
  • electimon electimon electimon
  • Erfan Abdi Erfan Abdi erfanoabdi
  • Farzin Kazemzadeh Farzin Kazemzadeh itisFarzin
  • LMO BuildBot LMO BuildBot lmo-buildbot
  • LMO GerritBot LMO GerritBot lmo-gerritbot
  • Mohammad Hasan Keramat J Mohammad Hasan Keramat J ikeramat
  • Nick Nick nift4
10 authors
  1. Jan 10, 2023
  3. Jan 09, 2023
  5. Jan 07, 2023
  7. Jan 06, 2023
    • Ted Wang's avatar
      Revert "Drop connection when atttempting to disable encryption" · 638e4875
      Ted Wang authored 
      Bug: 259631398

This reverts commit c5eee33a.

Reason for revert: Causing b/259631398. Connection will be terminated unexpectedly when connection is in the middle of role switching with the device that does not support EPR.

Test: Regression test
Change-Id: I063e31fd74a8b319439386ecde4ce1a633b6d7bf
Merged-In: I063e31fd74a8b319439386ecde4ce1a633b6d7bf
(cherry picked from commit b2156728)
      638e4875
  9. Dec 13, 2022
    • Hui Peng's avatar
      Add regression test for b/258057241 · 5f8babc9
      Hui Peng authored 
      Bug: 258057241
Test: atest net_test_stack_avdtp
Ignore-AOSP-First: security
Merged-In: I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54
Change-Id: I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54
      5f8babc9
    • Hui Peng's avatar
      Fix an OOB read in avdt_scb_hdl_pkt_no_frag · 89255db5
      Hui Peng authored 
      The current implementation uses `pad_len = *(p_start + len);`
to read the last byte from the packet, resulting one-byte
out-of-bound read.

Also avdt_scb_hdl_pkt_no_frag passes zero-lenth packets to
upper-layer, this patch adds code to detect such packets
and err out if detected.

The regression test is I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54

Bug: 258057241
Test: atest net_test_stack_avdtp
Ignore-AOSP-First: security
Merged-In: If0c7b25f2e6cb4531bbb6254e176e8ad1b5c5fb4
Change-Id: If0c7b25f2e6cb4531bbb6254e176e8ad1b5c5fb4
      89255db5
  11. Dec 07, 2022
  13. Dec 05, 2022
  15. Dec 02, 2022
    • Robert Werthman's avatar
      Report failure when not able to connect to AVRCP · e74ee03c
      Robert Werthman authored 
      A crash may occur when creating a bluetooth AVRCP connection to a
device.

The code fails to check a return value from an AVRCP function
being used to index into an array. The return value may exceed the
size of the array causing memory outside the bounds of the array to be
accessed leading to memory corruption and a crash.

The fix is to ensure the return value is within the bounds of the
array before accessing the array contents. If the return value is
not within the bounds of the array report it as a failure to the
bluetooth stack.

This change is relevant for android automotive because the IVI
(in-vehicle infotainment system) acts as the an AVRCP controller
which still executes this code.

Note: this is a backport of b/214569798, inducted as a non-security
issue.  Per b/226927612 it has been found to have security impact
and should be backported to earlier branches.

Bug: 226927612
Test: Manual - set return value to be out of bounds, verify no crash
Tag: #security
Ignore-AOSP-First: Security
Change-Id: Ic284268c2241b6a7de146057b9842873907de59c
      e74ee03c
  17. Nov 30, 2022
    • Brian Delwiche's avatar
      Merge "Fix OPP comparison" into tm-dev · d9948659
      Brian Delwiche authored
      d9948659
    • Brian Delwiche's avatar
      Fix OPP comparison · bbbbdb52
      Brian Delwiche authored 
      isBluetoothShareUri_correctlyCheckUri (under
com.android.bluetooth.opp.BluetoothOppUtilityTest) is failing
on null input due to an incorrect comparison in
isBluetoothShareUri.  Change the comparison to one which can
cope with null input.

Bug: 257190999
Test: atest: BluetoothOppUtilityTest
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I61118f22577de7b975fb0df8dac8583e91f7b8c7
(cherry picked from commit c9b53b95)
Merged-In: I61118f22577de7b975fb0df8dac8583e91f7b8c7
      bbbbdb52
  19. Nov 08, 2022
    • Brian Delwiche's avatar
      Fix buffer overflow in BRSF · f8adec66
      Brian Delwiche authored 
      bta_hf_client_at does not properly check bounds on its inputs,
allowing a buffer overflow when fed a buffer that is more than
twice the expected maximum size.  Add a new bounds check to
enforce, and a new security test to validate.

Bug: 231156521
Test: atest: BtaHfClientSecurityTest
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I2cf89a786ba7cd0423eaccd8082bd824ac2f0d43
      f8adec66