- Jan 10, 2023
-
-
Hui Peng authored
Bug: 254445952 Test: manual Tag: #security Ignore-AOSP-First: security Merged-In: I25f928cc9fa4b3338b1885412e5f894b4155da71 Change-Id: I25f928cc9fa4b3338b1885412e5f894b4155da71
-
Hui Peng authored
-
Hui Peng authored
Bug: 255304475 Test: atest net_test_stack_btm Ignore-AOSP-First: security Tag: #security Merged-In: I3d1523b6dbadf75f682663504a0c932624c33d08 Change-Id: I3d1523b6dbadf75f682663504a0c932624c33d08
-
Hui Peng authored
Regression test: I3d1523b6dbadf75f682663504a0c932624c33d08 Bug: 255304475 Test: atest net_test_stack_btm Tag: #security Ignore-AOSP-First: security Merged-In: I3a8158a5db7e59acdaaa47e2327f6bdf492e47e7 Change-Id: I3a8158a5db7e59acdaaa47e2327f6bdf492e47e7
-
Hui Peng authored
Bug: 260078907 Test: atest net_test_stack_btm Ignore-AOSP-First: security Tag: #security Merged-In: Ie8c6cb188cf7cde94d2f7dc0db04b3de51e08678 Change-Id: Ie8c6cb188cf7cde94d2f7dc0db04b3de51e08678
-
Hui Peng authored
Regression test: Ie8c6cb188cf7cde94d2f7dc0db04b3de51e08678 Bug: 260078907 Test: atest net_test_stack_btm Tag: #security Ignore-AOSP-First: security Merged-In: I4aec266e09e33e8a19a9e33715fdb7ed7f4d4f58 Change-Id: I4aec266e09e33e8a19a9e33715fdb7ed7f4d4f58
-
Hui Peng authored
The size of the packet is not checked when `vendor_cap_supported_version >= kBqrIsoVersion` holds. This patch adds a check on the size in this code path. Bug: 242993878 Test: manual Tag: #security Ignore-AOSP-First: security Merged-In: I3191701c54b342ef3cf2296de075666b13e3096e Change-Id: I3191701c54b342ef3cf2296de075666b13e3096e
-
Hui Peng authored
Bug: 259675705 Test: manual Tag: #security Ignore-AOSP-First: security Merged-In: I13be3103903631de4a0fa2080151bc89884c65c9 Change-Id: I13be3103903631de4a0fa2080151bc89884c65c9
-
Hui Peng authored
There is a use-after-free bug in AttributionProcessor::OnWakelockReleased resulting from a well-known misuse of iterators to delete items in containers (the deleted items are used for calculating the next iterator in the next round). This patch fixes it with correct usage. See the regression test in I1709af943b6fa238dd4df41a62e6add36984c9ec. Bug: 254774758 Ignore-AOSP-First: security Test: atest bluetooth_test_gd_unit Merged-In: If9f14d5fe2fbf2150f2ab0d1f90ce0f263399227 Change-Id: If9f14d5fe2fbf2150f2ab0d1f90ce0f263399227
-
Hui Peng authored
When the `attr_pad` becomes full, it is possible that an index of `-1` is computed to write a zero byte to `p_val`, resulting in an OOB write.

```
p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\0';
```

Bug: 261867748 Test: manual Tag: #security Ignore-AOSP-First: security Merged-In: I937d22a2df26fca1d7f06b10182c4e713ddfed1b Change-Id: I937d22a2df26fca1d7f06b10182c4e713ddfed1b
-
Hui Peng authored
In A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the `-=` operation on it may result in integer underflow and OOB write with the computed pointer passed to A2DP_BuildMediaPayloadHeaderSbc. The regression test is I2e026025ce49a02280dfcacd08f4bfc1b5d12264 Bug: 186803518 Test: atest net_test_stack_a2dp_codecs_native Ignore-AOSP-First: security Merged-In: I45320085b1e458d3b0e0d86162a35aaaae7b34cb Change-Id: I45320085b1e458d3b0e0d86162a35aaaae7b34cb
-
Hui Peng authored
-
- Jan 09, 2023
-
-
Hui Peng authored
Bug: 258652631 Test: manual Ignore-AOSP-First: security Merged-In: Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084 Change-Id: Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084
-
- Jan 06, 2023
-
-
Ted Wang authored
Bug: 259631398 This reverts commit c5eee33a. Reason for revert: Causing b/259631398. Connection will be terminated unexpectedly when connection is in the middle of role switching with the device that does not support EPR. Test: Regression test Change-Id: I063e31fd74a8b319439386ecde4ce1a633b6d7bf Merged-In: I063e31fd74a8b319439386ecde4ce1a633b6d7bf (cherry picked from commit b2156728)
-
- Dec 13, 2022
-
-
Hui Peng authored
Bug: 258057241 Test: atest net_test_stack_avdtp Ignore-AOSP-First: security Merged-In: I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54 Change-Id: I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54
-
Hui Peng authored
The current implementation uses `pad_len = *(p_start + len);` to read the last byte from the packet, resulting in a one-byte out-of-bounds read. Also, avdt_scb_hdl_pkt_no_frag passes zero-length packets to the upper layer; this patch adds code to detect such packets and err out if detected. The regression test is I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54 Bug: 258057241 Test: atest net_test_stack_avdtp Ignore-AOSP-First: security Merged-In: If0c7b25f2e6cb4531bbb6254e176e8ad1b5c5fb4 Change-Id: If0c7b25f2e6cb4531bbb6254e176e8ad1b5c5fb4
-
- Dec 07, 2022
-
-
Brian Delwiche authored
-
- Dec 05, 2022
-
-
Brian Delwiche authored
-
- Dec 02, 2022
-
-
Robert Werthman authored
A crash may occur when creating a Bluetooth AVRCP connection to a device. The code fails to check a return value from an AVRCP function being used to index into an array. The return value may exceed the size of the array, causing memory outside the bounds of the array to be accessed, leading to memory corruption and a crash. The fix is to ensure the return value is within the bounds of the array before accessing the array contents. If the return value is not within the bounds of the array, report it as a failure to the Bluetooth stack. This change is relevant for Android Automotive because the IVI (in-vehicle infotainment system) acts as an AVRCP controller which still executes this code. Note: this is a backport of b/214569798, inducted as a non-security issue. Per b/226927612 it has been found to have security impact and should be backported to earlier branches. Bug: 226927612 Test: Manual - set return value to be out of bounds, verify no crash Tag: #security Ignore-AOSP-First: Security Change-Id: Ic284268c2241b6a7de146057b9842873907de59c
-
- Nov 30, 2022
-
-
Brian Delwiche authored
-
Brian Delwiche authored
isBluetoothShareUri_correctlyCheckUri (under com.android.bluetooth.opp.BluetoothOppUtilityTest) is failing on null input due to an incorrect comparison in isBluetoothShareUri. Change the comparison to one which can cope with null input. Bug: 257190999 Test: atest: BluetoothOppUtilityTest Tag: #security Ignore-AOSP-First: Security Change-Id: I61118f22577de7b975fb0df8dac8583e91f7b8c7 (cherry picked from commit c9b53b95) Merged-In: I61118f22577de7b975fb0df8dac8583e91f7b8c7
-
- Nov 08, 2022
-
-
Brian Delwiche authored
bta_hf_client_at does not properly check bounds on its inputs, allowing a buffer overflow when fed a buffer that is more than twice the expected maximum size. Add a new bounds check to enforce, and a new security test to validate. Bug: 231156521 Test: atest: BtaHfClientSecurityTest Tag: #security Ignore-AOSP-First: Security Change-Id: I2cf89a786ba7cd0423eaccd8082bd824ac2f0d43
-
- Nov 04, 2022
-
-
Brian Delwiche authored
Pixel devices in the field appear not to drop the connection or reestablish encryption after receiving a command to disable link layer encryption on an encrypted link, a certification requirement. Add a check forcing connections to drop in this case. Bug: 251436534 Test: atest: bluetooth, lab validation forthcoming Tag: #security Ignore-AOSP-First: Security Change-Id: Ie9d69be65fa1163c1ee10ca19153e98e737743cb
-
- Oct 04, 2022
-
-
Rahul Arya authored
-
Rahul Arya authored
Ignore-AOSP-First: Security fix Test: Flashed build, set the prop and watched the stack restart Bug: 195410559 Change-Id: I6496b34c144e697308109d5ee9528f4ae5c9b4b4 Merged-In: I6496b34c144e697308109d5ee9528f4ae5c9b4b4
-
- Oct 03, 2022
-
-
Rahul Arya authored
Based on discussion in linked bug, to prevent further regressions if the latest fixes are still incomplete. Bug: 195410559 Test: compiles Ignore-AOSP-First: security Change-Id: I1741929c639f2dbc6417974bf3287d8d141e33df (cherry picked from commit 924c3a96) Merged-In: I1741929c639f2dbc6417974bf3287d8d141e33df
-
Rahul Arya authored
Otherwise we stop rotating our address and lose all benefits of privacy. Ignore-AOSP-First: Security fix Bug: 246692649 Bug: 195410559 Test: Nearby QA test, and I'll write a cert test eventually Tag: #stability Change-Id: Ib63d79256acbb956413849c17f761aa902fa2eae (cherry picked from commit 279e3c3a) Merged-In: Ib63d79256acbb956413849c17f761aa902fa2eae
-
Rahul Arya authored
We need to pause all advertising before changing the random address, and we need to also change the addresses used for each advertising set. We also should ensure no active connections etc. are taking place when the address is changed. Note that this means there will be some latency between the address change in legacy before it is changed in GD, but I don't know how to avoid this. Ignore-AOSP-First: Security fix Test: manual / TODO Bug: 245453591 Bug: 195410559 Tag: #stability BYPASS_LONG_LINES_REASON: Bluetooth likes 120 lines Change-Id: Ia897a55320741993467d286550949a802657d399 (cherry picked from commit b275c66d) Merged-In: Ia897a55320741993467d286550949a802657d399
-
Brian Delwiche authored
-
- Sep 29, 2022
-
-
Chris Manton authored
This reverts commit cde75cf5. Bug: 249815584 Reason for revert: ag/249815584 Breaks P1 feature Change-Id: Ia146484522ba0eab118e74c65122bc1cd1a5f2a0
-
- Sep 28, 2022
-
-
Brian Delwiche authored
Bug: 225880741 Test: BT unit tests, validated against researcher POC Tag: #security Ignore-AOSP-First: Security Change-Id: I1330080abfd638fb36aad9535b6f5f5872986a7f
-
- Sep 27, 2022
-
-
Brian Delwiche authored
Bug: 242535997 Test: BT unit tests, validated against researcher POC Tag: #security Ignore-AOSP-First: Security Change-Id: Id3b665da0214e3c93f277e31077214fcd1d936e7
-
- Sep 26, 2022
-
-
TreeHugger Robot authored
-
Brian Delwiche authored
-
- Sep 23, 2022
-
-
Keith Mok authored
-
- Sep 13, 2022
-
-
TreeHugger Robot authored
-
Brian Delwiche authored
-
- Sep 12, 2022
-
-
Brian Delwiche authored
-
Bill Yi authored
Auto-generated-cl: translation import Change-Id: Iacb66fdceff28c4c33b0be589f3536788bf6bef5
-
- Sep 06, 2022
-
-
Brian Delwiche authored
-