  1. Jan 10, 2023
  2. Jan 09, 2023
  3. Jan 07, 2023
  4. Jan 06, 2023
    • Revert "Drop connection when attempting to disable encryption" · 638e4875
      Ted Wang authored
      Bug: 259631398
      
      This reverts commit c5eee33a.
      
      Reason for revert: Causing b/259631398. Connection will be terminated unexpectedly when connection is in the middle of role switching with the device that does not support EPR.
      
      Test: Regression test
      Change-Id: I063e31fd74a8b319439386ecde4ce1a633b6d7bf
      Merged-In: I063e31fd74a8b319439386ecde4ce1a633b6d7bf
      (cherry picked from commit b2156728)
  5. Dec 13, 2022
    • Add regression test for b/258057241 · 5f8babc9
      Hui Peng authored
      Bug: 258057241
      Test: atest net_test_stack_avdtp
      Ignore-AOSP-First: security
      Merged-In: I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54
      Change-Id: I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54
    • Fix an OOB read in avdt_scb_hdl_pkt_no_frag · 89255db5
      Hui Peng authored
      The current implementation uses `pad_len = *(p_start + len);`
      to read the last byte from the packet, resulting in a one-byte
      out-of-bounds read.
      
      Also, avdt_scb_hdl_pkt_no_frag passes zero-length packets to the
      upper layer; this patch adds code to detect such packets
      and err out if detected.
      
      The regression test is I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54
      
      Bug: 258057241
      Test: atest net_test_stack_avdtp
      Ignore-AOSP-First: security
      Merged-In: If0c7b25f2e6cb4531bbb6254e176e8ad1b5c5fb4
      Change-Id: If0c7b25f2e6cb4531bbb6254e176e8ad1b5c5fb4
  6. Dec 07, 2022
  7. Dec 05, 2022
  8. Dec 02, 2022
    • Report failure when not able to connect to AVRCP · e74ee03c
      Robert Werthman authored
      A crash may occur when creating a bluetooth AVRCP connection to a
      device.
      
      The code fails to check a return value from an AVRCP function
      being used to index into an array. The return value may exceed the
      size of the array causing memory outside the bounds of the array to be
      accessed leading to memory corruption and a crash.
      
      The fix is to ensure the return value is within the bounds of the
      array before accessing the array contents. If the return value is
      not within the bounds of the array report it as a failure to the
      bluetooth stack.
      
      This change is relevant for android automotive because the IVI
      (in-vehicle infotainment system) acts as an AVRCP controller
      which still executes this code.
      
      Note: this is a backport of b/214569798, inducted as a non-security
      issue.  Per b/226927612 it has been found to have security impact
      and should be backported to earlier branches.
      
      Bug: 226927612
      Test: Manual - set return value to be out of bounds, verify no crash
      Tag: #security
      Ignore-AOSP-First: Security
      Change-Id: Ic284268c2241b6a7de146057b9842873907de59c
  9. Nov 30, 2022