Bug: 266433017
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: I4a8959ac6e5980a6c6d20edcf103482b9916656a

Merge "Fix a potential OOB in BleAdvertiserVscHciInterfaceImpl::VendorSpecificEventCback" into tm-dev

Plus move macros used in struct bt_oob_data_s
to bluetooth.h

Bug: 274722185
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Ie12feb4090a1eb88f5c9e097546f55a076839fb0

Bug: 276975913
Test: manual
Ignore-AOSP-First: security
Tag: security
Change-Id: I38353a573168e18f06b2b311e532a937044fd92f

Bug: 274722163
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Ie4b30bbc19ba0bd191839af35880a4831d8005b1

This CL fixes the following 3 bugs:
1. Integer underflow triggered by malicious MTU from peer device
2. Integer overflow caused by maliciously long item names
3. Bug caused by typo: item_len_left -> attribute_len_left

Bug: 242994452
Tag: #security
Ignore-AOSP-First: security
Test: manual
Change-Id: I0d2af48b7eb3469d9d1923910e4facc8f2cdbc95

This reverts commit f173fcb4.

Reason for revert: Head tracking broken as reported in b/277995800

Change-Id: I0c9c95afed6f73712d0a1a5024651cba960eb9d0

btm_ble_periodic_av_sync_lost internally calls the function
btm_ble_get_psync_index_from_handle, which polls the internal periodic
sync buffer and returns a matching index if one exists.  If no matching
handle is found, it returns MAX_SYNC_TRANSACTION.

However, here the calling function lacks the check for this case present
in similar functions.  If no handle is matched, it will attempt to index
the buffer with MAX_SYNC_TRANSACTION, which will overrun it by a single
width and lead to OOB access.

Add handling for this case.

Bug: 273502002
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm, validated
against researcher POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I2e1e95b277f81b2668f721a7693df50841968ec5

Added boundary check for gatt_end_operation to prevent writing out of
boundary.

Since response of the GATT server is handled in
gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum
lenth that can be passed into the handlers is bounded by
GATT_MAX_MTU_SIZE, which is set to 517, which is greater than
GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec
that gaurentees MTU response to be less than or equal to 512 bytes can
cause a buffer overflow when performing memcpy without length check.

Bug: 261068592
Test: No test since not affecting behavior
Tag: #security
Ignore-AOSP-First: security

Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873

Fix to the regression reported in b/264708304 and b/266585826 added:
The root cause of the regression, the sensor HAL layer expects the HID feature
reports to contain 40 bytes, even less bytes are contained in the data
field.

This updated fix restores the length of data fields with the len arg.

Bug: 259675705
Test: manual verification with a Pixel 6 and LinkBuds
Ignore-AOSP-First: security
Tag: security
Change-Id: I02f16c360965b049fc6c8fdfa0132b7aa54bc1d3

This reverts commit e6cf2700.

Reason for revert: Reinstate original change for QPR

Change-Id: I3e039f1b8f8ffbcc4875b663d417462451fb76a0

This reverts commit 367ed057.

Reason for revert: Reverting from May QPR, will reinstate unchanged for a later release

Change-Id: I36ae57ec7e81ac0357fa1c6fb98dff219ee6dade

Structure length is checked in pan_api.cc after the structure may
be freed, leading to a potential use after free.

Save the buffer length to a local instead.  Note that BNEP_WriteBuf
may alter the length being written internally; this does not appear
to be an issue in this use case because the octet count being tracked
is used only for logging purposes within PAN.

Bug: 259939435
Test: atest bluetooth_test_gd_unit, validate against researcher POC
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I613b3dd3684182bdc725f9e1512061484448d367

sdpu_build_uuid_seq accepts a UUID sequence of arbitrary length
but does not validate against the boundaries of the buffer it's
filling.  This can lead to an OOB write.

Add validation.

Bug: 239414876
Test: atest: bluetooth, validated against POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I6c0b91428bd37d73ae707b8a1843338998fb9562

For NCIS certification, we need to drop the connection or
reestablish encryption after receiving a command to disable link
layer encryption on an encrypted link.  However, dropping the
connection for all devices breaks compatibility during role switch
with devices running Bluetooth 2.1 or earlier, a category including
many cars still in the field.

Add a check forcing connections to drop in this case, conditioned on
Common Criteria mode..

Bug: 251436534
Test: atest: bluetooth, lab validation forthcoming
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I94654ebeb16774643107ee41473725cfae3764ab

Bug: 261857395
Test: manual
Tag: #security
Ignore-AOSP-First: security
Change-Id: I1ba4d1f1e62b1d77ac635cfb6b16cf175bfbf254

Bug: 254445961
Test: manual
Ignore-AOSP-First: security
Change-Id: I1d3c208a5281b88ed25c0028f1a0000d6957637c

Bug: 245517503
Test: manual
Ignore-AOSP-First: security
Change-Id: If768b0b2e11bbc4444835fda28e246e285a7e8ab

Bug: 251427561
Test: manual
Ignore-AOSP-First: security

Change-Id: I2db2339631d521515cb34536e358ae72ebeaaa8b

Bug: 233879420
Test: manual
Ignore-AOSP-First: security
Change-Id: Ic740e5ff3ceabf3df1e78431f7d31adf356479f0