- Oct 14, 2024
Brian Delwiche authored

At various points in gatt_sr.cc, the output of the gatt_tcb_get_payload_size function is used without checking for a positive length. However, in exceptional cases it is possible for the channel to be closed at the time the function is called, which will lead to a zero length and cause an OOB write in subsequent processing. Fix all of these.

Bug: 364026473
Bug: 364027038
Bug: 364027949
Bug: 364025411
Test: m libbluetooth
Test: researcher POC
Flag: EXEMPT trivial validity checks
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 7de5617f)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:130861eadc3d9eda593df949666e561dd1f020fc)
Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
-
- Oct 09, 2024
Jakub Pawlowski authored

A 0 length value is perfectly fine, and should result in just the length being added into the packet. Currently, for a 0 length value we just break out of the loop, and don't add any value. This means that if the first characteristic in the response had 0 length, we would return an empty packet.

Ignore-AOSP-First: security fix
Test: mma -j32;
Bug: 352696105
Bug: 356886209
Flag: exempt, obvious logic fix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ba907afffe1fdc00570f935ce3563d28ea45f5cd)
Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
-
Brian Delwiche authored

build_read_multi_rsp is missing a bounds check, which can lead to an OOB write when the mtu parameter is set to zero. Add that bounds check.

Bug: 323850943
Test: atest GattSrTest
Test: researcher POC
Tag: #security
Flag: EXEMPT trivial validity checks
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cad927034a371b82a4a07a16ec442eb261f6153f)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d5c170681e728ec3b72f6f0799207b2f7e5ea1d)
Merged-In: I18e4325dbc9d6814220332288c85b114d0415c2f
Change-Id: I18e4325dbc9d6814220332288c85b114d0415c2f
-
- Jan 11, 2024
Hui Peng authored

Bug: 295887535
Bug: 315127634
Test: m com.android.btservices
Test: atest net_test_stack_gatt
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ae5e736813bf2928bfc8c71e3dacf3b78394046)
Merged-In: I291fd665a68d90813b8c21c80d23cc438f84f285
Change-Id: I291fd665a68d90813b8c21c80d23cc438f84f285
-
Mehmet Murat Sevim authored

This reverts commit a0d4425c.

Reason for revert: LE Device name is incorrect after the change. See b/315127634

(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6dbe94fe556ef67f3bbb7d7bb2da3320d68619df)
Merged-In: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
Change-Id: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
-
Hui Peng authored

Bug: 295887535
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b927f3fb660dafaf97b2fa0398353a8c39125efc)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a0d4425c3964f99f589d449deed2f1bbe520218c)
Merged-In: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
Change-Id: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
-
- Dec 16, 2023
Mehmet Murat Sevim authored

This reverts commit a0d4425c.

Reason for revert: LE Device name is incorrect after the change. See b/315127634

(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6dbe94fe556ef67f3bbb7d7bb2da3320d68619df)
Merged-In: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
Change-Id: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
-
- Dec 06, 2023
Hui Peng authored

Bug: 295887535
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b927f3fb660dafaf97b2fa0398353a8c39125efc)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a0d4425c3964f99f589d449deed2f1bbe520218c)
Merged-In: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
Change-Id: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
-
Hui Peng authored

Bug: 297524203
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140c41e3553bc59fe97e3f5ee96c64e2251971e2)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e9b40c3dfd81c3fa99b3f115135de7e2c356ece9)
Merged-In: I2a95bbcce9a16ac84dd714eb4561428711a9872e
Change-Id: I2a95bbcce9a16ac84dd714eb4561428711a9872e
-
- Aug 22, 2023
Hui Peng authored

When p_buf->len is mtu - 1 and p_cmd->multi_req.variable_len evaluates to true, an integer underflow is triggered in the following line, resulting in OOB access.

```
len = p_rsp->attr_value.len - (total_len - mtu);
```

Bug: 273874525
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f4d53c7bf90b806639a3a302f0007ffb3b9f23)
Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
-
- May 16, 2023
Brian Delwiche authored

Local variables tracking structure size in build_read_multi_rsp are of uint16 type but accept a full uint16 range from function arguments while appending a fixed-length offset. This can lead to an integer overflow and unexpected behavior. Change the locals to size_t, and add a check during reassignment.

Bug: 273966636
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I3a74bdb0d003cb6bf4f282615be8c68836676715
(cherry picked from commit 70a4d628)
-
- Apr 27, 2023
Henri Chataing authored

The extern specifier in this case has no effect, as the default for functions is to have external linkage. However, the extern specifier affects code search's ability to explore function declarations and occurrences, as the prototype differs from the declaration.

Test: mmm packages/modules/Bluetooth
Bug: 279964152
Change-Id: I4f2e680d49068a0f708c40373bbe865e110f7db1
-
- Apr 26, 2023
Brian Delwiche authored

Local variables tracking structure size in build_read_multi_rsp are of uint16 type but accept a full uint16 range from function arguments while appending a fixed-length offset. This can lead to an integer overflow and unexpected behavior. Change the locals to size_t, and add a check during reassignment.

Bug: 273966636
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I3a74bdb0d003cb6bf4f282615be8c68836676715
-
Brian Delwiche authored

gatt_cl.cc accesses a header field after the buffer holding it may have been freed. Track the relevant state as a local variable instead.

Bug: 274617156
Test: atest: bluetooth, validated against fuzzer
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
-
- Apr 18, 2023
Hui Peng authored

Bug: 276975913
Test: manual
Ignore-AOSP-First: security
Tag: security
Change-Id: I38353a573168e18f06b2b311e532a937044fd92f
-
- Apr 14, 2023
Rahul Arya authored

We are basically taking all the old entry points for the C++ connection manager, as well as all other entrypoints into le_impl, and sending them to Rust instead. Note that APIs are not implemented and so will crash on invocation.

Bug: 272572974
Test: compiles
Change-Id: I918d0ede0f42c74e1d00082c97854b0359b57ef6
-
- Apr 11, 2023
Brian Delwiche authored

gatt_cl.cc accesses a header field after the buffer holding it may have been freed. Track the relevant state as a local variable instead.

Bug: 274617156
Test: atest: bluetooth, validated against fuzzer
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
-
- Mar 28, 2023
tyiu authored

Added boundary check for gatt_end_operation to prevent writing out of boundary. Since the response of the GATT server is handled in gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum length that can be passed into the handlers is bounded by GATT_MAX_MTU_SIZE, which is set to 517, which is greater than GATT_MAX_ATTR_LEN, which is set to 512. The fact that there is no spec that guarantees the MTU response to be less than or equal to 512 bytes can cause a buffer overflow when performing memcpy without a length check.

Bug: 261068592
Test: No test since not affecting behavior
Tag: #security
Ignore-AOSP-First: security
Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
-
- Mar 26, 2023
Patty Huang authored

Use the direct connect parameters for the background connection to the LE Audio device after receiving the Target Announcements advertising.

Bug: 273596634
Test: atest BleConnectionManager
Test: Manual, check the connection parameters
Change-Id: Ib49ba2cccc4c75e12a45cc3a24db052944b0b2d9
-
- Mar 24, 2023
Rahul Arya authored

Dead code removal. The only logical change is that now, on unbond, we unconditionally remove the device from the allowlist, rather than checking before doing so. But the le_impl checks for this anyway, here: https://source.corp.google.com/aosp-master/packages/modules/Bluetooth/system/gd/hci/acl_manager/le_impl.h;l=794?q=%22acceptlist%20and%20cannot%20be%20removed%22

Bug: 272572974
Test: compiles
Change-Id: I3414348552e02426b9b210517cd5c5da862b9f78
-
- Mar 23, 2023
Łukasz Rymanowski authored

With this patch Android will always do only one MTU Exchange request, as per specification. For this reason Android always uses GATT_MAX_MTU_SIZE, as this is what GATT can easily handle in the Bluetooth Stack. This is done so a single application request cannot block other applications from using a bigger MTU than the one requested by the first application.

For backward compatibility, for Data Length Extension the MTU from the user is used and not the one which was internally requested by the GATT.

Bug: 257250188
Bug: 239776509
Test: atest BluetoothInstrumentationTests
Test: manual testing
Tag: #feature
Change-Id: I157d40040b53cd4595403d99e58e105709099684
-
- Mar 20, 2023
David Duarte authored

libprocessgroup.so was pulling in libcgrouprc.so, which added a requireNativeLib to our apex requiring coverage for it. libprocessgroup.so was only used to raise the priority of a uipc task, which is a legacy way for the stack to send audio and should be replaced by HIDL or AIDL.

Test: libcgrouprc is not part of requireNativeLibs in apex_manifest
Fix: 274006628
Fix: 274008074
Fix: 274008052
Fix: 274008062
Fix: 274006620
Fix: 274004991
Change-Id: I5f38bf4c80b29c3c603b59f641ec86cdac608204
-
- Mar 17, 2023
Jakub Pawlowski authored

This is needed when an LE Audio device pairs through FP. The existing LE connection should be reused.

Bug: 270102261
Test: manual, pair with LE Audio capable device using FP
Change-Id: Id3fee14dd292a88055501fb71a5d13a15694bf61
-
- Mar 09, 2023
Rahul Arya authored

Snoop MTU_REQ/RSP packets from the legacy stack, and use them to track the MTU used in the isolated server.

Bug: 255880936
Test: unit
Change-Id: Ifcaa35be47abdbf714b592318184701645b55800
-
- Mar 01, 2023
Patty Huang authored

Bug: 239768625
Test: atest BluetoothInstrumentationTests
Test: manual test
Change-Id: I19dca62a16a5132db6d257c1e7a2683cb4687878
-
- Feb 28, 2023
Rongxuan Liu authored

Bug: 266449499
Tag: #feature
Test: atest BluetoothInstrumentationTests; manual testing with LE device
Change-Id: I4da9d9c78287312b611ca66dd3fe2ef556f9d4cb
-
- Feb 17, 2023
William Escande authored

```
warning: argument name 'chg_aware' in comment does not match parameter name 'chg_unaware' [bugprone-argument-comment]
  if (tcb.in_use) gatt_sr_update_cl_status(tcb, /* chg_aware= */ false);
                                                ^~~~~~~~~~~~~~~~
                                                /* chg_unaware= */
note: 'chg_unaware' declared here
extern void gatt_sr_update_cl_status(tGATT_TCB& tcb, bool chg_unaware);
                                                          ^
warning: the parameter 'name' is copied for each invocation but only used as a const reference; consider making it a const reference
tGATT_IF GATT_Register(const Uuid& app_uuid128, std::string name,
                                                ^
                                                const &
warning: the parameter 's' is copied for each invocation but only used as a const reference; consider making it a const reference
  void Push(std::string s) {
            ^
            const &
```

Test: build with tidy
Change-Id: I0827dd82bb90505a63e0ad4a87b6dfb1f78dd3b5
-
Josh Wu authored

Prepare list of bonded devices that will need service change updates after BT restarted.

Cherry-picked from wear os

Bug: 263323082
Bug: 162948473
Bug: 251157966
Test: atest net_test_stack
Change-Id: I7f3541a21e2c4a629498fd91d3a6438135a760e0
(cherry picked from commit 5f3719499b6ca547086d5a2ad8f6d3fca748deb3)
(cherry picked from commit 3d83a0ff)
Merged-In: I7f3541a21e2c4a629498fd91d3a6438135a760e0
-
- Feb 16, 2023
Chris Manton authored

Bug: 197478351
Tag: #refactor
Test: gd/cert/run
Bug: 263323082
Change-Id: I69dd0bb22521face4c6186e2ddca4b184e47d751
(cherry picked from commit 04418c97)
Merged-In: I69dd0bb22521face4c6186e2ddca4b184e47d751
-
Josh Wu authored

Prepare list of bonded devices that will need service change updates after BT restarted.

Cherry-picked from wear os

Bug: 263323082
Bug: 162948473
Bug: 251157966
Test: atest net_test_stack
Change-Id: I7f3541a21e2c4a629498fd91d3a6438135a760e0
(cherry picked from commit 5f3719499b6ca547086d5a2ad8f6d3fca748deb3)
-
- Feb 14, 2023
Mehmet Murat Sevim authored

Adding these records would be misleading since the services are not available over BR/EDR. In particular, the Generic Attribute Profile record is an indicator that GATT over BR/EDR is supported.

Renaming the property for homogeneity.

Cherry-picked from wear-os

Bug: 263323082
Bug: 234331631
Bug: 248147531
Test: manual - verified iOS no longer tries to use GATT over BR/EDR
Change-Id: I3f608352b3ae78769ac8d087f19ed7494109d214
(cherry picked from commit afb96e955b55b9f33fd08cc05235ff15573e428c)
(cherry picked from commit b059caa9)
Merged-In: I3f608352b3ae78769ac8d087f19ed7494109d214
-
- Feb 13, 2023
Mehmet Murat Sevim authored

Adding these records would be misleading since the services are not available over BR/EDR. In particular, the Generic Attribute Profile record is an indicator that GATT over BR/EDR is supported.

Renaming the property for homogeneity.

Cherry-picked from wear-os

Bug: 263323082
Bug: 234331631
Bug: 248147531
Test: manual - verified iOS no longer tries to use GATT over BR/EDR
Change-Id: I3f608352b3ae78769ac8d087f19ed7494109d214
(cherry picked from commit afb96e955b55b9f33fd08cc05235ff15573e428c)
-
- Feb 06, 2023
Rahul Arya authored

Arbitration is done based on advertiser ID and packet type. This links the legacy stack to the new implementation.

Bug: 255880936
Test: unit
Change-Id: Ia62aacb0bdeab67dd202dc6ad4239f7c553d84d6
-
Georg Neis authored

These headers are now in base/functional/.

Bug: 266161904
Tag: #floss
Test: ./floss/build/build-in-container.py and emerge floss
Change-Id: Iaac7673f7c61d55e2d1572c92799d670fef65e72
-
Chris Manton authored

Bug: 265295429
Test: gd/cert/run
Tag: #refactor
Change-Id: I5172963aae865b8f7275e3aa5ed48971eed9653c
-
- Feb 04, 2023
William Escande authored

Replace GATT_DEFAULT_START_HANDLE and GATT_LAST_HANDLE with system properties to allow configuration on wear target.

New properties are:
bluetooth.gatt.default_start_handle.value
bluetooth.gatt.last_handle.value

Bug: 263323082
Test: Build + manual on watches / no-op for phone
Change-Id: I816766103db26bcfbbf3dd1bfc7544bdb491ea31
(cherry picked from commit 19b74ec9)
Merged-In: I816766103db26bcfbbf3dd1bfc7544bdb491ea31
-
- Feb 03, 2023
Chris Manton authored

Bug: 265300705
Test: gd/cert/run
Tag: #refactor
Change-Id: I3060f3770dd8a289721c83c3ca941e44943147f4
-
- Feb 02, 2023
William Escande authored

Replace GATT_DEFAULT_START_HANDLE and GATT_LAST_HANDLE with system properties to allow configuration on wear target.

New properties are:
bluetooth.gatt.default_start_handle.value
bluetooth.gatt.last_handle.value

Bug: 263323082
Test: Build + manual on watches / no-op for phone
Change-Id: I816766103db26bcfbbf3dd1bfc7544bdb491ea31
-
- Jan 28, 2023
Chris Manton authored

Bug: 265304496
Test: gd/cert/run
Tag: #refactor
Change-Id: Icc53e75268d0774eaf27d193042b9da9f80b69b7
-
- Jan 20, 2023
Chris Manton authored

Bug: 266049504
Test: gd/cert/run
Tag: #refactor
Ignore-AOSP-First: cherry-pick
Merged-In: I4a715be80adb14c0650aca1dfde0f922bffa59a1
Change-Id: I4a715be80adb14c0650aca1dfde0f922bffa59a1
-