- Oct 14, 2024
-
-
Brian Delwiche authored
At various points in gatt_sr.cc, the output of the gatt_tcb_get_payload_size function is used without checking for a positive length. However, in exceptional cases it is possible for the channel to be closed at the time the function is called, which will lead to a zero length and cause an OOB write in subsequent processing. Fix all of these. Bug: 364026473 Bug: 364027038 Bug: 364027949 Bug: 364025411 Test: m libbluetooth Test: researcher POC Flag: EXEMPT trivial validity checks Tag: #security Ignore-AOSP-First: Security (cherry picked from commit 7de5617f) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:130861eadc3d9eda593df949666e561dd1f020fc) Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404 Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
-
- Oct 09, 2024
-
-
Jakub Pawlowski authored
0 length value is perfectly fine, and should result in just length added into the packet. Currently, for 0 length value we just break out of loop, and don't add any value. This means that if the first characteristic in response had 0 length, we would return empty packet. Ignore-AOSP-First: security fix Test: mma -j32; Bug: 352696105 Bug: 356886209 Flag: exempt, obvious logic fix (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ba907afffe1fdc00570f935ce3563d28ea45f5cd) Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608 Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
-
Brian Delwiche authored
build_read_multi_rsp is missing a bounds check, which can lead to an OOB write when the mtu parameter is set to zero. Add that bounds check. Bug: 323850943 Test: atest GattSrTest Test: researcher POC Tag: #security Flag: EXEMPT trivial validity checks Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cad927034a371b82a4a07a16ec442eb261f6153f) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d5c170681e728ec3b72f6f0799207b2f7e5ea1d) Merged-In: I18e4325dbc9d6814220332288c85b114d0415c2f Change-Id: I18e4325dbc9d6814220332288c85b114d0415c2f
-
- Aug 22, 2023
-
-
Hui Peng authored
When p_buf->len is mtu - 1 and p_cmd->multi_req.variable_len evaluates to true, integer underflow is triggered in the following line, resulting in OOB access.
```
len = p_rsp->attr_value.len - (total_len - mtu);
```
Bug: 273874525 Test: manual Ignore-AOSP-First: security Tag: #security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f4d53c7bf90b806639a3a302f0007ffb3b9f23) Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4 Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
-
- May 16, 2023
-
-
Brian Delwiche authored
Local variables tracking structure size in build_read_multi_rsp are of uint16 type but accept a full uint16 range from function arguments while appending a fixed-length offset. This can lead to an integer overflow and unexpected behavior. Change the locals to size_t, and add a check during reassignment. Bug: 273966636 Test: atest bluetooth_test_gd_unit, net_test_stack_btm Tag: #security Ignore-AOSP-First: Security Change-Id: I3a74bdb0d003cb6bf4f282615be8c68836676715 (cherry picked from commit 70a4d628)
-
- Apr 26, 2023
-
-
Brian Delwiche authored
Local variables tracking structure size in build_read_multi_rsp are of uint16 type but accept a full uint16 range from function arguments while appending a fixed-length offset. This can lead to an integer overflow and unexpected behavior. Change the locals to size_t, and add a check during reassignment. Bug: 273966636 Test: atest bluetooth_test_gd_unit, net_test_stack_btm Tag: #security Ignore-AOSP-First: Security Change-Id: I3a74bdb0d003cb6bf4f282615be8c68836676715
-
- Mar 23, 2023
-
-
Łukasz Rymanowski authored
With this patch Android will always do only one MTU Exchange request as per specification. For this reason Android always uses GATT_MAX_MTU_SIZE as this is what GATT can easily handle in the Bluetooth Stack. This is done so the single application request cannot block other applications from using bigger MTU than the one requested by the first application. For backward compatibility, for Data Length Extension the MTU from the User is used and not the one which was internally requested by the GATT. Bug: 257250188 Bug: 239776509 Test: atest BluetoothInstrumentationTests Test: manual testing Tag: #feature Change-Id: I157d40040b53cd4595403d99e58e105709099684
-
- Mar 09, 2023
-
-
Rahul Arya authored
Snoop MTU_REQ/RSP packets from legacy stack, and use them to track the MTU used in the isolated server. Bug: 255880936 Test: unit Change-Id: Ifcaa35be47abdbf714b592318184701645b55800
-
- Jan 10, 2023
-
-
Hui Peng authored
Test: refactoring CL. Existing unit tests still pass Bug: 174487588 Tag: #security Change-Id: I4a1e628e9adc88474a196f8158829f2170094d79
-
- Dec 14, 2022
-
-
William Escande authored
Bug: 245578454 Test: atest BluetoothInstrumentationTests Test: Build + Pre-submit Merged-In: If698c5a951043d877a05cf513d82c4d0e50de01b Change-Id: If698c5a951043d877a05cf513d82c4d0e50de01b
-
- Dec 12, 2022
-
-
William Escande authored
Bug: 245578454 Test: atest BluetoothInstrumentationTests Test: Build + Pre-submit Merged-In: If698c5a951043d877a05cf513d82c4d0e50de01b Change-Id: If698c5a951043d877a05cf513d82c4d0e50de01b (cherry picked from commit f1739af0e4e84c867f37496181f6a7f7effb23d7)
-
- Dec 08, 2022
-
-
William Escande authored
Bug: 245578454 Test: atest BluetoothInstrumentationTests Test: Build + Pre-submit Change-Id: If698c5a951043d877a05cf513d82c4d0e50de01b (cherry picked from commit f1739af0e4e84c867f37496181f6a7f7effb23d7)
-
- Jun 22, 2022
-
-
Łukasz Rymanowski authored
This patch fixes GATT/SR/GAW/BV-12-C and GATT/SR/GAW/BV-13-C. Make sure to use proper mtu when preparing response on the EATT channel. Bug: 235352514 Test: atest BluetoothInstrumentationTests Test: PTS Tag: #feature Merged-In: I3af2577fe348200d55c9aa781959600b9f9118dc Change-Id: I3af2577fe348200d55c9aa781959600b9f9118dc (cherry picked from commit 73f5678b)
-
- Jun 21, 2022
-
-
Łukasz Rymanowski authored
This patch fixes GATT/SR/GAW/BV-12-C and GATT/SR/GAW/BV-13-C. Make sure to use proper mtu when preparing response on the EATT channel. Bug: 235352514 Test: atest BluetoothInstrumentationTests Test: PTS Tag: #feature Change-Id: I3af2577fe348200d55c9aa781959600b9f9118dc
-
- Apr 04, 2022
-
-
Jakub Pawlowski authored
The response will contain length, then the bytes with actual content. Account for the 2 byte length field when computing how much data can be squeezed into a packet. Bug: 227618988 Test: compilation Change-Id: I6ddee3e5c50ce395fa4cc1b538d256a406a415f0
-
- Oct 06, 2021
-
-
Qijiang Fan authored
base/logging.h won't be implicitly included at Chrome OS libchrome. Bug: 186486897 Test: emerge floss Tag: #floss Change-Id: I0328847b25b971ebf1c8a29e540950b3c784b0e5
-
- Sep 25, 2021
-
-
Chris Manton authored
Bug: 197478351 Tag: #refactor Test: gd/cert/run Change-Id: I90b27a61820ce138f1ebf33a74f26cd26ff365c8
-
Chris Manton authored
Bug: 197478351 Tag: #refactor Test: gd/cert/run Change-Id: I00e134727e7c5b3051b6224eeb55a0c9ebfd6eaa
-
- Sep 23, 2021
-
-
Chris Manton authored
Bug: 197478351 Tag: #refactor Test: gd/cert/run Change-Id: I028b984fc6262ef8905a84864bfe8cbed159c5f5
-
- Sep 09, 2021
-
-
Hansong Zhang authored
Should also account for L2CAP header size (4) Bug: 199009840 Tag: #feature Test: NRF connect Change-Id: I6b51a8ef046d81836a4ca4850d052b68e0f4dd46
-
- Sep 08, 2021
-
-
Hansong Zhang authored
Should also account for L2CAP header size (4) Bug: 199009840 Tag: #feature Test: NRF connect Change-Id: I6b51a8ef046d81836a4ca4850d052b68e0f4dd46
-
- Sep 03, 2021
-
-
Chris Manton authored
Bug: 197478351 Tag: #refactor Test: gd/cert/run Change-Id: Ic83aa6ba29ae7227a37d6b3a64797977b1b2f9ce
-
- Jul 01, 2021
-
-
Zach Johnson authored
Bug: 159815595 Tag: #refactor Test: compile & verify basic functions working Change-Id: I325719f509d044f14701b6fe1d0706531ee0d417
-
- May 17, 2021
-
-
Chris Manton authored
Bug: 188297860 Test: gd/cert/run Tag: #refactor Change-Id: I978882db6b77236eb7a48adb06d29541b84dd008
-
- May 06, 2021
-
-
Chris Manton authored
Bug: 183374320 Test: gd/cert/run Tag: #refactor Change-Id: I5bb782f3d019535cd53129cfe450bb233c912975
-
- Feb 26, 2021
-
-
Hansong Zhang authored
Test: compile Change-Id: Ie3c4f7c7625a50863200930c71f2e66a1cb77a9b
-
- Jan 13, 2021
-
-
Hansong Zhang authored
Since only GATT, hearing aid (hardcoded), JNI (hidden API) can set data length, we just skip L2cap set data length path, and directly send HCI command. Test: cert/run Tag: #gd-refactor Bug: 141555841 Change-Id: Id9dd7f9bdea69b025650ff7a287ba55c0d31db75
-
- Dec 22, 2020
-
-
Łukasz Rymanowski authored
Multi read variable is added to GATT server. Multi notification handling as a GATT client. Tag: #feature Bug: 159786353 Sponsor: jpawlowski@ Test: compile & manual testing Change-Id: Ibeb27a0eb7f0c9c241bc9dbac24d6f4306140005
-
- Dec 21, 2020
-
-
HsingYuan Lo authored
Flag:
  - Use flag to enable/disable robust caching on server side

btif_storage
  - Add APIs to set/get/remove database hash and client supported features

Database Hash
  - Add database hash definition into GATT profile
  - Set client to change aware when reading database hash

Client Supported Features
  - Add write check for client supported features characteristic
  - Store client supported feature into btif_storage

Behaviors
  - When a service is added/removed
    . Update database hash
    . Set clients that support robust caching to change unaware
  - After ack for service changed indication is received
    . Set the client to change aware
  - When the client is change unaware
    . Allow request of reading database hash (by handle or by uuid)
    . Allow write_execute, config_mtu and handle_value_conf
    . Send DATABASE_OUT_OF_SYNC error when it is a request
    . Ignore if it is a command
    . After the response is sent, set the client to change aware
  - When a client is set from change unaware to change aware
    . Store current database hash to btif_storage for that client

Connect and Disconnect:
  - When a tGATT_TCB instance is allocated, load status from btif_storage
  - When disconnected, if the device is untrusted, remove data from btif_storage

Tag: #feature Test: atest net_test_stack_gatt_native:GattSrRobustCachingTest Bug: 154056389 Change-Id: I81971012618472dd9e0e6a9e41868caa68998ad4
-
- Oct 20, 2020
-
-
Łukasz Rymanowski authored
Tag: #feature Bug: 159786353 Sponsor: jpawlowski@ Test: atest --host net_test_eatt Change-Id: I934153625e69b1e20af657ded8f17238484cb65e
-
- Sep 08, 2020
-
-
HsingYuan Lo authored
Tag: #feature Test: build & test service change behavior Bug: 159786353 Change-Id: Idb9811e8dd3b0a7bcacc482501f348c477a918c5
-
- Sep 02, 2020
-
-
Łukasz Rymanowski authored
This is preparation for EATT Tag: #feature Bug: 159786353 Sponsor: jpawlowski@ Test: atest net_test_stack Change-Id: Ie209b705f6cc458286e9566919280ed5e2de60c9
-
Chris Manton authored
Bug: 143604331 Test: net_test_stack_gatt_native Change-Id: I88704d74ba0c265872fbfd20c8bcd3bc1dd60360 Merged-In: I88704d74ba0c265872fbfd20c8bcd3bc1dd60360
-
- Aug 05, 2020
-
-
Hansong Zhang authored
Remove more complicated l2c_int usage in upcoming CL Bug: 159815595 Tag: #refactor Test: compile & verify basic functions working Change-Id: Iff0387d8dc3ef209d1730f3be6271ef5262ecc49
-
- Mar 13, 2020
-
-
Chris Manton authored
Bug: 143604331 Test: net_test_stack_gatt_native Change-Id: I88704d74ba0c265872fbfd20c8bcd3bc1dd60360 (cherry picked from commit af0919f967eef7fffaf698fa0a30f0efe7d941b5)
-
- Mar 05, 2020
-
-
Chris Manton authored
Bug: 143604331 Test: net_test_stack_gatt_native Change-Id: I88704d74ba0c265872fbfd20c8bcd3bc1dd60360
-
- Apr 30, 2019
-
-
Jakub Pawlowski authored
Test: Connect with ruwido remote when magictether service is registered Bug: 122994857 (cherry picked from commit fb252b47ca9478c3678532d04e777fd6f848132a) Merged-In: Ibb2c1272bb08c7a127c8f7d37ee6a05f15618fc2 Change-Id: Ibb2c1272bb08c7a127c8f7d37ee6a05f15618fc2
-
- Apr 26, 2019
-
-
Jakub Pawlowski authored
Test: Connect with ruwido remote when magictether service is registered Bug: 122994857 Change-Id: Ibb2c1272bb08c7a127c8f7d37ee6a05f15618fc2
-
- Oct 23, 2018
-
-
Jakub Pawlowski authored
  * cutils/log.h -> log/log.h
  * add missing #include "log/log.h"
  * add android_errorWriteWithInfoLog stub

Test: compile on linux using ninja Change-Id: I720921a2fbf86b5ce5e2a2f691f1e769c91672b6
-
- Sep 17, 2018
-
-
Chih-Hung Hsieh authored
Add FALLTHROUGH_INTENDED for clang compiler. Bug: 112564944 Test: build with global -Wimplicit-fallthrough. Change-Id: Iedf7e46445101a5e3358473e1200212d67cf58d1
-