Fix to the regression reported in b/264708304 and b/266585826 added:
The root cause of the regression, the sensor HAL layer expects the HID feature
reports to contain 40 bytes, even less bytes are contained in the data
field.

This updated fix restores the length of data fields with the len arg.

Bug: 259675705
Test: manual verification with a Pixel 6 and LinkBuds
Ignore-AOSP-First: security
Tag: security
Change-Id: I02f16c360965b049fc6c8fdfa0132b7aa54bc1d3

This reverts commit 367ed057.

Reason for revert: Reverting from May QPR, will reinstate unchanged for a later release

Change-Id: I36ae57ec7e81ac0357fa1c6fb98dff219ee6dade

sdpu_build_uuid_seq accepts a UUID sequence of arbitrary length
but does not validate against the boundaries of the buffer it's
filling.  This can lead to an OOB write.

Add validation.

Bug: 239414876
Test: atest: bluetooth, validated against POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I6c0b91428bd37d73ae707b8a1843338998fb9562

For NCIS certification, we need to drop the connection or
reestablish encryption after receiving a command to disable link
layer encryption on an encrypted link.  However, dropping the
connection for all devices breaks compatibility during role switch
with devices running Bluetooth 2.1 or earlier, a category including
many cars still in the field.

Add a check forcing connections to drop in this case, conditioned on
Common Criteria mode..

Bug: 251436534
Test: atest: bluetooth, lab validation forthcoming
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I94654ebeb16774643107ee41473725cfae3764ab

Bug: 261857395
Test: manual
Tag: #security
Ignore-AOSP-First: security
Change-Id: I1ba4d1f1e62b1d77ac635cfb6b16cf175bfbf254

Bug: 254445961
Test: manual
Ignore-AOSP-First: security
Change-Id: I1d3c208a5281b88ed25c0028f1a0000d6957637c

Bug: 245517503
Test: manual
Ignore-AOSP-First: security
Change-Id: If768b0b2e11bbc4444835fda28e246e285a7e8ab

Bug: 251427561
Test: manual
Ignore-AOSP-First: security

Change-Id: I2db2339631d521515cb34536e358ae72ebeaaa8b

Bug: 233879420
Test: manual
Ignore-AOSP-First: security
Change-Id: Ic740e5ff3ceabf3df1e78431f7d31adf356479f0

Bug: 236688764
Test: manul
Ignore-AOSP-First: security
Tag: #security
Change-Id: I0ef4855e715be8fa9a69916e35d3a6c97498a9cc

This reverts commit d2e67f50.

Reason for revert: regression caused in  266585826

Change-Id: I86a5bb0b96332880a2a173ad57b96fb007e3ea83

Bug: 260079141
Test: manual
Ignore-AOSP-First: security
Change-Id: If8be70e134fdf1f6edb43d0360c524fffed6045b

Bug: 245916076
Test: manual
Ignore-AOSP-First: security
Change-Id: I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f

Bug: 263545186
Test: manual
Ignore-AOSP-First: security
Change-Id: I0abbb67842850cc2f1298b43dc49a89445b40a43

Bug: 260569232
Test: manual, to add regression
Tag: #security
Ignore-AOSP-First: security
Merged-In: I3d56c64f205c3675ba3856c1e553878b945ec261
Change-Id: I3d56c64f205c3675ba3856c1e553878b945ec261

Bug: 254774758
Ignore-AOSP-First: security
Test: atest bluetooth_test_gd_unit
Merged-In: I1709af943b6fa238dd4df41a62e6add36984c9ec
Change-Id: I1709af943b6fa238dd4df41a62e6add36984c9ec

Several bounds checks in btif_rc.cc are not validated against
AVRC_MAX_APP_ATTR_SIZE, leading to a potential buffer overflow when
processing AVRCP responses exceeding that length.

This is a patch from Qualcomm which has been adapted to T.

Bug: 261468700
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
Change-Id: Ia71c9f22fa3eb0d2c2b50bf751a873a78919c38f

This CL also fix one of vendor specific event callbacks:
BleAdvertiserVscHciInterfaceImpl::VendorSpecificEventCback.

Other issues in the callbacks of this function are:
- b/261857395, fix in I1ba4d1f1e62b1d77ac635cfb6b16cf175bfbf254.
- b/264921486, fix in Ifed6a81c2a980394efbd5666305d10227d5ec186,

Bug: 255304665
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Ic9c43064db88a36aecb2a88f024db85f6cfc05f1