)]}'
{"id":"LineageOS%2Fandroid_packages_modules_Bluetooth~430778","triplet_id":"LineageOS%2Fandroid_packages_modules_Bluetooth~lineage-20.0~If7fee75ff454ab925b9661c78980b7c093c29f0b","project":"LineageOS/android_packages_modules_Bluetooth","branch":"lineage-20.0","topic":"T_asb_2025-05","hashtags":[],"change_id":"If7fee75ff454ab925b9661c78980b7c093c29f0b","subject":"Fix OOB read in bta_av_setconfig_rej","status":"MERGED","created":"2025-05-11 22:07:43.000000000","updated":"2025-06-07 13:46:48.000000000","submitted":"2025-06-07 13:46:48.000000000","submitter":{"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"430777-T_asb_2025-05","meta_rev_id":"e6499e7458eeae45fac611a1f16a4d05a765c585","_number":430778,"virtual_id_number":430778,"owner":{"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"actions":{},"labels":{"Verified":{"all":[{"value":0,"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]}],"values":{"-1":"Fails"," 0":"No score","+1":"Verified"},"description":"","default_value":0},"Code-Review":{"all":[{"value":0,"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]}],"values":{"-2":"Do not submit","-1":"I would prefer that you didn\u0027t submit this"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"description":"","default_value":0},"CI":{"all":[{"value":0,"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]}],"values":{"-1":"Fail"," 0":"No score","+1":"Pass"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{},"pending_reviewers":{},"reviewer_updates":[],"messages":[{"id":"39ccc092154333effa624b2c8d3aec85e0da1d78","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2025-05-11 22:07:43.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"e6499e7458eeae45fac611a1f16a4d05a765c585","tag":"autogenerated:gerrit:merged","author":{"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2025-06-07 13:46:48.000000000","message":"Change has been successfully pushed.","accounts_in_message":[],"_revision_number":2}],"current_revision_number":2,"current_revision":"772b7519c7520966bcd28f971f77db964c6f7593","revisions":{"65e4fa68fce602a273a2c49fd1e5136e5c92de58":{"kind":"REWORK","_number":1,"created":"2025-05-11 22:07:43.000000000","uploader":{"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/78/430778/1","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_packages_modules_Bluetooth","ref":"refs/changes/78/430778/1","commands":{"Branch":"git fetch https://github.com/LineageOS/android_packages_modules_Bluetooth refs/changes/78/430778/1 \u0026\u0026 git checkout -b change-430778 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_packages_modules_Bluetooth refs/changes/78/430778/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_packages_modules_Bluetooth refs/changes/78/430778/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_packages_modules_Bluetooth refs/changes/78/430778/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_packages_modules_Bluetooth refs/changes/78/430778/1","Reset To":"git fetch https://github.com/LineageOS/android_packages_modules_Bluetooth refs/changes/78/430778/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"b221698fb3fc1278d486973f0e9e4fa2c16d5d8d","subject":"Fix authentication bypass bug in SMP","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_packages_modules_Bluetooth/commit/b221698fb3fc1278d486973f0e9e4fa2c16d5d8d"}]}],"author":{"name":"Brian Delwiche","email":"delwiche@google.com","date":"2024-04-05 00:41:49.000000000","tz":0},"committer":{"name":"Kevin F. Haggerty","email":"haggertk@lineageos.org","date":"2025-05-11 16:07:38.000000000","tz":-360},"subject":"Fix OOB read in bta_av_setconfig_rej","message":"Fix OOB read in bta_av_setconfig_rej\n\nThe bta_av_config_ind function in bta_av_aact.cc makes a call in some\nuser journeys to bta_av_setconfig_rej, constructing its p_data argument\n(a union datatype) as a tBTA_AV_CI_SETCONFIG.  This is a valid member of\nthe union, but bta_av_setconfig_rej makes the assumption that the\nvariable being passed has been set up as a tBTA_AV_STR_MSG, which is not\ntrue in this case.  This causes OOB access.\n\nDraw the required data instead from the stream control block, which\nshould not be subject to this confusion.\n\nBug: 260230151\nTest: m libbluetooth\nTest: manual\nIgnore-AOSP-First: security\nTag: #security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1816d40959e366f5feaa50a8db673141022634e9)\nMerged-In: If7fee75ff454ab925b9661c78980b7c093c29f0b\nChange-Id: If7fee75ff454ab925b9661c78980b7c093c29f0b\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_packages_modules_Bluetooth/commit/65e4fa68fce602a273a2c49fd1e5136e5c92de58"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_packages_modules_Bluetooth/commit/65e4fa68fce602a273a2c49fd1e5136e5c92de58"}]},"branch":"refs/heads/lineage-20.0"},"772b7519c7520966bcd28f971f77db964c6f7593":{"kind":"TRIVIAL_REBASE","_number":2,"created":"2025-06-07 13:46:48.000000000","uploader":{"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/78/430778/2","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_packages_modules_Bluetooth","ref":"refs/changes/78/430778/2","commands":{"Branch":"git fetch https://github.com/LineageOS/android_packages_modules_Bluetooth refs/changes/78/430778/2 \u0026\u0026 git checkout -b change-430778 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_packages_modules_Bluetooth refs/changes/78/430778/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_packages_modules_Bluetooth refs/changes/78/430778/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_packages_modules_Bluetooth refs/changes/78/430778/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_packages_modules_Bluetooth refs/changes/78/430778/2","Reset To":"git fetch https://github.com/LineageOS/android_packages_modules_Bluetooth refs/changes/78/430778/2 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"d8b4c44fb3a1a0bf2258f80ff8c7e410dc1639c5","subject":"Fix authentication bypass bug in SMP","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_packages_modules_Bluetooth/commit/d8b4c44fb3a1a0bf2258f80ff8c7e410dc1639c5"}]}],"author":{"name":"Brian Delwiche","email":"delwiche@google.com","date":"2024-04-05 00:41:49.000000000","tz":0},"committer":{"name":"Android Build Coastguard Worker","email":"android-build-coastguard-worker@google.com","date":"2025-03-12 23:51:25.000000000","tz":-420},"subject":"Fix OOB read in bta_av_setconfig_rej","message":"Fix OOB read in bta_av_setconfig_rej\n\nThe bta_av_config_ind function in bta_av_aact.cc makes a call in some\nuser journeys to bta_av_setconfig_rej, constructing its p_data argument\n(a union datatype) as a tBTA_AV_CI_SETCONFIG.  This is a valid member of\nthe union, but bta_av_setconfig_rej makes the assumption that the\nvariable being passed has been set up as a tBTA_AV_STR_MSG, which is not\ntrue in this case.  This causes OOB access.\n\nDraw the required data instead from the stream control block, which\nshould not be subject to this confusion.\n\nBug: 260230151\nTest: m libbluetooth\nTest: manual\nIgnore-AOSP-First: security\nTag: #security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1816d40959e366f5feaa50a8db673141022634e9)\nMerged-In: If7fee75ff454ab925b9661c78980b7c093c29f0b\nChange-Id: If7fee75ff454ab925b9661c78980b7c093c29f0b\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_packages_modules_Bluetooth/commit/772b7519c7520966bcd28f971f77db964c6f7593"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_packages_modules_Bluetooth/commit/772b7519c7520966bcd28f971f77db964c6f7593"}]},"branch":"refs/heads/lineage-20.0"}},"requirements":[],"submit_records":[],"submit_requirements":[]}