| 4c9d4ed0 |
client/player: Set number of channels based on locations
This sets the number of channels based on the locations set rather than
always hardcoding it to 3 which in certain cases is incorrect and can
lead to the same location being configured multiple times. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +12, -7 |
| a3f9970f |
client: Add assistant submenu
This adds the initial implementation for the assistant menu in
bluetoothctl, to detect and print MediaAssistant objects.
The current BAP Broadcast Assistant implementation can be tested
by running bluetoothctl, connecting to a BASS Server, scanning
a Broadcast Source that is streaming a number of BISes with
audio capabilities matching the capabilities of the peer device,
and noticing the MediaAssistant objects being created:
client/bluetoothctl
[bluetooth]# [CHG] Controller 00:60:37:31:7E:3F Pairable: yes
[bluetooth]# AdvertisementMonitor path registered
[bluetooth]# scan on
[bluetooth]# [NEW] Device 00:60:37:94:A6:A3 00-60-37-94-A6-A3
[bluetooth]# connect 00:60:37:94:A6:A3
Attempting to connect to 00:60:37:94:A6:A3
[CHG] Device 00:60:37:94:A6:A3 Connected: yes
[00-60-37-94-A6-A3]# Connection successful
[00-60-37-94-A6-A3]# [NEW] Device 15:65:78:B6:52:F6 15-65-78-B6-52-F6
[00-60-37-94-A6-A3]# [NEW] Assistant
/org/bluez/hci0/src_15_65_78_B6_52_F6/dev_00_60_37_94_A6_A3/bis1
[00-60-37-94-A6-A3]# [NEW] Assistant
/org/bluez/hci0/src_15_65_78_B6_52_F6/dev_00_60_37_94_A6_A3/bis2
[00-60-37-94-A6-A3]# scan off
[00-60-37-94-A6-A3]# Diovery stopped
[00-60-37-94-A6-A3]# disconnect
Attempting to disconnect from 00:60:37:94:A6:A3
[00-60-37-94-A6-A3]# Successful disconnected
[CHG] Device 00:60:37:94:A6:A3 Connected: no
[bluetooth]# [DEL] Assistant
/org/bluez/hci0/src_15_65_78_B6_52_F6/dev_00_60_37_94_A6_A3/bis1
[bluetooth]# [DEL] Assistant
/org/bluez/hci0/src_15_65_78_B6_52_F6/dev_00_60_37_94_A6_A3/bis2 |
Iulia Tanasescu |
1 year ago |
4 files, +183, -2 |
| 22779f0b |
bap: Notify scanned BISes to BASS
This updates the BAP implementation to also notify the BASS plugin about
scanned broadcast streams, or when a scanned broadcaster is removed. This
is needed for the BAP Broadcast Assistant role - the BASS plugin registers
MediaAssistant objects for each detected stream that matches the audio
capabilities of peer Scan Delegator devices. |
Iulia Tanasescu |
1 year ago |
1 file, +6, -0 |
| 77e4c097 |
bass: Register MediaAssistant objects
This adds an initial implementation of the BAP Broadcast Assistant role
in the BASS plugin, by introducing the MediaAssistant DBus object.
The BAP plugin implements the callback to probe Broadcast Sources and
parse the BASE. This commit adds 2 BASS APIs, that will be called by the
BAP plugin to notify BISes discovered in the BASE of a broadcaster to
BASS, or to inform the BASS plugin that a broadcaster has been removed.
For each BASS client session, the BASS plugin checks BIS caps against
the peer caps, and registers a MediaAssistant object for each match. |
Iulia Tanasescu |
1 year ago |
3 files, +271, -1 |
| 88bf423e |
shared/bass: Add API to get GATT client reference
Some use cases require the BASS plugin to differentiate between client and
server BASS sessions - for example, the BAP Broadcast Assistant role only
considers client BASS sessions.
This adds a BASS API to obtain a reference to the bt_gatt_client structure
attached to the bt_bass session. |
Iulia Tanasescu |
1 year ago |
2 files, +9, -0 |
| f1639134 |
bap: Add API to get bt_bap matching device
This adds a public BAP API to obtain a reference to the bt_bap session
with a peer device. |
Iulia Tanasescu |
1 year ago |
3 files, +32, -1 |
| 2c98c478 |
shared/bap: Append bcast sink pacs to Sink PAC char
It is mandatory for a BAP Broadcast Sink to support the PACS Server role.
The Sink PAC characteristic should contain PAC records that expose
supported audio capabilities for receiving both unicast and broadcast
streams.
A BAP Broadcast Assistant acting as a GATT Client needs to discover the
Sink PAC characteristic on the BAP Scan Delegator peer (BAP Broadcast
Sink), in order to discover supported capabilities for receiving streams.
This commit updates the callback for handling read requests for the Sink
PAC characteristic, to also append Broadcast Sink pac structures to the
read response. |
Iulia Tanasescu |
1 year ago |
1 file, +1, -0 |
| 662aee43 |
shared/bap: Allow checking bis caps against peer caps
A BAP Broadcast Assistant needs to match stream capabilities with
capabilities discovered in the Sink PAC characteristic on the peer.
This updates bt_bap_verify_bis to check the provided stream capabilities
against local or remote capabilities, depending on the bap structure
provided:
If the device is acting as a BAP Broadcast Sink and the bap session was
created after scanning a Broadcast Source, the stream caps will be matched
with the local broadcast sink PAC.
If the device is acting as a Broadcast Assistant and the bap session is a
client session with a BAP Scan Delegator, the stream caps will be matched
with the PAC records populated in the rdb at service discovery. |
Iulia Tanasescu |
1 year ago |
1 file, +20, -6 |
| bbcf4891 |
shared/bap: Remove unused param from bt_bap_verify_bis
This removes the codec parameter from bt_bap_verify_bis,
since it is not used. |
Iulia Tanasescu |
1 year ago |
4 files, +2, -10 |
| 679349fb |
shared/bap: Update bt_bap_verify_bis to receive caps
This updates bt_bap_verify_bis to receive the already merged L2 and L3
capabilities, instead of computing it internally. |
Iulia Tanasescu |
1 year ago |
4 files, +18, -21 |
| caa4202a |
shared/bap: Add separate API to merge caps
This moves the logic to merge L2 and L3 capabilities discovered
inside a BASE structure in a public API. |
Iulia Tanasescu |
1 year ago |
2 files, +26, -16 |
| 0bad3d5c |
bap: Fix crash in bap_bcast_remove
This adds a check for the PA request dequeued in bap_bcast_remove,
to avoid accessing a member within a NULL pointer. |
Iulia Tanasescu |
1 year ago |
1 file, +1, -1 |
| 957c9561 |
client/player: Fix printing errors when transport->filename is not set
If transport->filename is not set don't attempt to write to the
transport->fd. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +2, -2 |
| 025f07ec |
client/player: Add support for name custom presets
This adds support for naming custom presets instead of always having
just one "custom" codec preset which needs to be overwritten every time
a new set of settings needs to be entered. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +87, -43 |
| 73266377 |
shared/bap: Fix ASE notification order
When processing a CP operation the CP shall be notified ahead of
the ASE itself:
'If the server successfully completes a client-initiated ASE Control
operation for an ASE, the server shall send a notification of the ASE
Control Point characteristic value formatted as defined in Table 4.7.
The server shall then perform the behavior defined in Section 5.1
through Section 5.8 for that ASE Control operation and send
notifications of any ASE characteristic values written during that
ASE Control operation.'
So this delays the processing of notifications of ASE states so the CP
responses always appear first in the notification e.g:
> ACL Data RX: Handle 42 flags 0x02 dlen 59
ATT: Handle Multiple Value Notification (0x23) len 54
Length: 0x0008
Handle: 0x0036 Type: ASE Control Point (0x2bc6)
Data[8]: 0202030000010000
Opcode: QoS Configuration (0x02)
Number of ASE(s): 2
ASE: #0
ASE ID: 0x03
ASE Response Code: Success (0x00)
ASE Response Reason: None (0x00)
ASE: #1
ASE ID: 0x01
ASE Response Code: Success (0x00)
ASE Response Reason: None (0x00)
Length: 0x0011
Handle: 0x0030 Type: Source ASE (0x2bc5)
Data[17]: 0302000010270000022800020a00409c00
ASE ID: 3
State: QoS Configured (0x02)
CIG ID: 0x00
CIS ID: 0x00
SDU Interval: 10000 usec
Framing: Unframed (0x00)
PHY: 0x02
LE 2M PHY (0x02)
Max SDU: 40
RTN: 2
Max Transport Latency: 10
Presentation Delay: 40000 us
Length: 0x0011
Handle: 0x002a Type: Sink ASE (0x2bc4)
Data[17]: 0102000010270000025000020a00409c00
ASE ID: 1
State: QoS Configured (0x02)
CIG ID: 0x00
CIS ID: 0x00
SDU Interval: 10000 usec
Framing: Unframed (0x00)
PHY: 0x02
LE 2M PHY (0x02)
Max SDU: 80
RTN: 2
Max Transport Latency: 10
Presentation Delay: 40000 us |
Luiz Augusto von Dentz |
1 year ago |
1 file, +43, -10 |
| 9cc58794 |
device: Fix overwriting current_flags
MGMT Set Device Flags overwrites the current_flags so only the last
flags set this way would remain active which can be seen in the
following sequence when LL Privacy is enabled:
@ MGMT Command: Set Device Flags (0x0050) plen 11
LE Address: CF:AC:A6:79:3D:B9 (Static)
Current Flags: 0x00000001
Remote Wakeup
@ MGMT Event: Command Complete (0x0001) plen 10
Set Device Flags (0x0050) plen 7
Status: Success (0x00)
LE Address: CF:AC:A6:79:3D:B9 (Static)
@ MGMT Command: Set Device Flags (0x0050) plen 11
LE Address: CF:AC:A6:79:3D:B9 (Static)
Current Flags: 0x00000002
Device Privacy Mode
@ MGMT Event: Command Complete (0x0001) plen 10
Set Device Flags (0x0050) plen 7
Status: Success (0x00)
LE Address: CF:AC:A6:79:3D:B9 (Static)
In order to do this properly the code needs to track the pending_flags
being set and also call btd_device_flags_changed whenever a change is
complete since that event is not generated when MGMT_OP_SET_DEVICE_FLAGS
is sent by bluetoothd itself. |
Luiz Augusto von Dentz |
1 year ago |
3 files, +38, -4 |
| 7a45038d |
shared/gatt-client: add NULL check to discover_secondary_cb()
It is necessary to prevent dereferencing of a NULL pointer.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +3, -1 |
| cf3d80a0 |
client/player: fix the order of args in cmd_register_endpoint()
Based on the function prototype, ep->cid and ep->vid should be swapped.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +1, -1 |
| 7ffc08dd |
shared/vcp: prevent dereferencing of NULL pointers
util_memdup() will terminate the program if memory
allocation fails.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +4, -16 |
| 12525371 |
client/player: add error code handling to transport_recv()
It is necessary to add return value check as in sock_send().
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +7, -1 |
| ba70a116 |
shared/vcp: add NULL checks to foreach_aics_service()
Make foreach_aics_service() safe for passing NULL pointers.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +3, -0 |
| e56fc72f |
gatt: add return value check of io_get_fd() to sock_io_send()
It is necessary to add a return value check.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +8, -1 |
| 4ca662fc |
settings: limit string size in gatt_db_load()
It is necessary to prevent buffer overflow by limiting
the maximum string length.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +2, -2 |
| 75509158 |
settings: limit string size in load_service()
It is necessary to prevent buffer overflow by limiting
the maximum string length.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +1, -1 |
| 11dcc9bf |
shared: prevent dereferencing of NULL pointers
It is necessary to add checks for NULL before dereferencing pointers.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
2 files, +16, -0 |
| aa6063aa |
health: mcap: add checks for NULL mcap_notify_error()
It is necessary to prevent dereferencing of NULL pointers.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +9, -0 |
| 2748c60a |
bap: Wait for BIG Info report event before creating streams
This makes it so that stream for each BIS is created after BIG
Info report is received. This ensures that when the stream is
created the encryption field is correctly set. |
Vlad Pruteanu |
1 year ago |
1 file, +24, -3 |
| 34aca9a4 |
bdaddr: Add cypress manufacturer support |
Antonio Vázquez Blanco |
1 year ago |
1 file, +1, -0 |
| 66a76c26 |
doc: Add initial MediaAssistant rst
This adds initial documentation for the MediaAssistant D-Bus API, to
be used by a Broadcast Assistant application to interact with the
BlueZ implementation (BASS Client). |
Iulia Tanasescu |
1 year ago |
2 files, +77, -3 |
| f00d5546 |
tools/btmgmt: Fix --index option for non-interactive mode
In non-interactive mode the --index option does not work because the
call to mgmt_set_index() is made after bt_shell_attach().
Fixes: https://github.com/bluez/bluez/issues/893 |
Arjan Opmeer |
1 year ago |
1 file, +1, -1 |
| 68864d1a |
Release 5.77 |
Marcel Holtmann |
1 year ago |
2 files, +8, -1 |
| 89514374 |
build: Add l2cap.7 and rfcomm.7 to ignore list |
Marcel Holtmann |
1 year ago |
1 file, +1, -0 |
| 337cca13 |
configure.ac: Fix --disable-cups
or else we get:
configure: error: conditional "CUPS_SERVERBIN" was never defined.
Usually this means the macro was only invoked conditionally.
Fixes: https://github.com/bluez/bluez/issues/773
Credits go to Lars Wendler |
Guðni Már Gilbert |
1 year ago |
1 file, +4, -4 |
| 0041f5e2 |
client/player: fix incompatible pointer type
In function 'cmd_send_transport':
error: passing argument 2 of 'getpeername' from incompatible pointer
type [-Wincompatible-pointer-types]
err = getpeername(transport->sk, &addr, &optlen);
| | ^~~~~
| | |
| | struct sockaddr_iso *
note: expected 'struct sockaddr * restrict' but argument is of
type 'struct sockaddr_iso *'
To resolve the compiler warnings, cast the pointer with
(struct sockaddr *). |
Guðni Már Gilbert |
1 year ago |
1 file, +2, -1 |
| 110a8b47 |
shared/gatt-server: Fix not using correct MTU for responses
Responses shall use the bt_att_channel MTU not the bt_att MTU since the
response shall be sent over the same channel as the request. |
Luiz Augusto von Dentz |
1 year ago |
5 files, +53, -55 |
| 42d43b28 |
Set BREDR not supported bit in AD Flag when discoverable is off
Fix for GAP/DISC/NONM/BV-02-C
As per GAP.TS.p44 test spec
IUT does not contain General Discoverable mode and Limited Discoverable
mode in the AD Type Flag. IUT shall send AD Type Flag to PASS the test
case, thus set BR/EDR not supported bit in the AD Type Flag when
discoverable is off.
Test steps:
From DUT, bluetoothctl go to menu advertise
set discoverable to off and then advertise on.
In AD Flags BR/EDR not supported BIT shall be set. |
Prathibha Madugonde |
1 year ago |
1 file, +1, -2 |
| b2371f9f |
Fix discoverable property not emitted on updating value to false
client/advertising.c:
Allowing discoverable property to list in the parsing
function when discoverable is off.
Test steps:
From DUT, bluetoothctl go to menu advertise
set discoverable to off and then advertise on. |
Prathibha Madugonde |
1 year ago |
1 file, +1, -7 |
| 804696de |
settings: add NULL checks to gatt_db_load()
It is necessary to prevent dereferencing of null pointers.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +2, -2 |
| 8e495f00 |
tools/rctest: limit the maximum possible data_size
It is necessary to prevent the possibility of allocating
a large amount of memory.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +4, -1 |
| c389209c |
tools/isotest: limit the maximum possible data_size
It is necessary to prevent the possibility of allocating
a large amount of memory.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +3, -1 |
| 85d98aec |
shared/shell: prevent integer overflow in bt_shell_init()
An integer overflow will occur if index < offset. It is necessary
to prevent this case.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +1, -1 |
| 0fda2dd5 |
obexd: add NULL checks to file_stat_line()
gmtime() may return NULL. It is necessary to prevent
dereferencing of a NULL pointer.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +11, -3 |
| c44a2a23 |
unit/ringbuf: Fix ineffective guard due to signedness
"len - end > 0" can never be false because "end" is unsigned, so the
whole left-hand side of the expression is unsigned, so always positive.
Error: INTEGER_OVERFLOW (CWE-190): [#def22] [important]
src/shared/ringbuf.c:240:2: ineffective_check: The check "len - end > 0UL", which appears to be a guard against integer overflow, is not a useful guard because it is either always true, or never true. This taints "len".
src/shared/ringbuf.c:242:3: overflow: The expression "len - end" might be negative, but is used in a context that treats it as unsigned.
src/shared/ringbuf.c:242:3: overflow_sink: "len - end", which might be negative, is passed to "memcpy(ringbuf->buffer, str + end, len - end)". [Note: The source code implementation of the function has been overridden by a builtin model.]
240| if (len - end > 0) {
241| /* Put the remainder of string at the beginning */
242|-> memcpy(ringbuf->buffer, str + end, len - end);
243|
244| if (ringbuf->in_tracing) |
Bastien Nocera |
1 year ago |
1 file, +1, -1 |
| 9b346513 |
tools/mesh: Fix integer overflow due to cast operation
Error: INTEGER_OVERFLOW (CWE-190): [#def29] [important]
tools/mesh/mesh-db.c:551:3: cast_overflow: Truncation due to cast operation on "ele_cnt" from 32 to 8 bits.
tools/mesh/mesh-db.c:551:3: overflow_sink: "ele_cnt", which might have overflowed, is passed to "remote_add_node((uint8_t const *)uuid, unicast, ele_cnt, key_idx)".
549| continue;
550|
551|-> remote_add_node((const uint8_t *)uuid, unicast, ele_cnt,
552| key_idx);
553| for (j = 1; j < key_cnt; j++) { |
Bastien Nocera |
1 year ago |
1 file, +5, -5 |
| 249d2120 |
mesh: Fix integer overflow due to cast operation
Error: INTEGER_OVERFLOW (CWE-190): [#def15] [important]
mesh/pb-adv.c:174:4: cast_overflow: Truncation due to cast operation on "size - consumed" from 32 to 8 bits.
mesh/pb-adv.c:174:4: overflow_assign: "seg_size" is assigned from "size - consumed".
mesh/pb-adv.c:177:3: overflow_sink: "seg_size", which might have overflowed, is passed to "memcpy(buf + 7, data + consumed, seg_size)". [Note: The source code implementation of the function has been overridden by a builtin model.]
175|
176| buf[6] = (i << 2) | 0x02;
177|-> memcpy(buf + 7, data + consumed, seg_size);
178|
179| pb_adv_send(session, MESH_IO_TX_COUNT_UNLIMITED, 500,
Error: INTEGER_OVERFLOW (CWE-190): [#def16] [important]
mesh/pb-adv.c:179:3: cast_overflow: Truncation due to cast operation on "seg_size + 7" from 32 to 16 bits.
mesh/pb-adv.c:179:3: overflow_sink: "seg_size + 7", which might have overflowed, is passed to "pb_adv_send(session, 0, 500, buf, seg_size + 7)".
177| memcpy(buf + 7, data + consumed, seg_size);
178|
179|-> pb_adv_send(session, MESH_IO_TX_COUNT_UNLIMITED, 500,
180| buf, seg_size + 7); |
Bastien Nocera |
1 year ago |
1 file, +1, -1 |
| 1d73dc6a |
emulator: Fix integer truncation warnings
Error: INTEGER_OVERFLOW (CWE-190): [#def1] [important]
emulator/amp.c:693:2: cast_overflow: Truncation due to cast operation on "(remain_assoc_len > 248) ? 248 : remain_assoc_len" from 32 to 16 bits.
emulator/amp.c:693:2: overflow_assign: "fragment_len" is assigned from "(remain_assoc_len > 248) ? 248 : remain_assoc_len".
emulator/amp.c:698:2: overflow_sink: "fragment_len", which might have overflowed, is passed to "memcpy(rsp.assoc_fragment, amp->local_assoc + len_so_far, fragment_len)". [Note: The source code implementation of the function has been overridden by a builtin model.]
696| rsp.phy_handle = cmd->phy_handle;
697| rsp.remain_assoc_len = cpu_to_le16(remain_assoc_len);
698|-> memcpy(rsp.assoc_fragment, amp->local_assoc + len_so_far,
699| fragment_len);
700|
Error: INTEGER_OVERFLOW (CWE-190): [#def2] [important]
emulator/amp.c:701:2: cast_overflow: Truncation due to cast operation on "4 + fragment_len" from 32 to 8 bits.
emulator/amp.c:701:2: overflow_sink: "4 + fragment_len", which might have overflowed, is passed to "cmd_complete(amp, 5130, &rsp, 4 + fragment_len)".
699| fragment_len);
700|
701|-> cmd_complete(amp, BT_HCI_CMD_READ_LOCAL_AMP_ASSOC,
702| &rsp, 4 + fragment_len);
703| }
Error: INTEGER_OVERFLOW (CWE-190): [#def4] [important]
emulator/bthost.c:3309:3: cast_overflow: Truncation due to cast operation on "len - offset" from 32 to 8 bits.
emulator/bthost.c:3309:3: overflow_assign: "cp->data_len" is assigned from "len - offset".
emulator/bthost.c:3317:2: overflow_sink: "cp->data_len", which might have overflowed, is passed to "memcpy(cp->data, data + offset, cp->data_len)". [Note: The source code implementation of the function has been overridden by a builtin model.]
3315| }
3316|
3317|-> memcpy(cp->data, data + offset, cp->data_len);
3318|
3319| send_command(bthost, BT_HCI_CMD_LE_SET_PA_DATA, buf, |
Bastien Nocera |
1 year ago |
2 files, +7, -4 |
| 0b52ecca |
sdp: Fix mismatched int casting |
Bastien Nocera |
1 year ago |
1 file, +1, -1 |
| 0de4b9f7 |
sdp: Fix possible null dereference
From the BlueZ scanbot:
lib/sdp.c:586:12: warning: Access to field 'attrId' results in a dereference of a null pointer (loaded from variable 'd')
d->attrId = attr;
~ ^
lib/sdp.c:967:10: warning: Access to field 'dtd' results in a dereference of a null pointer (loaded from variable 'd')
switch (d->dtd) {
^~~~~~ |
Bastien Nocera |
1 year ago |
1 file, +4, -0 |
| 8de21f74 |
btsnoop: Fix possible negative memcpy length
Error: INTEGER_OVERFLOW (CWE-190): [#def41] [important]
tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero.
tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)".
tools/btsnoop.c:473:4: overflow: The cast of "len - 9L", which is potentially negative, to an unsigned type could result in an overflow.
471| /* next 4 bytes are data len and cid */
472| current_cid = buf[8] << 8 | buf[7];
473|-> memcpy(pdu_buf, buf + 9, len - 9);
474| pdu_len = len - 9;
475| } else if (acl_flags & 0x01) {
Error: INTEGER_OVERFLOW (CWE-190): [#def42] [important]
tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero.
tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)".
tools/btsnoop.c:476:4: overflow: The cast of "len - 5L", which is potentially negative, to an unsigned type could result in an overflow.
474| pdu_len = len - 9;
475| } else if (acl_flags & 0x01) {
476|-> memcpy(pdu_buf + pdu_len, buf + 5, len - 5);
477| pdu_len += len - 5;
478| } |
Bastien Nocera |
1 year ago |
1 file, +2, -2 |
| 2433842e |
shared/shell: Fix fd leak if -s is passed multiple times
Error: RESOURCE_LEAK (CWE-772): [#def37] [important]
src/shared/shell.c:1305:5: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
src/shared/shell.c:1305:5: var_assign: Assigning: "data.init_fd" = handle returned from "open(optarg, 0)".
src/shared/shell.c:1305:5: overwrite_var: Overwriting handle "data.init_fd" in "data.init_fd = open(optarg, 0)" leaks the handle.
1303| case 's':
1304| if (optarg)
1305|-> data.init_fd = open(optarg, O_RDONLY);
1306| if (data.init_fd < 0)
1307| printf("Unable to open %s: %s (%d)\n", optarg, |
Bastien Nocera |
1 year ago |
1 file, +5, -4 |