| 176cf2e1 |
shared/vcp: add NULL checks to foreach_vocs_service()
Make foreach_vocs_service() safe for passing NULL pointers.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +3, -0 |
| ee46e92b |
shared/shell: add return value check of io_get_fd() to input_read()
It is necessary to add a return value check.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +5, -0 |
| 5f0002cc |
shared/csip: add NULL check to foreach_csis_service()
It is necessary to prevent dereferencing of a NULL pointer.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +3, -0 |
| 8a22c17b |
shared/bap: prevent dereferencing of NULL pointers in ascs_ase_read()
If the user_data argument is NULL, a NULL pointer will
be dereferenced. It is necessary to prevent this case.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +9, -4 |
| 1b961b9e |
shared/bap: move checks for NULL before dereferencing
It is necessary to prevent dereferencing of NULL pointers.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +7, -5 |
| d36983e0 |
gatt: add return value check of io_get_fd() to sock_io_read()
It is necessary to add a return value check.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +5, -0 |
| 605e0785 |
core/gatt: add return value check of io_get_fd() to sock_read()
It is necessary to add a return value check.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +5, -0 |
| 537f96a2 |
client/player: add return value check of io_get_fd() to transport_timer_read()
It is necessary to add a return value check.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +5, -0 |
| 922a8a8b |
audio/a2dp: add NULL checks to find_remote_sep()
Make find_remote_sep() safe for passing NULL pointers.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +3, -0 |
| 1707a836 |
sdp: Check memory allocation in sdp_copy_seq()
Fix a potential null-dereference if sdp_data_alloc_with_length() fails,
as is done in other similar functions. |
Bastien Nocera |
1 year ago |
1 file, +5, -0 |
| 5dcc52a4 |
sdp: Fix memory leak in sdp_data_alloc*()
Make sure to free already allocated memory if we run out of memory
before the end of the loop.
Error: RESOURCE_LEAK (CWE-772): [#def8] [important]
lib/sdp.c:542:4: alloc_fn: Storage is returned from allocation function "sdp_data_alloc".
lib/sdp.c:542:4: var_assign: Assigning: "data" = storage returned from "sdp_data_alloc(dtd, values[i])".
lib/sdp.c:550:4: var_assign: Assigning: "seq" = "data".
lib/sdp.c:552:3: var_assign: Assigning: "curr" = "data".
lib/sdp.c:553:2: out_of_scope: Variable "data" goes out of scope.
lib/sdp.c:552:3: overwrite_var: Overwriting "curr" in "curr = data".
lib/sdp.c:545:4: leaked_storage: Variable "seq" going out of scope leaks the storage it points to.
543|
544| if (!data)
545|-> return NULL;
546|
547| if (curr) |
Bastien Nocera |
1 year ago |
1 file, +6, -2 |
| d79e429a |
health/mcap: Fix memory leak in mcl struct
Error: RESOURCE_LEAK (CWE-772): [#def40] [important]
profiles/health/mcap.c:2052:3: alloc_arg: "set_default_cb" allocates memory that is stored into "mcl->cb".
profiles/health/mcap.c:2055:4: leaked_storage: Freeing "mcl" without freeing its pointer field "cb" leaks the storage that "cb" points to.
2053| if (util_getrandom(&val, sizeof(val), 0) < 0) {
2054| mcap_instance_unref(mcl->mi);
2055|-> g_free(mcl);
2056| goto drop;
2057| } |
Bastien Nocera |
1 year ago |
1 file, +1, -0 |
| 5475aba8 |
obexd: Fix leak in backup_object struct
Error: RESOURCE_LEAK (CWE-772): [#def37] [important]
obexd/plugins/pcsuite.c:370:2: alloc_fn: Storage is returned from allocation function "g_path_get_basename".
obexd/plugins/pcsuite.c:370:2: var_assign: Assigning: "obj->cmd" = storage returned from "g_path_get_basename(name)".
obexd/plugins/pcsuite.c:379:3: leaked_storage: Freeing "obj" without freeing its pointer field "cmd" leaks the storage that "cmd" points to.
377|
378| if (send_backup_dbus_message("open", obj, size) == FALSE) {
379|-> g_free(obj);
380| obj = NULL;
381| } |
Bastien Nocera |
1 year ago |
1 file, +1, -0 |
| 4b3fe69d |
obexd: Fix memory leak in entry struct
recipient_addressing was never freed.
Error: RESOURCE_LEAK (CWE-772): [#def36] [important]
obexd/plugins/messages-dummy.c:379:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
obexd/plugins/messages-dummy.c:379:4: var_assign: Assigning: "entry->recipient_addressing" = storage returned from "g_strdup_inline(values[i])".
obexd/plugins/messages-dummy.c:404:2: leaked_storage: Freeing "entry" without freeing its pointer field "recipient_addressing" leaks the storage that "recipient_addressing" points to.
402| g_free(entry->attachment_size);
403| g_free(entry->handle);
404|-> g_free(entry);
405| }
406| |
Bastien Nocera |
1 year ago |
1 file, +1, -0 |
| 99750d2a |
obexd: Fix possible memleak
Fix possible resource leak if a attribute is repeated, overriding the
original value.
Error: RESOURCE_LEAK (CWE-772): [#def28] [important]
obexd/plugins/messages-dummy.c:362:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
obexd/plugins/messages-dummy.c:362:4: var_assign: Assigning: "entry->handle" = storage returned from "g_strdup_inline(values[i])".
obexd/plugins/messages-dummy.c:362:4: overwrite_var: Overwriting "entry->handle" in "entry->handle = g_strdup_inline(values[i])" leaks the storage that "entry->handle" points to.
360| for (i = 0 ; names[i]; ++i) {
361| if (g_strcmp0(names[i], "handle") == 0) {
362|-> entry->handle = g_strdup(values[i]);
363| mld->size++;
364| continue;
Error: RESOURCE_LEAK (CWE-772): [#def29] [important]
obexd/plugins/messages-dummy.c:367:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
obexd/plugins/messages-dummy.c:367:4: var_assign: Assigning: "entry->attachment_size" = storage returned from "g_strdup_inline(values[i])".
obexd/plugins/messages-dummy.c:367:4: overwrite_var: Overwriting "entry->attachment_size" in "entry->attachment_size = g_strdup_inline(values[i])" leaks the storage that "entry->attachment_size" points to.
365| }
366| if (g_strcmp0(names[i], "attachment_size") == 0) {
367|-> entry->attachment_size = g_strdup(values[i]);
368| continue;
369| }
Error: RESOURCE_LEAK (CWE-772): [#def30] [important]
obexd/plugins/messages-dummy.c:371:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
obexd/plugins/messages-dummy.c:371:4: var_assign: Assigning: "entry->datetime" = storage returned from "g_strdup_inline(values[i])".
obexd/plugins/messages-dummy.c:371:4: overwrite_var: Overwriting "entry->datetime" in "entry->datetime = g_strdup_inline(values[i])" leaks the storage that "entry->datetime" points to.
369| }
370| if (g_strcmp0(names[i], "datetime") == 0) {
371|-> entry->datetime = g_strdup(values[i]);
372| continue;
373| }
Error: RESOURCE_LEAK (CWE-772): [#def31] [important]
obexd/plugins/messages-dummy.c:375:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
obexd/plugins/messages-dummy.c:375:4: var_assign: Assigning: "entry->subject" = storage returned from "g_strdup_inline(values[i])".
obexd/plugins/messages-dummy.c:375:4: overwrite_var: Overwriting "entry->subject" in "entry->subject = g_strdup_inline(values[i])" leaks the storage that "entry->subject" points to.
373| }
374| if (g_strcmp0(names[i], "subject") == 0) {
375|-> entry->subject = g_strdup(values[i]);
376| continue;
377| }
Error: RESOURCE_LEAK (CWE-772): [#def32] [important]
obexd/plugins/messages-dummy.c:379:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
obexd/plugins/messages-dummy.c:379:4: var_assign: Assigning: "entry->recipient_addressing" = storage returned from "g_strdup_inline(values[i])".
obexd/plugins/messages-dummy.c:379:4: overwrite_var: Overwriting "entry->recipient_addressing" in "entry->recipient_addressing = g_strdup_inline(values[i])" leaks the storage that "entry->recipient_addressing" points to.
377| }
378| if (g_strcmp0(names[i], "recipient_addressing") == 0) {
379|-> entry->recipient_addressing = g_strdup(values[i]);
380| continue;
381| }
Error: RESOURCE_LEAK (CWE-772): [#def33] [important]
obexd/plugins/messages-dummy.c:383:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
obexd/plugins/messages-dummy.c:383:4: var_assign: Assigning: "entry->sender_addressing" = storage returned from "g_strdup_inline(values[i])".
obexd/plugins/messages-dummy.c:383:4: overwrite_var: Overwriting "entry->sender_addressing" in "entry->sender_addressing = g_strdup_inline(values[i])" leaks the storage that "entry->sender_addressing" points to.
381| }
382| if (g_strcmp0(names[i], "sender_addressing") == 0) {
383|-> entry->sender_addressing = g_strdup(values[i]);
384| continue;
385| }
Error: RESOURCE_LEAK (CWE-772): [#def34] [important]
obexd/plugins/messages-dummy.c:387:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
obexd/plugins/messages-dummy.c:387:4: var_assign: Assigning: "entry->type" = storage returned from "g_strdup_inline(values[i])".
obexd/plugins/messages-dummy.c:387:4: overwrite_var: Overwriting "entry->type" in "entry->type = g_strdup_inline(values[i])" leaks the storage that "entry->type" points to.
385| }
386| if (g_strcmp0(names[i], "type") == 0) {
387|-> entry->type = g_strdup(values[i]);
388| continue;
389| }
Error: RESOURCE_LEAK (CWE-772): [#def35] [important]
obexd/plugins/messages-dummy.c:391:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
obexd/plugins/messages-dummy.c:391:4: var_assign: Assigning: "entry->reception_status" = storage returned from "g_strdup_inline(values[i])".
obexd/plugins/messages-dummy.c:391:4: overwrite_var: Overwriting "entry->reception_status" in "entry->reception_status = g_strdup_inline(values[i])" leaks the storage that "entry->reception_status" points to.
389| }
390| if (g_strcmp0(names[i], "reception_status") == 0)
391|-> entry->reception_status = g_strdup(values[i]);
392| }
393| |
Bastien Nocera |
1 year ago |
1 file, +10, -1 |
| 3f1b3c62 |
mesh: Avoid accessing array out-of-bounds
We would boundary check the expected_pdu_size array based on the value
of type, but would still access it out-of-bounds for the debug message.
Split off the invalid type check into its own message to avoid this.
Error: OVERRUN (CWE-119): [#def23] [important]
mesh/prov-initiator.c:676:2: cond_at_least: Checking "type >= 10UL" implies that "type" is at least 10 on the true branch.
mesh/prov-initiator.c:678:3: overrun-local: Overrunning array "expected_pdu_size" of 10 2-byte elements at element index 10 (byte offset 21) using index "type" (which evaluates to 10).
676| if (type >= L_ARRAY_SIZE(expected_pdu_size) ||
677| len != expected_pdu_size[type]) {
678|-> l_error("Expected PDU size %d, Got %d (type: %2.2x)",
679| expected_pdu_size[type], len, type);
680| fail_code[1] = PROV_ERR_INVALID_FORMAT; |
Bastien Nocera |
1 year ago |
1 file, +7, -2 |
| 7c896d7b |
avdtp: Fix manipulating struct as an array
Don't manipulate the "req" structs as if they were flat arrays, static
analysis and humans are both equally confused by this kind of usage.
Error: ARRAY_VS_SINGLETON (CWE-119): [#def26] [important]
profiles/audio/avdtp.c:1675:2: address_of: Taking address with "&start->first_seid" yields a singleton pointer.
profiles/audio/avdtp.c:1675:2: assign: Assigning: "seid" = "&start->first_seid".
profiles/audio/avdtp.c:1679:25: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations.
1677| int i;
1678|
1679|-> for (i = 0; i < count; i++, seid++) {
1680| if (seid->seid == id) {
1681| req->collided = TRUE;
Error: ARRAY_VS_SINGLETON (CWE-119): [#def27] [important]
profiles/audio/avdtp.c:1690:2: address_of: Taking address with "&suspend->first_seid" yields a singleton pointer.
profiles/audio/avdtp.c:1690:2: assign: Assigning: "seid" = "&suspend->first_seid".
profiles/audio/avdtp.c:1694:25: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations.
1692| int i;
1693|
1694|-> for (i = 0; i < count; i++, seid++) {
1695| if (seid->seid == id) {
1696| req->collided = TRUE;
Error: ARRAY_VS_SINGLETON (CWE-119): [#def28] [important]
profiles/audio/avdtp.c:1799:2: address_of: Taking address with "&req->first_seid" yields a singleton pointer.
profiles/audio/avdtp.c:1799:2: assign: Assigning: "seid" = "&req->first_seid".
profiles/audio/avdtp.c:1801:30: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations.
1799| seid = &req->first_seid;
1800|
1801|-> for (i = 0; i < seid_count; i++, seid++) {
1802| failed_seid = seid->seid;
1803|
Error: ARRAY_VS_SINGLETON (CWE-119): [#def29] [important]
profiles/audio/avdtp.c:1912:2: address_of: Taking address with "&req->first_seid" yields a singleton pointer.
profiles/audio/avdtp.c:1912:2: assign: Assigning: "seid" = "&req->first_seid".
profiles/audio/avdtp.c:1914:30: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations.
1912| seid = &req->first_seid;
1913|
1914|-> for (i = 0; i < seid_count; i++, seid++) {
1915| failed_seid = seid->seid;
1916| |
Bastien Nocera |
1 year ago |
1 file, +23, -22 |
| be0b0877 |
avdtp: add NULL checks to avdtp_has_stream()
Make avdtp_has_stream() safe for passing NULL pointers.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +3, -0 |
| 55f561a9 |
shared/shell: add a check for NULL in bt_shell_init()
The opt variable is checked for NULL at the beginning of
the function. It is necessary to add a check to prevent null
pointer dereferencing.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +8, -6 |
| 6f40e88d |
policy: Fix AutoEnable default when main.conf doesn't exist
180cf09933b2d8eb03972c8638063429fe5fece5 changed the default to true
if the config file did not set it, but it still remained false if
the config file did not exist at all. This change fixes that.
Fixes: https://github.com/bluez/bluez/issues/886 |
Arnav Singh |
1 year ago |
1 file, +3, -1 |
| 7e028287 |
advertising: Promote experimental properties to stable
This promotes experimental properties to stable since they have been in
use for quite a while without any changes. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +3, -18 |
| 1a51250a |
org.bluez.LEAdvertisement: Promote experimental properties to stable
This promotes experimental properties to stable since they have been in
use for quite a while without any changes. |
Luiz Augusto von Dentz |
1 year ago |
2 files, +20, -20 |
| 0ddcfaea |
gatt-server: fix memory leak in bt_gatt_server_send_notification()
data-pdu is allocated but not released when an error occurs.
Add data-pdu release before exiting the function in case of an error.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +3, -1 |
| 559e40a8 |
rctest: replace sprintf() with snprintf() in recv_mode()
Use snprintf() instead of sprintf() to avoid buffer overflow.
Found with the SVACE static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +1, -1 |
| 9886a755 |
mcp: replace sprintf() with snprintf() in cb_track_duration()
Use snprintf() instead of sprintf() to avoid buffer overflow.
Found with the SVACE static analysis tool |
Roman Smirnov |
1 year ago |
1 file, +1, -1 |
| 0bd3d150 |
l2test: replace sprintf() with snprintf() in recv_mode()
Use snprintf() instead of sprintf() to avoid buffer overflow.
Found with the SVACE static analysis tool |
Roman Smirnov |
1 year ago |
1 file, +1, -1 |
| ee12a631 |
core: add NULL check to adapter_service_remove()
Make adapter_service_remove() safe for passing NULL pointers. |
Roman Smirnov |
1 year ago |
1 file, +4, -0 |
| 920c4576 |
bass: add NULL check to bass_bcast_src_free()
Make bass_bcast_src_free() safe for passing NULL pointers. |
Roman Smirnov |
1 year ago |
1 file, +3, -0 |
| e3616b77 |
plugins/sixaxis: add NULL check in setup_device()
btd_adapter_get_device() may return NULL on the next call stack:
btd_adapter_get_device()
adapter_create_device()
device_create()
device_new()
g_try_malloc0()
It is necessary to prevent this to avoid dereferencing a null
pointer further. |
Roman Smirnov |
1 year ago |
1 file, +5, -0 |
| bf4ec513 |
media: fix memory leak in endpoint_init_pac()
asprintf() allocates memory in the name variable but does not
free it before exiting the function, which causes a memory leak.
Add freeing of the name variable before exiting.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +1, -0 |
| 2ebb415b |
health/mcap: fix memory leak in mcap_create_mcl()
set_default_cb() can allocate memory for mcl->cb but it does
not free mcl->cb before exiting the function.
Add freeing mcl->cb before exiting the function.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool. |
Roman Smirnov |
1 year ago |
1 file, +1, -0 |
| 72c3f5bf |
l2cap-tester: Add tests for multiple data packets over LE
This adds the following tests which cover the TX/RX of multiple
packets (up to 32K) over LE credit based flow control:
L2CAP LE Client - Read 32k Success
L2CAP LE Client - Write 32k Success |
Luiz Augusto von Dentz |
1 year ago |
1 file, +61, -5 |
| b6f8c002 |
bthost: Introduce bthost_add_l2cap_server_custom
This introduces bthost_add_l2cap_server_custom which can be used to
define custom values for MTU, MPS and credits. |
Luiz Augusto von Dentz |
1 year ago |
2 files, +27, -7 |
| a1e3ac87 |
l2cap-tester: Add tests for multiple data packets
This adds the following tests which cover the TX/RX of multiple
packets (up to 32K):
L2CAP BR/EDR Client - Read 32k Success
L2CAP BR/EDR Client - Write 32k Success
L2CAP BR/EDR Server - Read 32k Success
L2CAP BR/EDR Server - Write 32k Success |
Luiz Augusto von Dentz |
1 year ago |
1 file, +180, -114 |
| 944909f2 |
test-bap: Add Broadcast Source STR MBIS tests
4.14.3 Broadcast Audio Stream with Multiple BISes - Source
Test Purpose:
Verify that a Broadcast Source IUT can stream multiple
BISes to a Broadcast Sink.
Test Case Configuration:
BAP/BSRC/STR/BV-18-C [BSRC, Multiple BISes, LC3 8_1]
BAP/BSRC/STR/BV-19-C [BSRC, Multiple BISes, LC3 8_2]
BAP/BSRC/STR/BV-20-C [BSRC, Multiple BISes, LC3 16_1]
BAP/BSRC/STR/BV-21-C [BSRC, Multiple BISes, LC3 16_2]
BAP/BSRC/STR/BV-22-C [BSRC, Multiple BISes, LC3 24_1]
BAP/BSRC/STR/BV-23-C [BSRC, Multiple BISes, LC3 24_2]
BAP/BSRC/STR/BV-24-C [BSRC, Multiple BISes, LC3 32_1]
BAP/BSRC/STR/BV-25-C [BSRC, Multiple BISes, LC3 32_2]
BAP/BSRC/STR/BV-26-C [BSRC, Multiple BISes, LC3 44.1_1]
BAP/BSRC/STR/BV-27-C [BSRC, Multiple BISes, LC3 44.1_2]
BAP/BSRC/STR/BV-28-C [BSRC, Multiple BISes, LC3 48_1]
BAP/BSRC/STR/BV-29-C [BSRC, Multiple BISes, LC3 48_2]
BAP/BSRC/STR/BV-30-C [BSRC, Multiple BISes, LC3 48_3]
BAP/BSRC/STR/BV-31-C [BSRC, Multiple BISes, LC3 48_4]
BAP/BSRC/STR/BV-32-C [BSRC, Multiple BISes, LC3 48_5]
BAP/BSRC/STR/BV-33-C [BSRC, Multiple BISes, LC3 48_6]
BAP/BSRC/STR/BV-34-C [BSRC, Multiple BISes, VS]
Pass verdict:
If the Codec ID is LC3, the IUT sends encoded LC3 audio
data in BIS Data PDUs on each synchronized BIS.
If the Codec ID is a vendor-specific Codec ID, the IUT
sends BIS Data PDUs on each synchronized BIS. The parameters
included in the Codec_Specific_Configuration data are as
defined in TSPX_VS_Codec_Specific_Configuration.
If the Codec ID is LC3, each parameter included in
Codec_Specific_Configuration data is formatted in an LTV
structure with the length, type, and value specified in
Table 4.83.
Test Summary
------------
BAP/BSRC/STR/BV-18-C [BSRC, Multiple BISes, LC3 8_1] Passed
BAP/BSRC/STR/BV-19-C [BSRC, Multiple BISes, LC3 8_2] Passed
BAP/BSRC/STR/BV-20-C [BSRC, Multiple BISes, LC3 16_1] Passed
BAP/BSRC/STR/BV-21-C [BSRC, Multiple BISes, LC3 16_2] Passed
BAP/BSRC/STR/BV-22-C [BSRC, Multiple BISes, LC3 24_1] Passed
BAP/BSRC/STR/BV-23-C [BSRC, Multiple BISes, LC3 24_2] Passed
BAP/BSRC/STR/BV-24-C [BSRC, Multiple BISes, LC3 32_1] Passed
BAP/BSRC/STR/BV-25-C [BSRC, Multiple BISes, LC3 32_2] Passed
BAP/BSRC/STR/BV-26-C [BSRC, Multiple BISes, LC3 44.1_1] Passed
BAP/BSRC/STR/BV-27-C [BSRC, Multiple BISes, LC3 44.1_2] Passed
BAP/BSRC/STR/BV-28-C [BSRC, Multiple BISes, LC3 48_1] Passed
BAP/BSRC/STR/BV-29-C [BSRC, Multiple BISes, LC3 48_2] Passed
BAP/BSRC/STR/BV-30-C [BSRC, Multiple BISes, LC3 48_3] Passed
BAP/BSRC/STR/BV-31-C [BSRC, Multiple BISes, LC3 48_4] Passed
BAP/BSRC/STR/BV-32-C [BSRC, Multiple BISes, LC3 48_5] Passed
BAP/BSRC/STR/BV-33-C [BSRC, Multiple BISes, LC3 48_6] Passed
BAP/BSRC/STR/BV-34-C [BSRC, Multiple BISes, VS] Passed |
Iulia Tanasescu |
1 year ago |
1 file, +294, -8 |
| 4571cdba |
shared/lc3: Add defines for BASE with multiple BISes
This adds defines for BASE configurations with multiple BISes. |
Iulia Tanasescu |
1 year ago |
1 file, +53, -0 |
| 409251a9 |
test-bap: Add support to config multiple bsrc streams
This adds support to configure multiple bsrc streams. |
Iulia Tanasescu |
1 year ago |
1 file, +45, -7 |
| 98013b74 |
test-bap: Move BASE defines to lc3.h
This moves the BASE related defines introduced in
test-bap to lc3.h. |
Iulia Tanasescu |
1 year ago |
2 files, +152, -149 |
| 13da9252 |
shared/lc3: Rename LC3_BASE
This renames LC3_BASE to LC3_TYPE_BASE, so the meaning
of the define is more clear. |
Iulia Tanasescu |
1 year ago |
1 file, +6, -6 |
| e4536272 |
shared/util: Fix null pointer dereference in util_ltv_foreach()
In the existing code, iov.iov_base is initialized with (void *) data,
assuming data is always valid. However, if "data" happens to be NULL,
dereferencing iov.iov_base in util_iov_pull_u8(&iov, &l) leading to
segmentation fault.
To address this issue added explicit checks for data at the beginning of
the function to ensure its not NULL before proceeding with any operations
The following log was captured while running Broadcast Sink setup:
==79178==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x5631fc6550b1 bp 0x7ffedd247450 sp 0x7ffedd2473a0 T0)
==79178==The signal is caused by a READ memory access.
==79178==Hint: address points to the zero page.
#0 0x5631fc6550b1 in get_u8 src/shared/util.h:206
#1 0x5631fc6550b1 in util_iov_pull_u8 src/shared/util.c:680
#2 0x5631fc6552f7 in util_ltv_foreach src/shared/util.c:194
#3 0x5631fc4b57eb in parse_base profiles/audio/bap.c:1189
#4 0x5631fc4b57eb in iso_pa_sync_confirm_cb profiles/audio/bap.c:1253
#5 0x5631fc4d5990 in server_cb btio/btio.c:265
#6 0x5631fc4d5990 in server_cb btio/btio.c:242
#7 0x71d33511bc43 in g_main_context_dispatch
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
#8 0x71d3351712b7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xab2b7)
#9 0x71d33511b2b2 in g_main_loop_run
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
#10 0x5631fc738ea8 in mainloop_run src/shared/mainloop-glib.c:66
#11 0x5631fc7397b6 in mainloop_run_with_signal
src/shared/mainloop-notify.c:189
#12 0x5631fc355c3a in main src/main.c:1467
#13 0x71d334429d8f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#14 0x71d334429e3f in __libc_start_main_impl ../csu/libc-start.c:392 |
Sarveshwar Bajaj |
1 year ago |
1 file, +1, -1 |
| 5ebaeab4 |
hog-lib: Fix passing wrong parameters to bt_uhid_get_report_reply
The parameters of bt_uhid_get_report_reply are number followed by
status, not status followed by number, so the order needs to be
swapped.
Fixes: https://github.com/bluez/bluez/issues/880 |
Luiz Augusto von Dentz |
1 year ago |
1 file, +1, -1 |
| 2bd25c06 |
shared/mcp: Add instance checks
This adds checks for NULL pointer being passed as mcp instance. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +57, -5 |
| 811e48d3 |
mcp: Implement Next Track and Previous Track commands
Add implementation of Next/Previous Track commands to the audio/mcp profile.
It is used by the Bluetooth media control widget in KDE, for example. |
Yauhen Kharuzhy |
1 year ago |
1 file, +16, -2 |
| a9147140 |
shared/mcp: Implement next/previous track commands
Add bt_mcp_{next,previous}_track functions to shared MCP client
profile code. This allows user to have basic control of the media player
in addition to simple play/pause/stop actions. |
Yauhen Kharuzhy |
1 year ago |
2 files, +22, -0 |
| 5ec05848 |
bap: Use util_iov_new when setting bcode
Currently the broadcast code is set without memory being allocated
for it resulting in segmentation fault. This fixes the issue by using
the newly created util_iov_new that allocates the memory before
setting it. |
Vlad Pruteanu |
1 year ago |
1 file, +2, -3 |
| 503ecbc6 |
shared/util: Add util_iov_new function
This adds the util_iov_new function that allows the user both allocated
and set an iovec to the desired value, using only one function call. |
Vlad Pruteanu |
1 year ago |
2 files, +11, -0 |
| 0dc5bb2e |
gas: Fix reading attributes on every connection
Attributes only need to be read once after that they will be persisted
by the core so there is no need to keep reading them on every
reconnection. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +4, -4 |
| 52bda9d4 |
shared/bap: make BT_BAP_* direction defines valid bitmasks
The directions appear to be intended as bitmasks, as
bt_bap_stream_io_dir() will bitwise or linked stream directions.
Fix the defines to be separate bits.
Fixes confusion due to BT_BAP_BCAST_SOURCE == BT_BAP_SINK|BT_BAP_SOURCE,
which causes e.g. unicast transports to be in PENDING state after QoS
although this does not make sense for BAP unicast Client. |
Pauli Virtanen |
1 year ago |
1 file, +4, -4 |
| 87ad4c66 |
transport: fix crash when freeing transport
Fix UAF by freeing transport->remote_endpoint in media_transport_free,
which also frees the struct (not in destroy after the struct is freed).
ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x508000022ab8 thread T0
#0 0x493624 in media_transport_destroy profiles/audio/transport.c:223
...
freed by thread T0 here:
#1 0x7fb057d10294 in g_free (/lib64/libglib-2.0.so.0+0x5d294)
#2 0x49dd2d in media_transport_free profiles/audio/transport.c:1276
#3 0x7e0e99 in remove_interface gdbus/object.c:682
#4 0x7e8f40 in g_dbus_unregister_interface gdbus/object.c:1430
#5 0x4935a2 in media_transport_destroy profiles/audio/transport.c:220 |
Pauli Virtanen |
1 year ago |
1 file, +1, -3 |
| 7ff745c2 |
src/adapter: Check if device is connected before clean up
Broadcast sources are currently deleted on the clean up triggered
by turning scan off. Thix fix prevents the removal of sources to
which we are synced by also checking if the device that will be
removed is connected (sources to which we are synced are already
marked as connected). |
Vlad Pruteanu |
1 year ago |
1 file, +2, -1 |