| 45d151ec |
main: Fix memory leaks
Error: RESOURCE_LEAK (CWE-772): [#def51] [important]
src/main.c:451:2: alloc_arg: "parse_config_string" allocates memory that is stored into "str".
src/main.c:454:2: identity_transfer: Passing "str" as argument 1 to function "strtol", which sets "endptr" to that argument.
src/main.c:456:3: noescape: Assuming resource "str" is not freed or pointed-to as ellipsis argument to "btd_error".
src/main.c:457:3: leaked_storage: Variable "endptr" going out of scope leaks the storage it points to.
src/main.c:457:3: leaked_storage: Variable "str" going out of scope leaks the storage it points to.
455| if (!endptr || *endptr != '\0') {
456| error("%s.%s = %s is not integer", group, key, str);
457|-> return false;
458| }
459|
Error: RESOURCE_LEAK (CWE-772): [#def52] [important]
src/main.c:451:2: alloc_arg: "parse_config_string" allocates memory that is stored into "str".
src/main.c:454:2: identity_transfer: Passing "str" as argument 1 to function "strtol", which sets "endptr" to that argument.
src/main.c:463:3: leaked_storage: Variable "endptr" going out of scope leaks the storage it points to.
src/main.c:463:3: leaked_storage: Variable "str" going out of scope leaks the storage it points to.
461| warn("%s.%s = %zu is out of range (< %zu)", group, key, tmp,
462| min);
463|-> return false;
464| }
465|
Error: RESOURCE_LEAK (CWE-772): [#def53] [important]
src/main.c:451:2: alloc_arg: "parse_config_string" allocates memory that is stored into "str".
src/main.c:454:2: identity_transfer: Passing "str" as argument 1 to function "strtol", which sets "endptr" to that argument.
src/main.c:475:2: leaked_storage: Variable "endptr" going out of scope leaks the storage it points to.
src/main.c:475:2: leaked_storage: Variable "str" going out of scope leaks the storage it points to.
473| *val = tmp;
474|
475|-> return true;
476| }
477| |
Bastien Nocera |
1 year ago |
1 file, +4, -0 |
| 3652e98d |
media: Fix memory leak
Error: RESOURCE_LEAK (CWE-772): [#def47] [important]
profiles/audio/media.c:1278:2: alloc_arg: "asprintf" allocates memory that is stored into "name". [Note: The source code implementation of the function has been overridden by a builtin model.]
profiles/audio/media.c:1291:2: noescape: Resource "name" is not freed or pointed-to in "bt_bap_add_vendor_pac".
profiles/audio/media.c:1297:3: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
1295| error("Unable to create PAC");
1296| free(metadata);
1297|-> return false;
1298| }
1299| |
Bastien Nocera |
1 year ago |
1 file, +1, -0 |
| d1360727 |
bap: Fix memory leaks
Error: RESOURCE_LEAK (CWE-772): [#def37] [important]
profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc".
profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})".
profiles/audio/bap.c:1066:4: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to.
1064| l2_caps = new0(struct iovec, 1);
1065| if (!util_iov_pull_u8(&iov, (void *)&l2_caps->iov_len))
1066|-> goto fail;
1067|
1068| util_iov_memcpy(l2_caps, util_iov_pull_mem(&iov,
Error: RESOURCE_LEAK (CWE-772): [#def38] [important]
profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc".
profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})".
profiles/audio/bap.c:1068:3: noescape: Resource "l2_caps" is not freed or pointed-to in "util_iov_memcpy".
profiles/audio/bap.c:1080:4: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to.
1078| meta = new0(struct iovec, 1);
1079| if (!util_iov_pull_u8(&iov, (void *)&meta->iov_len))
1080|-> goto fail;
1081|
1082| util_iov_memcpy(meta,
Error: RESOURCE_LEAK (CWE-772): [#def39] [important]
profiles/audio/bap.c:1078:10: alloc_fn: Storage is returned from allocation function "util_malloc".
profiles/audio/bap.c:1078:10: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
profiles/audio/bap.c:1078:10: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
profiles/audio/bap.c:1078:10: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
profiles/audio/bap.c:1078:3: var_assign: Assigning: "meta" = "({...; __p;})".
profiles/audio/bap.c:1080:4: leaked_storage: Variable "meta" going out of scope leaks the storage it points to.
1078| meta = new0(struct iovec, 1);
1079| if (!util_iov_pull_u8(&iov, (void *)&meta->iov_len))
1080|-> goto fail;
1081|
1082| util_iov_memcpy(meta,
Error: RESOURCE_LEAK (CWE-772): [#def40] [important]
profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc".
profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})".
profiles/audio/bap.c:1068:3: noescape: Resource "l2_caps" is not freed or pointed-to in "util_iov_memcpy".
profiles/audio/bap.c:1119:4: noescape: Resource "l2_caps" is not freed or pointed-to in "bt_bap_add_bis".
profiles/audio/bap.c:1119:4: noescape: Resource "l2_caps" is not freed or pointed-to in "bt_bap_add_bis".
profiles/audio/bap.c:1097:5: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to.
1095|
1096| if (!util_iov_pull_u8(&iov, &bis_index))
1097|-> goto fail;
1098|
1099| util_debug(func, NULL, "BIS #%d", bis_index);
Error: RESOURCE_LEAK (CWE-772): [#def41] [important]
profiles/audio/bap.c:1078:10: alloc_fn: Storage is returned from allocation function "util_malloc".
profiles/audio/bap.c:1078:10: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
profiles/audio/bap.c:1078:10: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
profiles/audio/bap.c:1078:10: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
profiles/audio/bap.c:1078:3: var_assign: Assigning: "meta" = "({...; __p;})".
profiles/audio/bap.c:1082:3: noescape: Resource "meta" is not freed or pointed-to in "util_iov_memcpy".
profiles/audio/bap.c:1119:4: noescape: Resource "meta" is not freed or pointed-to in "bt_bap_add_bis".
profiles/audio/bap.c:1119:4: noescape: Resource "meta" is not freed or pointed-to in "bt_bap_add_bis".
profiles/audio/bap.c:1097:5: leaked_storage: Variable "meta" going out of scope leaks the storage it points to.
1095|
1096| if (!util_iov_pull_u8(&iov, &bis_index))
1097|-> goto fail;
1098|
1099| util_debug(func, NULL, "BIS #%d", bis_index);
Error: RESOURCE_LEAK (CWE-772): [#def42] [important]
profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc".
profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})".
profiles/audio/bap.c:1068:3: noescape: Resource "l2_caps" is not freed or pointed-to in "util_iov_memcpy".
profiles/audio/bap.c:1104:5: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to.
1102| l3_caps = new0(struct iovec, 1);
1103| if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len))
1104|-> goto fail;
1105|
1106| util_iov_memcpy(l3_caps,
Error: RESOURCE_LEAK (CWE-772): [#def43] [important]
profiles/audio/bap.c:1102:14: alloc_fn: Storage is returned from allocation function "util_malloc".
profiles/audio/bap.c:1102:14: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
profiles/audio/bap.c:1102:14: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
profiles/audio/bap.c:1102:14: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
profiles/audio/bap.c:1102:4: var_assign: Assigning: "l3_caps" = "({...; __p;})".
profiles/audio/bap.c:1104:5: leaked_storage: Variable "l3_caps" going out of scope leaks the storage it points to.
1102| l3_caps = new0(struct iovec, 1);
1103| if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len))
1104|-> goto fail;
1105|
1106| util_iov_memcpy(l3_caps,
Error: RESOURCE_LEAK (CWE-772): [#def44] [important]
profiles/audio/bap.c:1078:10: alloc_fn: Storage is returned from allocation function "util_malloc".
profiles/audio/bap.c:1078:10: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
profiles/audio/bap.c:1078:10: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
profiles/audio/bap.c:1078:10: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
profiles/audio/bap.c:1078:3: var_assign: Assigning: "meta" = "({...; __p;})".
profiles/audio/bap.c:1082:3: noescape: Resource "meta" is not freed or pointed-to in "util_iov_memcpy".
profiles/audio/bap.c:1104:5: leaked_storage: Variable "meta" going out of scope leaks the storage it points to.
1102| l3_caps = new0(struct iovec, 1);
1103| if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len))
1104|-> goto fail;
1105|
1106| util_iov_memcpy(l3_caps,
Error: RESOURCE_LEAK (CWE-772): [#def45] [important]
profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc".
profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})".
profiles/audio/bap.c:1068:3: noescape: Resource "l2_caps" is not freed or pointed-to in "util_iov_memcpy".
profiles/audio/bap.c:1119:4: noescape: Resource "l2_caps" is not freed or pointed-to in "bt_bap_add_bis".
profiles/audio/bap.c:1119:4: noescape: Resource "l2_caps" is not freed or pointed-to in "bt_bap_add_bis".
profiles/audio/bap.c:1123:2: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to.
1121| }
1122|
1123|-> }
1124| return true;
1125|
Error: RESOURCE_LEAK (CWE-772): [#def46] [important]
profiles/audio/bap.c:1078:10: alloc_fn: Storage is returned from allocation function "util_malloc".
profiles/audio/bap.c:1078:10: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
profiles/audio/bap.c:1078:10: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
profiles/audio/bap.c:1078:10: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
profiles/audio/bap.c:1078:3: var_assign: Assigning: "meta" = "({...; __p;})".
profiles/audio/bap.c:1082:3: noescape: Resource "meta" is not freed or pointed-to in "util_iov_memcpy".
profiles/audio/bap.c:1119:4: noescape: Resource "meta" is not freed or pointed-to in "bt_bap_add_bis".
profiles/audio/bap.c:1119:4: noescape: Resource "meta" is not freed or pointed-to in "bt_bap_add_bis".
profiles/audio/bap.c:1123:2: leaked_storage: Variable "meta" going out of scope leaks the storage it points to.
1121| }
1122|
1123|-> }
1124| return true;
1125| |
Bastien Nocera |
1 year ago |
1 file, +34, -14 |
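The leaks Coverity flags in this bap.c entry, and in the main.c entry at the top of the log, all have the same shape: a buffer is allocated, a later parse step fails, and the error path returns or jumps to fail without releasing what was already built. The C program below is an added example, not BlueZ code and not the project's fix; struct field, pull_field(), parse_caps_record(), the demo_* functions and the allocation counter are assumptions of the example, modelled only on the length-prefixed pulls and the l2_caps/meta pair named in the report. The counter exists so that the error paths can be checked for leaks rather than inspected by eye.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Allocation counter (example instrumentation, not in BlueZ): a caller
 * can check it is back to zero after any error path. */
static int live_allocs;

static void *alloc0_counted(size_t size)
{
	void *p = calloc(1, size);
	live_allocs += p != NULL;
	return p;
}

static void free_counted(void *p)
{
	live_allocs -= p != NULL;
	free(p);
}

/* One length-prefixed field: a length octet, then that many octets. */
struct field {
	uint8_t len;
	uint8_t data[UINT8_MAX];
};

/* Stand-in for util_iov_pull_u8()/util_iov_pull_mem(): consume one field
 * from the front of iov and fail, rather than read past the end, when the
 * length octet promises more bytes than remain. The single fail label
 * frees the partially built object on every failure path. */
static struct field *pull_field(struct iovec *iov)
{
	struct field *f = alloc0_counted(sizeof(*f));
	const uint8_t *p = iov->iov_base;

	if (!f)
		return NULL;
	if (iov->iov_len < 1)
		goto fail;
	f->len = p[0];
	if (iov->iov_len < 1u + f->len)
		goto fail;
	memcpy(f->data, p + 1, f->len);
	iov->iov_base = (void *)(p + 1 + f->len);
	iov->iov_len -= 1u + f->len;
	return f;

fail:
	free_counted(f);
	return NULL;
}

/* Parse "capabilities, then metadata". Both pointers start NULL and the
 * fail label frees whichever were built, so a truncated metadata field
 * no longer leaks the capabilities already parsed. On success ownership
 * of both passes to the caller. */
bool parse_caps_record(const uint8_t *data, size_t size,
			struct field **l2_caps_out, struct field **meta_out)
{
	struct iovec iov = { .iov_base = (void *)data, .iov_len = size };
	struct field *l2_caps = NULL, *meta = NULL;

	if (!(l2_caps = pull_field(&iov)))
		goto fail;
	if (!(meta = pull_field(&iov)))
		goto fail;

	*l2_caps_out = l2_caps;
	*meta_out = meta;
	return true;

fail:
	free_counted(l2_caps);
	free_counted(meta);
	return false;
}

/* Constructed inputs: a well-formed record, and one whose metadata length
 * octet promises more bytes than follow. Each returns 1 when the parse
 * behaves as expected and nothing is left allocated afterwards. */
int demo_well_formed(void)
{
	static const uint8_t rec[] = { 0x02, 0xAA, 0xBB, 0x01, 0xCC };
	struct field *l2 = NULL, *meta = NULL;
	int ok = parse_caps_record(rec, sizeof(rec), &l2, &meta) &&
		l2->len == 2 && meta->len == 1 && meta->data[0] == 0xCC;

	free_counted(l2);
	free_counted(meta);
	return ok && live_allocs == 0;
}

int demo_truncated_meta(void)
{
	static const uint8_t rec[] = { 0x02, 0xAA, 0xBB, 0x05, 0xCC };
	struct field *l2 = NULL, *meta = NULL;

	if (parse_caps_record(rec, sizeof(rec), &l2, &meta))
		return 0;
	return live_allocs == 0;
}
```

The point of the counter is that a `goto fail` discipline is only correct if every pointer the label frees is initialised to NULL before the first jump and every allocation made after the last jump is owned by someone; the truncated-metadata input exercises exactly the branch the report marks at line 1080.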
| 0b842fe9 |
monitor/att: Fix memory leak
name2utf8() returns newly allocated memory which needs to be freed.
Error: RESOURCE_LEAK (CWE-772): [#def27] [important]
monitor/att.c:2291:2: alloc_fn: Storage is returned from allocation function "name2utf8".
monitor/att.c:2291:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
monitor/att.c:2293:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
monitor/att.c:2294:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2292|
2293| print_field(" Media Player Name: %s", name);
2294|-> }
2295|
2296| static void mp_name_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def28] [important]
monitor/att.c:2320:2: alloc_fn: Storage is returned from allocation function "name2utf8".
monitor/att.c:2320:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
monitor/att.c:2322:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
monitor/att.c:2323:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2321|
2322| print_field(" Track Title: %s", name);
2323|-> }
2324|
2325| static void track_title_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def29] [important]
monitor/att.c:2453:2: alloc_fn: Storage is returned from allocation function "name2utf8".
monitor/att.c:2453:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
monitor/att.c:2455:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
monitor/att.c:2456:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2454|
2455| print_field(" Bearer Name: %s", name);
2456|-> }
2457|
2458| static void bearer_name_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def30] [important]
monitor/att.c:2472:2: alloc_fn: Storage is returned from allocation function "name2utf8".
monitor/att.c:2472:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
monitor/att.c:2474:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
monitor/att.c:2475:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2473|
2474| print_field(" Bearer Uci Name: %s", name);
2475|-> }
2476|
2477| static void print_technology_name(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def31] [important]
monitor/att.c:2541:2: alloc_fn: Storage is returned from allocation function "name2utf8".
monitor/att.c:2541:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
monitor/att.c:2543:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
monitor/att.c:2544:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2542|
2543| print_field(" Uri scheme Name: %s", name);
2544|-> }
2545|
2546| static void bearer_uri_schemes_list_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def32] [important]
monitor/att.c:2653:2: alloc_fn: Storage is returned from allocation function "name2utf8".
monitor/att.c:2653:2: var_assign: Assigning: "call_uri" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
monitor/att.c:2655:2: noescape: Resource "call_uri" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
monitor/att.c:2660:1: leaked_storage: Variable "call_uri" going out of scope leaks the storage it points to.
2658| if (frame->size)
2659| print_hex_field(" call_list Data", frame->data, frame->size);
2660|-> }
2661|
2662| static void bearer_current_call_list_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def33] [important]
monitor/att.c:2741:2: alloc_fn: Storage is returned from allocation function "name2utf8".
monitor/att.c:2741:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
monitor/att.c:2743:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
monitor/att.c:2748:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2746| if (frame->size)
2747| print_hex_field(" Data", frame->data, frame->size);
2748|-> }
2749|
2750| static void incom_target_bearer_uri_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def34] [important]
monitor/att.c:2851:3: alloc_fn: Storage is returned from allocation function "name2utf8".
monitor/att.c:2851:3: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
monitor/att.c:2852:3: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
monitor/att.c:2871:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2869| if (frame->size)
2870| print_hex_field("call_cp Data", frame->data, frame->size);
2871|-> }
2872|
2873| static void print_call_cp_notification(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def35] [important]
monitor/att.c:3046:2: alloc_fn: Storage is returned from allocation function "name2utf8".
monitor/att.c:3046:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
monitor/att.c:3048:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
monitor/att.c:3053:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
3051| if (frame->size)
3052| print_hex_field(" Data", frame->data, frame->size);
3053|-> }
3054|
3055| static void incoming_call_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def36] [important]
monitor/att.c:3077:2: alloc_fn: Storage is returned from allocation function "name2utf8".
monitor/att.c:3077:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
monitor/att.c:3079:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
monitor/att.c:3084:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
3082| if (frame->size)
3083| print_hex_field(" Data", frame->data, frame->size);
3084|-> }
3085|
3086| static void call_friendly_name_read(const struct l2cap_frame *frame) |
Bastien Nocera |
1 year ago |
1 file, +19, -0 |
| ab325450 |
client/main: Fix mismatched free
Error: ALLOC_FREE_MISMATCH (CWE-762): [#def37]
client/main.c:2108:2: alloc: Allocation of memory which must be freed using "g_free".
client/main.c:2108:2: assign: Assigning: "desc" = "g_strdup_printf("\x1b[0;94m[%s]\x1b[0m# ", attr)".
client/main.c:2111:2: free: Calling "free" frees "desc" using "free" but it should have been freed using "g_free".
2109|
2110| bt_shell_set_prompt(desc);
2111|-> free(desc);
2112| }
2113| |
Bastien Nocera |
1 year ago |
1 file, +1, -1 |
| f3f762b7 |
client/main: Fix array access
Error: CPPCHECK_WARNING (CWE-788): [#def36]
client/main.c:833: error[ctuArrayIndex]: Array index out of bounds; 'argv' buffer size is 0 and it is accessed at offset 1.
831| const char **opt;
832|
833|-> if (!strcmp(argv[1], "help")) {
834| for (opt = arg_table; opt && *opt; opt++)
835| bt_shell_printf("%s\n", *opt); |
Bastien Nocera |
1 year ago |
1 file, +5, -0 |
| 4262170a |
client/gatt: Check write_value() retval
Error: CHECKED_RETURN (CWE-252): [#def35]
client/gatt.c:3191:3: check_return: Calling "write_value" without checking return value (as is done elsewhere 5 out of 6 times).
client/gatt.c:2371:2: example_checked: Example 1: "write_value(&chrc->value_len, &chrc->value, value, value_len, aad->offset, chrc->max_val_len)" has its value checked in "write_value(&chrc->value_len, &chrc->value, value, value_len, aad->offset, chrc->max_val_len)".
client/gatt.c:2502:2: example_checked: Example 2: "write_value(&chrc->value_len, &chrc->value, value, value_len, offset, chrc->max_val_len)" has its value checked in "write_value(&chrc->value_len, &chrc->value, value, value_len, offset, chrc->max_val_len)".
client/gatt.c:2919:2: example_checked: Example 3: "write_value(&desc->value_len, &desc->value, value, value_len, offset, desc->max_val_len)" has its value checked in "write_value(&desc->value_len, &desc->value, value, value_len, offset, desc->max_val_len)".
client/gatt.c:759:3: example_checked: Example 4: "write_value(&c->value_len, &c->value, value, value_len, offset, c->max_val_len)" has its value checked in "write_value(&c->value_len, &c->value, value, value_len, offset, c->max_val_len)".
client/gatt.c:775:3: example_checked: Example 5: "write_value(&d->value_len, &d->value, value, value_len, offset, d->max_val_len)" has its value checked in "write_value(&d->value_len, &d->value, value, value_len, offset, d->max_val_len)".
3189| }
3190|
3191|-> write_value(&chrc->value_len, &chrc->value, value, len,
3192| 0, chrc->max_val_len); |
Bastien Nocera |
1 year ago |
1 file, +7, -3 |
| 1ba9e5f2 |
client/gatt: Don't pass negative fd on error
Error: NEGATIVE_RETURNS (CWE-394): [#def33]
client/gatt.c:973:2: negative_return_fn: Function "io_get_fd(io)" returns a negative number.
client/gatt.c:973:2: negative_returns: "io_get_fd(io)" is passed to a parameter that cannot be negative.
971| msg.msg_iovlen = iovlen;
972|
973|-> ret = sendmsg(io_get_fd(io), &msg, MSG_NOSIGNAL);
974| if (ret < 0) {
975| ret = -errno;
Error: NEGATIVE_RETURNS (CWE-394): [#def34]
client/gatt.c:1049:2: negative_return_fn: Function "io_get_fd(io)" returns a negative number.
client/gatt.c:1049:2: assign: Assigning: "fd" = "io_get_fd(io)".
client/gatt.c:1062:2: negative_returns: "fd" is passed to a parameter that cannot be negative.
1060| msg.msg_iovlen = 1;
1061|
1062|-> bytes_read = recvmsg(fd, &msg, MSG_DONTWAIT);
1063| if (bytes_read < 0) {
1064| bt_shell_printf("recvmsg: %s", strerror(errno)); |
Bastien Nocera |
1 year ago |
1 file, +10, -1 |
| 1e22fd9a |
attrib/gatt: Guard against possible integer overflow
Error: INTEGER_OVERFLOW (CWE-190): [#def30]
attrib/gatt.c:1016:2: known_value_assign: "last" = "65535", its value is now 65535.
attrib/gatt.c:1087:2: overflow_const: Expression "dd->start", which is equal to 65536, where "last + 1" is known to be equal to 65536, overflows the type that receives it, an unsigned integer 16 bits wide.
1085| }
1086|
1087|-> dd->start = last + 1;
1088|
1089| if (last < dd->end && !uuid_found) { |
Bastien Nocera |
1 year ago |
1 file, +5, -3 |
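The overflow Coverity reports here follows from ATT handles being 16-bit: when the last handle returned by a discovery response is 0xFFFF, last + 1 is 65536 and cannot be stored in dd->start. The C example below is added here and is not the BlueZ fix; struct discover_range, the next_range_* functions and the small probe functions are assumptions of the example, modelled only on the two fields and the continuation condition visible in the report's context lines.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical stand-in for the "dd" discovery state in the report,
 * reduced to the two fields it names. ATT handles are 16-bit, so the
 * highest handle a response can end at is 0xFFFF. */
struct discover_range {
	uint16_t start;
	uint16_t end;
};

/* Unguarded form of the flagged line. The cast makes the 16-bit store
 * explicit: for last == 0xFFFF the stored value is 65536 mod 65536 == 0,
 * below any valid handle. Returns the report's own continuation test. */
bool next_range_unguarded(struct discover_range *dd, uint16_t last,
				bool uuid_found)
{
	dd->start = (uint16_t)(last + 1);
	return last < dd->end && !uuid_found;
}

/* Guarded form: decide whether discovery is finished before touching
 * dd->start, and never form last + 1 once last is the top handle.
 * dd->start is written only when there is a next range to request. */
bool next_range_guarded(struct discover_range *dd, uint16_t last,
				bool uuid_found)
{
	if (uuid_found || last == UINT16_MAX || last >= dd->end)
		return false;
	dd->start = last + 1;
	return true;
}

/* Value the unguarded form leaves in start after a response that ended
 * at the top handle: 0, i.e. wrapped. */
uint16_t unguarded_start_after_top(void)
{
	struct discover_range dd = { .start = 0x0001, .end = 0xFFFF };

	next_range_unguarded(&dd, UINT16_MAX, false);
	return dd.start;
}

/* 1 when the guarded form reports "done" and leaves start untouched. */
int guarded_stops_at_top(void)
{
	struct discover_range dd = { .start = 0x0001, .end = 0xFFFF };
	bool more = next_range_guarded(&dd, UINT16_MAX, false);

	return !more && dd.start == 0x0001;
}

/* Ordinary case: returns the start of the next range to request, or 0
 * when the guarded form says discovery is complete. */
uint16_t guarded_next_start(uint16_t last, uint16_t end)
{
	struct discover_range dd = { .start = 0x0001, .end = end };

	return next_range_guarded(&dd, last, false) ? dd.start : 0;
}
```

The guard is placed on the value that is about to be incremented, not on the result: testing `dd->start == 0` after the store would also work on two's-complement targets, but it relies on the wrap the analyser is complaining about instead of preventing it.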
| d3fcc77f |
adapter: Use false instead of 0 for bool |
Bastien Nocera |
1 year ago |
1 file, +1, -1 |
| f4795bf6 |
configure.ac: fix sixaxis build without tools
Fix the following build failure with --enable-sixaxis --enable-udev
--disable-tools raised since version 5.73 and
9f71892b63f6b65dab874a633d88ae2dcad93a16:
sixaxis.c:(.text.sixaxis_init+0x23): undefined reference to `udev_new'
Fixes: http://autobuild.buildroot.org/results/c337d0f473c5fbb3e6cda1317ba06f5e2b16a43e |
Fabrice Fontaine |
1 year ago |
1 file, +1, -1 |
| 449cf350 |
shared/util: Fix build error on malloc0
This fixes the parameter order of calloc which causes the following
error on recent gcc:
CC client/mgmt.o
In file included from client/mgmt.c:43:
client/mgmt.c: In function ‘cmd_add_ext_adv_params’:
client/mgmt.c:5057:28: error: ‘calloc’ sizes specified with ‘sizeof’ in
the earlier argument and not in the later argument
[-Werror=calloc-transposed-args]
5057 | cp = malloc0(sizeof(*cp));
| |
Luiz Augusto von Dentz |
1 year ago |
1 file, +1, -1 |
| 78af547e |
client: Fix unregister-includes command
The unregister-includes command takes two parameters, service uuid and
included service uuid; since the space between them is missing, the
menu option is not working.
When two uuids separated with a space are given, it throws an error. |
Naga Bhavani Akella |
1 year ago |
1 file, +1, -1 |
| f34cc1da |
gatt-database: Fix error registering characteristic with Handle 0x0000
Registering a characteristic with handle 0x0000 means that the
application wants the handles to be auto-allocated but requires to be
informed of what values they end up with in the database.
Fixes: https://github.com/bluez/bluez/issues/821 |
Luiz Augusto von Dentz |
1 year ago |
1 file, +6, -3 |
| 14057f2c |
client/gatt: gatt_register_app: fix parsing of UUIDs
- argv[0] (shell command) must not be used as UUID argument
- fixed linked list iteration |
Christian Eggers |
1 year ago |
1 file, +2, -2 |
| f40c5857 |
src/shared: Make default length handle EA
By default bt_ad was setting just BT_AD_MAX_DATA_LEN (31) which is not
enough to handle devices advertising using EA, so this switches the
default to be BT_EA_MAX_DATA_LEN (251) since EA is much more common
nowadays; for those cases where it is not supported (e.g. for
advertisers without EA support) bt_ad_set_max_len shall be used to
adjust the maximum length.
Fixes: https://github.com/bluez/bluez/issues/832 |
Luiz Augusto von Dentz |
1 year ago |
2 files, +2, -1 |
| 6fc599e3 |
gatt-database: Fix not calling pending_op_free
acquire_write_reply needs to call pending_op_free once done with the op
since it is not called automatically, as it is not passed as the destroy
function to g_dbus_proxy_method_call. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +1, -0 |
| 7e607921 |
gatt-database: Fix matching ImproperlyConfigured error
Condition for ImproperlyConfigured error was not checking it correctly. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +1, -1 |
| d2a2aabe |
Fix null pointer dereference in bap_get_ascs()
Ensure that bap and rdb pointers are valid before accessing or
allocating memory for ascs. Added a null check to prevent a potential
crash. |
Sarveshwar Bajaj |
1 year ago |
1 file, +1, -1 |
| 9b297847 |
gatt-database: Implement support to org.bluez.Error.ImproperlyConfigured
This implements support for handling when applications reply with
org.bluez.Error.ImproperlyConfigured the code will translate it to
BT_ERROR_CCC_IMPROPERLY_CONFIGURED.
Fixes: https://github.com/bluez/bluez/issues/827 |
Luiz Augusto von Dentz |
1 year ago |
1 file, +3, -0 |
| 129b1916 |
org.bluez.Gatt: Add org.bluez.Error.ImproperlyConfigured error to
WriteValue
Some attributes may require to generate
BT_ERROR_CCC_IMPROPERLY_CONFIGURED when its CCC is not properly
configured so this adds the possibility to generate it by replying with
org.bluez.Error.ImproperlyConfigured error to WriteValue. |
Luiz Augusto von Dentz |
1 year ago |
2 files, +2, -0 |
| c42702cf |
bap: Fix use of uninitialized variable
This fixes the following trace found with valgrind:
Syscall param socketcall.setsockopt(optval) points to uninitialised byte(s)
at 0x5318B0E: setsockopt (in /usr/lib64/libc.so.6)
by 0x39C454: iso_set_qos (btio.c:899)
by 0x39C622: bt_io_set (btio.c:1900)
by 0x37F3B3: iso_do_big_sync (bap.c:2874)
by 0x3991EC: server_cb (btio.c:265)
by 0x3991EC: server_cb (btio.c:242)
by 0x496C4FB: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7600.6)
by 0x49CA6B7: ??? (in /usr/lib64/libglib-2.0.so.0.7600.6)
by 0x496BAFE: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.7600.6)
by 0x4F9694: mainloop_run (mainloop-glib.c:66)
by 0x4F9B27: mainloop_run_with_signal (mainloop-notify.c:188)
by 0x2BE8F2: main (main.c:1464)
Address 0x1fff0004c1 is on thread 1's stack
in frame #2, created by bt_io_set (btio.c:1870) |
Luiz Augusto von Dentz |
1 year ago |
1 file, +1, -0 |
| f141b27b |
bap: Reword bap_adapter/adapter and pa_req/req
Struct name already refers to the actual operation so don't repeat it
again on the variable name which just makes the lines long for no
reason. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +59, -63 |
| c7071911 |
bap: Remove deleted devices from pa_req queue
The bap_bcast_remove function has been updated to remove from the
pa_req queue entries of devices that were freed. pa_req that are already
in progress are treated by the bap_data_free function.
The lookup in bap_bcast_remove was necessary. The entry corresponding to
the calling service must be removed from the pa_req queue. There is no
other way to get a reference to this entry other than to search in the
queue.
This patch fixes a crash that occurs when a device is freed before the
pa_idle_timer handles its entry in the pa_req queue. The following log
was obtained while running a Unicast setup:
==105052==ERROR: AddressSanitizer: heap-use-after-free on address
0x60400001c418 at pc 0x55775caf1846 bp 0x7ffc83d9fb90 sp 0x7ffc83d9fb80
READ of size 8 at 0x60400001c418 thread T0
0 0x55775caf1845 in btd_service_get_device src/service.c:325
1 0x55775ca03da2 in short_lived_pa_sync profiles/audio/bap.c:2693
2 0x55775ca03da2 in pa_idle_timer profiles/audio/bap.c:1996 |
Vlad Pruteanu |
1 year ago |
1 file, +18, -0 |
| 48a69222 |
bap: Improve handling of pa_req timer
The patch handles timers on a per adapter basis.
The timer is now also started on setup_accept_io_broadcast, so
BAP_PA_BIG_SYNC_REQ can be treated if the timer is stopped in the meantime.
The timer is stopped if the bap_adapter's pa_req queue is empty.
A pa_timer_id equal to 0 means that the timer is stopped. |
Vlad Pruteanu |
1 year ago |
1 file, +18, -2 |
| aa7f3574 |
bap: Replace adapter in bap_data with bap_adapter
This patch introduces the bap_adapter structure. In addition to btd_adapter
it also holds the pa_timer_id and the bcast_pa_requests queue associated
with that adapter. This enables convenient access to these variables since
the functions that need them already utilize bap_data.
For each adapter a new instance of bap_adapter is created and inserted into
the global queue, bap_adapters.
For each scanned source bap_bcast_probe searches the bap_adapters queue
based on the adapter and stores the result in the bap_data associated
with the source. Operations made on the old global queue are now made
on bap_data->bap_adapter->bcast_pa_requests queue.
While this commit sought to utilize the already existing bap_data in order
to avoid searching in queues, a lookup was still necessary in
bap_bcast_probe. Here, the bap_data for the scanned devices is created and
the bap_adapter field must be set to the appropriate value. There is no way
of getting the correct bap_adapter reference without searching the
bap_adapters queue. |
Vlad Pruteanu |
1 year ago |
1 file, +66, -34 |
| 638774f6 |
bap: Initialize bap_data for scanned device in bap_bcast_probe
By moving the bap_data initialization for a scanned device to
bap_adapter_probe() the adapter field of bap_data will already be set when
short_lived_pa_sync is called. When adapter is changed to
bap_adapter, this will help eliminate an additional queue search (in
short_lived_pa_sync). |
Vlad Pruteanu |
1 year ago |
1 file, +31, -31 |
| 02ade13c |
ccp: Mark plugin for testing
This makes the ccp plugin for testing only rather than experimental since
it is only meant for test validation as platforms shall integrate CCP
directly into their telephony stack. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +6, -8 |
| e7578f9d |
main.conf: Add support for testing interfaces
This adds support for D-Bus testing interfaces and testing profile
drivers. |
Luiz Augusto von Dentz |
1 year ago |
6 files, +31, -2 |
| d8f3a3fa |
gdbus: Add testing flags
This adds testing flags which are similar to experimental but are only
available for testing. |
Luiz Augusto von Dentz |
1 year ago |
2 files, +59, -0 |
| 30b741ba |
shared/bap: Get broadcast channel location from stream capabilities
Get the channel location from the stream's configured capabilities,
rather than from the local PACS database capabilities. |
Andrei Istodorescu |
1 year ago |
1 file, +22, -16 |
| 5b4d9abf |
shared/bap: Allow NULL bap endpoint in streams |
Andrei Istodorescu |
1 year ago |
1 file, +40, -14 |
| 8e5f3433 |
bap: call select_cb on bt_bap_cancel_select() to clean up
Have bt_bap_cancel_select() to trigger the callback function with error
code, simplifying the cleanup when ep is freed while SelectProperties is
ongoing.
Fixes bap_data->selecting not being decremented when ep setup is
canceled, which results in transports not being created thereafter.
Fixes: 41d6c4e1c92f ("bap: cancel ongoing SelectProperties() before freeing the ep") |
Pauli Virtanen |
1 year ago |
1 file, +0, -1 |
| 04153538 |
client/player: Fix using unicast QoS for broadcast
The code needs to identify first if the parameters refer to a broadcast
stream or unicast. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +22, -12 |
| 92c1c1c3 |
client/player: Fix calculation of number of packet
The calculation shall attempt to round the number of packets to the
closest integer otherwise it can result in 0 packets to be sent at each
latency. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +4, -2 |
| a08ec1a4 |
gatt-database: Fix sending notification to all devices
If notifications were set up with a GATT application that implements
AcquireNotify the code will attempt to set up a dedicated fd/io for each
device, so when receiving a notification over the fd/io it is only meant
to be sent to that device.
Fixes: https://github.com/bluez/bluez/issues/820 |
Luiz Augusto von Dentz |
1 year ago |
1 file, +7, -8 |
| 4dea3fb9 |
client/advertising: Add flag to mark if data is valid
This allows the use of type 0x00 which otherwise could not be selected
since the property would not be exposed even though the data could be
set. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +5, -3 |
| 89cb88b0 |
monitor: fix spelling typo |
Preston Hunt |
1 year ago |
1 file, +1, -1 |
| b411b98b |
set: don't modify input sirk key in btd_set_add_device()
Currently, btd_set_add_device decrypts the sirk in-place, modifying the
key passed to it.
This causes store_sirk() later on to save the wrong (decrypted) key
value, resulting in an invalid duplicate device set.
It also allows the devices->sirk list to contain the same set multiple times,
which crashes later on as sirks and sets are assumed to be 1-to-1 in
btd_set_add/remove_device().
Fixes:
=======================================================================
ERROR: AddressSanitizer: heap-use-after-free on address 0x60600001c068
READ of size 8 at 0x60600001c068 thread T0
#0 0x762721 in btd_set_remove_device src/set.c:347
#1 0x7341e7 in remove_sirk_info src/device.c:7145
#2 0x7f2cee in queue_foreach src/shared/queue.c:207
#3 0x734499 in btd_device_unref src/device.c:7159
#4 0x719f65 in device_remove src/device.c:4788
#5 0x682382 in adapter_remove src/adapter.c:6959
...
0x60600001c068 is located 40 bytes inside of 56-byte region [0x60600001c040,0x60600001c078)
freed by thread T0 here:
#1 0x7605a6 in set_free src/set.c:170
#2 0x7d4eff in remove_interface gdbus/object.c:660
#3 0x7dcbb3 in g_dbus_unregister_interface gdbus/object.c:1394
#4 0x762990 in btd_set_remove_device src/set.c:362
#5 0x7341e7 in remove_sirk_info src/device.c:7145
#6 0x7f2cee in queue_foreach src/shared/queue.c:207
#7 0x734499 in btd_device_unref src/device.c:7159
#8 0x719f65 in device_remove src/device.c:4788
#9 0x682382 in adapter_remove src/adapter.c:6959
...
previously allocated by thread T0 here:
#1 0x7f5429 in util_malloc src/shared/util.c:46
#2 0x7605f1 in set_new src/set.c:178
#3 0x7625b9 in btd_set_add_device src/set.c:324
#4 0x6f8fc8 in add_set src/device.c:1916
#5 0x7f2cee in queue_foreach src/shared/queue.c:207
#6 0x6f982c in device_set_ltk src/device.c:1940
#7 0x667b97 in load_ltks src/adapter.c:4478
...
======================================================================= |
Pauli Virtanen |
1 year ago |
2 files, +9, -4 |
| d3a6a645 |
bap: cancel stream operation before freeing setup
Before freeing setup, cancel any ongoing stream operations, and indicate
failure for pending DBus replies.
Fixes:
=======================================================================
ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000004758
WRITE of size 4 at 0x60d000004758 thread T0
#0 0x557159 in qos_cb profiles/audio/bap.c:753
#1 0x89c38f in bap_req_complete src/shared/bap.c:1191
#2 0x8cb7fc in bap_req_detach src/shared/bap.c:4789
#3 0x8cb9bb in bt_bap_detach src/shared/bap.c:4801
#4 0x571e25 in bap_disconnect profiles/audio/bap.c:3011
...
freed by thread T0 here:
#1 0x558f2b in setup_free profiles/audio/bap.c:890
#2 0x7f34e8 in queue_remove_all src/shared/queue.c:341
#3 0x7f0105 in queue_destroy src/shared/queue.c:60
#4 0x55cdc8 in ep_free profiles/audio/bap.c:1167
======================================================================= |
Pauli Virtanen |
1 year ago |
1 file, +13, -0 |
| f78e639f |
shared/bap: clean up requests for a stream before freeing it
Cancel stream's queued requests before freeing the stream.
As the callbacks may do some cleanup on error, be sure to call them
before removing the requests.
Fixes:
=======================================================================
ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000013430
READ of size 8 at 0x60d000013430 thread T0
#0 0x89cb9f in stream_stop_complete src/shared/bap.c:1211
#1 0x89c997 in bap_req_complete src/shared/bap.c:1192
#2 0x8a105f in bap_process_queue src/shared/bap.c:1474
#3 0x93c93f in timeout_callback src/shared/timeout-glib.c:25
...
freed by thread T0 here:
#1 0x89b744 in bap_stream_free src/shared/bap.c:1105
#2 0x89bac8 in bap_stream_detach src/shared/bap.c:1122
#3 0x89dbfc in bap_stream_state_changed src/shared/bap.c:1261
#4 0x8a2169 in bap_ucast_set_state src/shared/bap.c:1554
#5 0x89e0d5 in stream_set_state src/shared/bap.c:1291
#6 0x8a78b6 in bap_ucast_release src/shared/bap.c:1927
#7 0x8d45bb in bt_bap_stream_release src/shared/bap.c:5516
#8 0x8ba63f in remove_streams src/shared/bap.c:3538
#9 0x7f23d0 in queue_foreach src/shared/queue.c:207
#10 0x8bb875 in bt_bap_remove_pac src/shared/bap.c:3593
#11 0x47416c in media_endpoint_destroy profiles/audio/media.c:185
======================================================================= |
Pauli Virtanen |
1 year ago |
1 file, +65, -41 |
| b94f1be6 |
shared/uhid: Fix crash if bt_uhid_destroy free replay structure
If the replay structure has been allocated it shall be set back to NULL
after calling uhid_replay_free, otherwise it may cause the following
crash:
Invalid read of size 1
at 0x1D8FC4: bt_uhid_record (uhid.c:116)
by 0x1D912C: uhid_read_handler (uhid.c:158)
by 0x201A64: watch_callback (io-glib.c:157)
by 0x48D4198: g_main_dispatch.lto_priv.0 (gmain.c:3344)
by 0x49333BE: UnknownInlinedFun (gmain.c:4152)
by 0x49333BE: g_main_context_iterate_unlocked.isra.0 (gmain.c:4217)
by 0x48D4DC6: g_main_loop_run (gmain.c:4419)
by 0x2020F4: mainloop_run (mainloop-glib.c:66)
by 0x20254B: mainloop_run_with_signal (mainloop-notify.c:188)
by 0x12D6D4: main (main.c:1456)
Address 0x53ae9c0 is 0 bytes inside a block of size 40 free'd
at 0x48468CF: free (vg_replace_malloc.c:985)
by 0x1D8E19: uhid_replay_free (uhid.c:68)
by 0x1D8E19: uhid_replay_free (uhid.c:59)
by 0x1D8E19: bt_uhid_destroy (uhid.c:509)
by 0x1591F5: uhid_disconnect (device.c:183)
Fixes: https://github.com/bluez/bluez/issues/815 |
Luiz Augusto von Dentz |
1 year ago |
1 file, +1, -0 |
| 249216dc |
Release 5.75 |
Marcel Holtmann |
1 year ago |
2 files, +4, -1 |
| 1955b833 |
build: list new tools/tester.h header in sources
This fixes dist tarballs missing the header. |
Jan Palus |
1 year ago |
1 file, +3, -3 |
| f1a7ab0e |
Release 5.74 |
Marcel Holtmann |
1 year ago |
2 files, +9, -1 |
| 58b6c0b8 |
build: Update library version |
Marcel Holtmann |
1 year ago |
1 file, +1, -1 |
| 6b544758 |
advertising: Do not crash in case of adv update failure
The refresh_extended_adv() is used in case of direct advertising
request from the client or in case of advertising properties update
or configured advertising timeout. In the two latter cases it is not
possible to prepare a reply D-Bus message, because there is no request
message to begin with.
bluetoothd: ../src/advertising.c:add_client_complete() Failed to add
advertisement: Busy (0x0a)
dbus: arguments to dbus_message_get_no_reply() were incorrect, assertion
"message != NULL" failed in file ../../../dbus/dbus-message.c line 3235.
This is normally a bug in some application using the D-Bus library. |
Arkadiusz Bokowy |
1 year ago |
1 file, +10, -1 |
| 9be5d801 |
bap: Update properties of endpoints
If a MediaEndpoint is found during the registration stage attempt to check
and update properties since they may have been updated at a later stage
when a session has been attached. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +41, -7 |
| 7db85520 |
shared/bap: Fix not resuming reading attributes
If there is an unexpected disconnect and some attribute values
were left uninitialized this attempts to resume reading them once a
new session is attached. |
Luiz Augusto von Dentz |
1 year ago |
1 file, +54, -0 |
| c7dcd064 |
shared/bap: Make bt_bap_select fallback in case of no channel allocation
If channel allocation could not be matched attempt to call .select
without a channel allocation as the device might require a different
matching algorithm.
Fixes: https://github.com/bluez/bluez/issues/793 |
Luiz Augusto von Dentz |
1 year ago |
1 file, +12, -2 |