| b4e74f7b |
adapter: Fix reusing gerror without re-initialization
When the GError variable is freed with g_error_free(), it is not set to
NULL and reusing the same variable again can cause a segfault because
it is still pointing to the old memory address which is freed.
This patch replaces g_error_free() with g_clear_error() which frees the
variable and sets it to NULL if the variable is used in the function
again.
Fixes: 2287c517ca1bd ("adapter: Fix unchecked return value")
Fixes: https://github.com/bluez/bluez/issues/276 |
Tedd Ho-Jeong An |
3 years ago |
1 file, +17, -17 |
| 24d986e7 |
device: Fix crash when removing device
Calling btd_adapter_remove_device from device_remove_connection can
cause a crash, so instead of removing it immediately this sets the
temporary timeout to 0.
Fixes: https://github.com/bluez/bluez/issues/290 |
Luiz Augusto von Dentz |
3 years ago |
1 file, +23, -23 |
| 053a1d4b |
monitor/sdp: Fixes out-of-bounds array access
This patch fixes the out-of-bounds array access caught by ASAN.
monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type
'cont_data [8]'
=================================================================
==4180==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978
WRITE of size 9 at 0x7fe2d271a542 thread T0
#0 0x7fe2d174a57c (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
#1 0x7fe2d23bae85 in search_attr_rsp monitor/sdp.c:692
#2 0x7fe2d23be3f1 in sdp_packet monitor/sdp.c:771
#3 0x7fe2d23b004c in l2cap_frame monitor/l2cap.c:3247
#4 0x7fe2d23b3d9c in l2cap_packet monitor/l2cap.c:3312
#5 0x7fe2d237d5c3 in packet_hci_acldata monitor/packet.c:11638
#6 0x7fe2d2381876 in packet_monitor monitor/packet.c:3967
#7 0x7fe2d230b285 in data_callback monitor/control.c:973
#8 0x7fe2d2447029 in mainloop_run src/shared/mainloop.c:106
#9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
#10 0x7fe2d230324a in main monitor/main.c:290
#11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)
0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list'
defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384
0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list'
defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow
(/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
...
==4180==ABORTING |
Tedd Ho-Jeong An |
3 years ago |
1 file, +1, -1 |
| f3ddc744 |
uuid: Fix crashing if a NULL string is passed to bt_string_to_uuid
bt_string_to_uuid shall check if the string is valid before attempting
to access its contents. |
Luiz Augusto von Dentz |
3 years ago |
1 file, +3, -0 |
| c70b23d3 |
adapter: Fix crash when storing link key
The following trace can be observed sometimes when pairing 2 emulator
instances:
src/adapter.c:store_link_key() Unable to load key file from
/var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No
such file or directory)
GLib: g_file_set_contents: assertion 'error == NULL ||
*error == NULL' failed
++++++++ backtrace ++++++++
#1 btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a]
#2 g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6)
[0x7f65ba3f955c]
#3 g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6)
[0x7f65ba3f9743]
#4 g_file_set_contents+0x68
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68]
#5 store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a]
#6 new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904]
#7 queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34]
#8 can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f]
#9 watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2]
#10 g_main_context_dispatch+0x14e
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e] |
Luiz Augusto von Dentz |
3 years ago |
1 file, +4, -2 |
| ec5209af |
rfcomm-tester: Add test to write big chunks of data
This attempts to test traffic similar to OBEX using big chunk of data. |
Luiz Augusto von Dentz |
3 years ago |
1 file, +40, -7 |
| bfc6cf43 |
bthost: Increase number of credits
This increases the number of credits so bigger packets can be sent by
the likes of rfcomm-tester. |
Luiz Augusto von Dentz |
3 years ago |
1 file, +1, -1 |
| 9f081972 |
bthost: Fix length calculation for RFCOMM header
This fixes the length calculation for large packets that require more
than 1 byte. |
Luiz Augusto von Dentz |
3 years ago |
1 file, +10, -3 |
| e700d552 |
bthost: Fix not handling ACL fragmentation
Large packets require the support of ACL fragmentation in order to be
properly processed. |
Luiz Augusto von Dentz |
3 years ago |
2 files, +102, -21 |
| d84b9950 |
bootstrap-configure: Don't enable admin plugin by default
Admin plugin doesn't work properly when there are multiple adapters in
the system. |
Luiz Augusto von Dentz |
3 years ago |
1 file, +0, -1 |
| 264177eb |
adv_monitor: Fix spamming errors
If advertising manager is not enabled don't log any error on
btd_adapter_update_found_device, also change
btd_adv_monitor_offload_supported to btd_adv_monitor_offload_enabled
since that is checking if the feature has been enabled rather than if it
is just supported.
Fixes: https://github.com/bluez/bluez/issues/286 |
Luiz Augusto von Dentz |
3 years ago |
3 files, +4, -6 |
| 19448b9c |
gdbus: Emit InterfacesAdded of parent objects first
This makes InterfacesAdded respect the object hierarchy in case its
parent has pending interfaces to be added.
Fixes: https://github.com/bluez/bluez/issues/272
Fixes: https://github.com/bluez/bluez/issues/284
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1534857
Fixes: https://bugs.archlinux.org/task/57464 |
Luiz Augusto von Dentz |
3 years ago |
1 file, +6, -0 |
| 3f72b451 |
mesh: Skip unneeded logs |
Michał Lowas-Rzechonek |
3 years ago |
2 files, +2, -2 |
| 7083cad2 |
mesh: Make key_aid and net_key_id naming consistent
- key_aid refers to application key AID
- net_key_id refers to unique, internal id of the network key, used in
net-keys.h
Also, remove unused mesh_frnd_pkt struct. |
Michał Lowas-Rzechonek |
3 years ago |
4 files, +67, -91 |
| c2c0bff8 |
mesh: Fix sequence number of message in friend queue
As pointed out by https://github.com/bluez/bluez/issues/250, the last
segment of a multi-segmented message added to Friend Queue was getting
reset to the seqAuth value incorrectly. The correct sequence was set
within the preceding for loop. |
Brian Gix |
3 years ago |
1 file, +0, -1 |
| c1e12f4d |
btdev: Fix response to BT_HCI_CMD_LE_REMOVE_CIG
BT_HCI_CMD_LE_REMOVE_CIG should respond with the CIG ID from the
command instead of always responding with 0x00. |
Luiz Augusto von Dentz |
3 years ago |
1 file, +2, -1 |
| 8c6ff341 |
btdev: Fix command status of BT_HCI_CMD_LE_TERM_BIG
The status was reporting BT_HCI_CMD_DISCONNECT instead of
BT_HCI_CMD_LE_TERM_BIG. |
Luiz Augusto von Dentz |
3 years ago |
1 file, +1, -1 |
| 0cf3bbbf |
monitor: Fix misalignment errors when parsing BIG/CIG events
This fixes errors such as:
monitor/packet.c:8129:2: runtime error: load of misaligned address
0x55956a438f2d for type 'const uint16_t', which requires 2 byte
alignment |
Luiz Augusto von Dentz |
3 years ago |
1 file, +4, -4 |
| 340a7b97 |
systemd: More lockdown
bluetoothd does not need to execute mapped memory, or real-time
access, so block those. |
Bastien Nocera |
3 years ago |
1 file, +6, -0 |
| 442d211b |
systemd: Add more filesystem lockdown
We can only access the configuration file as read-only and read-write
to the Bluetooth cache directory and sub-directories. |
Bastien Nocera |
3 years ago |
2 files, +7, -0 |
| 8d2db81e |
systemd: Add PrivateTmp and NoNewPrivileges options
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
namespace. This is useful to secure access to temporary files of the
process.
NoNewPrivileges ensures that service process and all its children
can never gain new privileges through execve(), lowering the risk of
possible privilege escalations. |
Craig Andrews |
3 years ago |
1 file, +6, -0 |
| caeabc41 |
build: Always define confdir and statedir
As we will need those paths to lock down on them. |
Bastien Nocera |
3 years ago |
1 file, +3, -3 |
| 5f378404 |
adapter: Remove custom MGMT send/reply timeout
This removes the custom MGMT send/reply timeout since bt_mgmt itself
can handle them and it actually starts the timer only when the
command is actually sent to the kernel rather than when it is queued.
Fixes: https://github.com/bluez/bluez/issues/275 |
Luiz Augusto von Dentz |
3 years ago |
1 file, +19, -148 |
| faad125c |
shared/mgmt: Add request timeout handling
This adds request timeout handling when using mgmt_send_timeout and
mgmt_reply_timeout; the timeout is applied to the request only when it
is actually transmitted and not while queued. |
Luiz Augusto von Dentz |
3 years ago |
2 files, +83, -12 |
| 57d33535 |
btdev: Add implementation for BT_HCI_CMD_LE_TERM_BIG
This adds a handler for BT_HCI_CMD_LE_TERM_BIG and generates
BT_HCI_EVT_LE_BIG_TERMINATE to indicate to the host stack that the
BIG has been terminated. |
Luiz Augusto von Dentz |
3 years ago |
1 file, +19, -3 |
| 80e8c846 |
gatt: Make use of gatt_db_attribute_notify
This makes use of gatt_db_attribute_notify to send indications of
Service Changed. |
Luiz Augusto von Dentz |
3 years ago |
1 file, +59, -14 |
| b86412b6 |
shared/gatt-db: Introduce gatt_db_attribute_notify
This introduces gatt_db_attribute_notify which can be used to trigger a
notification using the callback set by gatt_db_ccc_register. |
Luiz Augusto von Dentz |
3 years ago |
3 files, +92, -6 |
| 88e062f1 |
gatt: Make use of gatt_db_service_add_ccc
This uses gatt_db_service_add_ccc and gatt_db_ccc_register so any ccc
registered with the use of the former gets proper state tracking. |
Luiz Augusto von Dentz |
3 years ago |
1 file, +28, -34 |
| c71fa73d |
shared/gatt-db: Introduce gatt_db_service_add_ccc
This adds gatt_db_service_add_ccc so the likes of plugins can use it
with the default callbacks, which is useful for tracking their states. |
Luiz Augusto von Dentz |
3 years ago |
2 files, +60, -0 |
| 0516d252 |
hog-lib: Make use of UHID_CREATE2
This converts the use of UHID_CREATE to UHID_CREATE2 which gives back
the information of reports being numbered or not thus avoiding the need
to parse the report map in order to check if there is a report number
on them since UHID_START gives that information:
UHID_START:
This is sent when the HID device is started. Consider this as an
answer to UHID_CREATE2. This is always the first event that is sent.
Note that this event might not be available immediately after
write(UHID_CREATE2) returns.
Device drivers might require delayed setups.
This event contains a payload of type uhid_start_req. The "dev_flags"
field describes special behaviors of a device. The following flags
are defined:
- UHID_DEV_NUMBERED_FEATURE_REPORTS
- UHID_DEV_NUMBERED_OUTPUT_REPORTS
- UHID_DEV_NUMBERED_INPUT_REPORTS
Each of these flags defines whether a given report-type uses numbered
reports. If numbered reports are used for a type, all messages from
the kernel already have the report-number as prefix. Otherwise, no
prefix is added by the kernel. For messages sent by user-space to the
kernel, you must adjust the prefixes according to these flags. |
Luiz Augusto von Dentz |
3 years ago |
1 file, +92, -119 |
| eb5c7518 |
avrcp: Fix unaligned access
This fixes the access to struct media_attribute_header which needs to
be packed and it also replaces the use of ntohs/ntohl with byteorder
conversion helpers which are a lot more clear on what byteorder shall
be used. |
Luiz Augusto von Dentz |
4 years ago |
1 file, +111, -118 |
| 9822898f |
monitor/avctp: Fix parsing of GetElementAttribute
AVRCP byte order is always big endian:
Audio/Video Remote Control / Profile Specification - Page 20:
'Transfer Octet Order; Packets shall transfer multiple-octet fields in
standard network octet order (Big Endian), with more significant
(high-order) octets being transferred before less-significant (low-order)
octets.' |
Luiz Augusto von Dentz |
4 years ago |
1 file, +1, -1 |
| 7a8d1be9 |
device: Fix device can't be scanned for 5 mins after reboot
After the patches which limit the attempts of doing remote name
resolving, there's an issue which prevents BlueZ from doing RNR on new
devices for 5 minutes after reboot. It's caused by failed_time being
initialized to 0, and then treated as the timestamp when the device
failed RNR. However, actually there is no failure yet.
This patch fixes it by always allowing RNR when failed_time = 0. |
Archie Pusaka |
4 years ago |
1 file, +17, -5 |
| 33d13bbc |
hog: Add input queue while uhid device has not been created
Since the report map is only read after all reports it is possible to start
receiving notifications before uhid has been created, so this adds a
queue to store the events while the report map is pending and once uhid
has been created dequeue the events. |
Luiz Augusto von Dentz |
4 years ago |
1 file, +29, -3 |
| 7fe38a17 |
hog: Fix read order of attributes
The Report Map must be read after all other attributes otherwise the
Kernel driver may start using UHID_SET_REPORT which requires the
report->id to be known in order to resolve the attribute to send to.
Fixes: https://github.com/bluez/bluez/issues/220 |
Luiz Augusto von Dentz |
4 years ago |
1 file, +119, -72 |
| 8edd9ff4 |
media: Fix crash when endpoint replies with an error to SetConfiguration
If the endpoint responds to SetConfiguration the transport is being
destroyed without removing it from the list, leading to a crash.
Fixes: https://github.com/bluez/bluez/issues/269 |
Luiz Augusto von Dentz |
4 years ago |
1 file, +13, -8 |
| 9761d7b1 |
tools/mesh-cfgclient: Fix config menu help message
An info message suggesting to request a remote node composition
should reference the correct menu command: "composition-get". |
Inga Stotland |
4 years ago |
1 file, +3, -3 |
| f688edd8 |
tools/mesh-cfgclient: Fix typos in config storage
Fix keyword typos and comments. |
Inga Stotland |
4 years ago |
1 file, +2, -2 |
| 050cead3 |
avdtp: Fix runtime errors passing NULL to memcpy
Passing NULL to memcpy is considered undefined behavior which leads to
the following runtime errors:
profiles/audio/avdtp.c:2709:2: runtime error: null pointer passed as
argument 1, which is declared to never be null
profiles/audio/avdtp.c:2709:2: runtime error: null pointer passed as
argument 2, which is declared to never be null
profiles/audio/avdtp.c:3326:2: runtime error: null pointer passed as
argument 2, which is declared to never be null
profiles/audio/avdtp.c:500:3: runtime error: null pointer passed as
argument 2, which is declared to never be null |
Luiz Augusto von Dentz |
4 years ago |
1 file, +9, -6 |
| cfab5694 |
build: Replace use of g_memdup with util_memdup
This replaces the uses of g_memdup with util_memdup since the former has
been deprecated:
warning: ‘g_memdup’ is deprecated: Use 'g_memdup2' instead
[-Wdeprecated-declarations]
g_memdup2 requires bumping the glib version which would likely have its
own problems, which is why util_memdup was introduced. |
Luiz Augusto von Dentz |
4 years ago |
34 files, +172, -146 |
| 9f09e69e |
shared/util: Add util_memdup
This adds util_memdup which is intended to replace g_memdup since
replacing that with g_memdup2 requires bumping the glib version. |
Luiz Augusto von Dentz |
4 years ago |
2 files, +17, -0 |
| 3a53b27e |
attrib: Remove gatt-service.{c,h} and attrib-server.{c,h}
These files are no longer needed since this functionality has been
moved to gatt-db.{c,h}. |
Luiz Augusto von Dentz |
4 years ago |
7 files, +1, -2100 |
| 710220f8 |
shared/util: Rename btd_malloc to util_malloc
util functions are not limited to the daemon only, which is normally the
case when using the btd prefix. |
Luiz Augusto von Dentz |
4 years ago |
3 files, +4, -4 |
| 4a00535f |
emulator: Add support for vendor commands
This adds support for vendor commands reserving a single opcode (0xfc10)
so it can be extended using subcommands, similar to how MSFT works.
The first subcommand (0x00) enables the emulator to generate arbitrary
events using the commands parameters:
> tools/hcitool cmd 3f 10 00 22 24 d0 d0 d0 d0 d0 d0 ff ff
< HCI Command: Vendor (0x3f|0x0010) plen 11
00 22 24 d0 d0 d0 d0 d0 d0 ff ff
."$........
Bluetooth: hci0: Malformed HCI Event: 0x22
> HCI Event: Inquiry Result with R.. (0x22) plen 9
Num responses: 36
Page scan repetition mode: Reserved (0xff)
Page period mode: Reserved (0xff)
Class: 0xffffd0
Major class: Uncategorized, specific device code not specified
Minor class: 0x34
Limited Discoverable Mode
invalid service class
Clock offset: 0x6368
RSSI: 105 dBm (0x69)
> HCI Event: Command Complete (0x0e) plen 4
Vendor (0x3f|0x0010) ncmd 1
Status: Success (0x00) |
Luiz Augusto von Dentz |
4 years ago |
7 files, +87, -9 |
| ac33d95d |
configure: Fix use of obsolete macros
This fixes the following warnings when using autoconf >= 2.70:
configure.ac:19: warning: The macro `AC_LANG_C' is obsolete.
configure.ac:45: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:440: warning: AC_OUTPUT should be used without arguments.
The macros are replaced following the autoconf documentation:
https://www.gnu.org/software/autoconf/manual/autoconf-2.70/html_node/Obsolete-Macros.html
Fixes: https://github.com/bluez/bluez/issues/246 |
Luiz Augusto von Dentz |
4 years ago |
2 files, +50, -49 |
| da072396 |
Release 5.63 |
Marcel Holtmann |
4 years ago |
2 files, +6, -1 |
| 401643e5 |
gattrib: Fix passing NULL to memcpy
This fixes the following runtime error:
attrib/gattrib.c:198:2: runtime error: null pointer passed as
argument 2, which is declared to never be null |
Luiz Augusto von Dentz |
4 years ago |
1 file, +3, -1 |
| 2be0c6aa |
bootstrap-configure: Enable sanitizer options
This makes bootstrap-configure enable all sanitizers. |
Luiz Augusto von Dentz |
4 years ago |
1 file, +3, -0 |
| 2be2b945 |
build: Fix build when sanitizers are enabled
This fixes various issues found when sanitizers are enabled. |
Luiz Augusto von Dentz |
4 years ago |
8 files, +19, -12 |
| 4839b113 |
build: Add sanitizer options
Build using Address Sanitizer (asan), Leak Sanitizer (lsan), or
Undefined Behavior Sanitizer (ubsan) by using one of these options for
the configure script:
--enable-asan
--enable-lsan
--enable-ubsan
For each of these to work, the compiler must support the requested
sanitizer and the requisite libraries must be installed (libasan,
liblsan, libubsan). |
Luiz Augusto von Dentz |
4 years ago |
3 files, +90, -2 |