This patch fixes the unchecked return value.
This patch replaces various instances of malloc and subsequent
memset(..,0,..) with bt_malloc0 (i.e., calloc) for efficiency.
The calls to gen_[searchseq|attridseq]_seq functions return negative
value on failure. The return value should be checked to gracefully
exit with a proper exit code.
This patch adds SPDX License Identifier and removes the license text.
-------------------------------------
License COUNT
-------------------------------------
GPL-2.0-or-later : 18
GPL-2.0-only : 1
License: GPL-2.0-or-later
lib/sco.h
lib/sdp.c
lib/a2mp.h
lib/uuid.h
lib/bluetooth.h
lib/hidp.h
lib/rfcomm.h
lib/hci.c
lib/sdp.h
lib/sdp_lib.h
lib/bluetooth.c
lib/mgmt.h
lib/hci.h
lib/uuid.c
lib/l2cap.h
lib/bnep.h
lib/hci_lib.h
lib/cmtp.h
License: GPL-2.0-only
lib/amp.h
sdp_append_buf shall check if there is enough space to store the data
before copying it.
An independent security researcher, Julian Rauchberger, has reported
this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure
program.
In case dtd is unknown, it would jump to fail without freeing what has
been allocated in subseq, which is not appended to tseq so it could not
be freed.
This splits the handling of invalid PDU length and non-matching
transaction id, adding proper debug logs.
If there are multiple fields to print, sdp_record_print() was missing a
newline between entries.
Also reorder last ID so the list remains ordered.
This will allow working around the Dualshock4 not respecting the L2CAP
MTU size while sending the SDP response. Use the same L2CAP MTU value
based on RFCOMM.
length is a pointer to an int table, not an int* table.
VCP apparently was never adopted, so 0x110f was later reused by AVRCP 1.3
controller as per the current assigned numbers page:
https://www.bluetooth.org/en-us/specification/assigned-numbers/service-discovery
The error path on the default case was not breaking the loop. To keep
error handling similar, all error paths were converted to use goto.
This fixes the following:
target C: libbluetooth <= external/bluetooth/bluez/android/../lib/sdp.c
lib/sdp.c: In function 'sdp_set_profile_descs':
lib/sdp.c:487:10: warning: 'values[0]' may be used uninitialized in
this function [-Wmaybe-uninitialized]
lib/sdp.c:2562:19: note: 'values[0]' was declared here
lib/sdp.c:545:11: warning: 'dtds[0]' may be used uninitialized in this
function [-Wmaybe-uninitialized]
lib/sdp.c:2562:9: note: 'dtds[0]' was declared here
This is an improved version of the recently reverted commit 1796f00e8465.
Response size is verified against the minimal allowed value only if it is
a complete response. If the response is partial, it is allowed by the spec
that it will be split in an arbitrary manner.
Verified against the Nokia BH217, on which the original commit caused a
regression.
This reverts commit 1796f00e846561af80679efba4d7c36c78710fb6.
This patch causes a regression with the Nokia BH217 headset. A correct
patch must take into account fragmented responses.
SDPERR and SDPDBG already add a new line to prints.
The sequence itself is not an index of dtds, values, lengths; that's why
SDP_SEQ8 is used directly as dtd, so accessing length[i] is always off
by one.
Furthermore the length is not really used by sdp_data_alloc_with_length
when the dtd is SDP_SEQ8, which is probably why it doesn't crash.
Browsing services using sdptool can lead to writing to invalid heap
locations.
valgrind's output for an example call: sdptool browse local
==2203== HEAP SUMMARY:
==2203== in use at exit: 0 bytes in 0 blocks
==2203== total heap usage: 251 allocs, 251 frees, 140,156 bytes allocated
==2203==
==2203== All heap blocks were freed -- no leaks are possible
==2203==
==2203== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
==2203==
==2203== 1 errors in context 1 of 2:
==2203== Invalid write of size 2
==2203== at 0x805B882: bt_put_be16 (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8062BD0: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== Address 0x4391359 is 7 bytes before a block of size 2,048 alloc'd
==2203== at 0x402B6A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x8062B4B: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==
==2203==
==2203== 5 errors in context 2 of 2:
==2203== Invalid write of size 1
==2203== at 0x402D363: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x80613E7: gen_dataseq_pdu (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8061472: gen_attridseq_pdu (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8062C00: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== Address 0x439135b is 5 bytes before a block of size 2,048 alloc'd
==2203== at 0x402B6A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x8062B4B: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==
==2203== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
Commits 0f5a5a9580084a3c4e0644ef5cd75689aeb5ff40 and
46b3a3d2d00bf70bc57ef0c9ad5542a2271e3350 introduced this workaround.
The "seq->val.dataseq != NULL" check is also removed from the for()
statement because it should be done after verifying that the data
element is a sequence (inside the "if (SDP_IS_SEQ(...))" block.)
Also check if the required number of entries is present.
It is necessary to validate the sdp_data_t "dtd" field before accessing
the "val" union members, especially when handling SDP_SEQ*, SDP_ALT* and
SDP_STR* elements, otherwise remote devices can trigger memory
corruption by passing invalid data elements where others are expected.
sdp_get_access_protos() and sdp_get_add_access_protos() do almost
exactly the same thing, except for an additional statement for the
latter.
Before manipulating data from previous partial responses, make sure the
buffer has enough data.
According to SDP spec, the byte count fields for these PDUs have a valid
range of 0x0002-0xFFFF.
rsp_count is either read or calculated from untrusted input, and
therefore needs to be checked before being used as offset. The "plen"
variable is appropriate because it is calculated as the sum of fixed and
variable length fields, excluding the continuation state field, which
has at least 1 byte for its own length field.
sdp_extract_attr() uses the "size" parameter to return the number of
bytes consumed when parsing SDP Data Elements. This size is used to
advance a buffer pointer to parse next element.
This size was being incorrectly calculated for SDP_{TEXT,URL}_STR16 in
extract_str(), where the string length was added twice. The string
length is already added later in the function for {TEXT,URL}_STR{8,16}
by this statement:
*len += n;
Calling programs might fork() and execve(), and we will end
up leaking fds.
Unlike strerror, %m is thread safe and we do not know
to what kind of program libbluetooth is being linked.
This fixes the following compilation errors on ARM.
CC lib/sdp.lo
lib/sdp.c: In function 'sdp_device_record_unregister_binary':
lib/sdp.c:2984:11: error: cast increases required alignment of
target type [-Werror=cast-align]
lib/sdp.c:2984:11: error: cast increases required alignment of
target type [-Werror=cast-align]
lib/sdp.c: In function 'sdp_device_record_update':
lib/sdp.c:3089:11: error: cast increases required alignment of
target type [-Werror=cast-align]
lib/sdp.c:3089:11: error: cast increases required alignment of
target type [-Werror=cast-align]
lib/sdp.c: In function 'sdp_process':
lib/sdp.c:4139:22: error: cast increases required alignment of
target type [-Werror=cast-align]
lib/sdp.c:4146:14: error: cast increases required alignment of
target type [-Werror=cast-align]
lib/sdp.c:4146:14: error: cast increases required alignment of
target type [-Werror=cast-align]
cc1: all warnings being treated as errors
make[1]: *** [lib/sdp.lo] Error 1
This reverts commit 8a03376544b046a84301847d1594f6c3674983ff.
The patch needs to be split up and the gdbus/ changes were bogus
compared to the original commit message.
Conflicts:
Makefile.am
Makefile.obexd
profiles/cyclingspeed/cyclingspeed.c
profiles/heartrate/heartrate.c
src/error.c
Instead of trying to include config.h in each file over the tree and
possibly forgetting to include it, give a "-include config.h" argument
to the compiler so it's guaranteed that a) it will be included for all
source files and b) it will be the first header included.
gdbus/ directory is left out, since it would break other projects using
it.
Fixes a bug where the complete sequence data is written, but the size
is truncated to one byte.
Remove modification of buf->buf_size in 'get' functions. Data is
still indirectly modified due to recursive nature of code.
Renamed sdp_get_data_type to sdp_get_data_type_size.
Inlining single use of sdp_set_data_type to improve code readability,
since the function was doing more than just setting the data type.
This fixes a number of compilation errors on ARM similar to the one below.
lib/sdp.c: In function 'sdp_uuid_extract':
lib/sdp.c:1019:27: error: cast increases required alignment
of target type [-Werror=cast-align]
lib/sdp.c:1019:27: error: cast increases required alignment
of target type [-Werror=cast-align]
lib/sdp.c:1026:27: error: cast increases required alignment
of target type [-Werror=cast-align]
lib/sdp.c:1026:27: error: cast increases required alignment
of target type [-Werror=cast-align]
This fixes a number of build errors on ARM similar to the one below.
lib/sdp.c: In function 'sdp_set_seq_len':
lib/sdp.c:625:3: error: cast increases required alignment of target
type [-Werror=cast-align]
lib/sdp.c:625:3: error: cast increases required alignment of target
type [-Werror=cast-align]
lib/sdp.c:631:3: error: cast increases required alignment of target
type [-Werror=cast-align]
lib/sdp.c:631:3: error: cast increases required alignment of target
type [-Werror=cast-align]
This function reports error code via errno not return value.
Avoid using C++ style pointer declarations like "char* ptr", as most
BlueZ code uses "char *ptr".
In case of sdp_seq_alloc() failures in the loop, uninitialised seqDTDs would
be passed to the final sdp_seq_alloc.
Enabling SDP_DEBUG prevents the build from being done.
The memory referenced by "u" pointer is initialized right after the
memset() call.