Commit message
Fixing what looks like a bad merge in the opcode order.
This change adds the corresponding user space definition for wide band
speech.
This enables EATT in the Client Features if the EATT characteristic is
present in the database.
This adds the definition to BT_PHY socket options along with the
possible bitfields for the return value.
Adding the missing string conversion for MGMT_OP_SET_BLOCKED_KEYS.
Adding the required definitions for the MGMT_OP_SET_BLOCKED_KEYS API.
When the kernel prints the bluetooth address (via %pMR), it prints the
address in lower case. ba2strlc should be used in cases where we should
match the kernel casing (i.e. addresses assigned to /dev/uhid and
/dev/uinput).
This introduces UUIDs for Client Features and Database Hash
characteristics.
This basically adds BREDR packet types also in the PHY configuration
commands & events and makes the PHYs 32 bit so that it can be
extended in future. This also adds configurable PHYs in the GetPhy
command wherein only those can be selected or deselected in SetPhy.
This also adds LE prefix for LE phys to make it more
descriptive.
sdp_append_buf shall check if there is enough space to store the data
before copying it.
An independent security researcher, Julian Rauchberger, has reported
this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure
program.
This adds bt_appear_to_str which can decode the appearance code to a
human readable string.
Add the Battery Level UUID as per:
https://www.bluetooth.com/specifications/gatt/viewer?attributeXmlFile=org.bluetooth.characteristic.battery_level.xml
Commit 75e0c32af6bf ("lib/sdp: Replace VIDEO_CONF_SVCLASS_ID with
AV_REMOTE_CONTROLLER_SVCLASS_ID") removed the deprecated
VIDEO_CONF_SVCLASS_ID definition, but left the corresponding profile
definition.
According to the specification linked below A/V_RemoteControlController
UUID can only be used as a service class so its profile definition
should be removed.
https://www.bluetooth.org/en-us/specification/assigned-numbers/service-discovery
The strings passed to bt_uuid_strcmp may not be valid UUIDs so the return
of bt_string_to_uuid needs to be checked otherwise bt_uuid_cmp may attempt
to access uninitialized values:
Conditional jump or move depends on uninitialised value(s)
at 0x4C1D4D: bt_uuid_to_uuid128 (uuid.c:78)
by 0x4C1F22: bt_uuid_cmp (uuid.c:131)
by 0x4C24A8: bt_uuid_strcmp (uuid.c:286)
by 0x40F8A8: reconnect_match (policy.c:514)
by 0x40F8A8: service_cb (policy.c:655)
by 0x499331: change_state (service.c:109)
by 0x499BBB: btd_service_connecting_complete (service.c:361)
by 0x4178C1: stream_state_changed (source.c:163)
by 0x422C78: avdtp_sep_set_state (avdtp.c:1013)
by 0x42372A: handle_transport_connect (avdtp.c:844)
by 0x423D8B: avdtp_connect_cb (avdtp.c:2326)
by 0x465BBB: connect_cb (btio.c:232)
by 0x50CA702: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4800.1)
Uninitialised value was created by a stack allocation
at 0x4C2460: bt_uuid_strcmp (uuid.c:280)
This adds secure-{read,write} which shall be used by servers that want
to restrict attribute access to secure connection only (BT_SECURITY_FIPS).
scanf requires that '[' conversion specifiers have enough room for all
characters in the string, _plus a terminating null byte_. We were
previously not providing room for the terminating null byte.
This was detected by AddressSanitizer:
==15036==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe4e774401 at pc 0x7fd33f572c98 bp 0x7ffe4e774270 sp 0x7ffe4e7739f8
WRITE of size 2 at 0x7ffe4e774401 thread T0
#0 0x7fd33f572c97 in scanf_common /build/gcc-multilib/src/gcc-5-20160209/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:340
#1 0x7fd33f5739ea in __interceptor_vsscanf /build/gcc-multilib/src/gcc-5-20160209/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:769
#2 0x7fd33f573b49 in __interceptor_sscanf /build/gcc-multilib/src/gcc-5-20160209/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:793
#3 0x650db5 in is_base_uuid128 lib/uuid.c:191
#4 0x65196e in bt_string_to_uuid lib/uuid.c:267
#5 0x56f28e in parse_uuid src/gatt-database.c:1473
#6 0x5729e0 in database_add_service src/gatt-database.c:2053
#7 0x57329f in database_add_app src/gatt-database.c:2106
#8 0x573adc in client_ready_cb src/gatt-database.c:2211
#9 0x6695fd in get_managed_objects_reply gdbus/client.c:1097
#10 0x7fd33efd5391 (/usr/lib/libdbus-1.so.3+0x13391)
#11 0x7fd33efd8db0 in dbus_connection_dispatch (/usr/lib/libdbus-1.so.3+0x16db0)
#12 0x651ecd in message_dispatch gdbus/mainloop.c:72
#13 0x7fd33f25cc39 in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x49c39)
#14 0x7fd33f25cfdf (/usr/lib/libglib-2.0.so.0+0x49fdf)
#15 0x7fd33f25d301 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x4a301)
#16 0x54b7d1 in main src/main.c:687
#17 0x7fd33d90870f in __libc_start_main (/usr/lib/libc.so.6+0x2070f)
#18 0x40bba8 in _start (/home/cody/g/bluez/src/bluetoothd+0x40bba8)
Address 0x7ffe4e774401 is located in stack of thread T0 at offset 33 in frame
#0 0x650ccd in is_base_uuid128 lib/uuid.c:184
This frame has 2 object(s):
[32, 33) 'dummy' <== Memory access at offset 33 overflows this variable
[96, 98) 'uuid'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /build/gcc-multilib/src/gcc-5-20160209/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:340 scanf_common
==15036==ABORTING
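Added example, not bluez code: a parser in the shape of the is_base_uuid128 check that the AddressSanitizer report above was taken from, with each `%1[...]` scanset given room for its terminating NUL, plus a string compare that refuses to compare when either side failed to parse, which is the same point as the bt_uuid_strcmp fix further up this log. The names base_uuid16, base_uuid_strcmp and SCANSET_BUF are assumptions, and the UUID strings in the test are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Width of a "%N[...]" scanset plus its terminating NUL. sscanf always
 * writes the NUL, so a 1-byte destination for "%1[fF]" is exactly the
 * 2-byte WRITE that AddressSanitizer flagged in is_base_uuid128 above. */
#define SCANSET_BUF(width) ((width) + 1)

/* Extract the 16-bit part of a Bluetooth base-UUID string of the form
 * 0000xxxx-0000-1000-8000-00805f9b34fb (hex suffix case-insensitive).
 * Returns the value (0..0xffff) or -1 if the string is not a base UUID.
 * Hypothetical helper; not bluez's is_base_uuid128. */
int base_uuid16(const char *s)
{
	unsigned short val;
	char f1[SCANSET_BUF(1)], b1[SCANSET_BUF(1)];
	char f2[SCANSET_BUF(1)], b2[SCANSET_BUF(1)];

	/* Exact-length check: rejects both truncated input and trailing junk. */
	if (s == NULL || strlen(s) != 36)
		return -1;

	/* All five conversions must succeed; any mismatch in the fixed
	 * suffix (e.g. "...34fc") makes sscanf stop short of 5. */
	if (sscanf(s, "0000%4hx-0000-1000-8000-00805%1[fF]9%1[bB]34%1[fF]%1[bB]",
		   &val, f1, b1, f2, b2) != 5)
		return -1;

	return (int)val;
}

/* Compare two base-UUID strings by their 16-bit value. As in the
 * bt_uuid_strcmp fix above, a parse failure is reported (-2) instead of
 * comparing a value that was never initialised. Otherwise -1, 0 or 1. */
int base_uuid_strcmp(const char *a, const char *b)
{
	int va = base_uuid16(a);
	int vb = base_uuid16(b);

	if (va < 0 || vb < 0)
		return -2;
	return (va > vb) - (va < vb);
}
```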
The convention has been to use 128-bit UUID strings so other types must
be converted first.