| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Always free BAP stream in bt_bap_stream_release if it is not attached to
a client session, simplifying the cleanup.
Fixes the following ASAN crash is observed when media endpoint is
unregistered (stopping sound server) while streaming from remote BAP
client:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8
READ of size 8 at 0x60b0000474d8 thread T0
#0 0x7a27c6 in stream_set_state src/shared/bap.c:1227
#1 0x7aff61 in remove_streams src/shared/bap.c:2483
#2 0x71d2d0 in queue_foreach src/shared/queue.c:207
#3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501
#4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179
...
0x60b0000474d8 is located 8 bytes inside of 112-byte region
freed by thread T0 here:
#0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x7a0504 in bap_stream_free src/shared/bap.c:972
#2 0x7a0800 in bap_stream_detach src/shared/bap.c:989
#3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208
#4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252
#5 0x7ab18a in stream_release src/shared/bap.c:1985
#6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572
#7 0x7aff50 in remove_streams src/shared/bap.c:2482
...
previously allocated by thread T0 here:
#0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
#1 0x71e9ae in util_malloc src/shared/util.c:43
#2 0x79c2f5 in bap_stream_new src/shared/bap.c:766
#3 0x7a4863 in ep_config src/shared/bap.c:1446
#4 0x7a4f22 in ascs_config src/shared/bap.c:1481
...
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On device ATT attach, do not immediately call accept() for profiles, if
there is no cached data in GATT database. Instead, wait for service
resolution to complete, as likely accept() cannot succeed before that.
Several profiles (bap, vcp, midi, deviceinfo) assume that GATT
attributes are available when their accept() is called, returning
success even if not. In this case, the services never find the remote
attributes and are not operable. Other profiles (hog, batt, ...) fail
their accept which prompts core to retry after discovery, and work
correctly also in this case.
Fix the failing services by waiting for service resolution as necessary,
so profiles can assume the GATT DB has some content.
|
| |
|
|
| |
Add function for checking adapter current settings.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ASCS v1.0 Sec. 4.1: "For each ASE characteristic (distinguished by their
attribute handles), the server shall expose separate ASE characteristic
values for each client." In shared/bap.c, the ASE chrc value is
contained in bt_bap_endpoint struct.
As implemented currently, the same local ASE chrc value is shared
between all clients, in contradiction with the above. Namely, the
bt_bap_endpoint is looked up based on the gatt_db_attribute handles, in
bap_get_endpoint and bap_get_endpoint_id, but the handles correspond to
the ASCS registrations, and do not depend on which client is in
question.
Fix this by moving the endpoint states to the bt_bap BAP session struct,
so that the ASE state is associated with the sessions, and each session
has separate state.
|
| |
|
|
|
| |
This avoids having to check for !src or !len before calling util_memcpy
since otherwise it can cause runtime errors.
|
| |
|
|
|
|
|
|
|
|
| |
musl systems don't have MAX_INPUT. Just define it to _POSIX_MAX_INPUT
which musl does have if it's not already defined.
Note that on glibc, the values match anyway (as of glibc-2.36), and
indeed POSIX_MAX_INPUT has the same value on musl too.
Bug: https://bugs.gentoo.org/888467
|
| |
|
|
|
| |
Add UUIDs for: Common Audio service, Hearing Aid service,
TMAS service and Public Broadcast Announcement service.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When grouping requests with the same opcode the code was queueing them
without attempt to check that that would fit in the ATT MTU causing the
following trace:
stack-buffer-overflow on address 0x7fffdba951f0 at pc 0x7fc15fc49d21 bp
0x7fffdba95020 sp 0x7fffdba947d0
WRITE of size 9 at 0x7fffdba951f0 thread T0
#0 0x7fc15fc49d20 in __interceptor_memcpy
(/lib64/libasan.so.8+0x49d20)
#1 0x71f698 in util_iov_push_mem src/shared/util.c:266
#2 0x7b9312 in append_group src/shared/bap.c:3424
#3 0x71ba01 in queue_foreach src/shared/queue.c:207
#4 0x7b9b66 in bap_send src/shared/bap.c:3459
#5 0x7ba594 in bap_process_queue src/shared/bap.c:351
Fixes: https://github.com/bluez/bluez/issues/457#issuecomment-1403924708
|
| |
|
|
|
|
|
|
| |
When local PAC is removed we attempt to release the streams but we left
it still attached to the endpoint, so this makes sure the stream is
properly detached by setting its state to idle.
Fixes: https://github.com/bluez/bluez/issues/457
|
| |
|
|
|
| |
This fixes Company ID and Vendor Codec ID which are supposed to be
little endian.
|
| |
|
|
|
|
|
|
|
| |
This fixes the following warning:
src/shared/bap.c:2268:26: warning: Access to field 'iov_len' results in
a dereference of a null pointer (loaded from variable 'cont')
return iov_append(data, cont->iov_len, cont->iov_base);
^~~~~~~~~~~~~
|
| |
|
|
|
|
|
|
|
| |
This fixes the following warnings:
shared/gatt-client.c:2764:33: warning: Variable length array is used.
shared/gatt-client.c:2994:23: warning: Variable length array is used.
shared/gatt-client.c:3075:23: warning: Variable length array is used.
shared/gatt-client.c:3514:23: warning: Variable length array is used.
|
| |
|
|
|
|
|
|
|
| |
This is a temporary fix for not handling BT_ATT_OP_HANDLE_NFY_MULT in
GAttr so the code will use g_attrib_attach_client to attach the
bt_gatt_client instance which is then used to register notifications
including those sent with BT_ATT_OP_HANDLE_NFY_MULT.
Fixes: https://github.com/bluez/bluez/issues/71
|
| |
|
|
|
|
| |
This makes bt_gatt_client_register_notify allow registering with NULL
callback which is interpreted as the CCC write has already been
performed therefore it won't be written again.
|
| |
|
|
|
|
| |
If clone don't have a dedicated callback set use its parent so users of
bt_gatt_client_clone don't have to keep setting the same callback for
all clone instances.
|
| |
|
|
|
|
| |
This adds fixes for handing for Company ID and Vendor Codec ID
while adding PAC record to database and responding to Attribute
Read Request for Sink/Source PAC Characteristics.
|
| |
|
|
|
|
|
|
|
| |
This adds bt_crypto_sef is is used to create a hash as stated on CSIS
spec:
'4.5. SIRK encryption function sef'
https://www.bluetooth.com/specifications/csis-1-0-1/
|
| |
|
|
|
|
|
|
|
| |
This adds bt_crypto_sih is is used to create a hash as stated on
CSIS[1] spec:
'4.7. Resolvable Set Identifier hash function sih'
https://www.bluetooth.com/specifications/csis-1-0-1/
|
| |
|
|
|
| |
This updates UUID database with the values from assigned numbers for
co-ordinated set identification services.
|
| |
|
|
|
|
|
|
|
| |
If there are no characteristics to discover, or for some reason
bt_gatt_discover_descriptors is skiped, or the last attribute is
actually a included service the service should be removed from
pending list as there will be no more attributes to be discovered.
Fixes: https://github.com/bluez/bluez/issues/438
|
| |
|
|
|
| |
This adds gatt_db_attribute_get_service which can be used to get the
service which the given attribute belongs to.
|
| |
|
|
| |
This uses bt_shell_echo to print transfer progress.
|
| |
|
|
|
| |
This adds bt_shell_echo which can be used to print messages on the echo
area.
|
| |
|
|
|
| |
This makes bt_bap_pac_register to be per session rather than global so
the callback don't have to match the session by itself.
|
| |
|
|
|
| |
This makes gatt_db_attribute_write to accept NULL as a func when
storing directly on the db itself.
|
| |
|
|
|
|
| |
If PAC Sink/Source has been found but not record has been recovered it
means an error must have occurred so this attempt to read the records
once again.
|
| |
|
|
|
| |
This makes sure a error message is logged if a request cannot be sent
for some reason.
|
| |
|
|
|
| |
If request needs to be resend due to change in the security use the
chan->queue otherwise it may end up using a different channel.
|
| |
|
|
| |
Fix llvm sanitizer support by not hiding sanitizer related symbols.
|
| |
|
|
|
|
|
| |
This attempts to merge PAC records which contain the same type and
codec to simplify the matching with client endpoints so all
capabilities and metadata are match at once instead of for each PAC
record.
|
| |
|
|
|
| |
According to Table 3.2: ASE state machine transition these procedures
can only be initated by clients.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Both PAC Sink and Source are allowed to have multiple instances:
- The server wanted to support a smaller maximum transmission unit
(ATT_MTU, as defined in Volume 3, Part F, Section 3.2.8 in [2]) size.
Exposing all supported PAC records in a single Sink PAC characteristic
would require the server to increase its supported Maximum
Transmission Unit (MTU) size to a value the server considered
excessive.
- The server wanted to expose support for proprietary audio
capabilities (such as vendor-specific audio codecs, as denoted by the
Codec_ID parameter value) separately from support for
non-vendor-specific audio capabilities and used separate Sink PAC
characteristics to expose such support.
- The server wanted to minimize the amount of data to be transferred,
when sending notifications to a client that the Sink PAC
characteristic value changed, by exposing the audio capabilities
likely to change quicker than others in separate Sink PAC
characteristics.
|
| |
|
|
|
| |
When attempting to update discovery ranges the code shall verify if the
range is still valid (handles != 0x0000 and start < end).
|
| |
|
|
|
|
|
|
|
|
| |
This introduces SecureConnections option to main.conf that can be used to
configure this on adapter initialization.
This is useful for:
- disable for adapters that have a problems with SecureConnections enabled
- if you want to disable CTKD (cross transport key derivation)
- add option to enable only SecureConnections
|
| |
|
|
|
|
|
|
|
|
|
| |
If bt_bap_unref/bap_free is called while there is an ongoing pending
request it may endup calling into bap_notify_ready which will try to
notify ready callbacks while holding a reference, but in case the
reference is already 0 that means it would switch to 1 and back 0
causing a double free.
To prevent that bap_notify_ready now checks that the reference is not 0
with use of bt_bap_ref_safe.
|
| |
|
|
|
| |
This adds tester_io_set_complete_func which can be used to set a
callback when all iovec has been sent/received.
|
| |
|
|
| |
This make use of util_iov helpers instead of reimplementing them.
|
| |
|
|
| |
This adds iovec helpers functions.
|
| |
|
|
|
| |
Most of the debug traces are longer than 78 characters, increase the buffer
to not lost trace's end
|
| |
|
|
|
|
|
|
|
| |
This fixes the following warning:
src/settings.c:281:7: warning: Branch condition evaluates to a garbage
value [core.uninitialized.Branch]
if (ret) {
^~~
|
| |
|
|
| |
This adds initial code for Media Control Profile for Client Role.
|
| |
|
|
|
|
|
|
| |
This fixes memory overwrite during ASE Enable operation handling.
It avoids crashing of bluetoothd if metadata of more than sizeo of
size_t is received.
This also fixes storing metadata to stream structure.
|
| |
|
|
|
|
|
|
|
|
| |
The passed iterator can be NULL as in
gdbus/client.c::properties_changed():
...
proxy->prop_func(..., ..., iter=NULL, ...)
+--src/battery.c::provided_battery_property_changed_cb(, , iter, );
+--dbus_message_iter_get_arg_type(iter);
...
|
| |
|
|
|
|
|
|
|
|
| |
The passed iterator can be NULL as in
src/gatt-database.c::properties_changed():
...
proxy->prop_func(..., ..., iter=NULL, ...)
+--client/gatt.c::property_changed_cb(..., ..., iter, ...);
+--dbus_message_iter_get_arg_type(iter);
...
|
| |
|
|
|
| |
Set property to its default value (as done in all other methods listed
in parsers[]).
|
| |
|
|
|
| |
Set property to its default value (as done in all other methods listed
in parsers[]).
|
| |
|
|
|
| |
Set property to its default value (as done in all other methods listed
in parsers[]).
|
| |
|
|
|
|
|
|
|
|
| |
The passed iterator can be NULL as in
gdbus/client.c::properties_changed():
...
proxy->prop_func(..., ..., iter=NULL, ...)
+--src/advertising.c::properties_changed(..., ..., iter, ...);
+--parse_secondary(iter, ...);
...
|
| |
|
|
|
|
|
| |
It looks like a wrong mask value is used here as only the bits mentioned
in adv_secondary::flag can be set again within the loop.
Replace magic number by preprocessor macro.
|
| |
|
|
|
| |
"secondary" isn't an array of pointers, so the iterator can never be
NULL.
|
