Fix function iov_append_ltv crashes because is not reallocating memory
Use util_ltv_push from util.c
[bluetooth]# [NEW] Endpoint /org/bluez/hci0/pac_bcast0
[bluetooth]# Endpoint /local/endpoint/ep0 registered
endpoint.config /org/bluez/hci0/pac_bcast0 /local/endpoint/ep0 48_4_1
[/local/endpoint/ep0] BIG (auto/value): 0
[/local/endpoint/ep0] Enter channel location (value/no): 3
=================================================================
==80806==ERROR: AddressSanitizer: heap-buffer-overflow on
address 0x60200000a8ba at pc 0x561971611e0e bp 0x7ffd45ab1f00
sp 0x7ffd45ab1ef0 WRITE of size 1 at 0x60200000a8ba thread T0
0x561971611e0d in put_u8 src/shared/util.h:254
0x561971611e0d in util_iov_push_u8 src/shared/util.c:534
0x5619715c28f0 in iov_append_ltv client/player.c:3565
0x5619715c28f0 in config_endpoint_channel_location client/player.c:3593
0x5619716226ce in bt_shell_release_prompt src/shared/shell.c:744
0x561971623087 in rl_handler src/shared/shell.c:769
util_iov_append has been recently created. This implementation
allocates new memory for the appended data, while the old
version of iov_append from client/player.c did not. This could
lead to crashes in some scenarios, such as Unicast.
Currently the minimum LC3 SDU size is set to 30B. Thus, if a source
uses the 8_1_1 config which has a SDU size of 26 the sink's capabilities
won't match and the appropriate endpoint won't be created.
Although their name matches unicast and broadcast are not actually the
same when it comes to RTN and Max Latency, so this splits their settings
into 2 presets tables and fix the values for broadcast.
This adds sample bluetoothctl scripts for the broadcast source/sink
scenarios.
The broadcast-source.bt script does the full setup: It registers a
broadcast source endpoint, with supported locations as FL/FR and
media context supported. It then configures the endpoint to create
a stereo media stream, for the BIG handle 1. The transport is also
acquired.
The broadcast-sink.bt script registers a broadacast sink endpoint,
supporting FL/FR locations and the media context. It also starts
scanning, and the user is responsible to detect sources and select
which endpoint to config.
In adv_monitor, adv_monitor_register_app is called when an advertising
monitor manager proxy has been added, when a new adapter is added.
This commit removes bt_shell_noninteractive_quit from this function,
since it causes the shell to exit without a user command having
executed.
This patch removes the Pygments dependency from btmon .rst file.
When the code-block type is specified, the rst2man throws a warning
asking for Pygments package.
Support parsing Opus (Google) A2DP vendor codec capabilities.
Transport /org/bluez/hci0/dev_B8_7B_D4_32_44_15/sep3/fd2
UUID: 0000110a-0000-1000-8000-00805f9b34fb
Codec: 0xff (255)
Media Codec: Vendor Specific A2DP Codec
Vendor ID 0x000000e0
Vendor Specific Codec ID 0x0001
Vendor Specific Data: 0x92
Vendor Specific Value (Opus [Google])
Frequencies: 48kHz
Channel modes: Stereo
Frame durations: 20 ms
Device: /org/bluez/hci0/dev_B8_7B_D4_32_44_15
State: idle
Delay: 0x0898 (2200)
Volume: 0x001e (30)
Endpoint: /org/bluez/hci0/dev_B8_7B_D4_32_44_15/sep3
This updates the input prompts for broadcast endpoint register and
config.
To register a broadcast endpoint, the user will be asked to enter
the supported stream locations and context types.
At broadcast source endpoint config, the user will provide stream
config options: The BIG that the new stream will be part of, the
stream Channel Allocation, and the metadata of the subgroup to
include the stream. These options will be used to configure the
BASE and the BIG.
The flow to create a Broadcast Source is the following:
[bluetooth]# endpoint.register 00001852-0000-1000-8000-
00805f9b34fb 0x06
[/local/endpoint/ep0] Auto Accept (yes/no): y
[/local/endpoint/ep0] Max Transports (auto/value): a
[/local/endpoint/ep0] Locations: 3
[/local/endpoint/ep0] Supported Context (value): 15
[NEW] Endpoint /org/bluez/hci0/pac_bcast0
Endpoint /local/endpoint/ep0 registered
[bluetooth]# endpoint.config /org/bluez/hci0/pac_bcast0
/local/endpoint/ep0 16_2_1
[/local/endpoint/ep0] BIG (auto/value): 1
[/local/endpoint/ep0] Enter channel location (value/no): 3
[/local/endpoint/ep0] Enter Metadata (value/no): 0x03 0x02
0x04 0x00
To create a Broadcast Sink, enter the following:
[bluetooth]# endpoint.register 00001851-0000-1000-8000-
00805f9b34fb 0x06
[/local/endpoint/ep0] Auto Accept (yes/no): y
[/local/endpoint/ep0] Max Transports (auto/value): a
[/local/endpoint/ep0] Locations: 3
[/local/endpoint/ep0] Supported Context (value): 15
[bluetooth]# scan on
[NEW] Endpoint /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX/
pac_bcast0
[bluetooth]# endpoint.config
/org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX/pac_bcast0
/local/endpoint/ep0 16_2_1
This adds .name field to struct capabilities which is then used to form
the endpoint object path so it is easier to identify the endpoint
capabilities:
[bluetooth]# endpoint.list local
/local/endpoint/pac_snk/lc3
/local/endpoint/pac_src/lc3
/local/endpoint/bcaa/lc3
endpoint.config where taking different arguments for broadcast which is
not recommended with shell as it doesn't support such a thing.
So instead of taking different arguments for broadcast both remote and
local endpoints shall be passed but in case of broadcast source both the
remote and the local endpoint actually refer to the same endpoint
registered by bluetoothctl:
endpoint.config /org/bluez/hci0/pac_bcast0 /local/endpoint/ep2 16_2_1
If there are multiple locations, aka. multiplexing, being selected then
that should be accounted properly on the SDU size since the presets only
account for just 1 channel.
Fixes: https://github.com/bluez/bluez/issues/662
After pair command, if the user doesn't provide any input on bluetoothctl
CLI interface after receiving the prompt(yes/no) below crash is observed:
dbus[782]: arguments to dbus_message_get_no_reply() were incorrect,
assertion "message != NULL" failed in file
/usr/src/debug/dbus/1.14.10-r0/dbus/dbus-message.c line 3250.
This is normally a bug in some application using the D-Bus library.
/usr/lib/libc.so.6(+0x27534) [0xffffa1b67534]
/usr/lib/libc.so.6(__libc_start_main+0x9c) [0xffffa1b6760c]
bluetoothctl(+0x188f0) [0xaaaac9c088f0]
Aborted (core dumped)
This makes use of ChannelAllocation when present on SelectProperties
dictionary which is then passed on to bluetoothd and send over as part
of Codec Configuration:
< ACL Data TX: Handle 2048 flags 0x00 dlen 109
ATT: Write Command (0x52) len 104
Handle: 0x0098 Type: ASE Control Point (0x2bc6)
Data: 0104050202060000000010020103020201030428000503010000000
6020206000000001002010302020103042800050302000000010202060000
0000100201030202010304280005030100000002020206000000001002010
302020103042800050302000000
Opcode: Codec Configuration (0x01)
Number of ASE(s): 4
ASE: #0
ASE ID: 0x05
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration: #0: len 0x02 type 0x01
Sampling Frequency: 16 Khz (0x03)
Codec Specific Configuration: #1: len 0x02 type 0x02
Frame Duration: 10 ms (0x01)
Codec Specific Configuration: #2: len 0x03 type 0x04
Frame Length: 40 (0x0028)
Codec Specific Configuration: #3: len 0x05 type 0x03
Location: 0x00000001
Front Left (0x00000001)
ASE: #1
ASE ID: 0x06
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration: #0: len 0x02 type 0x01
Sampling Frequency: 16 Khz (0x03)
Codec Specific Configuration: #1: len 0x02 type 0x02
Frame Duration: 10 ms (0x01)
Codec Specific Configuration: #2: len 0x03 type 0x04
Frame Length: 40 (0x0028)
Codec Specific Configuration: #3: len 0x05 type 0x03
Location: 0x00000002
Front Right (0x00000002)
ASE: #2
ASE ID: 0x01
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration: #0: len 0x02 type 0x01
Sampling Frequency: 16 Khz (0x03)
Codec Specific Configuration: #1: len 0x02 type 0x02
Frame Duration: 10 ms (0x01)
Codec Specific Configuration: #2: len 0x03 type 0x04
Frame Length: 40 (0x0028)
Codec Specific Configuration: #3: len 0x05 type 0x03
Location: 0x00000001
Front Left (0x00000001)
ASE: #3
ASE ID: 0x02
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration: #0: len 0x02 type 0x01
Sampling Frequency: 16 Khz (0x03)
Codec Specific Configuration: #1: len 0x02 type 0x02
Frame Duration: 10 ms (0x01)
Codec Specific Configuration: #2: len 0x03 type 0x04
Frame Length: 40 (0x0028)
Codec Specific Configuration: #3: len 0x05 type 0x03
Location: 0x00000002
Front Right (0x00000002)
The "scan bredr" and "scan le" commands are broken right now because the
transport filter gets set, but not actually invalidated.
Invalidate the filter with `filter.set = false` so that it actually gets
updated when set_discovery_filter() is called afterwards.
This adds "auto" capability which behaves like "on" but instead of
asking user to confirm/autorize it automatically accepts, which is
not secure to be used thus a warning is printed when user selects it.
Usage:
[bluetoothctl]# agent auto
Warning: setting auto response is not secure, it bypass user
confirmation/authorization, it shall only be used for test automation.
or
client/bluetoothctl -a auto
Added support for broadcast sink registration using the 0x1851 UUID.
Added support for remote endpoint creation when a broadcast source
is discovered.
Added support for creating a local endpoint when the broadcast sink
endpoint was registered from an external application (Pipewire).
To test this feature use the following commands:
[bluetooth]# endpoint.register 00001851-0000-1000-8000-00805f9b34fb 0x06
[bluetooth]# scan on
[NEW] Endpoint /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX/pac_bcast0
[bluetooth]# endpoint.config
/org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX/pac_bcast0
/local/endpoint/ep0 16_2_1
The code was supporting a maximum of 25 bytes (31 - 6) to be entered as
advertising data, but in case of EA is used that allows up to 245 bytes
(251 - 6) to be entered.
Linked (bi-directional) transports can be acquired on single D-Bus
method call which was not being handled properly by the current code
causing unexpected errors.
This adds bluetoothctl support for broadcast source.
To test the current implementation use bluetoothctl with the commands:
endpoint.register 00001852-0000-1000-8000-00805f9b34fb 0x06
endpoint.config <created endpoint> <local endpoint> 16_2_1
transport.acquire <created transport>
transport.send <created transport> <file.wav>
[bluetooth]# endpoint.register 00002bc9-0000-1000-8000-00805f9b34fb 0x06
[/local/endpoint/ep0] Auto Accept (yes/no): y
[/local/endpoint/ep0] Max Transports (auto/value): 1
[/local/endpoint/ep0] CIG (auto/value): a
[/local/endpoint/ep0] CIS (auto/value): a
This adds support for Metadata in BAP profile.
In order to register zero Metadata, 0 shall be
entered when prompted.
[bluetooth]# endpoint.register 00002bc9-0000-1000-8000-00805f9b34fb 0x06
[/local/endpoint/ep0] Enter Metadata (value/no): n
[/local/endpoint/ep0] Auto Accept (yes/no): y
[/local/endpoint/ep0] CIG (auto/value): a
[/local/endpoint/ep0] CIS (auto/value): a
Capabilities:
03 01 ff 00 02 02 03 02 03 03 05 04 1e 00 f0 00 ................
Endpoint /local/endpoint/ep0 registered
This adds support for advertise.rsi command which can be used to request
the generation of RSI and include it as part of advertising data:
[bluetooth]# advertise.rsi --help
Show/Enable/Disable RSI to be advertised
Usage:
rsi [on/off]
[bluetooth]# advertise.rsi
RSI: on
[bluetooth]# advertise on
...
Advertising object registered
Tx Power: off
Name: off
Appearance: off
Discoverable: on
RSI: on
[bluetooth]#
This adds support for Company ID and Vendor Codec ID in BAP profile.
This also adds handling of Vendor Specific Coding format for BAP
Profile.
Now it allows to enter zero codec capabilities for vendor codec.
In order to register zero codec capabilities, 0 shall be
entered when prompted.
Commands transport.send/receive were not settings any completion
callback so this makes sure it uses transport_generator to generate the
list of transport that could be used to send.
This allows gatt.select-attribute local to select from the registered
attributes:
[bluetooth]# gatt.select-attribute local /org/bluez/app/service0/chrc0
[/org/bluez/app/service0/chrc0]# gatt.write 0x01
[CHG] Attribute /org/bluez/app/service0/chrc0 (%UUID) written
[/org/bluez/app/service0/chrc0]# gatt.read
01 .
[/org/bluez/app/service0/chrc0]# gatt.select-attribute local
/org/bluez/app/service0/chrc1
[/org/bluez/app/service0/chrc1]# gatt.write 0x01
[CHG] Attribute /org/bluez/app/service0/chrc1 (%UUID) written
[/org/bluez/app/service0/chrc1]# gatt.read
01 .
[/org/bluez/app/service0/chrc1]#
This adds support for a custom preset which asks the user to enter its
configuration:
[bluetooth]# endpoint.presets 00002bc9-0000-1000-8000-00805f9b34fb custom
[Codec] Enter frequency (Khz): 48
[Codec] Enter frame duration (ms): 10
[Codec] Enter channel allocation: 0x000000003
[Codec] Enter frame length: 100
[QoS] Enter Target Latency (Low, Balance, High): Low
[QoS] Enter SDU Interval (us): 10000
[QoS] Enter Framing (Unframed, Framed): Unframed
[QoS] Enter PHY (1M, 2M): 2M
[QoS] Enter Max SDU: 200
[QoS] Enter RTN: 3
[QoS] Enter Max Transport Latency (ms): 20
[QoS] Enter Presentation Delay (us): 10000
This fixes the following warning:
client/player.c:1775:25: warning: Dereference of null pointer
[core.NullDereference]
iov_append(&cfg->caps, preset->data.iov_base, preset->data.iov_len);
^~~~~~~~~~~~~~~~~~~~~
advertise.data when no parameter is given shall print what is set on
ad.data not the ad.manufacturer which is a different field set by
advertise.manufacturer.
The passed iterator can be NULL as in
gdbus/client.c::properties_changed():
...
proxy->prop_func(..., ..., iter=NULL, ...)
+--client/gatt.c::proxy_property_changed(..., ..., iter, ...);
+--dbus_message_iter_get_arg_type(iter);
...
This fixes the following checkpatch warning:
WARNING:LINE_SPACING: Missing a blank line after declarations
216: FILE: client/player.c:625:
+ GDBusProxy *proxy = l->data;
+ print_player(proxy, NULL);
This fixes the following errors:
client/advertising.c:129:4: warning: Value stored to 'n' is never read
[deadcode.DeadStores]
n = sizeof(str) - 1;
^ ~~~~~~~~~~~~~~~
client/advertising.c:1012:25: warning: Dereference of null pointer
(loaded from variable 'min') [core.NullDereference]
if (ad.min_interval != *min) {
^~~~
This fixes the following errors:
client/player.c:1406:44: warning: Dereference of null pointer
[core.NullDereference]
reply = endpoint_select_config_reply(msg, p->data.iov_base,
^~~~~~~~~~~~~~~~
client/player.c:1866:2: warning: 3rd function call argument is an
uninitialized value [core.CallAndMessage]
iov_append(&cfg->caps, data, len);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
