When doing the Find Included Services GATT procedure, the status of the ATT
procedure was being ignored, and in the case of a timeout it is possible to
crash bluetooth with an invalid memory access.
Valgrind log:
==1755== Invalid read of size 8
==1755== at 0x46971A: find_included_cb (device.c:2964)
==1755== by 0x4465AE: isd_unref (gatt.c:92)
==1755== by 0x446885: find_included_cb (gatt.c:425)
==1755== by 0x448266: disconnect_timeout (gattrib.c:269)
==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x40A2EE: main (main.c:583)
==1755== Address 0x69530a8 is 8 bytes inside a block of size 64 free'd
==1755== at 0x4C2874F: free (vg_replace_malloc.c:446)
==1755== by 0x40BFA6: service_filter (watch.c:486)
==1755== by 0x40BC6A: message_filter (watch.c:554)
==1755== by 0x5160A1D: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.2)
==1755== by 0x40AAB7: message_dispatch (mainloop.c:76)
==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x40A2EE: main (main.c:583)
==1755==
==1755== Invalid read of size 8
==1755== at 0x4486D5: g_attrib_get_buffer (gattrib.c:657)
==1755== by 0x4467C5: find_included (gatt.c:363)
==1755== by 0x4465AE: isd_unref (gatt.c:92)
==1755== by 0x446885: find_included_cb (gatt.c:425)
==1755== by 0x448266: disconnect_timeout (gattrib.c:269)
==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x40A2EE: main (main.c:583)
==1755== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==1755==
==1755==
==1755== Process terminating with default action of signal 11 (SIGSEGV)
==1755== Access not within mapped region at address 0x18
==1755== at 0x4486D5: g_attrib_get_buffer (gattrib.c:657)
==1755== by 0x4467C5: find_included (gatt.c:363)
==1755== by 0x4465AE: isd_unref (gatt.c:92)
==1755== by 0x446885: find_included_cb (gatt.c:425)
==1755== by 0x448266: disconnect_timeout (gattrib.c:269)
==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x40A2EE: main (main.c:583)
Fix these build errors:
attrib/att.c: In function ‘dec_read_by_grp_req’:
attrib/att.c:165:10: error: comparison between signed and unsigned
integer expressions [-Werror=sign-compare]
attrib/att.c:170:10: error: comparison between signed and unsigned
integer expressions [-Werror=sign-compare]
attrib/att.c: In function ‘dec_read_by_type_req’:
attrib/att.c:393:10: error: comparison between signed and unsigned
integer expressions [-Werror=sign-compare]
attrib/att.c:402:10: error: comparison between signed and unsigned
integer expressions [-Werror=sign-compare]
This reverts commit 8a03376544.
The patch needs to be split up and the gdbus/ changes were bogus
compared to the original commit message.
Conflicts:
Makefile.am
Makefile.obexd
profiles/cyclingspeed/cyclingspeed.c
profiles/heartrate/heartrate.c
src/error.c
Instead of trying to include config.h in each file over the tree and
possibly forgetting to include it, give a "-include config.h" argument
to the compiler so it's guaranteed that a) it will be included for all
source files and b) it will be the first header included.
The gdbus/ directory is left out, since it would break other projects using
it.
In the Discover Characteristics by UUID sub-procedure, if a fetched
characteristic doesn't match the target UUID, all other
characteristics in that response were discarded.
Because of this, the procedure will make a new request to possibly
rediscover the characteristics in the range beyond this last
characteristic.
At present, this procedure works because the gatt library will send a
Read by Type Request starting at the first attribute after the non
matching characteristic.
This commit makes the rest of the characteristics be checked for a
matching type, which should reduce the number of requests sent during
the discovery of characteristics.
If the Discover Characteristics by UUID sub-procedure has been
executed and the first characteristic is not the target, a memory
leak occurs.
This commit fixes this leak by postponing the allocation to after
the UUID verification.
We want only the profile that implements a service to be notified of
changes on that service. Before this patch, all the registered event
notifiers were being called.
When encoding an att_data_list we need to make sure that each element
length of the data list will not exceed 255, because that information
will be encoded as an octet later.
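The one-octet Length field is the reason for the 255 limit above. The following is an added example (not the project's own encoder, and the data_list struct is a hypothetical stand-in for att_data_list) that encodes a Read By Type Response, rejects any element length that does not fit the Length octet, and drops whole elements rather than truncating one when the MTU is too small; the opcode value is from the Core spec, the sample pairs are constructed:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ATT Read By Type Response (Core Spec Vol 3, Part F, 3.4.4.2): opcode,
 * one Length octet holding the size of each handle/value pair, then the
 * pairs. Because the length lives in a single octet, an element longer
 * than 255 bytes would be silently truncated on encoding and the peer
 * would then mis-parse every pair that follows. */
#define ATT_OP_READ_BY_TYPE_RESP 0x09
#define ATT_MAX_ELEM_LEN         255

/* Hypothetical data-list type for this example (illustration only,
 * not BlueZ's att_data_list). */
struct data_list {
	uint16_t num;         /* number of elements */
	uint16_t len;         /* size of every element, in bytes */
	const uint8_t *data;  /* num * len bytes, concatenated */
};

/* Encode list as a Read By Type Response into pdu (mtu bytes available).
 * Returns bytes written, or -1 if the element length cannot be expressed
 * or not even one element fits. Trailing elements that do not fit are
 * dropped whole rather than truncated, so the receiver only ever sees
 * complete pairs. */
int enc_read_by_type_resp(const struct data_list *list, uint8_t *pdu,
			  size_t mtu)
{
	size_t max_elems, n;

	if (list == NULL || pdu == NULL || list->num == 0)
		return -1;
	/* Each element carries at least a 2-byte handle. */
	if (list->len < 2 || list->len > ATT_MAX_ELEM_LEN)
		return -1;
	if (mtu < 2 + (size_t) list->len)
		return -1;

	max_elems = (mtu - 2) / list->len;
	n = list->num < max_elems ? list->num : max_elems;

	pdu[0] = ATT_OP_READ_BY_TYPE_RESP;
	pdu[1] = (uint8_t) list->len;
	memcpy(pdu + 2, list->data, n * list->len);
	return (int) (2 + n * list->len);
}

/* Constructed sample: three handle/value pairs of 4 bytes each. */
static const uint8_t sample_pairs[] = {
	0x03, 0x00, 0xAA, 0xBB,   /* handle 0x0003 */
	0x05, 0x00, 0xCC, 0xDD,   /* handle 0x0005 */
	0x07, 0x00, 0xEE, 0xFF,   /* handle 0x0007 */
};
static uint8_t last_pdu[64];

/* Encode the sample under a given MTU; the PDU stays in last_pdu. */
int sample_encode(size_t mtu)
{
	struct data_list list = { 3, 4, sample_pairs };
	return enc_read_by_type_resp(&list, last_pdu, mtu);
}

uint8_t sample_pdu_byte(size_t i)
{
	return last_pdu[i];
}

/* A 300-byte element is rejected: its length does not fit the Length
 * octet, so the encoder refuses rather than emitting 300 & 0xFF. */
int sample_encode_oversized(void)
{
	static const uint8_t big[300];
	struct data_list list = { 1, 300, big };
	return enc_read_by_type_resp(&list, last_pdu, sizeof(last_pdu));
}
```

With the default LE ATT_MTU of 23 all three pairs fit (14 bytes); with an MTU of 7 only the first pair is sent and the rest is left for the next request, which is the behaviour the spec expects from a server.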
Some services like HID over LE can reference another service using
included services.
See Vol 3, Part G, section 2.6.3 of Core specification for more
details.
This allows removing a number of local variables used only to get the
device address and pass it as a pointer later on.
bdaddr_type parameter is also removed as there is device_get_addr_type
already present which can be used to get it if needed.
Most uses of adapter_get_address were in form of:
bdaddr_t addr;
adapter_get_address(adapter, &addr);
foo(&addr);
Changing it to a getter makes the code simpler and avoids a number of
unneeded memcpy calls.
The Core spec allows implementing Read Long Characteristic Value as a
Read Request, followed by zero or more Read Blob Requests, therefore the
offset parameter is unnecessary and is always 0 for normal use.
This patch removes redundant references and function parameters for
DBusConnection object and uses btd_get_dbus_connection() call wherever
such object is needed instead.
The pointer returned by this call is guaranteed to be valid for the entire
bluetoothd lifetime and thus does not need to be refcounted.
This patch fixes end condition for Characteristic Descriptor Discovery.
This sub-procedure is complete when the Error Response is received and
the Error Code is set to Attribute Not Found or the Find Information
Response has an Attribute Handle that is equal to the Ending Handle of
the request.
This patch removes the btd_device_driver concept and replaces it with
btd_profile. The new construct also contains the necessary parts for
adapter drivers, so btd_adapter_driver is only needed for non-profile
related functionality (most of which is in plugins/*).
The main purpose of this new construct is to facilitate a centralized
connection creation mechanism for profiles, ultimately enabling the
addition of a Device.Connect() method instead of requiring a UI to know
to call e.g. Input.Connect or Audio.Connect.
This feature will also be extended to externally implemented profiles
once the internal implementation gets more stable, such as OBEX (obexd)
and HFP (oFono). The new D-Bus interface will also partially restore
functionality which was previously available through the Serial
interface.
This patch avoids raising errors to the upper layer if at least one
characteristic declaration has been found. According to the Core SPEC,
Characteristic declarations shall be read without authentication or
authorization.
This patch changes the behaviour of Discover All Characteristics and
Discover Characteristics by UUID, returning <<Attribute Not Found>> when
the Characteristic list that matches the defined criteria is empty. This
scenario can happen when the GATT client avoids extra interaction with
the remote attribute server if the last received handle (or handle + 1)
is equal to the end handle of the primary service.
This patch adds constant declarations for the Find Information Response
Format field. The format means that the information data contains a list
of 1 or more handles with their 16-bit or 128-bit Bluetooth UUIDs.
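The Find Information Response format values above and the Characteristic Descriptor Discovery end condition from the earlier message (Error Response with Attribute Not Found, or a response whose last handle reaches the request's Ending Handle) fit together in one client-side routine. The following is an added example, not the project's code: the opcodes, error code and format values are the Core spec's, while the struct and function names are hypothetical and the PDUs are constructed rather than captured:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ATT opcodes and codes used by the descriptor discovery sub-procedure
 * (Core Spec Vol 3, Part F, 3.4.1.1 and 3.4.3). */
#define ATT_OP_ERROR_RESP        0x01
#define ATT_OP_FIND_INFO_REQ     0x04
#define ATT_OP_FIND_INFO_RESP    0x05
#define ATT_ECODE_ATTR_NOT_FOUND 0x0A

/* Find Information Response "Format" field values. */
#define ATT_FIND_INFO_RESP_FMT_16BIT  0x01
#define ATT_FIND_INFO_RESP_FMT_128BIT 0x02

struct descriptor {
	uint16_t handle;
	uint8_t uuid_len;   /* 2 or 16 */
	uint8_t uuid[16];   /* little-endian, as on the wire */
};

enum disc_result { DISC_CONTINUE, DISC_DONE, DISC_ERROR };

/* Parse a Find Information Response into out[]. Returns the number of
 * descriptors decoded, or -1 for a malformed PDU: unknown format, a
 * trailing partial element, an empty list, or more than max_out. */
int find_info_resp_parse(const uint8_t *pdu, size_t len,
			 struct descriptor *out, size_t max_out)
{
	size_t uuid_len, elem, body, n, i;

	if (len < 2 || pdu[0] != ATT_OP_FIND_INFO_RESP)
		return -1;

	if (pdu[1] == ATT_FIND_INFO_RESP_FMT_16BIT)
		uuid_len = 2;
	else if (pdu[1] == ATT_FIND_INFO_RESP_FMT_128BIT)
		uuid_len = 16;
	else
		return -1;

	elem = 2 + uuid_len;
	body = len - 2;
	if (body == 0 || body % elem != 0 || body / elem > max_out)
		return -1;

	n = body / elem;
	for (i = 0; i < n; i++) {
		const uint8_t *p = pdu + 2 + i * elem;

		out[i].handle = (uint16_t) (p[0] | (p[1] << 8));
		out[i].uuid_len = (uint8_t) uuid_len;
		memcpy(out[i].uuid, p + 2, uuid_len);
	}
	return (int) n;
}

/* Feed one reply to a Find Information Request covering [start, end].
 * Discovery is complete on an Error Response carrying Attribute Not
 * Found, or when the last handle in the response reaches the request's
 * Ending Handle; otherwise the next request starts at last handle + 1.
 * *count receives the number of descriptors decoded from this PDU. */
enum disc_result desc_discovery_step(const uint8_t *pdu, size_t len,
				     uint16_t end, uint16_t *next_start,
				     struct descriptor *out, size_t max_out,
				     int *count)
{
	int n;
	uint16_t last;

	*count = 0;

	if (len >= 5 && pdu[0] == ATT_OP_ERROR_RESP) {
		if (pdu[1] != ATT_OP_FIND_INFO_REQ)
			return DISC_ERROR;
		return pdu[4] == ATT_ECODE_ATTR_NOT_FOUND ?
						DISC_DONE : DISC_ERROR;
	}

	n = find_info_resp_parse(pdu, len, out, max_out);
	if (n < 0)
		return DISC_ERROR;
	*count = n;

	last = out[n - 1].handle;
	/* 0xFFFF has no successor, so stop there as well. */
	if (last >= end || last == 0xFFFF)
		return DISC_DONE;

	*next_start = (uint16_t) (last + 1);
	return DISC_CONTINUE;
}

/* Constructed sample PDUs (not captured from a real device). */
/* Two 16-bit descriptors: 0x0003 -> 0x2902, 0x0004 -> 0x2901. */
const uint8_t sample_find_info_16[] = {
	0x05, 0x01, 0x03, 0x00, 0x02, 0x29, 0x04, 0x00, 0x01, 0x29 };
/* One 128-bit descriptor at handle 0x0006. */
const uint8_t sample_find_info_128[] = {
	0x05, 0x02, 0x06, 0x00,
	0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
	0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF };
/* Error Response to Find Information Request: Attribute Not Found. */
const uint8_t sample_err_not_found[] = { 0x01, 0x04, 0x05, 0x00, 0x0A };
/* Error Response with another code (Read Not Permitted, 0x02). */
const uint8_t sample_err_other[] = { 0x01, 0x04, 0x05, 0x00, 0x02 };
/* Truncated response: a partial element must be rejected, not read. */
const uint8_t sample_truncated[] = { 0x05, 0x01, 0x03, 0x00, 0x02 };
```

Rejecting a partial trailing element before the copy loop is what keeps a malicious peer from steering the parser past the end of the PDU; the length check against max_out keeps the caller's array from overflowing.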
There's a single read/write requirement value so the variables should be
named in singular form. Also, until there's e.g. an enum typedef for
them a simple int shall do.
size_t/ssize_t/off_t/etc are more appropriate for variables denoting
some kind of size than simply using int.
This patch includes a couple of other related changes to avoid gcc
signedness errors resulting from it treating (for whatever reason) const
variables and integer literals as signed.
Extending the function gatt_write_char to support GATT Write Long
Characteristics. The MTU is checked and if the payload does not fit,
prepare and execute write are used to do the transaction.
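The MTU check described here, and the Read Request followed by Read Blob Requests from the earlier Read Long message, come down to the same arithmetic on ATT headers. The following is an added example, not the project's gatt_write_char or gatt_read_char: it builds the request PDUs for both procedures, choosing a single Write Request when the value fits in ATT_MTU-3 bytes and otherwise Prepare Write Requests of ATT_MTU-5 bytes each plus an Execute Write Request. Opcodes, header sizes and the 512-byte attribute value limit are the Core spec's; the struct and function names are hypothetical and the sample value is constructed:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ATT opcodes (Core Spec Vol 3, Part F, 3.4.4 and 3.4.6). */
#define ATT_OP_READ_REQ           0x0A
#define ATT_OP_READ_BLOB_REQ      0x0C
#define ATT_OP_WRITE_REQ          0x12
#define ATT_OP_PREP_WRITE_REQ     0x16
#define ATT_OP_EXEC_WRITE_REQ     0x18
#define ATT_EXEC_WRITE_FLAG_WRITE 0x01
#define ATT_MAX_VALUE_LEN         512   /* Vol 3, Part F, 3.2.9 */

/* One encoded request; 5 bytes is the largest header used here. */
struct att_pdu {
	size_t len;
	uint8_t data[ATT_MAX_VALUE_LEN + 5];
};

static void put_le16(uint8_t *p, uint16_t v)
{
	p[0] = (uint8_t) (v & 0xFF);
	p[1] = (uint8_t) (v >> 8);
}

/* Read Long as Read Request + Read Blob Requests: build the request for
 * the next part given how many value bytes have arrived so far. A
 * received count of 0 means the initial Read Request, which carries no
 * offset; every later request is a Read Blob at that offset. */
void gatt_read_long_next_req(uint16_t handle, size_t received,
			     struct att_pdu *out)
{
	if (received == 0) {
		out->data[0] = ATT_OP_READ_REQ;
		put_le16(out->data + 1, handle);
		out->len = 3;
		return;
	}
	out->data[0] = ATT_OP_READ_BLOB_REQ;
	put_le16(out->data + 1, handle);
	put_le16(out->data + 3, (uint16_t) received);
	out->len = 5;
}

/* A Read/Read Blob Response holds at most ATT_MTU-1 value bytes; a
 * shorter part means the value is complete. */
int gatt_read_long_complete(size_t part_len, size_t mtu)
{
	return part_len < mtu - 1;
}

/* Plan the requests for writing vlen bytes to handle under mtu. Up to
 * mtu-3 bytes go in one Write Request (opcode + handle); anything longer
 * is split into Prepare Write Requests of at most mtu-5 bytes each
 * (opcode + handle + offset), terminated by an Execute Write Request.
 * Returns the number of PDUs written to out, or -1 when the value is too
 * long, the MTU too small to carry data, or out has too few slots. */
int gatt_write_plan(uint16_t handle, const uint8_t *value, size_t vlen,
		    size_t mtu, struct att_pdu *out, size_t max_out)
{
	size_t chunk, off = 0, n = 0;

	if (mtu < 6 || vlen > ATT_MAX_VALUE_LEN || max_out == 0)
		return -1;

	if (vlen <= mtu - 3) {
		out[0].data[0] = ATT_OP_WRITE_REQ;
		put_le16(out[0].data + 1, handle);
		memcpy(out[0].data + 3, value, vlen);
		out[0].len = 3 + vlen;
		return 1;
	}

	chunk = mtu - 5;
	while (off < vlen) {
		size_t part = vlen - off < chunk ? vlen - off : chunk;

		/* Keep one slot free for the Execute Write Request. */
		if (n + 1 >= max_out)
			return -1;
		out[n].data[0] = ATT_OP_PREP_WRITE_REQ;
		put_le16(out[n].data + 1, handle);
		put_le16(out[n].data + 3, (uint16_t) off);
		memcpy(out[n].data + 5, value + off, part);
		out[n].len = 5 + part;
		off += part;
		n++;
	}

	out[n].data[0] = ATT_OP_EXEC_WRITE_REQ;
	out[n].data[1] = ATT_EXEC_WRITE_FLAG_WRITE;
	out[n].len = 2;
	return (int) (n + 1);
}

/* Constructed 40-byte sample value (byte i holds the value i). */
const uint8_t sample_value[40] = {
	 0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
	16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
	32, 33, 34, 35, 36, 37, 38, 39 };
```

With the default LE ATT_MTU of 23, a 20-byte value is a single Write Request of 23 bytes, while a 40-byte value becomes three Prepare Write Requests at offsets 0, 18 and 36 followed by the Execute Write. A server that receives the prepared parts validates each offset against what it has queued, so the client must emit them in order with the running offset exactly as done here.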
This patch avoids invalid memory access when decoding ATT read response
PDUs. The ATT_MTU value is a per ATT Bearer value defined by the higher
layer specification.
Commit "aa3b9016bf444b60e1b7e1804dfc323a23a93c5a Convert GDBus methods
to use macro helpers" converted the previous tables to use the new
macros but some flags were lost.
The attrib server code relies on these ids being unique globally and
not just per GAttrib instance. As an easy fix make them global by adding
a static guint to g_attrib_register.