Due to using g_dbus_emit_property_changed() and g_dbus_get_properties(),
obex_dbus_signal_property_changed() is unused since commit 96063756
("obex-client: Rename org.bluez.obex.Transfer to Transfer1"), and
OBC_PROPERTIES_ARRAY_SIGNATURE macro is unused since commit 3eadc034
("obex-client: Make use of g_dbus_get_properties to get transfer properties").
Prints out "<unknown>" string if there is no response name as below:
obexd[8117]: obexd/src/obex.c:cmd_connect()
obexd[8117]: CONNECT(0x0), (null)(0xffffffff)
Also replaces emit_transfer_progress() with the new wrapper function
because the total/transferred arguments have not been used since commit
a5c2b6e8 ("obexd: Align client and server spec of org.bluez.obex.Transfer1")
and g_dbus_emit_property_changed_full() checks if the path argument is
NULL.
When obexd is started with the option auto-accept or the agent is killed
after starting to transfer a file, obexd crashes due to cancellation of
the transfer from a client as below:
Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x0
at 0x158A40: transfer_cancel (manager.c:272)
by 0x18A5D2: process_message.isra.4 (object.c:259)
by 0x18AE44: generic_message (object.c:1079)
by 0x5290FD2: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.13)
by 0x5282623: dbus_connection_dispatch (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.13)
by 0x184DBF: message_dispatch (mainloop.c:72)
by 0x5505E24: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.1)
by 0x55061EF: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.1)
by 0x5506501: g_main_loop_run (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.1)
by 0x137902: main (main.c:322)
A fd is duplicated if dbus type is unix fd, and then it is not closed
even after the file is finished transporting. In the end obexd can not
transport due to the limitation of open-able fd as below.
Warning: invalid file descriptor 1031 in syscall fcntl(DUPFD_CLOEXEC)()
FILE DESCRIPTORS: 1021 open at exit.
Open pf-31 socket 1023:
at 0x5061F1F: fcntl_common (fcntl.c:46)
by 0x5061F1F: fcntl (fcntl.c:79)
by 0x52A1C3D: _dbus_dup (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.13)
by 0x528C7B8: dbus_message_iter_get_basic (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.13)
by 0x149E04: profile_new_connection (bluetooth.c:136)
by 0x18AAF2: process_message.isra.3 (object.c:259)
by 0x18B364: generic_message (object.c:1079)
by 0x5290FD2: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.13)
by 0x5282623: dbus_connection_dispatch (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.13)
by 0x1852FF: message_dispatch (mainloop.c:72)
by 0x5505E24: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.1)
by 0x55061EF: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.1)
by 0x5506501: g_main_loop_run (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.1)
Since this glibc commit:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=37f802f86400684c8d13403958b2c598721d6360
glibc doesn't include declare ssize_t when fcntl.h is included (fcntl.h
included <bits/uio.h> which includes <sys/types.h>).
This fixes the following compile-time error:
In file included from obexd/plugins/mas.c:41:0:
./obexd/src/obex.h:37:1: error: unknown type name ‘ssize_t’; did you mean ‘size_t’?
ssize_t obex_get_size(struct obex_session *os);
^~~~~~~
By sending OPP Put request before CONNECT we were able to cause
SIGSEGV in obexd. Crash was caused by null pointer dereference.
Crash was found using Synopsys Defensics Obex Server test suite.
This was fixed by calling os->service->connect if CONNECT was not
done before.
In messages-dummy it is not necessary to add parent folder in the
response to folder-lisintg. when tested with some carkit the present
method is not working when navigating to different folders. so removing
it.
Remote device is not able to fetch call logs from different folder.
It always returns the call logs requested in first request.
Considering a situation to fetch from och and then from cch,
there are two ways to request x-bt/vcard-listing:
Case I:
1. SetPhoneBook to /telecom/och (absolute path)
2. PullvCardListing with name header '' (empty)
Remote devices using this method always calls SetPhoneBook with absolute path
to set the path and we clear the cache when new path is set.
Case II:
1. SetPhoneBook to /telecom (relative path)
2. PullvCardListing with name header 'och'
Remote devices using this method calls SetPhoneBook with '/telecom' only once
and cache is not cleared when second PullvCardListing is made with name header.
This results in cached incorrect list sent to remote device.
Clear cache if name header is present would prevent sending of
cache list as it is not present. Instead it would request to
create new cache based on new name header.
When sending the ExchangeBusinessCards() command, the command returns
a failure. It isn't clear what that failure is. Upon looking through
the code, it is obvious the function is not implemented.
This patch just adds an extra detail message 'Not Implemented' to make
the failure a little more clear about what the problem is.
There are two functions in phonebook-dummy that were returning
'int's instead of 'struct dummy_data'
phonebook_create_cache
phonebook_get_entry
As a result, when an obex-client sends the GetSize command, the obexd
on the server segfaults.
Fix this by storing the id and returning the dummy_data struct.
The GetSize test now passes correctly.
When the remote device sends the 'CreateFolder' command, obexd
first tries to verify the path in ftp_setpath(). Because we are
creating a new directory, the verify_path() is expected to fail (it does
not exist yet; ENOENT).
Trap that special case and cause the function to fail directly to the
create directory path.
If session owner disconnect from the bus while g_obex_connect is pending
it may lead to a crash since it is never canceled connected_cb may still
be called after callback_data is freed.
When client queries for the size of a phonebook we fall into a
indefinite loop as g_obex_apparam_encode always returns the same
number of items added to the buffer regardless how often it is
called. In former times where this code wasn't using GObexApparams
a array was reduced each time the headers where added and so we could
easily find out when we've added all headers. However today we need
to solve this a bit differently by also setting the firstpacket flag
when we receive the phonebook size result from the phonebook
implementation which then lets us correctly go through without
falling into a indefinite loop.
If the owner disconnects the session should be destroyed even if the
connection is pending:
obexd/client/session.c:owner_disconnected()
obexd/client/session.c:obc_session_shutdown() 0x822abb8
obexd/client/session.c:obc_session_ref() 0x822abb8: ref=3
obexd/client/session.c:obc_session_unref() 0x822abb8: ref=2
obexd/client/bluetooth.c:transport_connect() port 19
obexd/client/bluetooth.c:transport_callback()
obexd/client/session.c:transport_func()
obexd/client/bluetooth.c:bluetooth_getpacketopt()
obexd/client/pbap.c:pbap_probe() /org/bluez/obex/client/session1
obexd/client/session.c:obc_session_ref() 0x822abb8: ref=3
obexd/client/session.c:obc_session_register() Session(0x822abb8) registered /org/bluez/obex/client/session1
obexd/client/session.c:obc_session_unref() 0x822abb8: ref=2
To fix this the code now checks if the connect callback is pending, in
that case destroy the callback releasing the reference it carrying.
session_process_queue needs to be able to access the request .func in
case an error happen and it later calls pending_request_free so .process
shall not attempt to free the request otherwise it will cause crashes:
Invalid read of size 8
at 0x4349D2: session_process_queue (session.c:857)
by 0x434AC5: setpath_complete.isra.1 (session.c:1026)
by 0x434B29: setpath_cb (session.c:1077)
by 0x416448: handle_response (gobex.c:1128)
by 0x41739D: incoming_data (gobex.c:1402)
by 0x59747FA: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.2)
by 0x5974B97: ??? (in /usr/lib64/libglib-2.0.so.0.4200.2)
by 0x5974EC1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.2)
by 0x40E23F: main (main.c:322)
Address 0x66e3d30 is 32 bytes inside a block of size 56 free'd
at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x597A50E: g_free (in /usr/lib64/libglib-2.0.so.0.4200.2)
by 0x4345F5: pending_request_free (session.c:193)
by 0x4348DF: session_process_setpath (session.c:1131)
by 0x4349C9: session_process_queue (session.c:854)
by 0x434AC5: setpath_complete.isra.1 (session.c:1026)
by 0x434B29: setpath_cb (session.c:1077)
by 0x416448: handle_response (gobex.c:1128)
by 0x41739D: incoming_data (gobex.c:1402)
by 0x59747FA: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.2)
by 0x5974B97: ??? (in /usr/lib64/libglib-2.0.so.0.4200.2)
by 0x5974EC1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.2)
This adds supported_features support to obc_driver so driver can
provide this information when connecting.
This is required by PBAP 1.2 (page 48):
'Mandatory if the PSE advertises a PbapSupportedFeatures attribute in
its SDP record, else excluded.'
g_str_equal has been used for the session path compare
which is not NULL-safe. Used the g_strcmp0() for the NULL-Safe
string comparision.
*#0 strcmp (p1=0x0, p2=0x7105c "/org/bluez/obex/client/session0")
* at strcmp.c:38
*#1 0xb6e0cd0a in g_str_equal (v1=<value optimized out>,
* v2=<value optimized out>) at ghash.c:1704
*#2 0x000264d8 in find_session (connection=<value optimized out>,
* message=0x55b38, user_data=<value optimized out>)
* at obexd/client/manager.c:162
*#3 remove_session (connection=<value optimized out>, message=0x55b38,
user_data=<value optimized out>) at obexd/client/manager.c:231
