Due to using g_dbus_emit_property_changed() and g_dbus_get_properties(),
obex_dbus_signal_property_changed() is unused since commit 96063756
("obex-client: Rename org.bluez.obex.Transfer to Transfer1"), and
OBC_PROPERTIES_ARRAY_SIGNATURE macro is unused since commit 3eadc034
("obex-client: Make use of g_dbus_get_properties to get transfer properties").
When sending the ExchangeBusinessCards() command, the command returns
a failure. It isn't clear what that failure is. Upon looking through
the code, it is obvious the function is not implemented.
This patch just adds an extra detail message 'Not Implemented' to make
the failure a little clearer about what the problem is.
If the session owner disconnects from the bus while g_obex_connect is
pending it may lead to a crash: since it is never canceled, connected_cb
may still be called after callback_data is freed.
If the owner disconnects, the session should be destroyed even if the
connection is pending:
obexd/client/session.c:owner_disconnected()
obexd/client/session.c:obc_session_shutdown() 0x822abb8
obexd/client/session.c:obc_session_ref() 0x822abb8: ref=3
obexd/client/session.c:obc_session_unref() 0x822abb8: ref=2
obexd/client/bluetooth.c:transport_connect() port 19
obexd/client/bluetooth.c:transport_callback()
obexd/client/session.c:transport_func()
obexd/client/bluetooth.c:bluetooth_getpacketopt()
obexd/client/pbap.c:pbap_probe() /org/bluez/obex/client/session1
obexd/client/session.c:obc_session_ref() 0x822abb8: ref=3
obexd/client/session.c:obc_session_register() Session(0x822abb8) registered /org/bluez/obex/client/session1
obexd/client/session.c:obc_session_unref() 0x822abb8: ref=2
To fix this, the code now checks if the connect callback is pending; in
that case it destroys the callback, releasing the reference it is carrying.
session_process_queue needs to be able to access the request .func in
case an error happens, and it later calls pending_request_free, so .process
shall not attempt to free the request; otherwise it will cause crashes:
Invalid read of size 8
at 0x4349D2: session_process_queue (session.c:857)
by 0x434AC5: setpath_complete.isra.1 (session.c:1026)
by 0x434B29: setpath_cb (session.c:1077)
by 0x416448: handle_response (gobex.c:1128)
by 0x41739D: incoming_data (gobex.c:1402)
by 0x59747FA: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.2)
by 0x5974B97: ??? (in /usr/lib64/libglib-2.0.so.0.4200.2)
by 0x5974EC1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.2)
by 0x40E23F: main (main.c:322)
Address 0x66e3d30 is 32 bytes inside a block of size 56 free'd
at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x597A50E: g_free (in /usr/lib64/libglib-2.0.so.0.4200.2)
by 0x4345F5: pending_request_free (session.c:193)
by 0x4348DF: session_process_setpath (session.c:1131)
by 0x4349C9: session_process_queue (session.c:854)
by 0x434AC5: setpath_complete.isra.1 (session.c:1026)
by 0x434B29: setpath_cb (session.c:1077)
by 0x416448: handle_response (gobex.c:1128)
by 0x41739D: incoming_data (gobex.c:1402)
by 0x59747FA: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.2)
by 0x5974B97: ??? (in /usr/lib64/libglib-2.0.so.0.4200.2)
by 0x5974EC1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.2)
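The ownership rule behind the fix above, as a constructed example that is not obexd's code: the queue step runs the request's .process, reads .func on error, then frees the request once, so a .process that frees it is a use-after-free. Names (process_queue, record_err, process_frees, process_noleak) are assumptions modelled on the commit text.

```c
/* Constructed toy modelling the ownership rule described above; not obexd code. */
#include <stdlib.h>

struct pending_request;
typedef void (*request_func)(struct pending_request *p, int err, void *data);
typedef int (*process_func)(struct pending_request *p);

struct pending_request {
	process_func process;	/* starts the operation; must not free p */
	request_func func;	/* completion callback, read by the queue on error */
	void *user_data;
};

/* Constructed completion callback: records the error it was handed. */
static void record_err(struct pending_request *p, int err, void *data)
{
	(void)p;
	*(int *)data = err;
}

/* Buggy .process: frees the request it was given. Never run this one;
 * the queue below would then read p->func from freed memory, which is
 * exactly the "Invalid read" valgrind reports above. */
static int process_frees(struct pending_request *p)
{
	free(p);
	return -1;
}

/* Fixed .process: reports failure and leaves ownership with the queue. */
static int process_noleak(struct pending_request *p)
{
	(void)p;
	return -1;
}

/* Queue step as the commit describes it: run .process, and on error
 * notify via .func, then release the request exactly once. */
static int process_queue(struct pending_request *p)
{
	int err = p->process(p);

	if (err < 0) {
		if (p->func)	/* needs p alive: .process must not have freed it */
			p->func(p, err, p->user_data);
		free(p);	/* the single owner releases the request */
	}

	return err;
}
```

Running the buggy variant under valgrind reproduces the free-then-read ordering shown in the trace; the fixed variant releases the request only in process_queue.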
This adds supported_features support to obc_driver so the driver can
provide this information when connecting.
This is required by PBAP 1.2 (page 48):
'Mandatory if the PSE advertises a PbapSupportedFeatures attribute in
its SDP record, else excluded.'
g_str_equal has been used for the session path comparison,
which is not NULL-safe. Used g_strcmp0() for the NULL-safe
string comparison.
#0 strcmp (p1=0x0, p2=0x7105c "/org/bluez/obex/client/session0")
 at strcmp.c:38
#1 0xb6e0cd0a in g_str_equal (v1=<value optimized out>,
 v2=<value optimized out>) at ghash.c:1704
#2 0x000264d8 in find_session (connection=<value optimized out>,
 message=0x55b38, user_data=<value optimized out>)
 at obexd/client/manager.c:162
#3 remove_session (connection=<value optimized out>, message=0x55b38,
 user_data=<value optimized out>) at obexd/client/manager.c:231
In case the transport is disconnected while a disconnect command is pending,
the session is freed in disconnect_complete but the disconnect callback is
still valid, causing the following crash:
Invalid read of size 4
at 0x42682A: obc_session_ref (session.c:132)
by 0x42797B: obc_session_shutdown (session.c:580)
by 0x4139DA: incoming_data (gobex.c:1406)
by 0x59712A5: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x5971627: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x5971A39: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x40D78C: main (main.c:320)
Address 0x728d814 is 4 bytes inside a block of size 120 free'd
at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x5976F7E: g_free (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4134B9: handle_response (gobex.c:1129)
by 0x4139BD: incoming_data (gobex.c:1403)
by 0x59712A5: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x5971627: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x5971A39: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x40D78C: main (main.c:320)
Remove snprintf error check. Fixes clang warnings below:
...
obexd/client/map.c:471:9: warning: Access to field 'message' results in
a dereference of a null pointer (loaded from variable 'err')
err->message);
^~~~~~~~~~~~
obexd/client/map.c:772:9: warning: Access to field 'message' results in
a dereference of a null pointer (loaded from variable 'err')
err->message);
^~~~~~~~~~~~
...
In the case of a GET operation the code does not use g_obex_get_req_pkt from
the beginning, so as to be able to read the header from the first response;
this means that the request should be cancelled with g_obex_cancel_req, not
with g_obex_cancel_transfer.
When the transport is disconnected unexpectedly it can cause the following
crash:
gobex-DEBUG: gobex/gobex.c:g_obex_send_internal() The transport is not connected
Invalid read of size 8
at 0x42662E: session_process_queue (session.c:789)
by 0x42668F: session_process (session.c:719)
by 0x3D46047E05: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x3D46048157: ??? (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x3D46048559: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x40D5FC: main (main.c:319)
Address 0x5086760 is 32 bytes inside a block of size 56 free'd
at 0x4A074C4: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x3D4604D9AE: g_free (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x426146: session_process_setpath (session.c:1063)
by 0x426629: session_process_queue (session.c:786)
by 0x42668F: session_process (session.c:719)
by 0x3D46047E05: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x3D46048157: ??? (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x3D46048559: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x40D5FC: main (main.c:319)
The spec clearly states the handles are hexadecimal:
MAP 1.2 - Page 29
"handle is the message handle in hexadecimal representation with up
to 16 digits; leading zero digits may be used so the MCE shall accept
both handles with and without leading zeros (e.g., "00000012345678AB"
or "12345678AB")."
Requests need to be cancelled when obc_session_shutdown is called
otherwise they can trigger the callback with invalid/freed data as in
the following backtrace:
Invalid read of size 8
at 0x426684: setpath_cb (session.c:998)
by 0x412AEB: handle_response (gobex.c:949)
by 0x413010: incoming_data (gobex.c:1192)
by 0x3D46047E05: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x3D46048157: ??? (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x3D46048559: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x40D59C: main (main.c:319)
Address 0x571f598 is 40 bytes inside a block of size 56 free'd
at 0x4A074C4: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x3D4604D9AE: g_free (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x426EA9: obc_session_shutdown (session.c:555)
by 0x4254B4: remove_session (manager.c:62)
by 0x43DC53: process_message.isra.5 (object.c:259)
by 0x3D4981CE85: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
by 0x3D4980FA30: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
by 0x43A9D7: message_dispatch (mainloop.c:76)
by 0x3D46048962: ??? (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x3D46047E05: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x3D46048157: ??? (in /usr/lib64/libglib-2.0.so.0.3600.3)
by 0x3D46048559: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3600.3)
The "Sent" flag value was returned instead of the "Protected" one.
This also fixes the following build error:
CC obexd/client/obexd-map.o
obexd/client/map.c:711:17: error: ‘get_protected’ defined but not
used [-Werror=unused-function]
cc1: all warnings being treated as errors