If there are multiple notifications in the same frame the callback may
alter it when using l2cap_frame_pull helpers, so instead this passes a
cloned frame with just the expected length so callbacks cannot alter
the original frame.
If there is a pending notify multiple the code was not removing it before
freeing the object, causing the following crash:
Invalid read of size 8
at 0x4A3D10: notify_multiple (gatt-server.c:1703)
by 0x4D05F0: timeout_callback (timeout-glib.c:25)
by 0x4956900: ??? (in /usr/lib64/libglib-2.0.so.0.7000.5)
by 0x49560AE: g_main_context_dispatch
(in /usr/lib64/libglib-2.0.so.0.7000.5)
by 0x49AB307: ??? (in /usr/lib64/libglib-2.0.so.0.7000.5)
by 0x49557C2: g_main_loop_run
(in /usr/lib64/libglib-2.0.so.0.7000.5)
by 0x4D0A34: mainloop_run (mainloop-glib.c:66)
by 0x4D0F2B: mainloop_run_with_signal (mainloop-notify.c:188)
by 0x2B0CD1: main (main.c:1276)
Address 0x6ca35c8 is 136 bytes inside a block of size 144 free'd
at 0x48470E4: free (vg_replace_malloc.c:872)
by 0x415E73: gatt_server_cleanup (device.c:698)
by 0x415E73: attio_cleanup (device.c:715)
by 0x47745B: queue_foreach (queue.c:207)
by 0x490C54: disconnect_cb (att.c:701)
by 0x4CF4AF: watch_callback (io-glib.c:157)
by 0x49560AE: g_main_context_dispatch
(in /usr/lib64/libglib-2.0.so.0.7000.5)
by 0x49AB307: ??? (in /usr/lib64/libglib-2.0.so.0.7000.5)
by 0x49557C2: g_main_loop_run
(in /usr/lib64/libglib-2.0.so.0.7000.5)
by 0x4D0A34: mainloop_run (mainloop-glib.c:66)
by 0x4D0F2B: mainloop_run_with_signal (mainloop-notify.c:188)
by 0x2B0CD1: main (main.c:1276)
This attempts to decode the attribute type if its gatt_db can be loaded:
< ACL Data TX: Handle 3585 flags 0x00 dlen 9
ATT: Write Request (0x12) len 4
Handle: 0x000b Type: Client Characteristic Configuration (0x2902)
Data: 0200
This caches connection information including the device address so it can
be printed alongside the handle:
> HCI Event: Disconnect Complete (0x05) plen 4
Status: Success (0x00)
Handle: 3585 Address: 68:79:12:XX:XX:XX (OUI 68-79-12)
Reason: Connection Terminated By Local Host (0x16)
On some rare occasions, the peer HID device might disconnect the ctrl
channel when we are trying to connect the intr channel. If this
happens, interrupt_connect_cb() will not be called by btio, and we
will be stuck in "connecting" state. Any future connection attempt to
the peer device will fail because of "busy".
This patch prevents that by checking if we need to report connection
failure when the ctrl channel is disconnected.
Reviewed-by: Sonny Sasaka <sonnysasaka@chromium.org>
If there are multiple instances the gatt_db of the instances was not
initialized, causing the report_map_attr to be NULL, which prevents the
report_map from being read and the uhid device from being created.
Fixes: https://github.com/bluez/bluez/issues/298
If device uses RPA it shall only enable wakeup if RPA Resolution has
been enabled otherwise it cannot be programmed in the acceptlist which
can cause suspend to fail.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215768
This adds initiator argument to service_accept so profiles accepting
the connection can use btd_service_is_initiator to determine if the
connection was initiated locally (central) or remotely (peripheral).
After connecting the Bluetooth mouse, open two Bluetoothctl at the same time,
when removing the mouse, quickly go to power off,
I tried to pair the mouse again when I was powered on,
and found that the error 0x13 was always reported.
Trying to connect directly can connect successfully,
but using the info command to query the information of the mouse
finds that the pairing status of the mouse is No.
So I try to delete the paired information in the kernel
through the "* cancel_pairing()" interface.
Definitely `dbus_bool_t b;` must be initialized before comparing it
with current value.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
Some branches of execution can leak a handle (socket).
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
According to the man page, the buffer allocated by getline() should be
freed by the user program even if getline() failed.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
printf() was using a function that returns dynamically allocated memory as
a parameter.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
This treats empty LocalName ("") the same as omitting it so no name is
set in the advertising data since some D-Bus bindings seem to have
problems omitting properties at runtime.
Fixes: https://github.com/bluez/bluez/issues/337
Use the property name as optional filters to the command "devices" and
show the "Bonded" property for the command "info".
Reviewed-by: Sonny Sasaka <sonnysasaka@chromium.org>
Reviewed-by: Yun-Hao Chung <howardchung@chromium.org>
Add "Bonded" to dbus device property table. When setting the "Bonded"
flag, check the status of the Bonded property first. If the Bonded
property is changed, send property changed signal.
Reviewed-by: Sonny Sasaka <sonnysasaka@chromium.org>
Reviewed-by: Yun-Hao Chung <howardchung@chromium.org>
Bonded flag is used to indicate the link key or ltk of the remote
device has been stored.
Reviewed-by: Sonny Sasaka <sonnysasaka@chromium.org>
Reviewed-by: Yun-Hao Chung <howardchung@chromium.org>
This decodes the LTV fields of Basic Audio Announcements:
< HCI Command: LE Set Periodic Advertising Data (0x08|0x003f) plen 41
Handle: 0
Operation: Complete ext advertising data (0x03)
Data length: 0x26
Service Data: Basic Audio Announcement (0x1851)
Presetation Delay: 40000
Number of Subgroups: 1
Subgroup #0:
Number of BIS(s): 1
Codec: LC3 (0x06)
Codec Specific Configuration #0: len 0x02 type 0x01
Codec Specific Configuration: 03
Codec Specific Configuration #1: len 0x02 type 0x02
Codec Specific Configuration: 01
Codec Specific Configuration #2: len 0x05 type 0x03
Codec Specific Configuration: 01000000
Codec Specific Configuration #3: len 0x03 type 0x04
Codec Specific Configuration: 2800
Metadata #0: len 0x03 type 0x02
Metadata: 0200
BIS #0:
Index: 1
Codec Specific Configuration:
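A bounds-checked walk of the LTV (Length-Type-Value) layout that the dump above shows for Codec Specific Configuration, as an added example; it is not btmon's or BlueZ's code. The names ltv_parse, struct ltv and sample_cfg are hypothetical, the sample bytes are reconstructed from the four entries in the dump, and rejecting a zero length is this example's choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded entry; value points into the caller's buffer (no copy). */
struct ltv {
	uint8_t type;
	uint8_t value_len;
	const uint8_t *value;
};

/* Constructed sample: the four entries btmon prints in the dump above. */
static const uint8_t sample_cfg[] = {
	0x02, 0x01, 0x03, 0x02, 0x02, 0x01,
	0x05, 0x03, 0x01, 0x00, 0x00, 0x00, 0x03, 0x04, 0x28, 0x00,
};

/*
 * Decode an LTV sequence; Length counts the type byte plus the value.
 * Returns the entry count, or -1 if an entry has length 0, runs past the
 * buffer, or does not fit in out[] (example policy: reject, no prefix).
 */
int ltv_parse(const uint8_t *buf, size_t len, struct ltv *out, size_t max)
{
	size_t off = 0, n = 0;

	while (off < len) {
		size_t l = buf[off];
		/* len - off - 1 bytes remain after the length byte */
		if (l == 0 || l > len - off - 1 || n == max)
			return -1;
		out[n].type = buf[off + 1];
		out[n].value_len = (uint8_t)(l - 1);
		out[n].value = &buf[off + 2];
		n++;
		off += 1 + l;
	}
	return (int)n;
}

int main(void)
{
	struct ltv e[8];
	int n = ltv_parse(sample_cfg, sizeof(sample_cfg), e, 8);
	for (int i = 0; i < n; i++)
		printf("#%d: len 0x%02x type 0x%02x\n", i, e[i].value_len + 1, e[i].type);
	/* One byte short: the last entry claims more than remains. */
	return ltv_parse(sample_cfg, sizeof(sample_cfg) - 1, e, 8) == -1 ? 0 : 1;
}
```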
In case AVRCP is connected first and
media_transport_update_device_volume is called without any media_player
being available the volume setting would be lost and Transport.Volume
won't be available, so this introduces btd_device_{set,get}_volume
helpers which are used to store the volume temporarily so
media_player_get_device_volume is able to restore it when the transport
is created.
Fixes: https://github.com/bluez/bluez/issues/335
This adds support for decoding Basic Audio Announcements as shown
on:
Basic Audio Profile / Profile Specification
Page 36 of 146
Table 3.15: Format of BASE used in Basic Audio Announcements
< HCI Command: LE Set Periodic Advertising Data (0x08|0x003f) plen 36
Handle: 0
Operation: Complete ext advertising data (0x03)
Data length: 0x21
Service Data: Basic Audio Announcement (0x1851)
Presetation Delay: 40000
Number of Subgroups: 1
Subgroup #0:
Number of BIS(s): 1
Codec: Reserved (0x06)
Codec Specific Configuration: 010101020403010000020428
Metadata: 020202
BIS #0:
Index: 1
Codec Specific Configuration:
This adds support for decoding Broadcast Audio Announcements as shown
on:
Basic Audio Profile / Profile Specification
Page 34 of 146
Table 3.14: Broadcast Source AD format when transmitting Broadcast
Audio Announcements
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 36
Handle: 0x00
Operation: Complete extended advertising data (0x03)
Fragment preference: Minimize fragmentation (0x01)
Data length: 0x20
Service Data: Broadcast Audio Announcement (0x1852)
Broadcast ID: 904177 (0x0dcbf1)
Name (complete): Broadcast Audio Source
Before prepending the Report ID check if it is non-zero:
BLUETOOTH SPECIFICATION Page 16 of 26
HID Service Specification
Report ID shall be nonzero in a Report Reference characteristic
descriptor where there is more than one instance of the Report
characteristic for any given Report Type.
Fixes: https://www.spinics.net/lists/linux-bluetooth/msg97262.html
Remove some leftover usage of Python2 code. In particular replace
iteritems() with items() to fix the following error:
AttributeError: 'dbus.Dictionary' object has no attribute 'iteritems'