From the BlueZ scanbot:
lib/sdp.c:586:12: warning: Access to field 'attrId' results in a dereference of a null pointer (loaded from variable 'd')
d->attrId = attr;
~ ^
lib/sdp.c:967:10: warning: Access to field 'dtd' results in a dereference of a null pointer (loaded from variable 'd')
switch (d->dtd) {
^~~~~~
Make sure to free already allocated memory if we run out of memory
before the end of the loop.
Error: RESOURCE_LEAK (CWE-772): [#def8] [important]
lib/sdp.c:542:4: alloc_fn: Storage is returned from allocation function "sdp_data_alloc".
lib/sdp.c:542:4: var_assign: Assigning: "data" = storage returned from "sdp_data_alloc(dtd, values[i])".
lib/sdp.c:550:4: var_assign: Assigning: "seq" = "data".
lib/sdp.c:552:3: var_assign: Assigning: "curr" = "data".
lib/sdp.c:553:2: out_of_scope: Variable "data" goes out of scope.
lib/sdp.c:552:3: overwrite_var: Overwriting "curr" in "curr = data".
lib/sdp.c:545:4: leaked_storage: Variable "seq" going out of scope leaks the storage it points to.
543|
544| if (!data)
545|-> return NULL;
546|
547| if (curr)
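The pattern Coverity reports above, as an added example (not BlueZ code): a model of a sequence-building loop with the leaky early return beside the fixed one. node_t, node_alloc() and the allocation-tracking hooks are constructed for this example so that a failed allocation can be injected and the leaked nodes counted; the real sdp_data_t and sdp_data_alloc() are not used.

```c
/* Added example, not BlueZ code: leaky vs. fixed partial-list handling on OOM. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct node {
    struct node *next;
    uint32_t value;
} node_t;

/* Test hooks (constructed): every node is recorded so leaks can be counted
 * and cleaned up on reset; fail_at picks which allocation call returns NULL. */
#define MAX_TRACKED 64
static node_t *tracked[MAX_TRACKED];
static size_t tracked_n;
static int alloc_calls;
static int fail_at = -1;

static void alloc_reset(int fail)
{
    for (size_t i = 0; i < tracked_n; i++)
        free(tracked[i]);
    tracked_n = 0;
    alloc_calls = 0;
    fail_at = fail;
}

static size_t live_nodes(void)
{
    return tracked_n;
}

static node_t *node_alloc(uint32_t value)
{
    if (alloc_calls++ == fail_at || tracked_n == MAX_TRACKED)
        return NULL;                 /* simulated out-of-memory */
    node_t *n = calloc(1, sizeof(*n));
    if (!n)
        return NULL;
    n->value = value;
    tracked[tracked_n++] = n;
    return n;
}

static void node_free(node_t *n)
{
    for (size_t i = 0; i < tracked_n; i++) {
        if (tracked[i] == n) {
            tracked[i] = tracked[--tracked_n];
            break;
        }
    }
    free(n);
}

static void seq_free(node_t *seq)
{
    while (seq) {
        node_t *next = seq->next;
        node_free(seq);
        seq = next;
    }
}

/* The reported pattern: when the i-th allocation fails, the i nodes already
 * linked into seq become unreachable. */
static node_t *seq_alloc_leaky(const uint32_t *values, size_t n)
{
    node_t *seq = NULL, *curr = NULL;

    for (size_t i = 0; i < n; i++) {
        node_t *data = node_alloc(values[i]);
        if (!data)
            return NULL;             /* seq is leaked here */
        if (curr)
            curr->next = data;
        else
            seq = data;
        curr = data;
    }
    return seq;
}

/* Fixed: release the partial list before reporting failure. */
static node_t *seq_alloc_fixed(const uint32_t *values, size_t n)
{
    node_t *seq = NULL, *curr = NULL;

    for (size_t i = 0; i < n; i++) {
        node_t *data = node_alloc(values[i]);
        if (!data) {
            seq_free(seq);
            return NULL;
        }
        if (curr)
            curr->next = data;
        else
            seq = data;
        curr = data;
    }
    return seq;
}

static size_t seq_len(const node_t *seq)
{
    size_t n = 0;
    for (; seq; seq = seq->next)
        n++;
    return n;
}

/* Constructed sample input: four attribute values. */
static const uint32_t sample_values[] = { 0x0100, 0x0101, 0x0102, 0x0103 };

int main(void)
{
    alloc_reset(2);
    seq_alloc_leaky(sample_values, 4);
    printf("leaky: %zu node(s) still allocated after failure\n", live_nodes());
    alloc_reset(2);
    seq_alloc_fixed(sample_values, 4);
    printf("fixed: %zu node(s) still allocated after failure\n", live_nodes());
    alloc_reset(-1);
    return 0;
}
```

With the failure injected on the third allocation, the leaky loop leaves two nodes unreachable while the fixed loop leaves none; the same tracking would catch a regression if the free were dropped again.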
The return value from gen_attridseq_pdu() can be -ENOMEM or the always
positive return value from sdp_gen_pdu(), but we only guard against a
single negative return value "-1" (-EPERM).
Check for all negative values to avoid manipulating a negative length as
a valid one.
Error: INTEGER_OVERFLOW (CWE-190): [#def10] [important]
lib/sdp.c:4097:2: overflow_sink:
"t->reqsize + cstate_len", which might have underflowed, is passed to
"sdp_send_req(session, t->reqbuf, t->reqsize + cstate_len)".
4095| reqhdr->plen = htons((t->reqsize + cstate_len) - sizeof(sdp_pdu_hdr_t));
4096|
4097|-> if (sdp_send_req(session, t->reqbuf, t->reqsize + cstate_len) < 0) {
4098| SDPERR("Error sending data:%m");
4099| t->err = errno;
Error: INTEGER_OVERFLOW (CWE-190): [#def11] [important]
lib/sdp.c:4492:3: overflow_sink:
"reqsize", which might have underflowed, is passed to
"sdp_send_req_w4_rsp(session, reqbuf, rspbuf, reqsize, &rspsize)".
4490| reqhdr->plen = htons(reqsize - sizeof(sdp_pdu_hdr_t));
4491| rsphdr = (sdp_pdu_hdr_t *) rspbuf;
4492|-> status = sdp_send_req_w4_rsp(session, reqbuf, rspbuf, reqsize, &rspsize);
4493| if (rspsize < sizeof(sdp_pdu_hdr_t)) {
4494| SDPERR("Unexpected end of packet");
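The caller bug described above, as an added example (not BlueZ code): a stand-in for gen_attridseq_pdu() that returns either a positive PDU length or a negative errno, with the old "== -1" caller beside the fixed "< 0" caller. The function names, the 5-byte header size and the attribute-ID sequence bytes are assumptions constructed for this example.

```c
/* Added example, not BlueZ code: why "== -1" is not a sufficient error check. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PDU_HDR_LEN 5u   /* assumed sizeof(sdp_pdu_hdr_t): pdu_id(1) + tid(2) + plen(2) */

enum gen_mode { GEN_OK = 0, GEN_FAIL_ENOMEM, GEN_FAIL_GENERIC };

/* Stand-in for gen_attridseq_pdu(): > 0 on success, -ENOMEM when an
 * internal allocation fails, -1 (== -EPERM) for the legacy generic error. */
static int gen_attridseq_pdu_model(uint8_t *dst, size_t cap, const uint8_t *seq,
                                   size_t seqlen, enum gen_mode mode)
{
    if (mode == GEN_FAIL_ENOMEM)
        return -ENOMEM;
    if (mode == GEN_FAIL_GENERIC || PDU_HDR_LEN + seqlen > cap)
        return -1;
    memset(dst, 0, PDU_HDR_LEN);
    memcpy(dst + PDU_HDR_LEN, seq, seqlen);
    return (int)(PDU_HDR_LEN + seqlen);
}

/* Constructed attribute-ID sequence: a DES holding one 16-bit attribute id. */
static const uint8_t sample_attr_seq[] = { 0x35, 0x03, 0x09, 0x00, 0x00 };

/* Old caller: only -1 is treated as failure. On "success" it stores the
 * length that would be handed to the unsigned size parameter of the send
 * routine; a -ENOMEM result turns into a length of roughly 4 GiB. */
static int build_request_old(enum gen_mode mode, uint32_t cstate_len, uint32_t *sent_len)
{
    uint8_t reqbuf[64];
    int reqsize = gen_attridseq_pdu_model(reqbuf, sizeof(reqbuf), sample_attr_seq,
                                          sizeof(sample_attr_seq), mode);
    if (reqsize == -1)
        return -1;
    *sent_len = (uint32_t)reqsize + cstate_len;   /* negative reqsize wraps here */
    return 0;
}

/* Fixed caller: every negative value is an error and is propagated as-is. */
static int build_request_new(enum gen_mode mode, uint32_t cstate_len, uint32_t *sent_len)
{
    uint8_t reqbuf[64];
    int reqsize = gen_attridseq_pdu_model(reqbuf, sizeof(reqbuf), sample_attr_seq,
                                          sizeof(sample_attr_seq), mode);
    if (reqsize < 0)
        return reqsize;
    *sent_len = (uint32_t)reqsize + cstate_len;
    return 0;
}

int main(void)
{
    uint32_t len = 0;

    if (build_request_old(GEN_FAIL_ENOMEM, 3, &len) == 0)
        printf("old caller would send %u bytes after -ENOMEM\n", len);
    printf("new caller returns %d after -ENOMEM\n", build_request_new(GEN_FAIL_ENOMEM, 3, &len));
    return 0;
}
```

The fixed caller also stops the later "reqsize - sizeof(sdp_pdu_hdr_t)" and "t->reqsize + cstate_len" arithmetic from ever seeing a negative operand, which is what the two INTEGER_OVERFLOW findings above are about.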
This defines BT_ISO_SYNC_TIMEOUT (20 sec), which shall be considered the
default sync_timeout, and makes all instances previously hardcoding a
value use it.
We're currently type-casting the output of strlen(sdpdata->val.str) into
an int, which is somewhat problematic given that strlen() can return
values larger than sizeof(int).
We can do better here and use size_t instead, so let's do that.
While at it, also add a comment explaining why the check here is "smaller
than" instead of "smaller than or equal".
Co-developed-by: Zander Brown <zbrown@gnome.org>
sdp_data_t->unitSize for strings in the SDP record is
`sizeof(uint8_t) + strlen(str)`.
The "length" argument of sdp_data_alloc_with_length() is expected to be
only the length of the string (so `sdp_data_t->unitSize - sizeof(uint8_t)`).
Since the last commit, in sdp_copy_seq() we're allocating one byte too much
for strings now, because the `sizeof(uint8_t)` is not subtracted from unitSize
there.
Fix this by making use of the length returned by sdp_data_value() and pass
that on to sdp_data_alloc_with_length().
Co-developed-by: Zander Brown <zbrown@gnome.org>
Assuming the size of uint8_t is bad practice; we use
sizeof(uint8_t) everywhere else, and the use of sizeof makes it clear
we're accounting for the descriptor here rather than just randomly
subtracting 1, so change that.
Co-developed-by: Zander Brown <zbrown@gnome.org>
In extract_str() we create sdp_data_t with strings and allocate
sdp_data_t->val.str an extra 0-byte as NULL termination. In
sdp_data_alloc_with_length() we're missing this, and strlen() in
sdp_get_string_attr() ends up overrunning the sdpdata->val.str buffer
looking for the NULL termination.
Allocate the extra 0-byte for sdp_data_t->val.str to ensure this
overrun can't happen.
Co-developed-by: Zander Brown <zbrown@gnome.org>
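The string accounting that the four commits above establish (size_t rather than int for strlen(), unitSize = sizeof(uint8_t) + string length, the copy path passing only the value length, and the reserved terminating 0-byte), as one added example that is not BlueZ code: sdp_str_t and the functions below are constructed to mirror the sdp_data_t unitSize/val.str convention, but they are not sdp_data_alloc_with_length(), sdp_copy_seq() or sdp_get_string_attr().

```c
/* Added example, not BlueZ code: a model of SDP string attribute handling. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t dtd;         /* data type descriptor, e.g. 0x25 for a text string */
    uint32_t unitSize;   /* sizeof(uint8_t) descriptor + string length, as in sdp_data_t */
    char *str;
} sdp_str_t;

/* Allocate a string attribute from a length-delimited buffer that has no
 * terminator of its own, always reserving the 0-byte that strlen() needs. */
static sdp_str_t *sdp_str_alloc_with_length(uint8_t dtd, const char *src, size_t length)
{
    sdp_str_t *d = calloc(1, sizeof(*d));
    if (!d)
        return NULL;
    d->str = malloc(length + 1);        /* +1 for the NUL terminator */
    if (!d->str) {
        free(d);
        return NULL;
    }
    memcpy(d->str, src, length);
    d->str[length] = '\0';
    d->dtd = dtd;
    d->unitSize = sizeof(uint8_t) + length;
    return d;
}

/* Length of the string value: unitSize minus the descriptor byte. */
static size_t sdp_str_value_len(const sdp_str_t *d)
{
    return d->unitSize - sizeof(uint8_t);
}

/* Copy the way the fixed sdp_copy_seq() does: pass the value length, not
 * unitSize, so the copy is not one byte too large. */
static sdp_str_t *sdp_str_copy(const sdp_str_t *d)
{
    return sdp_str_alloc_with_length(d->dtd, d->str, sdp_str_value_len(d));
}

static void sdp_str_free(sdp_str_t *d)
{
    if (d) {
        free(d->str);
        free(d);
    }
}

/* Copy the value into a caller buffer. strlen() stays a size_t. The check
 * is "smaller than" rather than "smaller than or equal" because the
 * terminating 0-byte needs a slot in the destination as well. */
static int sdp_get_string(const sdp_str_t *d, char *out, size_t cap)
{
    size_t len = strlen(d->str);
    if (len < cap) {
        memcpy(out, d->str, len + 1);
        return 0;
    }
    return -1;
}

/* Constructed input: a 7-byte name at the start of a record buffer whose
 * following bytes are non-zero, so an unterminated copy would overrun. */
static const char sample_record[16] = {
    'I', 'n', 't', 'e', 'l', '-', '3', 0x35, 0x03, 0x09, 0x00, 0x00, 0, 0, 0, 0
};

int main(void)
{
    char out[8];
    sdp_str_t *d = sdp_str_alloc_with_length(0x25, sample_record, 7);
    if (!d)
        return 1;
    printf("unitSize=%u value_len=%zu str=\"%s\"\n", d->unitSize, sdp_str_value_len(d), d->str);
    printf("fits in 8: %d, fits in 7: %d\n", sdp_get_string(d, out, 8), sdp_get_string(d, out, 7));
    sdp_str_free(d);
    return 0;
}
```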
This handles the recently introduced Scan Response flag: since that
shouldn't affect the connectable flag, the device would be considered
connectable, but it shall not create a new device by itself.
BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2450
• If extended advertising PDU types are being used (bit 4 = 0) then:
The advertisement shall not be both connectable and scannable.
So instead this attempts to set the name as part of Advertising Data rather
than setting it as Scan Response:
bluetoothctl> advertise.secondary 2M
bluetoothctl> advertise.name Intel-3
bluetoothctl> advertise on
< HCI Command: LE Set Extended Advertising Parameters (0x08|0x0036) plen 25
        Handle: 0x01
        Properties: 0x0001
          Connectable
        Min advertising interval: 1280.000 msec (0x0800)
        Max advertising interval: 1280.000 msec (0x0800)
        Channel map: 37, 38, 39 (0x07)
        Own address type: Public (0x00)
        Peer address type: Public (0x00)
        Peer address: 00:00:00:00:00:00 (OUI 00-00-00)
        Filter policy: Allow Scan Request from Any, Allow Connect Request from Any (0x00)
        TX power: Host has no preference (0x7f)
        Primary PHY: LE 1M (0x01)
        Secondary max skip: 0x00
        Secondary PHY: LE 2M (0x02)
        SID: 0x00
        Scan request notifications: Disabled (0x00)
> HCI Event: Command Complete (0x0e) plen 5
      LE Set Extended Advertising Parameters (0x08|0x0036) ncmd 1
        Status: Success (0x00)
        TX power (selected): 7 dbm (0x07)
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 4
        Handle: 0x01
        Operation: Complete extended advertising data (0x03)
        Fragment preference: Minimize fragmentation (0x01)
        Data length: 0x00
@ MGMT Event: Command Complete (0x0001) plen 7
      Add Extended Advertising Parameters (0x0054) plen 4
        Status: Success (0x00)
        Instance: 1
        TX power: 7 dbm (0x07)
        Available adv data len: 31
        Available scan rsp data len: 31
> HCI Event: Command Complete (0x0e) plen 4
      LE Set Extended Advertising Data (0x08|0x0037) ncmd 1
        Status: Success (0x00)
@ MGMT Command: Add Extended Advertising Data (0x0055) plen 23
        Instance: 1
        Advertising data length: 12
        Name (complete): Intel-3
        Flags: 0x06
          LE General Discoverable Mode
          BR/EDR Not Supported
        Scan response length: 0
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 16
        Handle: 0x01
        Operation: Complete extended advertising data (0x03)
        Fragment preference: Minimize fragmentation (0x01)
        Data length: 0x0c
        Name (complete): Intel-3
        Flags: 0x06
          LE General Discoverable Mode
          BR/EDR Not Supported
> HCI Event: Command Complete (0x0e) plen 4
      LE Set Extended Advertising Data (0x08|0x0037) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Extended Scan Response Data (0x08|0x0038) plen 4
        Handle: 0x01
        Operation: Complete scan response data (0x03)
        Fragment preference: Minimize fragmentation (0x01)
        Data length: 0x00
> HCI Event: Command Complete (0x0e) plen 4
      LE Set Extended Scan Response Data (0x08|0x0038) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Enable (0x08|0x0039) plen 6
        Extended advertising: Enabled (0x01)
        Number of sets: 1 (0x01)
        Entry 0
          Handle: 0x01
          Duration: 0 ms (0x00)
          Max ext adv events: 0
> HCI Event: Command Complete (0x0e) plen 4
      LE Set Extended Advertising Enable (0x08|0x0039) ncmd 2
        Status: Success (0x00)
@ MGMT Event: Command Complete (0x0001) plen 4
      Add Extended Advertising Data (0x0055) plen 1
        Status: Success (0x00)
        Instance: 1
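The placement rule from the commit message, as an added example (not kernel or BlueZ code): a small AD builder that produces the 12-byte advertising payload seen in the trace above (complete name "Intel-3" followed by Flags 0x06) and, for an extended connectable set, keeps the name out of the scan response because such a set must not also be scannable. The AD structure layout (length, type, payload) and the type codes 0x01 (Flags) and 0x09 (Complete Local Name) are from the Core Specification Supplement; the function names, the struct and the 31-byte limit applied to both buffers are assumptions made for this example.

```c
/* Added example, not kernel/BlueZ code: where the local name goes in an
 * extended advertising set. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AD_TYPE_FLAGS            0x01
#define AD_TYPE_NAME_COMPLETE    0x09
#define AD_FLAGS_LE_GENERAL_DISC 0x02
#define AD_FLAGS_BREDR_NOT_SUPP  0x04
#define ADV_DATA_MAX 31   /* assumption: matches "Available adv data len: 31" above */

struct adv_set {
    bool extended;      /* extended advertising PDUs in use */
    bool connectable;
    uint8_t adv_data[ADV_DATA_MAX];
    size_t adv_len;
    uint8_t scan_rsp[ADV_DATA_MAX];
    size_t scan_rsp_len;
};

/* Append one AD structure: [len][type][payload...], len counting type + payload. */
static int ad_append(uint8_t *buf, size_t *len, uint8_t type, const void *payload, size_t n)
{
    if (n > 254 || *len + 2 + n > ADV_DATA_MAX)
        return -1;
    buf[(*len)++] = (uint8_t)(n + 1);
    buf[(*len)++] = type;
    memcpy(buf + *len, payload, n);
    *len += n;
    return 0;
}

/* With extended advertising a connectable set cannot also be scannable,
 * so there is no scan response to carry the name: it must go into the
 * advertising data. Legacy ADV_IND, or a non-connectable extended set, may
 * still use the scan response. */
static bool name_goes_in_adv_data(const struct adv_set *s)
{
    return s->extended && s->connectable;
}

static int adv_set_build(struct adv_set *s, const char *name)
{
    uint8_t flags = AD_FLAGS_LE_GENERAL_DISC | AD_FLAGS_BREDR_NOT_SUPP;   /* 0x06 */

    s->adv_len = 0;
    s->scan_rsp_len = 0;
    if (name_goes_in_adv_data(s)) {
        if (ad_append(s->adv_data, &s->adv_len, AD_TYPE_NAME_COMPLETE, name, strlen(name)) < 0)
            return -1;
    } else {
        if (ad_append(s->scan_rsp, &s->scan_rsp_len, AD_TYPE_NAME_COMPLETE, name, strlen(name)) < 0)
            return -1;
    }
    return ad_append(s->adv_data, &s->adv_len, AD_TYPE_FLAGS, &flags, 1);
}

int main(void)
{
    struct adv_set s = { .extended = true, .connectable = true };

    if (adv_set_build(&s, "Intel-3") < 0)
        return 1;
    printf("adv data length: 0x%02zx, scan response length: %zu\n", s.adv_len, s.scan_rsp_len);
    for (size_t i = 0; i < s.adv_len; i++)
        printf("%02x ", s.adv_data[i]);
    printf("\n");
    return 0;
}
```

For the set in the trace this yields adv data of length 0x0c and an empty scan response; a legacy connectable set with the same name keeps the 3-byte Flags structure in the advertising data and puts the 9-byte name structure in the scan response instead.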
Report failure when resolving remote name to userspace. This is useful
so that userspace can make an informed decision on when to retry the name
resolving procedure.
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
This patch adds definitions of the new Advertisement Monitor Device
Found and Device Lost events to indicate that the controller has
started/stopped tracking a particular device.
Reviewed-by: Miao-chen Chou <mcchou@google.com>
HCI_MAX_ACL_SIZE actually includes the maximum frames in AMP controllers,
so this changes it to properly define the max ACL frames on non-AMP
controllers and introduces a dedicated define for AMP controllers as
HCI_MAX_AMP_SIZE.
BT core spec 5.3 promotes the usage of inclusive languages.
This CL replaces some terms with the more appropriate counterparts,
such as "central", "peripheral", and "accept list".
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Use of zero as the size for arrays as the last element of a structure
is a GNU C extension, which as of GCC 10 produces diagnostics when
values in the extended array are referenced. Switch to the C99
standard idiom for flexible array members, already in use in a few
other headers.