Apparently some stacks set the current UID to 0 when paused/stopped,
which causes the following:
bluetoothd[23185]: profiles/audio/player.c:media_player_set_playlist_item() 0
bluetoothd[23185]: profiles/audio/player.c:media_folder_create_item() (null) type audio uid 0
process 23185: arguments to dbus_message_iter_append_basic() were incorrect, assertion "_dbus_check_is_valid_path (*string_p)" failed in file dbus-message.c line 2531.
This is normally a bug in some application using the D-Bus library.
D-Bus not built with -rdynamic so unable to print a backtrace
UID 0 is not a valid UID according to the spec so the code should not
attempt to create any object to represent it.
This reverts commit 1796f00e84.
This patch causes a regression with the Nokia BH217 headset. A correct
patch must take into account fragmented responses.
Conditional jump or move depends on uninitialised value(s)
at 0x42C1AF: obex_put_stream_start (obex.c:869)
by 0x428D1A: mns_put (mns.c:148)
by 0x42B521: cmd_put (obex.c:982)
by 0x419FB5: incoming_data (gobex.c:1022)
by 0x3F31A47A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A47D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A48181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x40DEE2: main (main.c:319)
Uninitialised value was created by a stack allocation
at 0x42C160: obex_put_stream_start (obex.c:862)
The MAP specification allows reusing one MNS server instance for all
local MAS client instances. The dispatching of event reports to the
correct MAS client instance is done by the MAS instance id and the
device address.
The dispatcher component allows MAS client instances to register a
notification handler. Event reports are forwarded by the MNS server using
map_dispatch_event.
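The dispatching described above, as an added illustration that is not BlueZ code: handlers are keyed by MAS instance id plus remote device address, and an event report that matches no registered handler is rejected rather than delivered to an arbitrary instance. The table size, the names map_register_handler/map_unregister_handler and the record_event sample callback are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_HANDLERS 8

typedef void (*map_event_cb)(const char *event, void *user_data);

/* One registration per (MAS instance id, remote address) pair. */
struct map_handler {
	uint8_t instance_id;
	char address[18];          /* "XX:XX:XX:XX:XX:XX" */
	map_event_cb cb;
	void *user_data;
	int used;
};

static struct map_handler handlers[MAX_HANDLERS];

/* Sample handler for this example: counts events delivered to one MAS client. */
static int events_seen[2];
void record_event(const char *event, void *user_data)
{
	(void)event;
	(*(int *)user_data)++;
}

/* Returns the slot index, or -1 if the table is full. */
int map_register_handler(uint8_t instance_id, const char *address,
			 map_event_cb cb, void *user_data)
{
	for (int i = 0; i < MAX_HANDLERS; i++) {
		if (handlers[i].used)
			continue;
		handlers[i].instance_id = instance_id;
		snprintf(handlers[i].address, sizeof(handlers[i].address), "%s", address);
		handlers[i].cb = cb;
		handlers[i].user_data = user_data;
		handlers[i].used = 1;
		return i;
	}
	return -1;
}

void map_unregister_handler(int slot)
{
	if (slot >= 0 && slot < MAX_HANDLERS)
		handlers[slot].used = 0;
}

/* Deliver an event report; returns the slot it went to, or -1 if no client matched. */
int map_dispatch_event(uint8_t instance_id, const char *address, const char *event)
{
	for (int i = 0; i < MAX_HANDLERS; i++) {
		if (!handlers[i].used || handlers[i].instance_id != instance_id)
			continue;
		if (strcasecmp(handlers[i].address, address) != 0)
			continue;
		handlers[i].cb(event, handlers[i].user_data);
		return i;
	}
	return -1;
}
```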
The userdata pointer in btd_service provides the necessary information
to find which service should be connected. This makes it possible to remove
the restriction of having one single UUID instance per profile.
The code dereferences a NULL pointer if find_connection() doesn't find
an existing connection, which will be the case if the input UUID is
invalid or not supported.
cmd + options have a maximum length of 25. Align the description
after this value. In order not to reach 80 chars so easily, change the
first \t to 2 spaces, as is done in udev, kmod, systemd, etc.
The remote address used for dispatching the MAP notifications is
initialized when the MNS is connected. Therefore it needs to be freed
when the session is destroyed and not after receiving an event report.
Trace:
0 0x00007ffff6a6a1c9 in raise () from /usr/lib/libc.so.6
1 0x00007ffff6a6b5c8 in abort () from /usr/lib/libc.so.6
2 0x00007ffff6aa8037 in __libc_message () from /usr/lib/libc.so.6
3 0x00007ffff6aad8ae in malloc_printerr () from /usr/lib/libc.so.6
4 0x00007ffff6aae587 in _int_free () from /usr/lib/libc.so.6
5 0x00000000004273b0 in event_report_close (obj=0x69a5b0)
at obexd/client/mns.c:295
6 0x0000000000429549 in os_reset_session (os=0x69c210)
at obexd/src/obex.c:199
7 0x000000000041bec6 in transfer_complete (transfer=0x69a9d0, err=0x0)
at gobex/gobex-transfer.c:103
8 0x000000000041c20c in transfer_put_req (obex=0x69b470,
req=<optimized out>, user_data=0x69a9d0) at
gobex/gobex-transfer.c:407
9 0x000000000041988d in handle_request (req=0x69f3d0, obex=0x69b470)
at gobex/gobex.c:1022
10 incoming_data (io=<optimized out>, cond=<optimized out>,
user_data=0x69b470) at gobex/gobex.c:1194
11 0x00007ffff702de46 in g_main_context_dispatch ()
from /usr/lib/libglib-2.0.so.0
12 0x00007ffff702e198 in ?? () from /usr/lib/libglib-2.0.so.0
13 0x00007ffff702e59a in g_main_loop_run () from
/usr/lib/libglib-2.0.so.0
14 0x000000000040dead in main (argc=1, argv=0x7fffffffddc8)
at obexd/src/main.c:319
The function obc_session_mkdir needs to use file_op_complete as
callback.
0 0x00007ffff72f7553 in ?? () from /usr/lib/libdbus-1.so.3
1 0x00007ffff72f7dff in ?? () from /usr/lib/libdbus-1.so.3
2 0x00007ffff72fef9a in dbus_message_get_sender ()
from /usr/lib/libdbus-1.so.3
3 0x00007ffff72feff9 in dbus_message_new_method_return ()
from /usr/lib/libdbus-1.so.3
4 0x000000000043c93f in async_cb (session=0x6a9d30, transfer=0x0,
err=0x0,
user_data=0x675660) at obexd/client/ftp.c:65
5 0x0000000000438c7c in async_cb (obex=0x6aa980, err=0x0,
rsp=0x67a690,
user_data=0x67ced0) at obexd/client/session.c:1035
6 0x000000000041cbcc in handle_response (obex=0x6aa980, err=0x0,
rsp=0x67a690) at gobex/gobex.c:949
7 0x000000000041d49f in incoming_data (io=0x67d0f0, cond=G_IO_IN,
user_data=0x6aa980) at gobex/gobex.c:1192
8 0x00007ffff702de46 in g_main_context_dispatch ()
from /usr/lib/libglib-2.0.so.0
9 0x00007ffff702e198 in ?? () from /usr/lib/libglib-2.0.so.0
10 0x00007ffff702e59a in g_main_loop_run () from
/usr/lib/libglib-2.0.so.0
11 0x0000000000430a09 in main (argc=1, argv=0x7fffffffddc8)
at obexd/src/main.c:319
The file_op_complete callback added for the OBEX session command queuing
is called with a file_data parameter and not with a pending_request.
This fixes a crash when calling one of the file commands (like delete).
0 0x0000000000438cd6 in file_op_complete (session=0x6a9d30,
transfer=0x0,
err=0x0, user_data=0x6762e0) at obexd/client/session.c:1054
1 0x0000000000438c64 in async_cb (obex=0x6aa980, err=0x0,
rsp=0x67a710,
user_data=0x6ac2c0) at obexd/client/session.c:1035
2 0x000000000041cbcc in handle_response (obex=0x6aa980, err=0x0,
rsp=0x67a710) at gobex/gobex.c:949
3 0x000000000041d49f in incoming_data (io=0x67d0f0, cond=G_IO_IN,
user_data=0x6aa980) at gobex/gobex.c:1192
4 0x00007ffff702de46 in g_main_context_dispatch ()
from /usr/lib/libglib-2.0.so.0
5 0x00007ffff702e198 in ?? () from /usr/lib/libglib-2.0.so.0
6 0x00007ffff702e59a in g_main_loop_run () from
/usr/lib/libglib-2.0.so.0
7 0x00000000004309f0 in main (argc=1, argv=0x7fffffffddc8)
at obexd/src/main.c:319
The function setpath_complete has to be called with a pending_request as
user_data. In one possible error case, the current code calls it
incorrectly with setpath_data.
This adds a setpath_op_complete callback, that unpacks the user data and
finally calls the user callback. The callback is now used for success and error
cases.
The previous implementation was using setpath_complete, which did not
work for error cases, because it was called with incorrect user data.
This was leading to a crash that can be reproduced by disconnecting PBAP
after trying to select a non-existing phone book.
0 setpath_complete (session=0x66bd90, transfer=0x0, err=0x69b370,
user_data=0x69a810) at obexd/client/session.c:912
1 0x000000000042d100 in obc_session_shutdown (session=0x66bd90)
at obexd/client/session.c:537
2 0x000000000040f227 in service_filter (connection=0x664b20,
message=<optimized out>, user_data=0x66bed0) at gdbus/watch.c:486
3 0x000000000040f49b in message_filter (connection=0x664b20,
message=0x66ba30, user_data=<optimized out>) at gdbus/watch.c:554
4 0x00007ffff72f40a6 in dbus_connection_dispatch ()
from /usr/lib/libdbus-1.so.3
5 0x000000000040e148 in message_dispatch (data=0x664b20)
at gdbus/mainloop.c:76
6 0x00007ffff702e9a3 in ?? () from /usr/lib/libglib-2.0.so.0
7 0x00007ffff702de46 in g_main_context_dispatch ()
from /usr/lib/libglib-2.0.so.0
8 0x00007ffff702e198 in ?? () from /usr/lib/libglib-2.0.so.0
9 0x00007ffff702e59a in g_main_loop_run () from
/usr/lib/libglib-2.0.so.0
10 0x000000000040dd72 in main (argc=1, argv=0x7fffffffddc8)
at obexd/src/main.c:319
The response to RegisterNotification for event settings changed was
not setting the initial length properly, which caused the code to send
malformed/invalid PDUs.
Invalid read of size 8
at 0x470101: update_bredr_services (device.c:2784)
by 0x470591: browse_cb (device.c:2975)
by 0x458B0E: search_completed_cb (sdp-client.c:186)
by 0x47C154: sdp_process (sdp.c:4343)
by 0x458954: search_process_cb (sdp-client.c:205)
by 0x3F31A47A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A47D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A48181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x40A265: main (main.c:595)
Address 0x0 is not stack'd, malloc'd or (recently) free'd