Browsing services using sdptool can lead to writing to invalid heap
locations.
valgrind's output of exemplary call: sdptool browse local
==2203== HEAP SUMMARY:
==2203== in use at exit: 0 bytes in 0 blocks
==2203== total heap usage: 251 allocs, 251 frees, 140,156 bytes allocated
==2203==
==2203== All heap blocks were freed -- no leaks are possible
==2203==
==2203== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
==2203==
==2203== 1 errors in context 1 of 2:
==2203== Invalid write of size 2
==2203== at 0x805B882: bt_put_be16 (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8062BD0: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== Address 0x4391359 is 7 bytes before a block of size 2,048 alloc'd
==2203== at 0x402B6A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x8062B4B: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==
==2203==
==2203== 5 errors in context 2 of 2:
==2203== Invalid write of size 1
==2203== at 0x402D363: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x80613E7: gen_dataseq_pdu (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8061472: gen_attridseq_pdu (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8062C00: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== Address 0x439135b is 5 bytes before a block of size 2,048 alloc'd
==2203== at 0x402B6A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x8062B4B: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==
==2203== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
If attrib is freed in cmd->func(), then it will be used if either
request or response queue has some data to send.
This patch moves calling wake_up_sender() which increases the ref
count of attrib so that it wont get freed in cmd->func().
The discovery_list list has the list of current discovery clients and is
removed on adapter_stop (for example due a "power off" command). The
g_slist_free_full will call discovery_free on every element of the list
and remove the nodes of the list, but discovery_destroy (called by
discovery_free) will not only free the element, but also remove it from
the list. This causes the list node to be freed twice, once by
g_slist_free_full and once by g_slist_remove.
This fix calls successively discovery_destroy and lets it remove the
list's elements one by one.
The eir_uuids list is usually freed by device_svc_resolved, but that
doesn't happen if the device is removed before a SDP browse ends.
This fix deletes the eir_uuids list on device_free.
The parameter le was changed to psm and its type was modified from
boolean to int, but header was unmodified. That change occurred in commit
0cc2459963.
This patch enables argument autocompletion for the agent command with
the list of capabilities an agent can have, adding also "on" (for the
default "") and "off". The command passes the argument (parsing and
verifying it) to the dbus method call.
Registering an agent shares the user input interface with the normal console
command interface. The way it is implemented (using rl_message, rl_save_prompt
and rl_restore_prompt) conflicts with the rl_printf calls that may appear
while waiting for user input, loosing the [bluetooth]# prompt.
This patch fixes this and makes clear if the expected input is a command or an
agent reply changing the color and text of the prompt.
Events like [NEW], [CHG] and [DEL] can appear in the command console at
any time, even when the user is typing a command. The last line is kept
making the event line appear just before it, something that can be
unnoticed. This patch add meaningful colors for those three event to make
it easier to see them.
When doing recursive SDP searches, we must not overwrite our own values
after we retrieved them from SDP. Otherwise, the UUID test will always we
false.
The last argument for the functions pincode_cb, passkey_cb and
confirm_cb is a user data pointer with the "void *". Those functions
expect a "struct authentication_req *", but insted a "struct
btd_device*" without any complaint from the compiler due the void* cast.
This fix passes the right argument to those functions.
Other uses of those functions as callbacks (agent_request_passkey,
agent_request_pincode, agent_request_authorization and
agent_request_confirmation) pass the right struct authentication_req *.
The find_key function should return a pointer to the begining of the
line in the config file (map) that has the given keyword. This patch
fixes a wrong logic when the another keyword has the given keyword as a
prefix and appears in the first line of the file.
