16 and 32-bit UUIDs are always created using host order. However,
no matter the system type, 128-bit UUID must use big-endian byte
order format (similar to human-readable format).
bt_uuid_to_string() helper should get the raw UUID value. Caller should
convert the 128-bit UUID before calling this helper (if applicable).
bt_uuid_t stores 128-bit UUID using big-endian format (human-readable
format), swapping byte order is not necessary.
No matter the system, 128-bit UUIDs should not be converted to any byte
order when creating the UUID. Conversion to big/little endian should be
performed when transferring the data over-the-air only. bt_uuid_t should
handle 128-bit UUID on big-endian format (human-readable format).
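An added example, not BlueZ code and not part of these commit messages, showing the byte-order rule the UUID commits above describe: a host-order 16-bit UUID is expanded into big-endian 128-bit storage, printed without any swap, and reversed only for a little-endian wire form. The ex_* names are hypothetical, and the little-endian wire layout is an assumption standing in for whichever transport is used.

```c
#include <stdint.h>
#include <string.h>

/* Bluetooth Base UUID 00000000-0000-1000-8000-00805F9B34FB, stored
 * big-endian so the bytes are in the same order as the printed string. */
static const uint8_t ex_base_uuid[16] = {
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
	0x80, 0x00, 0x00, 0x80, 0x5F, 0x9B, 0x34, 0xFB
};

/* Expand a host-order 16-bit UUID into 128-bit big-endian storage.
 * Shifts operate on the value, so this is correct on any host. */
void ex_uuid16_to_uuid128(uint16_t u16, uint8_t out[16])
{
	memcpy(out, ex_base_uuid, sizeof(ex_base_uuid));
	out[2] = (uint8_t)(u16 >> 8);
	out[3] = (uint8_t)(u16 & 0xff);
}

/* Format the stored bytes as-is; no swap is needed because storage is
 * already big-endian. Returns 0, or -1 if the buffer is too small. */
int ex_uuid128_to_string(const uint8_t u[16], char *str, size_t n)
{
	static const char hex[] = "0123456789abcdef";
	size_t i, pos = 0;

	if (n < 37)	/* 32 hex digits + 4 dashes + NUL */
		return -1;
	for (i = 0; i < 16; i++) {
		if (i == 4 || i == 6 || i == 8 || i == 10)
			str[pos++] = '-';
		str[pos++] = hex[u[i] >> 4];
		str[pos++] = hex[u[i] & 0x0f];
	}
	str[pos] = '\0';
	return 0;
}

/* Reverse the bytes only when building a little-endian wire form
 * (assumed transport layout); the stored copy is left untouched. */
void ex_uuid128_to_wire_le(const uint8_t u[16], uint8_t wire[16])
{
	int i;

	for (i = 0; i < 16; i++)
		wire[i] = u[15 - i];
}
```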
This patch acknowledges the endianness of ediv and rand as they are
received from the kernel and stores them as logical decimal integers in
storage. This involves converting to little endian before passing to the
kernel and from little endian after receiving from the kernel.
This patch moves GATT UUID definitions to a common header. uuid.h contains
helper functions to manipulate Bluetooth UUIDs and some common BR/EDR service
UUIDs.
Somehow, the invalid multibyte sequence "\xC2\xA0" (which is displayed
as a whitespace) was inserted on a company identifier string. Fix this
to avoid a bogus diff when running tools/update_compids.sh.
The error path in the default case was not breaking the loop. To keep error
handling similar, all error paths were converted to use goto.
This fixes the following:
target C: libbluetooth <= external/bluetooth/bluez/android/../lib/sdp.c
lib/sdp.c: In function 'sdp_set_profile_descs':
lib/sdp.c:487:10: warning: 'values[0]' may be used uninitialized in
this function [-Wmaybe-uninitialized]
lib/sdp.c:2562:19: note: 'values[0]' was declared here
lib/sdp.c:545:11: warning: 'dtds[0]' may be used uninitialized in this
function [-Wmaybe-uninitialized]
lib/sdp.c:2562:9: note: 'dtds[0]' was declared here
This is an improved version of recently reverted commit 1796f00e84.
Response size is verified against the minimal allowed value only if it is
a complete response. If the response is partial, it is allowed by the spec
that it will be split in an arbitrary manner.
Verified against Nokia BH217 on which original commit caused
regression.
This reverts commit 1796f00e84.
This patch causes a regression with the Nokia BH217 headset. A correct
patch must take into account fragmented responses.
The sequence itself is not an index of dtds, values, lengths, that's why
SDP_SEQ8 is used directly as dtd, so accessing length[i] is always off
by one.
Furthermore the length is not really used by sdp_data_alloc_with_length
when the dtd is SDP_SEQ8 which is probably why it doesn't crash.
Browsing services using sdptool can lead to writing to invalid heap
locations.
valgrind's output of exemplary call: sdptool browse local
==2203== HEAP SUMMARY:
==2203== in use at exit: 0 bytes in 0 blocks
==2203== total heap usage: 251 allocs, 251 frees, 140,156 bytes allocated
==2203==
==2203== All heap blocks were freed -- no leaks are possible
==2203==
==2203== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
==2203==
==2203== 1 errors in context 1 of 2:
==2203== Invalid write of size 2
==2203== at 0x805B882: bt_put_be16 (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8062BD0: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== Address 0x4391359 is 7 bytes before a block of size 2,048 alloc'd
==2203== at 0x402B6A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x8062B4B: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==
==2203==
==2203== 5 errors in context 2 of 2:
==2203== Invalid write of size 1
==2203== at 0x402D363: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x80613E7: gen_dataseq_pdu (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8061472: gen_attridseq_pdu (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8062C00: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== Address 0x439135b is 5 bytes before a block of size 2,048 alloc'd
==2203== at 0x402B6A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x8062B4B: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==
==2203== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
The "seq->val.dataseq != NULL" check is also removed from the for()
statement because it should be done after verifying that the data
element is a sequence (inside the "if (SDP_IS_SEQ(...))" block.)