Zephyr[1] has been using the same bus defines as Linux so tools like
btmon, etc. are able to decode the bus under HCI, so this attempts to
synchronize the definitions by adding the missing bus type IPC(11) and its
decoding string.
[1] https://github.com/zephyrproject-rtos/zephyr/pull/80808
From the BlueZ scanbot:
lib/sdp.c:586:12: warning: Access to field 'attrId' results in a dereference of a null pointer (loaded from variable 'd')
d->attrId = attr;
~ ^
lib/sdp.c:967:10: warning: Access to field 'dtd' results in a dereference of a null pointer (loaded from variable 'd')
switch (d->dtd) {
^~~~~~
Make sure to free already allocated memory if we run out of memory
before the end of the loop.
Error: RESOURCE_LEAK (CWE-772): [#def8] [important]
lib/sdp.c:542:4: alloc_fn: Storage is returned from allocation function "sdp_data_alloc".
lib/sdp.c:542:4: var_assign: Assigning: "data" = storage returned from "sdp_data_alloc(dtd, values[i])".
lib/sdp.c:550:4: var_assign: Assigning: "seq" = "data".
lib/sdp.c:552:3: var_assign: Assigning: "curr" = "data".
lib/sdp.c:553:2: out_of_scope: Variable "data" goes out of scope.
lib/sdp.c:552:3: overwrite_var: Overwriting "curr" in "curr = data".
lib/sdp.c:545:4: leaked_storage: Variable "seq" going out of scope leaks the storage it points to.
543|
544| if (!data)
545|-> return NULL;
546|
547| if (curr)
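The leak Coverity reports above comes from a loop that links freshly allocated elements into a sequence and, on the first allocation failure, returns NULL while the head of the partial sequence is still owned by a local. The following is an added illustration, not BlueZ code: a hypothetical `seq_node` list stands in for `sdp_data_t`, `node_alloc()` can be told to fail after a given number of allocations to simulate ENOMEM, and `live_nodes` counts allocations minus frees so that the leaky and the fixed shape of the loop can be compared.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical list element standing in for sdp_data_t (not BlueZ code). */
struct seq_node {
	uint32_t value;
	struct seq_node *next;
};

/* Bookkeeping so a caller can prove nothing leaked. */
static int live_nodes;        /* allocations minus frees */
static int alloc_budget = -1; /* -1: unlimited; else successful allocs left (simulated OOM) */

static struct seq_node *node_alloc(uint32_t value)
{
	struct seq_node *n;

	if (alloc_budget == 0)
		return NULL; /* simulated ENOMEM */
	if (alloc_budget > 0)
		alloc_budget--;
	n = malloc(sizeof(*n));
	if (!n)
		return NULL;
	n->value = value;
	n->next = NULL;
	live_nodes++;
	return n;
}

void seq_free(struct seq_node *seq)
{
	while (seq) {
		struct seq_node *next = seq->next;

		free(seq);
		live_nodes--;
		seq = next;
	}
}

/* Shape of the code Coverity flagged: when an allocation fails mid-loop the
 * nodes already linked from 'seq' are abandoned. */
struct seq_node *seq_build_leaky(const uint32_t *values, size_t n)
{
	struct seq_node *seq = NULL, *curr = NULL;
	size_t i;

	for (i = 0; i < n; i++) {
		struct seq_node *data = node_alloc(values[i]);

		if (!data)
			return NULL; /* 'seq' goes out of scope still owning nodes */
		if (curr)
			curr->next = data;
		else
			seq = data;
		curr = data;
	}
	return seq;
}

/* Fixed shape: release the partial sequence before reporting failure. */
struct seq_node *seq_build(const uint32_t *values, size_t n)
{
	struct seq_node *seq = NULL, *curr = NULL;
	size_t i;

	for (i = 0; i < n; i++) {
		struct seq_node *data = node_alloc(values[i]);

		if (!data) {
			seq_free(seq);
			return NULL;
		}
		if (curr)
			curr->next = data;
		else
			seq = data;
		curr = data;
	}
	return seq;
}

size_t seq_len(const struct seq_node *seq)
{
	size_t len = 0;

	for (; seq; seq = seq->next)
		len++;
	return len;
}

/* Build n nodes (at most 8) under a given allocation budget, free the result,
 * and report how many nodes are still live afterwards: 0 means no leak. */
int leftover_after_build(int fixed, int budget, size_t n)
{
	const uint32_t values[8] = {1, 2, 3, 4, 5, 6, 7, 8};
	struct seq_node *seq;

	if (n > 8)
		n = 8;
	live_nodes = 0;
	alloc_budget = budget;
	seq = fixed ? seq_build(values, n) : seq_build_leaky(values, n);
	alloc_budget = -1;
	seq_free(seq);
	return live_nodes;
}

int main(void)
{
	printf("fixed, OOM on 3rd alloc: %d live nodes\n", leftover_after_build(1, 2, 3));
	printf("leaky, OOM on 3rd alloc: %d live nodes\n", leftover_after_build(0, 2, 3));
	return 0;
}
```

The failure path is the only difference between the two builders; `seq_free()` on the partial sequence is cheap, and calling it with NULL (nothing built yet) is harmless.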
The return value from gen_attridseq_pdu() can be -ENOMEM or the always
positive return value from sdp_gen_pdu(), but we only guard against a
single negative return value "-1" (-EPERM).
Check for all negative values to avoid manipulating a negative length as
a valid one.
Error: INTEGER_OVERFLOW (CWE-190): [#def10] [important]
lib/sdp.c:4097:2: overflow_sink:
"t->reqsize + cstate_len", which might have underflowed, is passed to
"sdp_send_req(session, t->reqbuf, t->reqsize + cstate_len)".
4095| reqhdr->plen = htons((t->reqsize + cstate_len) - sizeof(sdp_pdu_hdr_t));
4096|
4097|-> if (sdp_send_req(session, t->reqbuf, t->reqsize + cstate_len) < 0) {
4098| SDPERR("Error sending data:%m");
4099| t->err = errno;
Error: INTEGER_OVERFLOW (CWE-190): [#def11] [important]
lib/sdp.c:4492:3: overflow_sink:
"reqsize", which might have underflowed, is passed to
"sdp_send_req_w4_rsp(session, reqbuf, rspbuf, reqsize, &rspsize)".
4490| reqhdr->plen = htons(reqsize - sizeof(sdp_pdu_hdr_t));
4491| rsphdr = (sdp_pdu_hdr_t *) rspbuf;
4492|-> status = sdp_send_req_w4_rsp(session, reqbuf, rspbuf, reqsize, &rspsize);
4493| if (rspsize < sizeof(sdp_pdu_hdr_t)) {
4494| SDPERR("Unexpected end of packet");
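The two Coverity findings above share one root cause: a negative errno from the PDU builder is only rejected when it happens to be -1, so any other error value is promoted to `size_t` in `reqsize - sizeof(sdp_pdu_hdr_t)` and `t->reqsize + cstate_len` and becomes a huge length. This added example (not BlueZ code) uses a hypothetical `gen_pdu()` with a `fail_errno` knob and a hypothetical `HDR_LEN` in place of `sizeof(sdp_pdu_hdr_t)` to show the pre-fix check beside the corrected one.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 5u /* hypothetical header size, playing the role of sizeof(sdp_pdu_hdr_t) */

/* Constructed payload bytes for the demonstration (not from a real record). */
const uint8_t sample_payload[3] = {0x35, 0x03, 0x19};

/* Hypothetical builder in the style of sdp_gen_pdu(): total PDU length on
 * success, negative errno on failure. 'fail_errno' simulates the error path. */
int gen_pdu(uint8_t *buf, size_t buflen, const uint8_t *payload, size_t plen,
	    int fail_errno)
{
	if (fail_errno)
		return -fail_errno;
	if (buflen < HDR_LEN || plen > buflen - HDR_LEN)
		return -ENOMEM;
	buf[0] = 0x06;                 /* pdu id (placeholder) */
	buf[1] = 0x00;                 /* transaction id (placeholder) */
	buf[2] = 0x00;
	buf[3] = (uint8_t)(plen >> 8); /* plen, big-endian */
	buf[4] = (uint8_t)plen;
	memcpy(buf + HDR_LEN, payload, plen);
	return (int)(HDR_LEN + plen);
}

/* Pre-fix shape: only -1 (-EPERM) counts as an error, so -ENOMEM (-12) is
 * used as a length. Returns the byte count that would reach the send routine;
 * 0 means the caller bailed out. */
size_t request_len_buggy(const uint8_t *payload, size_t plen, int fail_errno)
{
	uint8_t reqbuf[64];
	size_t cstate_len = 0;
	int reqsize = gen_pdu(reqbuf, sizeof(reqbuf), payload, plen, fail_errno);

	if (reqsize == -1)
		return 0;
	/* int + size_t: a negative reqsize wraps to SIZE_MAX - 11 for -12 */
	return reqsize + cstate_len;
}

/* Fixed shape: every negative value is an error, and the header size is
 * verified before it is subtracted. Returns the length or a negative errno. */
long request_len_fixed(const uint8_t *payload, size_t plen, int fail_errno)
{
	uint8_t reqbuf[64];
	size_t cstate_len = 0;
	int reqsize = gen_pdu(reqbuf, sizeof(reqbuf), payload, plen, fail_errno);

	if (reqsize < 0)
		return reqsize;
	if ((size_t)reqsize < HDR_LEN)
		return -EINVAL; /* reqsize - HDR_LEN would underflow */
	return (long)((size_t)reqsize + cstate_len);
}

int main(void)
{
	printf("buggy, -ENOMEM from builder: %zu bytes would be sent\n",
	       request_len_buggy(sample_payload, 3, ENOMEM));
	printf("fixed, -ENOMEM from builder: %ld\n",
	       request_len_fixed(sample_payload, 3, ENOMEM));
	return 0;
}
```

`request_len_buggy()` returns `SIZE_MAX - 11` for the `-ENOMEM` case, which is exactly the "might have underflowed" value Coverity is warning about; the `< 0` test in the fixed variant catches every errno the builder can return, not just `-EPERM`.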
This defines BT_ISO_SYNC_TIMEOUT (20 sec), which shall be considered the
default sync_timeout, and makes all instances that previously hardcoded a
value use it.
We're currently type-casting the output of strlen(sdpdata->val.str) into
an int, which is somewhat problematic given that strlen() can return
values larger than sizeof(int).
We can do better here and use size_t instead, so let's do that.
While at it, also add a comment explaining why the check here is "smaller
than" instead of "smaller than or equal".
Co-developed-by: Zander Brown <zbrown@gnome.org>
sdp_data_t->unitSize for strings in the SDP record is
`sizeof(uint8_t) + strlen(str)`.
The "length" argument of sdp_data_alloc_with_length() is expected to be
only the length of the string (so `sdp_data_t->unitSize - sizeof(uint8_t)`).
Since the last commit, in sdp_copy_seq() we're allocating one byte too much
for strings now, because the `sizeof(uint8_t)` is not subtracted from unitSize
there.
Fix this by making use of the length returned by sdp_data_value() and pass
that on to sdp_data_alloc_with_length().
Co-developed-by: Zander Brown <zbrown@gnome.org>
Assuming the size of uint8_t is bad practice; we use
sizeof(uint8_t) everywhere else, and the use of sizeof makes it clear
we're accounting for the descriptor here rather than just randomly
subtracting 1, so change that.
Co-developed-by: Zander Brown <zbrown@gnome.org>
In extract_str() we create sdp_data_t with strings and allocate
sdp_data_t->val.str an extra 0-byte as NULL termination. In
sdp_data_alloc_with_length() we're missing this, and strlen() in
sdp_get_string_attr() ends up overrunning the sdpdata->val.str buffer
looking for the NULL termination.
Allocate the extra 0-byte for sdp_data_t->val.str to ensure this
overrun can't happen.
Co-developed-by: Zander Brown <zbrown@gnome.org>
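The four string-handling commits above describe one invariant: for a string attribute `unitSize` is `sizeof(uint8_t) + strlen(str)`, the length handed to the allocator is the bare string length, the buffer must carry one extra byte for the terminator that `strlen()` in `sdp_get_string_attr()` depends on, and the accessor compares with strictly "smaller than" so that terminator fits. This added example is not BlueZ code: `str_attr` is a hypothetical stand-in for the string case of `sdp_data_t`, and `str_attr_alloc()`, `str_attr_len()`, `str_attr_copy()` and `str_attr_get()` mirror the roles of `sdp_data_alloc_with_length()`, `sdp_data_value()`, `sdp_copy_seq()` and `sdp_get_string_attr()` respectively.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical string attribute standing in for sdp_data_t's string case. */
struct str_attr {
	size_t unitSize; /* sizeof(uint8_t) descriptor byte + string length */
	char *str;
};

/* Constructed wire bytes: "Intel-3" with no terminator, as found in a record. */
const char sample_wire[7] = {'I', 'n', 't', 'e', 'l', '-', '3'};

/* Role of the corrected sdp_data_alloc_with_length() string path: 'length'
 * is the bare string length, and the buffer gets one extra byte for the
 * NUL that strlen()-based callers rely on. */
struct str_attr *str_attr_alloc(const void *src, size_t length)
{
	struct str_attr *d = malloc(sizeof(*d));

	if (!d)
		return NULL;
	d->str = malloc(length + 1); /* +1: terminator */
	if (!d->str) {
		free(d);
		return NULL;
	}
	memcpy(d->str, src, length);
	d->str[length] = '\0';
	d->unitSize = sizeof(uint8_t) + length;
	return d;
}

void str_attr_free(struct str_attr *d)
{
	if (!d)
		return;
	free(d->str);
	free(d);
}

/* Role of sdp_data_value() for a string: unitSize minus the descriptor. */
size_t str_attr_len(const struct str_attr *d)
{
	return d->unitSize - sizeof(uint8_t);
}

/* Role of sdp_copy_seq() after the fix: pass the string length, not
 * unitSize, so the copy is not one byte larger than the original. */
struct str_attr *str_attr_copy(const struct str_attr *d)
{
	return str_attr_alloc(d->str, str_attr_len(d));
}

/* Role of sdp_get_string_attr(): size_t throughout, and strictly "smaller
 * than" because the terminator needs one byte more than strlen() reports. */
int str_attr_get(const struct str_attr *d, char *value, size_t valuelen)
{
	size_t slen = strlen(d->str);

	if (!(slen < valuelen))
		return -ENOSPC;
	memcpy(value, d->str, slen + 1);
	return 0;
}

/* Round trip: build from a non-terminated wire buffer, copy it, read the copy
 * into a 'valuelen'-byte buffer. Returns the length read or a negative errno. */
long roundtrip(const void *wire, size_t length, size_t valuelen)
{
	char value[64];
	struct str_attr *a, *b;
	long ret;

	if (valuelen > sizeof(value))
		return -EINVAL;
	a = str_attr_alloc(wire, length);
	if (!a)
		return -ENOMEM;
	b = str_attr_copy(a);
	if (!b) {
		str_attr_free(a);
		return -ENOMEM;
	}
	if (b->unitSize != a->unitSize) /* the copy must not grow */
		ret = -EIO;
	else
		ret = str_attr_get(b, value, valuelen);
	if (ret == 0)
		ret = (long)strlen(value);
	str_attr_free(a);
	str_attr_free(b);
	return ret;
}

int main(void)
{
	printf("8-byte buffer: %ld\n", roundtrip(sample_wire, 7, 8));
	printf("7-byte buffer: %ld\n", roundtrip(sample_wire, 7, 7));
	return 0;
}
```

A 7-character string needs an 8-byte destination; with exactly 7 bytes the strict comparison rejects the copy instead of dropping the terminator, which is the reasoning the comment in the first commit records.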
This handles the recently introduced Scan Response flag: since that
shouldn't affect the connectable flag, the device would be considered
connectable, but it shall not create a new device by itself.
BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2450
• If extended advertising PDU types are being used (bit 4 = 0) then:
The advertisement shall not be both connectable and scannable.
So instead this attempts to set the name as part of the Advertising Data rather
than setting it as Scan Response:
bluetoothctl> advertise.secondary 2M
bluetoothctl> advertise.name Intel-3
bluetoothctl> advertise on
< HCI Command: LE Set Extended Advertising Parameters (0x08|0x0036) plen 25
Handle: 0x01
Properties: 0x0001
Connectable
Min advertising interval: 1280.000 msec (0x0800)
Max advertising interval: 1280.000 msec (0x0800)
Channel map: 37, 38, 39 (0x07)
Own address type: Public (0x00)
Peer address type: Public (0x00)
Peer address: 00:00:00:00:00:00 (OUI 00-00-00)
Filter policy: Allow Scan Request from Any, Allow Connect Request from Any (0x00)
TX power: Host has no preference (0x7f)
Primary PHY: LE 1M (0x01)
Secondary max skip: 0x00
Secondary PHY: LE 2M (0x02)
SID: 0x00
Scan request notifications: Disabled (0x00)
> HCI Event: Command Complete (0x0e) plen 5
LE Set Extended Advertising Parameters (0x08|0x0036) ncmd 1
Status: Success (0x00)
TX power (selected): 7 dbm (0x07)
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 4
Handle: 0x01
Operation: Complete extended advertising data (0x03)
Fragment preference: Minimize fragmentation (0x01)
Data length: 0x00
@ MGMT Event: Command Complete (0x0001) plen 7
Add Extended Advertising Parameters (0x0054) plen 4
Status: Success (0x00)
Instance: 1
TX power: 7 dbm (0x07)
Available adv data len: 31
Available scan rsp data len: 31
> HCI Event: Command Complete (0x0e) plen 4
LE Set Extended Advertising Data (0x08|0x0037) ncmd 1
Status: Success (0x00)
@ MGMT Command: Add Extended Advertising Data (0x0055) plen 23
Instance: 1
Advertising data length: 12
Name (complete): Intel-3
Flags: 0x06
LE General Discoverable Mode
BR/EDR Not Supported
Scan response length: 0
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 16
Handle: 0x01
Operation: Complete extended advertising data (0x03)
Fragment preference: Minimize fragmentation (0x01)
Data length: 0x0c
Name (complete): Intel-3
Flags: 0x06
LE General Discoverable Mode
BR/EDR Not Supported
> HCI Event: Command Complete (0x0e) plen 4
LE Set Extended Advertising Data (0x08|0x0037) ncmd 1
Status: Success (0x00)
< HCI Command: LE Set Extended Scan Response Data (0x08|0x0038) plen 4
Handle: 0x01
Operation: Complete scan response data (0x03)
Fragment preference: Minimize fragmentation (0x01)
Data length: 0x00
> HCI Event: Command Complete (0x0e) plen 4
LE Set Extended Scan Response Data (0x08|0x0038) ncmd 1
Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Enable (0x08|0x0039) plen 6
Extended advertising: Enabled (0x01)
Number of sets: 1 (0x01)
Entry 0
Handle: 0x01
Duration: 0 ms (0x00)
Max ext adv events: 0
> HCI Event: Command Complete (0x0e) plen 4
LE Set Extended Advertising Enable (0x08|0x0039) ncmd 2
Status: Success (0x00)
@ MGMT Event: Command Complete (0x0001) plen 4
Add Extended Advertising Data (0x0055) plen 1
Status: Success (0x00)
Instance: 1
Report failure when resolving remote name to userspace. This is useful
so the userspace can make an informed decision when to retry name
resolving procedure.
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
This patch adds definitions of the new Advertisement Monitor Device
Found and Device Lost events to indicate that the controller has
started/stopped tracking a particular device.
Reviewed-by: Miao-chen Chou <mcchou@google.com>
HCI_MAX_ACL_SIZE actually includes the maximum frames in AMP controller
so this changes it to properly define the max ACL frames on non-AMP
controllers and introduces a dedicated define for AMP controller as
HCI_MAX_AMP_SIZE.
BT core spec 5.3 promotes the usage of inclusive languages.
This CL replaces some terms with the more appropriate counterparts,
such as "central", "peripheral", and "accept list".
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>