Devices are unlikely to change appearance over time which is the reason
why we cache then on the storage so this skips reading it on every
reconnection.
If device is no longer exists or not paired when notifications send it
is possible to get double free and dereference of already freed memory.
To avoid this we need to recheck the state of device after sending
notification.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
In src/device.c few sscanf does not limit width of uuid field. This
could lead to static overflow and stack corruption.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
In tools/btmgmt.c and tools/hex2hcd.c few sscanf does not limit width
of fields. This could lead to static overflow and stack corruption.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
If malformed packet is proceed with zero 'size' field we will face with
wrong behaviour of write() call. Value 'toread - 1' gives wrong sign
for value 'written' (-1) in write() call. To prevent this we should
check that 'toread' is not equal to zero.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
Array 'c_brf_chip' of size 8 could be accessed by index > 7. We should
limit array access like in previous check at line 221.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
Accessing le_states_desc_table array with value 15 can cause
out-of-bound read because current size of array is 14.
Currently this cannot lead to any problems becase we do no have such
state in le_states_comb_table but this could be changed in future and
raise described problem.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
gatt_db_attribute_get_index was calculating the index based on
attrib->handle - service->attributes[0]->handle which doesn't work when
there are gaps in between handles.
Fixes: https://github.com/bluez/bluez/issues/326
This addresses a situation when a boolean type is represented by
an integer and performing a left shift on a boolean causes
an integer overflow.
This fixes the following runtime error:
"left shift of 1 by 31 places cannot be represented in type 'int'"
If SEP has not been properly discovered avdtp_get_codec may return NULL
thus causing crashes such as when running AVRCP/TG/VLH/BI-01-C after
AVRCP/TG/RCR/BV-04-C.
Prevent remote endpoint registration if its codec is not available.
Remove queue_isempty check from store_remote_seps since that prevents
cleaning up if no seps could be registered.
On a2dp_add_sep if the record cannot be properly registred
a2dp_unregister_sep would be called which would attempt to destroy the
user_data causing the following backtrace:
Invalid write of size 8
at 0x2F41EB: endpoint_init_a2dp_source (media.c:687)
by 0x2F41EB: media_endpoint_create (media.c:1030)
by 0x2F6713: register_endpoint (media.c:1155)
by 0x46983F: process_message (object.c:246)
by 0x4A574A8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.14)
by 0x45F0BF: message_dispatch (mainloop.c:59)
by 0x495239A: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x495605E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x49AB2A7: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x4955772: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x4CA924: mainloop_run (mainloop-glib.c:66)
by 0x4CAE1B: mainloop_run_with_signal (mainloop-notify.c:188)
by 0x2AE791: main (main.c:1258)
Address 0x6e47a30 is 0 bytes inside a block of size 112 free'd
at 0x48470E4: free (vg_replace_malloc.c:872)
by 0x4957CDC: g_free (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x2C2D57: a2dp_unregister_sep (a2dp.c:2588)
by 0x2D124C: a2dp_add_sep (a2dp.c:2697)
by 0x2F41D5: endpoint_init_a2dp_source (media.c:687)
by 0x2F41D5: media_endpoint_create (media.c:1030)
by 0x2F6713: register_endpoint (media.c:1155)
by 0x46983F: process_message (object.c:246)
by 0x4A574A8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.14)
by 0x45F0BF: message_dispatch (mainloop.c:59)
by 0x495239A: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x495605E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x49AB2A7: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
This fixes the following error for invalid read access when registering
filter for incoming messages:
140632==ERROR: AddressSanitizer: stack-buffer-overflow on address...
#0 0x7f60c185741d in MemcmpInterceptorCommon(...
#1 0x7f60c1857af8 in __interceptor_memcmp (/lib64/libasan.so...
#2 0x55a10101536e in find_by_filter mesh/mesh-io-unit.c:494
#3 0x55a1010d8c46 in l_queue_remove_if ell/queue.c:517
#4 0x55a101014ebd in recv_register mesh/mesh-io-unit.c:506
#5 0x55a10102946f in mesh_net_attach mesh/net.c:2885
#6 0x55a101086f64 in send_reply mesh/dbus.c:153
#7 0x55a101124c3d in handle_method_return ell/dbus.c:216
#8 0x55a10112c8ef in message_read_handler ell/dbus.c:276
#9 0x55a1010dae20 in io_callback ell/io.c:120
#10 0x55a1010dff7e in l_main_iterate ell/main.c:478
#11 0x55a1010e06e3 in l_main_run ell/main.c:525
#12 0x55a1010e06e3 in l_main_run ell/main.c:507
#13 0x55a1010e0bfc in l_main_run_with_signal ell/main.c:647
#14 0x55a10100316e in main mesh/main.c:292
#15 0x7f60c0c6855f in __libc_start_call_main (/lib64/libc.so.6+...
#16 0x7f60c0c6860b in __libc_start_main_alias_1 (/lib64/libc.so.6+...
#17 0x55a101003ce4 in _start (/home/istotlan/bluez/mesh/bluetooth-m...
gatt_debug callback is used to print debug strings from bt_att which
includes the file and function names so using DBG would add yet another
set of file and function prefixes which makes the logs confusing.
This adds gatt_log wrapper for util_debug and DBG macro so file and
function names are printed which is more consistent with other parts of
the daemon code.
mgmt_debug callback is used to print debug strings from mgmt instances
which includes the file and function names so using DBG would add yet
another set of file and function prefixes which makes the logs
confusing.
This introduces mgmt_set_verbose which can be used to enable printing
the the likes hexdump of packets, by default it is disabled since in
most cases the hexdump is not very useful and there are better tools
to collect the hexdumo like btmon.
gatt_db_attribute_notify was only accepting passing the Characteristic
Declaration instead of accepting its value as well,
gatt_db_service_foreach_desc also have similar limitation so both have
been updated to allow working with both value and declaration.
