This adds support for decoding Basic Audio Announcements as shown
on:
Basic Audio Profile / Profile Specification
Page 36 of 146
Table 3.15: Format of BASE used in Basic Audio Announcements
< HCI Command: LE Set Periodic Advertising Data (0x08|0x003f) plen 36
Handle: 0
Operation: Complete ext advertising data (0x03)
Data length: 0x21
Service Data: Basic Audio Announcement (0x1851)
Presentation Delay: 40000
Number of Subgroups: 1
Subgroup #0:
Number of BIS(s): 1
Codec: Reserved (0x06)
Codec Specific Configuration: 010101020403010000020428
Metadata: 020202
BIS #0:
Index: 1
Codec Specific Configuration:
This adds support for decoding Broadcast Audio Announcements as shown
on:
Basic Audio Profile / Profile Specification
Page 34 of 146
Table 3.14: Broadcast Source AD format when transmitting Broadcast
Audio Announcements
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 36
Handle: 0x00
Operation: Complete extended advertising data (0x03)
Fragment preference: Minimize fragmentation (0x01)
Data length: 0x20
Service Data: Broadcast Audio Announcement (0x1852)
Broadcast ID: 904177 (0x0dcbf1)
Name (complete): Broadcast Audio Source
Before prepending the Report ID check if it is non-zero:
BLUETOOTH SPECIFICATION Page 16 of 26
HID Service Specification
Report ID shall be nonzero in a Report Reference characteristic
descriptor where there is more than one instance of the Report
characteristic for any given Report Type.
Fixes: https://www.spinics.net/lists/linux-bluetooth/msg97262.html
Remove some leftover usage of Python2 code. In particular replace
iteritems() with items() to fix the following error:
AttributeError: 'dbus.Dictionary' object has no attribute 'iteritems'
This adds transport menu:
[bluetooth]# menu transport
Menu transport:
Available commands:
-------------------
list List available transports
show <transport> Transport information
acquire <transport> Acquire Transport
release <transport> Release Transport
send <filename> Send contents of a file
This adds endpoint menu:
[bluetooth]# menu endpoint
Menu endpoint:
Available commands:
-------------------
list [local] List available endpoints
show <endpoint> Endpoint information
register <UUID> <codec> [capabilities...] Register Endpoint
unregister <UUID/object> Register Endpoint
config <endpoint> <local endpoint> [preset] Configure Endpoint
presets <UUID> [default] List available presets
The test for `DISCOVERABLE` should be done with
`MGMT_SETTING_DISCOVERABLE` instead of `MGMT_OP_SET_DISCOVERABLE`.
Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
Devices are unlikely to change appearance over time, which is the reason
why we cache them on the storage, so this skips reading it on every
reconnection.
If the device no longer exists or is not paired when notifications are
sent, it is possible to get a double free and a dereference of already
freed memory. To avoid this we need to recheck the state of the device
after sending the notification.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
In src/device.c a few sscanf calls do not limit the width of the uuid
field. This could lead to a static overflow and stack corruption.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
In tools/btmgmt.c and tools/hex2hcd.c a few sscanf calls do not limit
the width of fields. This could lead to a static overflow and stack
corruption.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
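The two sscanf commits above (src/device.c, and tools/btmgmt.c / tools/hex2hcd.c) fix the same class of bug: a `%s` conversion with no field width writes as many bytes as the input supplies, so a long token overruns the fixed-size stack buffer. The following is an added example, not BlueZ's own code; the `hhhh#uuid` key layout, the function names and the sample keys are constructed for illustration. It puts the unbounded pattern next to the bounded one and additionally uses `%n` to detect a token that was silently truncated at the width limit, which a width alone does not report.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define UUID_STR_LEN 36  /* 8-4-4-4-12 text form, not counting the NUL */

/* Pattern to avoid (constructed illustration of the bug class): "%s" has no
 * width, so a key whose second field is longer than uuid[] overruns the
 * caller's stack buffer. Kept only for side-by-side comparison; never call
 * it with untrusted input. */
bool parse_key_unbounded(const char *key, unsigned *handle,
                         char uuid[UUID_STR_LEN + 1])
{
    return sscanf(key, "%04x#%s", handle, uuid) == 2;
}

/* Check that s has the 8-4-4-4-12 hex layout of a textual UUID. */
static bool uuid_str_valid(const char *s)
{
    if (strlen(s) != UUID_STR_LEN)
        return false;
    for (int i = 0; i < UUID_STR_LEN; i++) {
        bool want_dash = (i == 8 || i == 13 || i == 18 || i == 23);
        if (want_dash ? s[i] != '-' : !isxdigit((unsigned char)s[i]))
            return false;
    }
    return true;
}

/* Hardened form: "%36s" bounds the write to UUID_STR_LEN characters plus the
 * NUL that sscanf appends, so the buffer cannot be overrun. "%n" records how
 * much input was consumed; if anything follows, the token was longer than
 * the field and got truncated, which we treat as malformed rather than
 * accepting a clipped UUID. */
bool parse_key_bounded(const char *key, unsigned *handle,
                       char uuid[UUID_STR_LEN + 1])
{
    int consumed = 0;

    if (sscanf(key, "%04x#%36s%n", handle, uuid, &consumed) != 2)
        return false;
    if (key[consumed] != '\0')
        return false;           /* truncated: more of the token remains */
    return uuid_str_valid(uuid);
}

/* Convenience wrapper: the parsed handle on success, -1 on rejection. */
int check_key(const char *key)
{
    unsigned handle;
    char uuid[UUID_STR_LEN + 1];

    return parse_key_bounded(key, &handle, uuid) ? (int)handle : -1;
}

int main(void)
{
    /* constructed sample keys */
    const char *good = "0010#0000110b-0000-1000-8000-00805f9b34fb";
    const char *over = "0010#0000110b-0000-1000-8000-00805f9b34fb"
                       "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    const char *bad  = "0010#0000110b-0000-1000-8000-00805f9b34fz";

    printf("good: %d\n", check_key(good));   /* 16 */
    printf("over: %d\n", check_key(over));   /* -1 */
    printf("bad:  %d\n", check_key(bad));    /* -1 */
    return 0;
}
```

Note that a bare width limit (`%36s`) only stops the overflow; without the `%n` check an over-long field is accepted as its first 36 characters, which can still make a malformed storage entry look valid.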
If a malformed packet is processed with a zero 'size' field we will face
wrong behaviour of the write() call. The value 'toread - 1' gives the
wrong sign for the value 'written' (-1) in the write() call. To prevent
this we should check that 'toread' is not equal to zero.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
Array 'c_brf_chip' of size 8 could be accessed by index > 7. We should
limit array access like in the previous check at line 221.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
Accessing the le_states_desc_table array with value 15 can cause an
out-of-bound read because the current size of the array is 14.
Currently this cannot lead to any problems because we do not have such a
state in le_states_comb_table, but this could be changed in future and
raise the described problem.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
gatt_db_attribute_get_index was calculating the index based on
attrib->handle - service->attributes[0]->handle which doesn't work when
there are gaps in between handles.
Fixes: https://github.com/bluez/bluez/issues/326
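As an added illustration of the gatt_db_attribute_get_index fix (example code, not BlueZ's implementation): a GATT service whose attribute handles are ascending but not contiguous. The offset-based calculation the commit describes over-shoots as soon as there is a gap, while a search over the sorted handle table returns the real index and reports handles that fall into a gap. The sample handle table and function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample service: handles are ascending but have gaps
 * (nothing at 0x0003-0x0004 and 0x0007-0x0008). */
static const uint16_t sample_handles[] = { 0x0001, 0x0002, 0x0005, 0x0006, 0x0009 };
#define SAMPLE_COUNT ((int)(sizeof(sample_handles) / sizeof(sample_handles[0])))

/* Old approach described in the commit: index = handle - first handle.
 * Only valid when the handles are contiguous; with gaps it over-shoots and
 * would index past the end of the table. The raw arithmetic is returned
 * unchecked here purely for comparison. */
int index_by_offset(const uint16_t *handles, int count, uint16_t handle)
{
    (void)count;
    return handle - handles[0];
}

/* Gap-tolerant lookup: binary search over the sorted handle table (attribute
 * handles within a GATT service are assigned in ascending order). Returns -1
 * when the handle is not part of the service, e.g. when it lies in a gap. */
int index_by_search(const uint16_t *handles, int count, uint16_t handle)
{
    int lo = 0, hi = count - 1;

    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;

        if (handles[mid] == handle)
            return mid;
        if (handles[mid] < handle)
            lo = mid + 1;
        else
            hi = mid - 1;
    }
    return -1;
}

int demo_offset(uint16_t handle)
{
    return index_by_offset(sample_handles, SAMPLE_COUNT, handle);
}

int demo_search(uint16_t handle)
{
    return index_by_search(sample_handles, SAMPLE_COUNT, handle);
}

int main(void)
{
    for (uint16_t h = 0x0001; h <= 0x0009; h++)
        printf("handle 0x%04x: offset-based %d, search-based %d\n",
               h, demo_offset(h), demo_search(h));
    return 0;
}
```

For handle 0x0006 the offset calculation yields 5, one past the end of a five-entry table, whereas the search yields the correct index 3; for 0x0004, which sits in a gap, the search reports -1 instead of pointing at an unrelated attribute.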
This addresses a situation when a boolean type is represented by
an integer and performing a left shift on a boolean causes
an integer overflow.
This fixes the following runtime error:
"left shift of 1 by 31 places cannot be represented in type 'int'"
If SEP has not been properly discovered avdtp_get_codec may return NULL
thus causing crashes such as when running AVRCP/TG/VLH/BI-01-C after
AVRCP/TG/RCR/BV-04-C.
Prevent remote endpoint registration if its codec is not available.
Remove queue_isempty check from store_remote_seps since that prevents
cleaning up if no seps could be registered.
On a2dp_add_sep, if the record cannot be properly registered,
a2dp_unregister_sep would be called, which would attempt to destroy the
user_data, causing the following backtrace:
Invalid write of size 8
at 0x2F41EB: endpoint_init_a2dp_source (media.c:687)
by 0x2F41EB: media_endpoint_create (media.c:1030)
by 0x2F6713: register_endpoint (media.c:1155)
by 0x46983F: process_message (object.c:246)
by 0x4A574A8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.14)
by 0x45F0BF: message_dispatch (mainloop.c:59)
by 0x495239A: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x495605E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x49AB2A7: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x4955772: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x4CA924: mainloop_run (mainloop-glib.c:66)
by 0x4CAE1B: mainloop_run_with_signal (mainloop-notify.c:188)
by 0x2AE791: main (main.c:1258)
Address 0x6e47a30 is 0 bytes inside a block of size 112 free'd
at 0x48470E4: free (vg_replace_malloc.c:872)
by 0x4957CDC: g_free (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x2C2D57: a2dp_unregister_sep (a2dp.c:2588)
by 0x2D124C: a2dp_add_sep (a2dp.c:2697)
by 0x2F41D5: endpoint_init_a2dp_source (media.c:687)
by 0x2F41D5: media_endpoint_create (media.c:1030)
by 0x2F6713: register_endpoint (media.c:1155)
by 0x46983F: process_message (object.c:246)
by 0x4A574A8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.14)
by 0x45F0BF: message_dispatch (mainloop.c:59)
by 0x495239A: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x495605E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7000.4)
by 0x49AB2A7: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
This fixes the following error for invalid read access when registering
filter for incoming messages:
140632==ERROR: AddressSanitizer: stack-buffer-overflow on address...
#0 0x7f60c185741d in MemcmpInterceptorCommon(...
#1 0x7f60c1857af8 in __interceptor_memcmp (/lib64/libasan.so...
#2 0x55a10101536e in find_by_filter mesh/mesh-io-unit.c:494
#3 0x55a1010d8c46 in l_queue_remove_if ell/queue.c:517
#4 0x55a101014ebd in recv_register mesh/mesh-io-unit.c:506
#5 0x55a10102946f in mesh_net_attach mesh/net.c:2885
#6 0x55a101086f64 in send_reply mesh/dbus.c:153
#7 0x55a101124c3d in handle_method_return ell/dbus.c:216
#8 0x55a10112c8ef in message_read_handler ell/dbus.c:276
#9 0x55a1010dae20 in io_callback ell/io.c:120
#10 0x55a1010dff7e in l_main_iterate ell/main.c:478
#11 0x55a1010e06e3 in l_main_run ell/main.c:525
#12 0x55a1010e06e3 in l_main_run ell/main.c:507
#13 0x55a1010e0bfc in l_main_run_with_signal ell/main.c:647
#14 0x55a10100316e in main mesh/main.c:292
#15 0x7f60c0c6855f in __libc_start_call_main (/lib64/libc.so.6+...
#16 0x7f60c0c6860b in __libc_start_main_alias_1 (/lib64/libc.so.6+...
#17 0x55a101003ce4 in _start (/home/istotlan/bluez/mesh/bluetooth-m...
gatt_debug callback is used to print debug strings from bt_att which
includes the file and function names so using DBG would add yet another
set of file and function prefixes which makes the logs confusing.