platform/upstream/bluez.git
14 months ago gap: Don't attempt to read the appearance if already set
Luiz Augusto von Dentz [Mon, 4 Apr 2022 20:15:18 +0000 (13:15 -0700)]
gap: Don't attempt to read the appearance if already set

Devices are unlikely to change appearance over time which is the reason
why we cache them on the storage so this skips reading it on every
reconnection.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago gatt: Fix double free and freed memory dereference
Ildar Kamaletdinov [Fri, 1 Apr 2022 12:16:47 +0000 (15:16 +0300)]
gatt: Fix double free and freed memory dereference

If the device no longer exists or is not paired when notifications are sent,
it is possible to get a double free and a dereference of already freed memory.

To avoid this we need to recheck the state of device after sending
notification.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago device: Limit width of fields in sscanf
Ildar Kamaletdinov [Fri, 1 Apr 2022 12:16:46 +0000 (15:16 +0300)]
device: Limit width of fields in sscanf

In src/device.c a few sscanf calls do not limit the width of the uuid field.
This could lead to static overflow and stack corruption.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago tools: Limit width of fields in sscanf
Ildar Kamaletdinov [Fri, 1 Apr 2022 12:16:45 +0000 (15:16 +0300)]
tools: Limit width of fields in sscanf

In tools/btmgmt.c and tools/hex2hcd.c a few sscanf calls do not limit the
width of fields. This could lead to static overflow and stack corruption.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago tools: Fix signed integer overflow in btsnoop.c
Ildar Kamaletdinov [Fri, 1 Apr 2022 12:16:44 +0000 (15:16 +0300)]
tools: Fix signed integer overflow in btsnoop.c

If a malformed packet is processed with a zero 'size' field we will face
wrong behaviour of the write() call. Value 'toread - 1' gives the wrong sign
for value 'written' (-1) in the write() call. To prevent this we should
check that 'toread' is not equal to zero.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago tools: Fix buffer overflow in hciattach_tialt.c
Ildar Kamaletdinov [Fri, 1 Apr 2022 12:16:43 +0000 (15:16 +0300)]
tools: Fix buffer overflow in hciattach_tialt.c

Array 'c_brf_chip' of size 8 could be accessed by index > 7. We should
limit array access like in previous check at line 221.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago monitor: Fix out-of-bound read in print_le_states
Ildar Kamaletdinov [Fri, 1 Apr 2022 12:16:42 +0000 (15:16 +0300)]
monitor: Fix out-of-bound read in print_le_states

Accessing le_states_desc_table array with value 15 can cause
out-of-bound read because current size of array is 14.

Currently this cannot lead to any problems because we do not have such
state in le_states_comb_table but this could be changed in future and
raise the described problem.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago tools: Fix g_dbus_setup_private connection check in mpris-proxy
Frédéric Danis [Wed, 30 Mar 2022 09:47:40 +0000 (11:47 +0200)]
tools: Fix g_dbus_setup_private connection check in mpris-proxy

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago shared/gatt-db: Fix gatt_db_attribute_get_index
Luiz Augusto von Dentz [Fri, 1 Apr 2022 21:32:53 +0000 (14:32 -0700)]
shared/gatt-db: Fix gatt_db_attribute_get_index

gatt_db_attribute_get_index was calculating the index based on
attrib->handle - service->attributes[0]->handle which doesn't work when
there are gaps in between handles.

Fixes: https://github.com/bluez/bluez/issues/326
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago btdev: Check parameter for CIG related commands
Luiz Augusto von Dentz [Thu, 31 Mar 2022 22:25:10 +0000 (15:25 -0700)]
btdev: Check parameter for CIG related commands

This checks if the parameters given to Set CIG Parameters and Remove CIG
are in the valid range.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago mesh: use explicit uint32_t when bit shifting left
Inga Stotland [Wed, 30 Mar 2022 21:17:47 +0000 (14:17 -0700)]
mesh: use explicit uint32_t when bit shifting left

This addresses a situation when a boolean type is represented by
an integer and performing a left shift on a boolean causes
an integer overflow.

This fixes the following runtime error:
"left shift of 1 by 31 places cannot be represented in type 'int'"

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago a2dp: Fix crash when SEP codec has not been initialized
Frédéric Danis [Wed, 30 Mar 2022 09:28:44 +0000 (11:28 +0200)]
a2dp: Fix crash when SEP codec has not been initialized

If SEP has not been properly discovered avdtp_get_codec may return NULL
thus causing crashes such as when running AVRCP/TG/VLH/BI-01-C after
AVRCP/TG/RCR/BV-04-C.

Prevent remote endpoint registration if its codec is not available.

Remove queue_isempty check from store_remote_seps since that prevents
cleaning up if no seps could be registered.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago client: Add support for player submenu
Luiz Augusto von Dentz [Mon, 28 Mar 2022 21:18:07 +0000 (14:18 -0700)]
client: Add support for player submenu

This adds the functionality of bluetooth-player into
bluetoothctl.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago shell: Make bt_shell_add_submenu set main menu if none has been set
Luiz Augusto von Dentz [Mon, 28 Mar 2022 20:56:58 +0000 (13:56 -0700)]
shell: Make bt_shell_add_submenu set main menu if none has been set

If no main menu has been set when calling bt_shell_add_submenu then
turn it into the main menu.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago mgmt: Remove mgmt_set_verbose
Luiz Augusto von Dentz [Fri, 25 Mar 2022 18:11:47 +0000 (11:11 -0700)]
mgmt: Remove mgmt_set_verbose

The likes of btmon already decode the commands/events so there is no
need to have the code hexdump their contents.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago a2dp: Always invalidate the cache if its configuration fails
Luiz Augusto von Dentz [Thu, 24 Mar 2022 22:14:34 +0000 (15:14 -0700)]
a2dp: Always invalidate the cache if its configuration fails

When a configuration had been restored from last_used cache but it
fails, invalidate it so another sep can be used.

Fixes: https://github.com/bluez/bluez/issues/313
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago a2dp: Don't initialize a2dp_sep->destroy until properly registered
Luiz Augusto von Dentz [Thu, 24 Mar 2022 21:32:11 +0000 (14:32 -0700)]
a2dp: Don't initialize a2dp_sep->destroy until properly registered

On a2dp_add_sep if the record cannot be properly registered
a2dp_unregister_sep would be called which would attempt to destroy the
user_data causing the following backtrace:

Invalid write of size 8
   at 0x2F41EB: endpoint_init_a2dp_source (media.c:687)
   by 0x2F41EB: media_endpoint_create (media.c:1030)
   by 0x2F6713: register_endpoint (media.c:1155)
   by 0x46983F: process_message (object.c:246)
   by 0x4A574A8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.14)
   by 0x45F0BF: message_dispatch (mainloop.c:59)
   by 0x495239A: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x495605E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x49AB2A7: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x4955772: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x4CA924: mainloop_run (mainloop-glib.c:66)
   by 0x4CAE1B: mainloop_run_with_signal (mainloop-notify.c:188)
   by 0x2AE791: main (main.c:1258)
 Address 0x6e47a30 is 0 bytes inside a block of size 112 free'd
   at 0x48470E4: free (vg_replace_malloc.c:872)
   by 0x4957CDC: g_free (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x2C2D57: a2dp_unregister_sep (a2dp.c:2588)
   by 0x2D124C: a2dp_add_sep (a2dp.c:2697)
   by 0x2F41D5: endpoint_init_a2dp_source (media.c:687)
   by 0x2F41D5: media_endpoint_create (media.c:1030)
   by 0x2F6713: register_endpoint (media.c:1155)
   by 0x46983F: process_message (object.c:246)
   by 0x4A574A8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.14)
   by 0x45F0BF: message_dispatch (mainloop.c:59)
   by 0x495239A: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x495605E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x49AB2A7: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago adapter: Fix adding SDP records when operating on LE only mode
Luiz Augusto von Dentz [Thu, 24 Mar 2022 21:24:12 +0000 (14:24 -0700)]
adapter: Fix adding SDP records when operating on LE only mode

If mode is set to BT_MODE_LE SDP protocol won't be operational so it is
useless to attempt to add records.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago mesh: Fix address overrun error in rx filter
Inga Stotland [Fri, 25 Mar 2022 23:46:25 +0000 (16:46 -0700)]
mesh: Fix address overrun error in rx filter

This fixes the following error for invalid read access when registering
filter for incoming messages:

140632==ERROR: AddressSanitizer: stack-buffer-overflow on address...
 #0 0x7f60c185741d in MemcmpInterceptorCommon(...
    #1 0x7f60c1857af8 in __interceptor_memcmp (/lib64/libasan.so...
    #2 0x55a10101536e in find_by_filter mesh/mesh-io-unit.c:494
    #3 0x55a1010d8c46 in l_queue_remove_if ell/queue.c:517
    #4 0x55a101014ebd in recv_register mesh/mesh-io-unit.c:506
    #5 0x55a10102946f in mesh_net_attach mesh/net.c:2885
    #6 0x55a101086f64 in send_reply mesh/dbus.c:153
    #7 0x55a101124c3d in handle_method_return ell/dbus.c:216
    #8 0x55a10112c8ef in message_read_handler ell/dbus.c:276
    #9 0x55a1010dae20 in io_callback ell/io.c:120
    #10 0x55a1010dff7e in l_main_iterate ell/main.c:478
    #11 0x55a1010e06e3 in l_main_run ell/main.c:525
    #12 0x55a1010e06e3 in l_main_run ell/main.c:507
    #13 0x55a1010e0bfc in l_main_run_with_signal ell/main.c:647
    #14 0x55a10100316e in main mesh/main.c:292
    #15 0x7f60c0c6855f in __libc_start_call_main (/lib64/libc.so.6+...
    #16 0x7f60c0c6860b in __libc_start_main_alias_1 (/lib64/libc.so.6+...
    #17 0x55a101003ce4 in _start (/home/istotlan/bluez/mesh/bluetooth-m...

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago device: Don't use DBG in gatt_debug
Luiz Augusto von Dentz [Mon, 21 Mar 2022 20:04:33 +0000 (13:04 -0700)]
device: Don't use DBG in gatt_debug

gatt_debug callback is used to print debug strings from bt_att which
includes the file and function names so using DBG would add yet another
set of file and function prefixes which makes the logs confusing.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago att: Rename att_debug and att_verbose to DBG and VERBOSE
Luiz Augusto von Dentz [Mon, 21 Mar 2022 20:36:52 +0000 (13:36 -0700)]
att: Rename att_debug and att_verbose to DBG and VERBOSE

att_debug and att_verbose are macros which are more commonly written
in uppercase, this also changes them to use DBG like other parts of
the code.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago gatt-server: Add DBG macro
Luiz Augusto von Dentz [Mon, 21 Mar 2022 20:29:48 +0000 (13:29 -0700)]
gatt-server: Add DBG macro

This adds gatt_log wrapper for util_debug and DBG so file and function
names are printed with the logs.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago gatt-client: Add DBG macro
Luiz Augusto von Dentz [Mon, 21 Mar 2022 20:21:16 +0000 (13:21 -0700)]
gatt-client: Add DBG macro

This adds gatt_log wrapper for util_debug and DBG macro so file and
function names are printed which is more consistent with other parts of
the daemon code.

Change-Id: I802443ecd6bd249c174c1dcf0d1f8ed246425427
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago att: Log file and function names
Luiz Augusto von Dentz [Mon, 21 Mar 2022 20:01:37 +0000 (13:01 -0700)]
att: Log file and function names

This adds logging of file and function names.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago adapter: Don't use DBG in mgmt_debug
Luiz Augusto von Dentz [Tue, 22 Mar 2022 22:57:53 +0000 (15:57 -0700)]
adapter: Don't use DBG in mgmt_debug

mgmt_debug callback is used to print debug strings from mgmt instances
which includes the file and function names so using DBG would add yet
another set of file and function prefixes which makes the logs
confusing.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago mgmt: Introduce mgmt_set_verbose
Luiz Augusto von Dentz [Tue, 22 Mar 2022 23:20:10 +0000 (16:20 -0700)]
mgmt: Introduce mgmt_set_verbose

This introduces mgmt_set_verbose which can be used to enable printing
the likes of hexdump of packets, by default it is disabled since in
most cases the hexdump is not very useful and there are better tools
to collect the hexdump like btmon.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago mgmt: Add DBG macro
Luiz Augusto von Dentz [Tue, 22 Mar 2022 21:48:06 +0000 (14:48 -0700)]
mgmt: Add DBG macro

This adds mgmt_log wrapper for util_debug and DBG so file and function
names are printed with the logs.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago log: Don't log __FILE__ and __func__ with DBG_IDX
Luiz Augusto von Dentz [Tue, 22 Mar 2022 22:51:17 +0000 (15:51 -0700)]
log: Don't log __FILE__ and __func__ with DBG_IDX

This removes __FILE__ and __func__ from DBG_IDX since users of it may
already contain such information embedded in the format.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago Release 5.64
Marcel Holtmann [Wed, 16 Mar 2022 15:04:29 +0000 (16:04 +0100)]
Release 5.64

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago gatt-db: Fix gatt_db_attribute_notify
Luiz Augusto von Dentz [Mon, 14 Mar 2022 21:47:02 +0000 (14:47 -0700)]
gatt-db: Fix gatt_db_attribute_notify

gatt_db_attribute_notify was only accepting the Characteristic
Declaration instead of accepting its value as well,
gatt_db_service_foreach_desc also has a similar limitation so both have
been updated to allow working with both value and declaration.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago gatt: Print error if gatt_db_attribut_notify fails
Luiz Augusto von Dentz [Mon, 14 Mar 2022 21:46:21 +0000 (14:46 -0700)]
gatt: Print error if gatt_db_attribut_notify fails

This prints an error if gatt_db_attribut_notify fails.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago test-runner: Update help information
Luiz Augusto von Dentz [Wed, 9 Mar 2022 02:04:41 +0000 (18:04 -0800)]
test-runner: Update help information

This updates usage so it lists -l/--emulator properly:

test-runner - Automated test execution utility
Usage:
test-runner [options] [--] <command> [args]
Options:
-a, --auto             Find tests and run them
-d, --dbus             Start D-Bus daemon
-m, --monitor          Start btmon
-l, --emulator         Start btvirt
-u, --unix [path]      Provide serial device
-q, --qemu <path>      QEMU binary
-k, --kernel <image>   Kernel image (bzImage)
-h, --help             Show help options

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago test-runner: Fix -l/--emulator
Luiz Augusto von Dentz [Wed, 9 Mar 2022 02:00:49 +0000 (18:00 -0800)]
test-runner: Fix -l/--emulator

This fixes -l/--emulator not being able to start depending on what parameters
are given as it was not setting the directory properly.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago btdev: Fix response to LE Set Extended Advertising Parameters
Luiz Augusto von Dentz [Wed, 9 Mar 2022 01:58:40 +0000 (17:58 -0800)]
btdev: Fix response to LE Set Extended Advertising Parameters

The response should contain both the status and TX Power regardless of
whether the command succeeds or not.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago audio: Fix crash in a2dp_discover
Yun-Hao Chung [Tue, 8 Mar 2022 09:43:48 +0000 (17:43 +0800)]
audio: Fix crash in a2dp_discover

Sample stack trace:
0x0000567c394e4c6b (bluetoothd - a2dp.c: 270) setup_cb_free
0x0000567c394e4a94 (bluetoothd - a2dp.c: 2884) a2dp_discover
0x0000567c394e3c03 (bluetoothd - sink.c: 275) sink_setup_stream
0x0000567c394e3d4f (bluetoothd - sink.c: 299) sink_connect
0x0000567c39535183 (bluetoothd - service.c: 294) btd_service_connect
0x0000567c39539f68 (bluetoothd - device.c: 2006) connect_next
0x0000567c3954086d (bluetoothd - device.c: 2060) service_state_changed
0x0000567c39534efb (bluetoothd - service.c: 111) change_state
0x0000567c3953559c (bluetoothd - service.c: 0)
btd_service_connecting_complete
0x0000567c39534a5c (bluetoothd - profile.c: 1641) record_cb
0x0000567c395197cd (bluetoothd - sdp-client.c: 298) connect_watch
0x00007b14bc8034f6 (libglib-2.0.so.0 - gmain.c: 3337)
g_main_context_dispatch
0x00007b14bc803801 (libglib-2.0.so.0 - gmain.c: 4131)
g_main_context_iterate
0x00007b14bc803a7d (libglib-2.0.so.0 - gmain.c: 4329) g_main_loop_run
0x0000567c39566af1 (bluetoothd - mainloop-glib.c: 79) mainloop_run
0x0000567c39566ddb (bluetoothd - mainloop-notify.c: 201)
mainloop_run_with_signal
0x0000567c3954bf4c (bluetoothd - main.c: 1222) main
0x00007b14bc579797 (libc.so.6 - libc-start.c: 332) __libc_start_main
0x0000567c394df449 (bluetoothd) _start
0x00007ffd70145737

This could be triggered from a2dp_discover -> avdtp_discover ->
send_request -> send_req -> l2cap_connect (return error) ->
avdtp_set_state (to disconnect state)-> channel_remove -> channel_free
-> finalize_setup_errno (discover cb is freed) -> error handling all
the way back to a2dp_discover -> a2dp_discover (discover cb is freed
again, crashed!).

The fix is to attach cb with setup after avdtp_discover success.

Suggested-by: luiz.dentz@gmail.com
Reviewed-by: Archie Pusaka <apusaka@chromium.org>
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
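
The ownership problem described in "audio: Fix crash in a2dp_discover", as an added example that is not BlueZ code: a small model in which the callee's error path and the caller's error path both release the same callback. All names here (discover_cb, cb_release, finalize_setup, discover) are hypothetical stand-ins, and releases are counted instead of calling free() twice so the second release is observable rather than heap-corrupting.

```c
#include <stdio.h>
#include <stdlib.h>

struct discover_cb {
	int releases;            /* how many times the callback was released */
};

struct setup {
	struct discover_cb *cb;  /* callback attached to this setup, if any */
};

/* Stand-in for free(): counts releases so a second one can be seen. */
static void cb_release(struct discover_cb *cb)
{
	cb->releases++;
}

/* Teardown path (reached through channel removal in the commit message):
 * releases whatever callback is attached to the setup. */
static void finalize_setup(struct setup *s)
{
	if (s->cb) {
		cb_release(s->cb);
		s->cb = NULL;
	}
}

/* Model of the discover call: a failed connect tears the channel down,
 * which finalizes the setup, before the error is returned. */
static int discover(struct setup *s, int connect_fails)
{
	if (connect_fails) {
		finalize_setup(s);
		return -1;
	}
	return 0;
}

/* Order described in the crash: attach the callback, then discover. */
int releases_attach_before(int connect_fails)
{
	struct setup s = { NULL };
	struct discover_cb *cb = calloc(1, sizeof(*cb));
	int n;

	if (!cb)
		return -1;
	s.cb = cb;
	if (discover(&s, connect_fails) < 0)
		cb_release(cb);      /* caller's error handling: second release */
	else
		finalize_setup(&s);  /* normal completion releases once */
	n = cb->releases;
	free(cb);
	return n;
}

/* Order described in the fix: attach only after discover succeeds. */
int releases_attach_after(int connect_fails)
{
	struct setup s = { NULL };
	struct discover_cb *cb = calloc(1, sizeof(*cb));
	int n;

	if (!cb)
		return -1;
	if (discover(&s, connect_fails) < 0) {
		cb_release(cb);      /* never attached: the only release */
	} else {
		s.cb = cb;
		finalize_setup(&s);
	}
	n = cb->releases;
	free(cb);
	return n;
}

int main(void)
{
	printf("attach before, connect fails: %d releases\n",
					releases_attach_before(1));
	printf("attach after, connect fails:  %d releases\n",
					releases_attach_after(1));
	return 0;
}
```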
14 months ago bthost: Add support for Create BIG
Luiz Augusto von Dentz [Sat, 5 Mar 2022 01:22:29 +0000 (17:22 -0800)]
bthost: Add support for Create BIG

This adds bthost_create_big

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago bthost: Add support for Periodic Advertising
Luiz Augusto von Dentz [Sat, 5 Mar 2022 01:22:28 +0000 (17:22 -0800)]
bthost: Add support for Periodic Advertising

This adds bthost_set_pa_params and bthost_set_pa_enable.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago bthost: Add support for BT_H4_ISO_PKT
Luiz Augusto von Dentz [Sat, 5 Mar 2022 01:22:27 +0000 (17:22 -0800)]
bthost: Add support for BT_H4_ISO_PKT

This adds sending and receiving BT_H4_ISO_PKT packets.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago btdev: Implements BT_HCI_CMD_LE_BIG_TERM_SYNC
Luiz Augusto von Dentz [Sat, 5 Mar 2022 01:22:26 +0000 (17:22 -0800)]
btdev: Implements BT_HCI_CMD_LE_BIG_TERM_SYNC

This sends BT_HCI_EVT_DISCONNECT_COMPLETE when handling
BT_HCI_CMD_LE_BIG_TERM_SYNC.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago btdev: Implements BT_HCI_CMD_LE_BIG_CREATE_SYNC
Luiz Augusto von Dentz [Sat, 5 Mar 2022 01:22:25 +0000 (17:22 -0800)]
btdev: Implements BT_HCI_CMD_LE_BIG_CREATE_SYNC

This sends BT_HCI_EVT_LE_BIG_SYNC_ESTABLISHED when handling
BT_HCI_CMD_LE_BIG_CREATE_SYNC.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago monitor: Rename Periodic Advertising terms to PA/pa
Luiz Augusto von Dentz [Sat, 5 Mar 2022 01:22:24 +0000 (17:22 -0800)]
monitor: Rename Periodic Advertising terms to PA/pa

This renames the use of Periodic Advertising in the API to just PA.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago btdev: Send BT_HCI_EVT_LE_PER_SYNC_ESTABLISHED if remote start pa
Luiz Augusto von Dentz [Sat, 5 Mar 2022 01:22:23 +0000 (17:22 -0800)]
btdev: Send BT_HCI_EVT_LE_PER_SYNC_ESTABLISHED if remote start pa

This sends BT_HCI_EVT_LE_PER_SYNC_ESTABLISHED if the remote device starts
periodic advertising when BT_HCI_CMD_LE_PERIODIC_ADV_CREATE_SYNC is
pending.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago btdev: Send BT_HCI_EVT_LE_PER_SYNC_ESTABLISHED when scan is initiated
Luiz Augusto von Dentz [Sat, 5 Mar 2022 01:22:22 +0000 (17:22 -0800)]
btdev: Send BT_HCI_EVT_LE_PER_SYNC_ESTABLISHED when scan is initiated

This sends BT_HCI_EVT_LE_PER_SYNC_ESTABLISHED if scan is initiated
while BT_HCI_CMD_LE_PERIODIC_ADV_CREATE_SYNC is pending.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago btdev: Implement BT_HCI_CMD_LE_PERIODIC_ADV_TERM_SYNC
Luiz Augusto von Dentz [Sat, 5 Mar 2022 01:22:21 +0000 (17:22 -0800)]
btdev: Implement BT_HCI_CMD_LE_PERIODIC_ADV_TERM_SYNC

This adds implementation of BT_HCI_CMD_LE_PERIODIC_ADV_TERM_SYNC.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago btdev: Implement BT_HCI_CMD_LE_PERIODIC_ADV_CREATE_SYNC_CANCEL
Luiz Augusto von Dentz [Sat, 5 Mar 2022 01:22:20 +0000 (17:22 -0800)]
btdev: Implement BT_HCI_CMD_LE_PERIODIC_ADV_CREATE_SYNC_CANCEL

This adds implementation of
BT_HCI_CMD_LE_PERIODIC_ADV_CREATE_SYNC_CANCEL generating
BT_HCI_EVT_LE_PER_SYNC_ESTABLISHED if necessary.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago btdev: Implement BT_HCI_CMD_LE_PERIODIC_ADV_CREATE_SYNC
Luiz Augusto von Dentz [Sat, 5 Mar 2022 01:22:19 +0000 (17:22 -0800)]
btdev: Implement BT_HCI_CMD_LE_PERIODIC_ADV_CREATE_SYNC

This adds implementation of BT_HCI_CMD_LE_PERIODIC_ADV_CREATE_SYNC
generating BT_HCI_EVT_LE_PER_SYNC_ESTABLISHED and
BT_HCI_EVT_LE_PER_ADV_REPORT.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago monitor: Fix Create BIG PDU
Luiz Augusto von Dentz [Sat, 5 Mar 2022 01:22:18 +0000 (17:22 -0800)]
monitor: Fix Create BIG PDU

The PDU of Create BIG is actually fixed size as the num_bis is
related to the number of indexes to be connected and not the BIS
parameters.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago device: Fix writing out of bounds array
ihsinme [Tue, 1 Mar 2022 06:14:45 +0000 (06:14 +0000)]
device: Fix writing out of bounds array

%32s expects a buffer of at least 33 bytes; since it is a string it needs
to be NULL terminated.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
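
The sscanf issue behind "device: Limit width of fields in sscanf", "tools: Limit width of fields in sscanf" and "device: Fix writing out of bounds array", as an added example that is not BlueZ code: a bounded parse whose buffer is one byte larger than the field width, plus a %n check so that over-long input is rejected instead of silently truncated. The "<handle> <uuid>" record layout and the function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define UUID_HEX_LEN 32          /* 128-bit UUID written as 32 hex digits */

/*
 * Unsafe patterns (shown only as a comment, never executed):
 *
 *     char uuid[32];
 *     sscanf(line, "%s", uuid);     no width: copies until whitespace
 *     sscanf(line, "%32s", uuid);   width fits, terminator does not
 *
 * Both can write past the end of a stack buffer.
 */

/*
 * Parse "<handle-hex> <uuid>" (a constructed layout for this example).
 * Returns 0 on success, -1 on malformed or over-long input.
 */
int parse_attr_line(const char *line, unsigned int *handle,
					char uuid[UUID_HEX_LEN + 1])
{
	int consumed = 0;

	/* %32s stores at most 32 characters plus '\0': 33 bytes in total. */
	if (sscanf(line, "%4x %32s%n", handle, uuid, &consumed) != 2)
		return -1;

	/* A field width truncates silently; reject if anything is left. */
	if (line[consumed] != '\0' && line[consumed] != '\n')
		return -1;

	return 0;
}

/* Convenience wrapper: the parsed handle, or -1 if the line is rejected. */
long attr_handle(const char *line)
{
	unsigned int handle;
	char uuid[UUID_HEX_LEN + 1];

	if (parse_attr_line(line, &handle, uuid) < 0)
		return -1;

	return (long) handle;
}

int main(void)
{
	/* Constructed sample lines. */
	const char *ok = "0010 0000180000001000800000805f9b34fb\n";
	const char *too_long = "0010 0000180000001000800000805f9b34fb41414141";

	printf("well-formed line: %ld\n", attr_handle(ok));
	printf("over-long uuid:   %ld\n", attr_handle(too_long));
	return 0;
}
```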
14 months ago gatt: sanitize input at profile registration
Andreas Kemnade [Sat, 26 Feb 2022 10:08:36 +0000 (11:08 +0100)]
gatt: sanitize input at profile registration

Check whether type of UUIDs property of GattProfile1 object
is correct.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago client: Add support for scan <le/bredr>
Luiz Augusto von Dentz [Thu, 3 Mar 2022 00:30:11 +0000 (16:30 -0800)]
client: Add support for scan <le/bredr>

This adds support for entering the transport directly as a scan
argument rather than having to first set it via scan.transport.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago test-runner: Fix parsing of command line
Luiz Augusto von Dentz [Tue, 1 Mar 2022 23:26:14 +0000 (15:26 -0800)]
test-runner: Fix parsing of command line

Instead of parsing the command line, which can contain a shell script,
run using /bin/sh so it allows more complex command line to be tested:

sudo tools/test-runner -l -d -k <pathto/bzImage> --
'client/bluetoothctl power on && sleep 2 && client/bluetoothctl power
off'

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago shared/shell: Introduce bt_shell_exec
Luiz Augusto von Dentz [Mon, 28 Feb 2022 23:58:29 +0000 (15:58 -0800)]
shared/shell: Introduce bt_shell_exec

This introduces bt_shell_exec which can be used to inject commands into
a bt_shell without using stdin/user input.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago test-runner: Add option to start emulator
Luiz Augusto von Dentz [Mon, 28 Feb 2022 23:23:37 +0000 (15:23 -0800)]
test-runner: Add option to start emulator

This adds an option (-l/--emulator) to start btvirt before processing
the command which is convenient to run tools like bluetoothctl:

  sudo tools/test-runner -l -d -k <pathto/bzImage> --
  client/bluetoothctl power on

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago hog-lib: Fix not waiting for UHID_START
Luiz Augusto von Dentz [Fri, 25 Feb 2022 22:18:47 +0000 (14:18 -0800)]
hog-lib: Fix not waiting for UHID_START

With use of UHID_CREATE2 the code needs to wait for UHID_START in order
to know if the reports are numbered or not.

Fixes: https://github.com/bluez/bluez/issues/298
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago btproxy: Attempt to bind the next index
Luiz Augusto von Dentz [Fri, 25 Feb 2022 21:53:19 +0000 (13:53 -0800)]
btproxy: Attempt to bind the next index

If no specific index is given attempt to bind the next index if the
current one is already in use.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago neard: Fix reading State message
Nicolas Fella [Wed, 23 Feb 2022 21:56:17 +0000 (22:56 +0100)]
neard: Fix reading State message

dbus_message_iter_recurse only makes sense for container types, this is a string.

Fixes: https://github.com/bluez/bluez/issues/300
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago src/shared/util.h: include sys/types.h
Fabrice Fontaine [Thu, 24 Feb 2022 17:31:04 +0000 (18:31 +0100)]
src/shared/util.h: include sys/types.h

Include sys/types.h to avoid the following build failure on musl raised
since commit fb57ad9b9d107856e5f1c8135da04ffa2f7a11ac:

In file included from src/shared/queue.c:15:
./src/shared/util.h:106:1: error: unknown type name 'ssize_t';
did you mean 'size_t'?
  106 | ssize_t util_getrandom(void *buf, size_t buflen, unsigned int flags);
      | ^~~~~~~
      | size_t

Fixes:
 - http://autobuild.buildroot.org/results/83eaeb3863040645409f5787fdbdde79385c5257
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago error: Fix typo
Fabrice Delliaux [Sat, 12 Feb 2022 15:21:20 +0000 (16:21 +0100)]
error: Fix typo

s/suuported/supported

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago monitor: fix division by zero about conn->tx_pkt_med
Joseph Hwang [Wed, 16 Feb 2022 08:15:18 +0000 (16:15 +0800)]
monitor: fix division by zero about conn->tx_pkt_med

In a connection without outgoing traffic, conn->tx_num will remain 0.
In this case, conn->tx_pkt_med should be simply 0 without calculating
"conn->tx_bytes / conn->tx_num".

This was likely to happen, for example, when "btmon -w btsnoop.log"
was launched in the middle of a LE mouse connection, and a number of
incoming ACL Data RX were received as the mouse movements.  When
running "btmon -a btsnoop.log", it would encounter this error.

Reviewed-by: Alain Michaud <alainm@chromium.org>
Reviewed-by: Yun-Hao Chung <howardchung@chromium.org>
Reviewed-by: Shuo-Peng Liao <deanliao@chromium.org>
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago adapter-api: Document per-client discovery sessions
Bastien Nocera [Wed, 23 Feb 2022 09:00:59 +0000 (10:00 +0100)]
adapter-api: Document per-client discovery sessions

The fact that each client can start its own discovery wasn't clear from
the documentation and only becomes obvious when reading the sources.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago player: Fix Track being emitted with empty metadata
Luiz Augusto von Dentz [Tue, 15 Feb 2022 20:46:47 +0000 (12:46 -0800)]
player: Fix Track being emitted with empty metadata

This sometimes causes the Track to be scheduled while some metadata are
still pending, also don't remove the Duration from track when updating
its metadata since Duration is typically updated by player status rather
than metadata.

Fixes: https://github.com/bluez/bluez/issues/291
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago gobex: Fix read from pointer after free
Tedd Ho-Jeong An [Fri, 18 Feb 2022 19:46:17 +0000 (11:46 -0800)]
gobex: Fix read from pointer after free

This patch sets the pointer to null after free since the g_free(p)
doesn't set the pointer to NULL.

This is reported by Coverity.

Fixes: 7e7d826aa1db ("gobex: Print error if data cannot be written")
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago Makefile.tools: remove duplicate link entry
Michael Nosthoff [Thu, 17 Feb 2022 09:56:48 +0000 (10:56 +0100)]
Makefile.tools: remove duplicate link entry

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago shared: Fix the incorrect type with bit shift
Tedd Ho-Jeong An [Thu, 17 Feb 2022 06:31:45 +0000 (22:31 -0800)]
shared: Fix the incorrect type with bit shift

This patch fixes the following runtime error:

$ sudo ./monitor/btmon -w test.btsnoop
  Bluetooth monitor ver 5.63
  src/shared/btsnoop.c:339:18: runtime error: left shift of 65535 by 16 places cannot be represented in type 'int'

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago main.conf: Fix parsing of mode options
Luiz Augusto von Dentz [Fri, 18 Feb 2022 02:10:50 +0000 (18:10 -0800)]
main.conf: Fix parsing of mode options

This replaces the use of g_key_file_get_integer, which is limited to
only decimal values, with g_key_file_get_string and then uses strtol to
convert the string value to integer.

Fixes: https://github.com/bluez/bluez/issues/293
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
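
An added example, not BlueZ code: one way to convert a configuration string with strtol so that decimal and hex spellings are both accepted and malformed or out-of-range input is rejected. The helper name `parse_int_option`, the range limits and the sample values are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical helper (not from BlueZ): convert a configuration string to
 * an int within [min, max]. Base 0 lets strtol accept decimal ("16"),
 * hex ("0x10") and octal ("020") spellings.
 */
static bool parse_int_option(const char *str, int min, int max, int *out)
{
	char *end = NULL;
	long val;

	if (!str || !out || *str == '\0')
		return false;

	errno = 0;
	val = strtol(str, &end, 0);

	/* No digits consumed at all, e.g. "abc" or whitespace only */
	if (end == str)
		return false;

	/* Value does not fit in a long */
	if (errno == ERANGE)
		return false;

	/* Only trailing whitespace may follow the number ("12junk" fails) */
	while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
		end++;
	if (*end != '\0')
		return false;

	/* Enforce the range the option actually allows */
	if (val < min || val > max)
		return false;

	*out = (int) val;
	return true;
}

int main(void)
{
	/* Constructed sample values, not taken from a real main.conf */
	static const char *samples[] = {
		"2", "0x02", "0x1F", "12junk", "", "0x", "256", "-1",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int v = 0;

		if (parse_int_option(samples[i], 0, 255, &v))
			printf("\"%s\" -> %d\n", samples[i], v);
		else
			printf("\"%s\" -> rejected\n", samples[i]);
	}

	return 0;
}
```
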
14 months ago adapter: Fix allowing multiple adapters with the same address
Luiz Augusto von Dentz [Fri, 11 Feb 2022 22:00:51 +0000 (14:00 -0800)]
adapter: Fix allowing multiple adapters with the same address

The bdaddr of an adapter is used for its unique storage path so having
multiple adapters with the same address would likely cause problems
with its storage as they would be shared.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago main.conf: Introduce MaxControllers
Luiz Augusto von Dentz [Fri, 11 Feb 2022 21:48:46 +0000 (13:48 -0800)]
main.conf: Introduce MaxControllers

This introduces MaxControllers which can be used to limit the number of
adapters exposed in the system.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago adapter: battery provider for non-LE controllers
Daniel Trnka [Sat, 12 Feb 2022 08:45:42 +0000 (09:45 +0100)]
adapter: battery provider for non-LE controllers

Enable battery provider dbus interface BatteryProviderManager1 for
non-LE controllers, so external clients like pipewire can provide
battery information for bluetooth headsets on non-LE controllers.

Reviewed-by: Sonny Sasaka <sonnysasaka@chromium.org>
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago build: Fix errors with glibc < 2.25
Fabrice Fontaine [Mon, 14 Feb 2022 20:17:39 +0000 (21:17 +0100)]
build: Fix errors with glibc < 2.25

getrandom and sys/random.h are only available since glibc 2.25:
https://www.gnu.org/software/gnulib/manual/html_node/sys_002frandom_002eh.html
resulting in the following build failures since version 5.63 and
https://git.kernel.org/pub/scm/bluetooth/bluez.git/log/?qt=grep&q=getrandom:

plugins/autopair.c:20:24: fatal error: sys/random.h: No such file or directory
 #include <sys/random.h>
                        ^

To fix this build failure, add util_getrandom and a fallback (borrowed
from pipewire and licensed under MIT):
https://gitlab.freedesktop.org/pipewire/pipewire/-/blob/master/src/pipewire/utils.c

Fixes:
 - http://autobuild.buildroot.org/results/6b8870d12e0804d6154230a7322c49416c1dc0e2
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago lib: fix hci_strtolm crash
Yun-Hao Chung [Mon, 14 Feb 2022 09:13:43 +0000 (17:13 +0800)]
lib: fix hci_strtolm crash

|str| can be NULL in the case of reading lm value. Calling strcasestr
could lead to a crash.

Reviewed-by: Archie Pusaka <apusaka@chromium.org>
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago rfcomm-tester: Increase amount of data from 8k to 32k
Luiz Augusto von Dentz [Tue, 15 Feb 2022 01:47:13 +0000 (17:47 -0800)]
rfcomm-tester: Increase amount of data from 8k to 32k

This forces the behavior where not all data can be written at once so it
is able to reproduce the from [1].

[1]https://bugzilla.kernel.org/show_bug.cgi?id=215594

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago gobex: Print error if data cannot be written
Luiz Augusto von Dentz [Mon, 14 Feb 2022 23:40:40 +0000 (15:40 -0800)]
gobex: Print error if data cannot be written

This makes sure that if the data cannot be written it fails and the
error is properly printed.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago obexctl: Add optional argument channel to connect command
Luiz Augusto von Dentz [Mon, 14 Feb 2022 18:29:21 +0000 (10:29 -0800)]
obexctl: Add optional argument channel to connect command

This adds a third argument to connect command so a channel can be passed
to CreateSession which is useful since it is possible to force a specific
RFCOMM channel.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago profiles: Fix the reusing gerror without re-initialization
Tedd Ho-Jeong An [Fri, 11 Feb 2022 02:00:54 +0000 (18:00 -0800)]
profiles: Fix the reusing gerror without re-initialization

When the GError variable is freed with g_error_free(), it is not set to
NULL and reusing the same variable again can cause the seg_fault because
it is still pointing to the old memory address which is freed.

This patch replaces the g_error_free() with g_clear_error() which frees the
variable and sets it to NULL if the variable is used in the function
again.

Fixes: 4ad622d592ba5 ("profiles/a2dp: Fix unchecked return value")
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago device: Fix the reusing gerror without re-initialization
Tedd Ho-Jeong An [Fri, 11 Feb 2022 02:00:53 +0000 (18:00 -0800)]
device: Fix the reusing gerror without re-initialization

When the GError variable is freed with g_error_free(), it is not set to
NULL and reusing the same variable again can cause the seg_fault because
it is still pointing to the old memory address which is freed.

This patch replaces the g_error_free() with g_clear_error() which frees the
variable and sets it to NULL if the variable is used in the function
again.

Fixes: 6a154cd08000b ("device: Fix unchecked return value")
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago adapter: Fix the reusing gerror without re-initialization
Tedd Ho-Jeong An [Fri, 11 Feb 2022 02:00:52 +0000 (18:00 -0800)]
adapter: Fix the reusing gerror without re-initialization

When the GError variable is freed with g_error_free(), it is not set to
NULL and reusing the same variable again can cause the seg_fault because
it is still pointing to the old memory address which is freed.

This patch replaces the g_error_free() with g_clear_error() which frees the
variable and sets it to NULL if the variable is used in the function
again.

Fixes: 2287c517ca1bd ("adapter: Fix unchecked return value")
Fixes: https://github.com/bluez/bluez/issues/276
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago device: Fix crash when removing device
Luiz Augusto von Dentz [Thu, 10 Feb 2022 22:11:42 +0000 (14:11 -0800)]
device: Fix crash when removing device

Calling btd_adapter_remove_device from device_remove_connection can
cause a crash, so instead of removing it immediately this sets the
temporary timeout to 0.

Fixes: https://github.com/bluez/bluez/issues/290
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago monitor/sdp: Fixes out-of-bounds array access
Tedd Ho-Jeong An [Thu, 10 Feb 2022 06:09:17 +0000 (22:09 -0800)]
monitor/sdp: Fixes out-of-bounds array access

This patch fixes the out-of-bounds array access caught by the ASAN.

monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type
'cont_data [8]'
=================================================================
==4180==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978
WRITE of size 9 at 0x7fe2d271a542 thread T0
    #0 0x7fe2d174a57c  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
    #1 0x7fe2d23bae85 in search_attr_rsp monitor/sdp.c:692
    #2 0x7fe2d23be3f1 in sdp_packet monitor/sdp.c:771
    #3 0x7fe2d23b004c in l2cap_frame monitor/l2cap.c:3247
    #4 0x7fe2d23b3d9c in l2cap_packet monitor/l2cap.c:3312
    #5 0x7fe2d237d5c3 in packet_hci_acldata monitor/packet.c:11638
    #6 0x7fe2d2381876 in packet_monitor monitor/packet.c:3967
    #7 0x7fe2d230b285 in data_callback monitor/control.c:973
    #8 0x7fe2d2447029 in mainloop_run src/shared/mainloop.c:106
    #9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
    #10 0x7fe2d230324a in main monitor/main.c:290
    #11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)

0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list'
defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384
0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list'
defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow
(/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
...
==4180==ABORTING

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago uuid: Fix crashing if a NULL string is passed to bt_string_to_uuid
Luiz Augusto von Dentz [Thu, 10 Feb 2022 00:03:45 +0000 (16:03 -0800)]
uuid: Fix crashing if a NULL string is passed to bt_string_to_uuid

bt_string_to_uuid shall check if the string is valid before attempting
to access its contents.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago adapter: Fix crash when storing link key
Luiz Augusto von Dentz [Wed, 9 Feb 2022 23:56:11 +0000 (15:56 -0800)]
adapter: Fix crash when storing link key

The following trace can be observed sometimes when pairing 2 emulator
instances:

 src/adapter.c:store_link_key() Unable to load key file from
 /var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No
such file or directory)
 GLib: g_file_set_contents: assertion 'error == NULL ||
*error == NULL' failed
 ++++++++ backtrace ++++++++
 #1  btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a]
 #2  g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6)
 [0x7f65ba3f955c]
 #3  g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6)
 [0x7f65ba3f9743]
 #4  g_file_set_contents+0x68
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68]
 #5  store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a]
 #6  new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904]
 #7  queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34]
 #8  can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f]
 #9  watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2]
 #10 g_main_context_dispatch+0x14e
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e]

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago rfcomm-tester: Add test to write big chunks of data
Luiz Augusto von Dentz [Wed, 9 Feb 2022 02:09:35 +0000 (18:09 -0800)]
rfcomm-tester: Add test to write big chunks of data

This attempts to test traffic similar to OBEX using big chunk of data.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago bthost: Increase number of credits
Luiz Augusto von Dentz [Wed, 9 Feb 2022 23:41:16 +0000 (15:41 -0800)]
bthost: Increase number of credits

This increases the number of credits so bigger packets can be sent by
the likes of rfcomm-tester.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago bthost: Fix length calculation for RFCOMM header
Luiz Augusto von Dentz [Wed, 9 Feb 2022 21:59:17 +0000 (13:59 -0800)]
bthost: Fix length calculation for RFCOMM header

This fixes the length calculation for large packets that require more
than 1 byte.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago bthost: Fix not handling ACL fragmentation
Luiz Augusto von Dentz [Wed, 9 Feb 2022 21:57:21 +0000 (13:57 -0800)]
bthost: Fix not handling ACL fragmentation

Large packets require the support of ACL fragmentation in order to be
properly processed.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago bootstrap-configure: Don't enable admin plugin by default
Luiz Augusto von Dentz [Wed, 9 Feb 2022 19:01:31 +0000 (11:01 -0800)]
bootstrap-configure: Don't enable admin plugin by default

Admin plugin doesn't work properly when there are multiple adapters in
the system.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago adv_monitor: Fix spamming errors
Luiz Augusto von Dentz [Tue, 8 Feb 2022 21:02:13 +0000 (13:02 -0800)]
adv_monitor: Fix spamming errors

If advertising manager is not enabled don't log any error on
btd_adapter_update_found_device, also change
btd_adv_monitor_offload_supported to btd_adv_monitor_offload_enabled
since that is checking if the feature has been enabled rather than it
just being supported.

Fixes: https://github.com/bluez/bluez/issues/286
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago gdbus: Emit InterfacesAdded of parents objects first
Luiz Augusto von Dentz [Fri, 4 Feb 2022 01:29:25 +0000 (17:29 -0800)]
gdbus: Emit InterfacesAdded of parents objects first

This makes InterfacesAdded respect the object hierarchy in case its
parent has pending interfaces to be added.

Fixes: https://github.com/bluez/bluez/issues/272
Fixes: https://github.com/bluez/bluez/issues/284
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1534857
Fixes: https://bugs.archlinux.org/task/57464
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago mesh: Skip unneeded logs
Michał Lowas-Rzechonek [Thu, 3 Feb 2022 14:38:00 +0000 (15:38 +0100)]
mesh: Skip unneeded logs

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago mesh: Make key_aid and net_key_id naming consistent
Michał Lowas-Rzechonek [Thu, 3 Feb 2022 14:38:49 +0000 (15:38 +0100)]
mesh: Make key_aid and net_key_id naming consistent

- key_aid refers to application key AID
- net_key_id refers to unique, internal id of the network key, used in
  net-keys.h

Also, remove unused mesh_frnd_pkt struct.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago mesh: Fix sequence number of message in friend queue
Brian Gix [Wed, 19 Jan 2022 15:44:11 +0000 (07:44 -0800)]
mesh: Fix sequence number of message in friend queue

As pointed out by https://github.com/bluez/bluez/issues/250, the last
segment of a multi-segmented message added to Friend Queue was getting
reset to the seqAuth value incorrectly. The correct sequence was set
within the preceding for loop.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago btdev: Fix response to BT_HCI_CMD_LE_REMOVE_CIG
Luiz Augusto von Dentz [Tue, 1 Feb 2022 00:35:17 +0000 (16:35 -0800)]
btdev: Fix response to BT_HCI_CMD_LE_REMOVE_CIG

BT_HCI_CMD_LE_REMOVE_CIG should respond with the CIG ID from the
command instead of always responding with 0x00.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago btdev: Fix command status of BT_HCI_CMD_LE_TERM_BIG
Luiz Augusto von Dentz [Mon, 31 Jan 2022 23:47:49 +0000 (15:47 -0800)]
btdev: Fix command status of BT_HCI_CMD_LE_TERM_BIG

The status was reporting BT_HCI_CMD_DISCONNECT instead of
BT_HCI_CMD_LE_TERM_BIG.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago monitor: Fix misaligment errors when parsing BIG/CIG events
Luiz Augusto von Dentz [Mon, 31 Jan 2022 23:00:30 +0000 (15:00 -0800)]
monitor: Fix misaligment errors when parsing BIG/CIG events

This fixes errors such as:

  monitor/packet.c:8129:2: runtime error: load of misaligned address
  0x55956a438f2d for type 'const uint16_t', which requires 2 byte
  alignment

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
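
An added example, not BlueZ code, covering the two UBSan findings quoted in this log: the "left shift of 65535 by 16 places" error in "shared: Fix the incorrect type with bit shift" and the misaligned `const uint16_t` load in the commit above. It shows byte-wise little-endian readers that are valid at any offset and a 16-bit pack that widens before shifting. All function names, the struct and the packet layout are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a little-endian 16-bit field at any alignment. Casting buf + 1 to
 * (const uint16_t *) and dereferencing it is undefined behaviour on an odd
 * address, which is what UBSan reports as a misaligned load. */
static uint16_t rd_le16(const uint8_t *p)
{
	return (uint16_t) (p[0] | ((uint16_t) p[1] << 8));
}

/* Widen each byte to uint32_t BEFORE shifting: a bare p[3] << 24 is
 * evaluated in int and overflows into the sign bit when p[3] >= 0x80. */
static uint32_t rd_le32(const uint8_t *p)
{
	return (uint32_t) p[0] | ((uint32_t) p[1] << 8) |
		((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* Combine two 16-bit values into 32 bits. With a plain "hi << 16" the
 * uint16_t operand is promoted to int, so 65535 << 16 cannot be
 * represented; the cast makes the shift happen in uint32_t. */
static uint32_t pack_u16_pair(uint16_t hi, uint16_t lo)
{
	return ((uint32_t) hi << 16) | lo;
}

/* Constructed layout: [0] subevent, [1..2] handle (LE16),
 * [3..6] interval (LE32). The 1-byte header puts every multi-byte field
 * at an odd offset. */
struct evt {
	uint8_t subevent;
	uint16_t handle;
	uint32_t interval;
};

/* Length-checked extraction; returns 0 on success, -1 on short input. */
static int parse_evt(const uint8_t *buf, size_t len, struct evt *out)
{
	if (!buf || !out || len < 7)
		return -1;

	out->subevent = buf[0];
	out->handle = rd_le16(buf + 1);
	out->interval = rd_le32(buf + 3);

	return 0;
}

int main(void)
{
	/* Constructed sample bytes, not a captured packet */
	static const uint8_t pkt[] = {
		0x19, 0x34, 0x12, 0x78, 0x56, 0x34, 0xf2
	};
	struct evt e;

	if (parse_evt(pkt, sizeof(pkt), &e) == 0)
		printf("subevent 0x%02x handle 0x%04x interval 0x%08x\n",
			(unsigned) e.subevent, (unsigned) e.handle,
			(unsigned) e.interval);

	printf("packed 0x%08x\n", (unsigned) pack_u16_pair(0xffff, 0x0002));

	return 0;
}
```
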
14 months ago build: Always define confdir and statedir
Bastien Nocera [Wed, 26 Jan 2022 11:36:35 +0000 (12:36 +0100)]
build: Always define confdir and statedir

As we will need those paths to lock down on them.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago adapter: Remove custom MGMT send/reply timeout
Luiz Augusto von Dentz [Mon, 24 Jan 2022 23:41:03 +0000 (15:41 -0800)]
adapter: Remove custom MGMT send/reply timeout

This removes the custom MGMT send/reply timeout since bt_mgmt itself
can handle them and it actually starts the timer only when the
command is actually sent to the kernel rather than when it is queued.

Fixes: https://github.com/bluez/bluez/issues/275
Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago shared/mgmt: Add request timeout handling
Luiz Augusto von Dentz [Mon, 24 Jan 2022 23:15:22 +0000 (15:15 -0800)]
shared/mgmt: Add request timeout handling

This adds request timeout handling when using mgmt_send_timeout and
mgmt_reply_timeout, the timeout is applied to the request only when it
is actually transmitted and not while queued.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago btdev: Add implementation for BT_HCI_CMD_LE_TERM_BIG
Luiz Augusto von Dentz [Wed, 26 Jan 2022 23:03:45 +0000 (15:03 -0800)]
btdev: Add implementation for BT_HCI_CMD_LE_TERM_BIG

This adds handler for BT_HCI_CMD_LE_TERM_BIG and generates
BT_HCI_EVT_LE_BIG_TERMINATE to indicate to the host stack that the
BIG has been terminated.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago gatt: Make use of gatt_db_attribute_notify
Luiz Augusto von Dentz [Fri, 21 Jan 2022 20:52:14 +0000 (12:52 -0800)]
gatt: Make use of gatt_db_attribute_notify

This makes use of gatt_db_attribute_notify to send indications of
Service Changed.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago shared/gatt-db: Introduce gatt_db_attribute_notify
Luiz Augusto von Dentz [Fri, 21 Jan 2022 20:51:41 +0000 (12:51 -0800)]
shared/gatt-db: Introduce gatt_db_attribute_notify

This introduces gatt_db_attribute_notify which can be used to trigger a
notification using the callback set by gatt_db_ccc_register.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
14 months ago gatt: Make use of gatt_db_service_add_ccc
Luiz Augusto von Dentz [Thu, 20 Jan 2022 00:07:33 +0000 (16:07 -0800)]
gatt: Make use of gatt_db_service_add_ccc

This uses gatt_db_service_add_ccc and gatt_db_ccc_register so any ccc
registered with the use of the former gets proper state tracking.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>