[PATCH BlueZ v2 resend 0/6] fix errors found by SVACE static analyzer #1

[PATCH BlueZ v2 resend 0/6] fix errors found by SVACE static analyzer #1

[Roman Smirnov]

Several bug fixes.

Previous emails:
https://lore.kernel.org/linux-bluetooth/20240702085508.30513-1-r.smirnov@omp.ru/
https://lore.kernel.org/linux-bluetooth/20240702134106.102024-1-r.smirnov@omp.ru/
https://lore.kernel.org/linux-bluetooth/20240704090756.31351-1-r.smirnov@omp.ru/
https://lore.kernel.org/linux-bluetooth/20240704104928.43336-1-r.smirnov@omp.ru/

Roman Smirnov (6):
  gatt: add return value check of io_get_fd() to sock_io_send()
  shared/vcp: add NULL checks to foreach_aics_service()
  client/player: add error code handling to transport_recv()
  shared/vcp: prevent dereferencing of NULL pointers
  client/player: fix the order of args in cmd_register_endpoint()
  shared/gatt-client: add NULL check to discover_secondary_cb()

 client/player.c          | 10 ++++++++--
 src/gatt-database.c      |  9 ++++++++-
 src/shared/gatt-client.c |  4 +++-
 src/shared/vcp.c         | 23 +++++++----------------
 4 files changed, 26 insertions(+), 20 deletions(-)

-- 
2.43.0

[PATCH BlueZ v2 resend 1/6] gatt: add return value check of io_get_fd() to sock_io_send()

[Roman Smirnov]

It is necessary to add a return value check.

Found with the SVACE static analysis tool.
---
 src/gatt-database.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/gatt-database.c b/src/gatt-database.c
index 8472aac59..6c84b085c 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -2630,6 +2630,7 @@ static int sock_io_send(struct io *io, const void *data, size_t len)
 {
 	struct msghdr msg;
 	struct iovec iov;
+	int fd;
 
 	iov.iov_base = (void *) data;
 	iov.iov_len = len;
@@ -2638,7 +2639,13 @@ static int sock_io_send(struct io *io, const void *data, size_t len)
 	msg.msg_iov = &iov;
 	msg.msg_iovlen = 1;
 
-	return sendmsg(io_get_fd(io), &msg, MSG_NOSIGNAL);
+	fd = io_get_fd(io);
+	if (fd < 0) {
+		error("io_get_fd() returned %d\n", fd);
+		return fd;
+	}
+
+	return sendmsg(fd, &msg, MSG_NOSIGNAL);
 }
 
 static void att_disconnect_cb(int err, void *user_data)
-- 
2.43.0

[PATCH BlueZ v2 resend 2/6] shared/vcp: add NULL checks to foreach_aics_service()

[Roman Smirnov]

Make foreach_aics_service() safe for passing NULL pointers.

Found with the SVACE static analysis tool.
---
 src/shared/vcp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/shared/vcp.c b/src/shared/vcp.c
index 602d46dc1..43ef1d186 100644
--- a/src/shared/vcp.c
+++ b/src/shared/vcp.c
@@ -2729,6 +2729,9 @@ static void foreach_aics_service(struct gatt_db_attribute *attr,
 	struct bt_vcp *vcp = user_data;
 	struct bt_aics *aics = vcp_get_aics(vcp);
 
+	if (!aics || !attr)
+		return;
+
 	aics->service = attr;
 
 	gatt_db_service_set_claimed(attr, true);
-- 
2.43.0

[PATCH BlueZ v2 resend 3/6] client/player: add error code handling to transport_recv()

[Roman Smirnov]

It is necessary to add return value check as in sock_send().

Found with the SVACE static analysis tool.
---
 client/player.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/client/player.c b/client/player.c
index 584fc5e81..de4491b53 100644
--- a/client/player.c
+++ b/client/player.c
@@ -4514,7 +4514,13 @@ static bool transport_recv(struct io *io, void *user_data)
 	uint8_t buf[1024];
 	int ret, len;
 
-	ret = read(io_get_fd(io), buf, sizeof(buf));
+	ret = io_get_fd(io);
+	if (ret < 0) {
+		bt_shell_printf("io_get_fd() returned %d\n", ret);
+		return true;
+	}
+
+	ret = read(ret, buf, sizeof(buf));
 	if (ret < 0) {
 		bt_shell_printf("Failed to read: %s (%d)\n", strerror(errno),
 								-errno);
-- 
2.43.0

[PATCH BlueZ v2 resend 4/6] shared/vcp: prevent dereferencing of NULL pointers

[Roman Smirnov]

util_memdup() will terminate the program if memory
allocation fails.

Found with the SVACE static analysis tool.
---
 src/shared/vcp.c | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)

diff --git a/src/shared/vcp.c b/src/shared/vcp.c
index 43ef1d186..cfc426624 100644
--- a/src/shared/vcp.c
+++ b/src/shared/vcp.c
@@ -2139,14 +2139,8 @@ static void read_vocs_audio_descriptor(struct bt_vcp *vcp, bool success,
 		return;
 	}
 
-	vocs_ao_dec_r = malloc(length+1);
-	memset(vocs_ao_dec_r, 0, length+1);
-	memcpy(vocs_ao_dec_r, value, length);
-
-	if (!vocs_ao_dec_r) {
-		DBG(vcp, "Unable to get VOCS Audio Descriptor");
-		return;
-	}
+	vocs_ao_dec_r = util_memdup(value, length + 1);
+	memset(vocs_ao_dec_r + length, 0, 1);
 
 	DBG(vcp, "VOCS Audio Descriptor: %s", vocs_ao_dec_r);
 	free(vocs_ao_dec_r);
@@ -2543,14 +2537,8 @@ static void read_aics_audio_ip_description(struct bt_vcp *vcp, bool success,
 		return;
 	}
 
-	ip_descrptn = malloc(length+1);
-	memset(ip_descrptn, 0, length+1);
-	memcpy(ip_descrptn, value, length);
-
-	if (!ip_descrptn) {
-		DBG(vcp, "Unable to get Audio Input Description");
-		return;
-	}
+	ip_descrptn = util_memdup(value, length + 1);
+	memset(ip_descrptn + length, 0, 1);
 
 	DBG(vcp, "Audio Input Description: %s", ip_descrptn);
 	free(ip_descrptn);
-- 
2.43.0

[PATCH BlueZ v2 resend 5/6] client/player: fix the order of args in cmd_register_endpoint()

[Roman Smirnov]

Based on the function prototype, ep->cid and ep->vid should be swapped.

Found with the SVACE static analysis tool.
---
 client/player.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client/player.c b/client/player.c
index de4491b53..2480ed64b 100644
--- a/client/player.c
+++ b/client/player.c
@@ -3388,7 +3388,7 @@ static void cmd_register_endpoint(int argc, char *argv[])
 
 	if (strrchr(argv[2], ':')) {
 		ep->codec = 0xff;
-		parse_vendor_codec(argv[2], &ep->cid, &ep->vid);
+		parse_vendor_codec(argv[2], &ep->vid, &ep->cid);
 		ep->preset = new0(struct preset, 1);
 		ep->preset->custom.name = strdup("custom");
 		ep->preset->default_preset = &ep->preset->custom;
-- 
2.43.0

[PATCH BlueZ v2 resend 6/6] shared/gatt-client: add NULL check to discover_secondary_cb()

[Roman Smirnov]

It is necessary to prevent dereferencing of a NULL pointer.

Found with the SVACE static analysis tool.
---
 src/shared/gatt-client.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c
index b48d739fc..9db3f5211 100644
--- a/src/shared/gatt-client.c
+++ b/src/shared/gatt-client.c
@@ -1276,7 +1276,9 @@ next:
 
 	range = queue_peek_head(op->discov_ranges);
 
-	client->discovery_req = bt_gatt_discover_included_services(client->att,
+	if (range)
+		client->discovery_req = bt_gatt_discover_included_services(
+							client->att,
 							range->start,
 							range->end,
 							discover_incl_cb,
-- 
2.43.0

Re: [PATCH BlueZ v2 resend 0/6] fix errors found by SVACE static analyzer #1

[patchwork-bot+bluetooth]

Hello:

This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed, 10 Jul 2024 14:31:43 +0300 you wrote:
> Several bug fixes.
> 
> Previous emails:
> https://lore.kernel.org/linux-bluetooth/20240702085508.30513-1-r.smirnov@omp.ru/
> https://lore.kernel.org/linux-bluetooth/20240702134106.102024-1-r.smirnov@omp.ru/
> https://lore.kernel.org/linux-bluetooth/20240704090756.31351-1-r.smirnov@omp.ru/
> https://lore.kernel.org/linux-bluetooth/20240704104928.43336-1-r.smirnov@omp.ru/
> 
> [...]

Here is the summary with links:
  - [BlueZ,v2,resend,1/6] gatt: add return value check of io_get_fd() to sock_io_send()
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=e56fc72fc667
  - [BlueZ,v2,resend,2/6] shared/vcp: add NULL checks to foreach_aics_service()
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=ba70a116d971
  - [BlueZ,v2,resend,3/6] client/player: add error code handling to transport_recv()
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=12525371ef08
  - [BlueZ,v2,resend,4/6] shared/vcp: prevent dereferencing of NULL pointers
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=7ffc08dd78d6
  - [BlueZ,v2,resend,5/6] client/player: fix the order of args in cmd_register_endpoint()
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=cf3d80a01f1f
  - [BlueZ,v2,resend,6/6] shared/gatt-client: add NULL check to discover_secondary_cb()
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=7a45038dc1e5

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

RE: fix errors found by SVACE static analyzer #1

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 4876 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=870085

---Test result---

Test Summary:
CheckPatch                    PASS      1.72 seconds
GitLint                       FAIL      1.62 seconds
BuildEll                      PASS      24.86 seconds
BluezMake                     PASS      1676.91 seconds
MakeCheck                     PASS      13.44 seconds
MakeDistcheck                 PASS      177.44 seconds
CheckValgrind                 PASS      252.49 seconds
CheckSmatch                   PASS      354.53 seconds
bluezmakeextell               PASS      119.97 seconds
IncrementalBuild              PASS      9386.66 seconds
ScanBuild                     WARNING   1001.44 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[BlueZ,v2,resend,1/6] gatt: add return value check of io_get_fd() to sock_io_send()

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
1: T1 Title exceeds max length (83>80): "[BlueZ,v2,resend,1/6] gatt: add return value check of io_get_fd() to sock_io_send()"
[BlueZ,v2,resend,5/6] client/player: fix the order of args in cmd_register_endpoint()

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
1: T1 Title exceeds max length (85>80): "[BlueZ,v2,resend,5/6] client/player: fix the order of args in cmd_register_endpoint()"
[BlueZ,v2,resend,6/6] shared/gatt-client: add NULL check to discover_secondary_cb()

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
1: T1 Title exceeds max length (83>80): "[BlueZ,v2,resend,6/6] shared/gatt-client: add NULL check to discover_secondary_cb()"
##############################
Test: ScanBuild - WARNING
Desc: Run Scan Build
Output:
src/shared/gatt-client.c:451:21: warning: Use of memory after it is freed
        gatt_db_unregister(op->client->db, op->db_id);
                           ^~~~~~~~~~
src/shared/gatt-client.c:696:2: warning: Use of memory after it is freed
        discovery_op_complete(op, false, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:996:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1102:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1296:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1361:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1636:6: warning: Use of memory after it is freed
        if (read_db_hash(op)) {
            ^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1641:2: warning: Use of memory after it is freed
        discover_all(op);
        ^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2145:6: warning: Use of memory after it is freed
        if (read_db_hash(op)) {
            ^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2153:8: warning: Use of memory after it is freed
                                                        discovery_op_ref(op),
                                                        ^~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3242:2: warning: Use of memory after it is freed
        complete_write_long_op(req, success, 0, false);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3264:2: warning: Use of memory after it is freed
        request_unref(req);
        ^~~~~~~~~~~~~~~~~~
12 warnings generated.



---
Regards,
Linux Bluetooth