* [PATCH BlueZ 01/15] AVRCP: Fix crash when registering unsupported notification
From: Luiz Augusto von Dentz @ 2013-06-10 10:36 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Reject the command if the requested notification event is not supported;
otherwise this can cause crashes.
---
 profiles/audio/avrcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 4558407..5bddd08 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -1355,7 +1355,7 @@ static uint8_t avrcp_handle_register_notification(struct avrcp *session,
 	 * one is applicable only for EVENT_PLAYBACK_POS_CHANGED. See AVRCP
 	 * 1.3 spec, section 5.4.2.
 	 */
-	if (len != 5)
+	if (len != 5 || !(session->supported_events & (1 << pdu->params[0])))
 		goto err;
 
 	switch (pdu->params[0]) {
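Review bot: The added test shifts by `pdu->params[0]`, a byte supplied by the peer, so an event id of 32 or more makes `1 << pdu->params[0]` undefined behaviour (shift count not less than the width of int); on targets that simply mask the shift count, an id such as 0x21 would be checked as if it were 0x01 and accepted. Bound the id before using it as a bit index: `if (len != 5 || pdu->params[0] > AVRCP_EVENT_LAST || !(session->supported_events & (1 << pdu->params[0])))`. AVRCP_EVENT_LAST is the same bound the GetCapabilities loop uses later in this series. avrcp_handle_register_notification starts before the hunk and its switch continues after it.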
-- 
1.8.1.4



* [PATCH BlueZ 02/15] AVCTP: Fix coding style
From: Luiz Augusto von Dentz @ 2013-06-10 10:36 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Fix unnecessary extra tabs
---
 profiles/audio/avctp.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/profiles/audio/avctp.c b/profiles/audio/avctp.c
index 314dbfb..46c5485 100644
--- a/profiles/audio/avctp.c
+++ b/profiles/audio/avctp.c
@@ -812,9 +812,8 @@ static void browsing_response(struct avctp_channel *browsing,
 		if (p->transaction != avctp->transaction)
 			continue;
 
-		if (req->func && req->func(browsing->session,
-						operands, operand_count,
-						req->user_data))
+		if (req->func && req->func(browsing->session, operands,
+						operand_count, req->user_data))
 			return;
 
 		browsing->processed = g_slist_remove(browsing->processed, p);
-- 
1.8.1.4



* [PATCH BlueZ 03/15] AVCTP: Call callback in case the request timeout
From: Luiz Augusto von Dentz @ 2013-06-10 10:36 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

---
 profiles/audio/avctp.c | 19 +++++++++++++++++++
 profiles/audio/avrcp.c | 29 +++++++++++++++++++++--------
 2 files changed, 40 insertions(+), 8 deletions(-)

diff --git a/profiles/audio/avctp.c b/profiles/audio/avctp.c
index 46c5485..a4d0153 100644
--- a/profiles/audio/avctp.c
+++ b/profiles/audio/avctp.c
@@ -155,6 +155,7 @@ struct avctp_pending_req {
 	struct avctp_channel *chan;
 	uint8_t transaction;
 	guint timeout;
+	int err;
 	avctp_process_cb process;
 	void *data;
 	GDestroyNotify destroy;
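Review bot: `err` is read by the request destroy callbacks added below, but the only writer visible in this patch is req_timeout; whether the allocation of struct avctp_pending_req zero-initialises the field is outside the hunk, and if it is a plain g_new/g_malloc the destroy callbacks would read an indeterminate value and could report a rejection for a request that completed normally. Worth confirming the allocation site uses g_new0, or setting `p->err = 0` explicitly where `p->timeout` is initialised. A one-line comment, `/* negative errno when the request failed (e.g. -ETIMEDOUT), 0 otherwise */`, would also document the contract. The struct definition starts before the hunk.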
@@ -658,7 +659,16 @@ static int avctp_browsing_send(struct avctp_channel *browsing,
 static void control_req_destroy(void *data)
 {
 	struct avctp_control_req *req = data;
+	struct avctp_pending_req *p = req->p;
+	struct avctp *session = p->chan->session;
+
+	if (p->err == 0 || req->func == NULL)
+		goto done;
 
+	req->func(session, AVC_CTYPE_REJECTED, req->subunit, NULL, 0,
+							req->user_data);
+
+done:
 	g_free(req->operands);
 	g_free(req);
 }
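Review bot: Response callbacks are now invoked with `operands == NULL` and `operand_count == 0` on the failure path, which is a contract change for every callback registered through avctp_send_vendordep_req, not only the ones patched in avrcp.c by this same commit; any callback that dereferences operands before looking at the ctype will crash on a timeout. Record the new contract in control_req_destroy, e.g. `/* Failed request (p->err set): tell the caller with a REJECTED ctype and no operands */`, and at the callback typedef, which is outside this hunk. The callback also runs from inside the destroy path, so it must not assume the pending request is still queued.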
@@ -666,7 +676,15 @@ static void control_req_destroy(void *data)
 static void browsing_req_destroy(void *data)
 {
 	struct avctp_browsing_req *req = data;
+	struct avctp_pending_req *p = req->p;
+	struct avctp *session = p->chan->session;
+
+	if (p->err == 0 || req->func == NULL)
+		goto done;
 
+	req->func(session, NULL, 0, req->user_data);
+
+done:
 	g_free(req->operands);
 	g_free(req);
 }
@@ -679,6 +697,7 @@ static gboolean req_timeout(gpointer user_data)
 	DBG("transaction %u", p->transaction);
 
 	p->timeout = 0;
+	p->err = -ETIMEDOUT;
 
 	pending_destroy(p, NULL);
 	chan->p = NULL;
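Review bot: `chan->p` is cleared only after pending_destroy(), and pending_destroy now (through p->err) invokes the caller's response callback; if that callback issues a new request on the same channel it would, as far as is visible here, still see `chan->p` pointing at the request being torn down. Clearing first, `chan->p = NULL;` then `pending_destroy(p, NULL);`, removes that window; whether process_queue checks chan->p is outside this hunk. req_timeout starts before the hunk and continues after it.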
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 5bddd08..491bb92 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -1723,7 +1723,8 @@ static gboolean avrcp_get_play_status_rsp(struct avctp *conn,
 	uint32_t position;
 	uint8_t status;
 
-	if (code == AVC_CTYPE_REJECTED || ntohs(pdu->params_len) != 9)
+	if (pdu == NULL || code == AVC_CTYPE_REJECTED ||
+						ntohs(pdu->params_len) != 9)
 		return FALSE;
 
 	memcpy(&duration, pdu->params, sizeof(uint32_t));
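Review bot: The length test still trusts the in-frame `params_len` rather than `operand_count`: a response that advertises 9 parameter bytes but carries fewer passes the check, and the memcpy on the last line reads past the received data. Whether an earlier operand_count check exists is not visible, since avrcp_get_play_status_rsp starts before the hunk. Adding the real bound to the condition, `operand_count < AVRCP_HEADER_LENGTH + 9 ||`, makes the copy safe whatever the header claims.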
@@ -1786,8 +1787,11 @@ static gboolean avrcp_player_value_rsp(struct avctp *conn,
 	int i;
 
 	if (code == AVC_CTYPE_REJECTED) {
-		media_player_set_setting(mp, "Error",
-					status_to_str(pdu->params[0]));
+		const char *msg;
+
+		msg = pdu != NULL ? status_to_str(pdu->params[0]) : "Timedout";
+
+		media_player_set_setting(mp, "Error", msg);
 		return FALSE;
 	}
 
@@ -2026,7 +2030,8 @@ static gboolean avrcp_set_browsed_player_rsp(struct avctp *conn,
 	uint8_t depth, count;
 	size_t i;
 
-	if (pdu->params[0] != AVRCP_STATUS_SUCCESS || operand_count < 13)
+	if (pdu == NULL || pdu->params[0] != AVRCP_STATUS_SUCCESS ||
+							operand_count < 13)
 		return FALSE;
 
 	player->uid_counter = bt_get_be16(&pdu->params[1]);
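Review bot: `pdu->params[0]` is read before `operand_count < 13` is evaluated, so the status byte is fetched from the frame before the code has established that the frame contains one. Put the length check first: `if (pdu == NULL || operand_count < 13 || pdu->params[0] != AVRCP_STATUS_SUCCESS)`. avrcp_set_browsed_player_rsp starts before the hunk and continues after it.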
@@ -2091,6 +2096,11 @@ static gboolean avrcp_get_item_attributes_rsp(struct avctp *conn,
 	struct avrcp_browsing_header *pdu = (void *) operands;
 	uint8_t count;
 
+	if (pdu == NULL) {
+		avrcp_get_element_attributes(session);
+		return FALSE;
+	}
+
 	if (pdu->params[0] != AVRCP_STATUS_SUCCESS || operand_count < 4) {
 		if (pdu->params[0] == AVRCP_STATUS_PLAYER_NOT_BROWSABLE)
 			avrcp_get_element_attributes(session);
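Review bot: As in the other browsing response handlers, `pdu->params[0]` is dereferenced before `operand_count < 4` is tested, and the inner `pdu->params[0] == AVRCP_STATUS_PLAYER_NOT_BROWSABLE` comparison reads it again even when the length test was the part that failed. Evaluate the length first, `if (operand_count < 4 || pdu->params[0] != AVRCP_STATUS_SUCCESS)`, so the status byte is only read when it was actually received. avrcp_get_item_attributes_rsp starts before the hunk and continues after it.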
@@ -2404,7 +2414,8 @@ static gboolean avrcp_get_media_player_list_rsp(struct avctp *conn,
 	size_t i;
 	GSList *removed;
 
-	if (pdu->params[0] != AVRCP_STATUS_SUCCESS || operand_count < 5)
+	if (pdu == NULL || pdu->params[0] != AVRCP_STATUS_SUCCESS ||
+							operand_count < 5)
 		return FALSE;
 
 	removed = g_slist_copy(session->players);
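Review bot: Same ordering issue as the neighbouring handlers: `pdu->params[0]` is read before `operand_count < 5` is checked. Swap the two tests, `if (pdu == NULL || operand_count < 5 || pdu->params[0] != AVRCP_STATUS_SUCCESS)`, so the status byte is only examined once the frame is known to hold it. avrcp_get_media_player_list_rsp starts before the hunk and continues after it.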
@@ -2570,7 +2581,8 @@ static gboolean avrcp_handle_event(struct avctp *conn,
 	struct avrcp_header *pdu = (void *) operands;
 	uint8_t event;
 
-	if (code != AVC_CTYPE_INTERIM && code != AVC_CTYPE_CHANGED)
+	if ((code != AVC_CTYPE_INTERIM && code != AVC_CTYPE_CHANGED) ||
+								pdu == NULL)
 		return FALSE;
 
 	event = pdu->params[0];
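Review bot: `event = pdu->params[0]` is read with no `operand_count` test in this hunk, and the per-event handling that follows (outside the hunk) will read further parameter bytes; if nothing earlier in avrcp_handle_event bounds operand_count, a short notification frame is parsed from whatever the receive buffer held. A check such as `operand_count < AVRCP_HEADER_LENGTH + 1` next to the new `pdu == NULL` test would close that. The function starts before the hunk and continues after it.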
@@ -2641,7 +2653,7 @@ static gboolean avrcp_get_capabilities_resp(struct avctp *conn,
 	uint16_t events = 0;
 	uint8_t count;
 
-	if (pdu->params[0] != CAP_EVENTS_SUPPORTED)
+	if (pdu == NULL || pdu->params[0] != CAP_EVENTS_SUPPORTED)
 		return FALSE;
 
 	count = pdu->params[1];
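Review bot: `pdu->params[0]` and `pdu->params[1]` are read without any `operand_count` check, and `count` is presumably the bound of a loop over the event ids that follows (outside the hunk); a truncated GetCapabilities response would then be parsed from bytes that were never received. Guard the header before reading it, `operand_count < AVRCP_HEADER_LENGTH + 2`, and check `count` against the remaining operand bytes before the loop. avrcp_get_capabilities_resp starts before the hunk and continues after it.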
@@ -3187,7 +3199,8 @@ static gboolean avrcp_handle_set_volume(struct avctp *conn,
 	struct avrcp_header *pdu = (void *) operands;
 	uint8_t volume;
 
-	if (code == AVC_CTYPE_REJECTED || code == AVC_CTYPE_NOT_IMPLEMENTED)
+	if (code == AVC_CTYPE_REJECTED || code == AVC_CTYPE_NOT_IMPLEMENTED ||
+								pdu == NULL)
 		return FALSE;
 
 	volume = pdu->params[0] & 0x7F;
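Review bot: `volume = pdu->params[0] & 0x7F` is still read without an `operand_count` check in this hunk; a SetAbsoluteVolume response carrying no parameter byte would take the value from whatever the receive buffer held. Extend the new condition: `pdu == NULL || operand_count < AVRCP_HEADER_LENGTH + 1`. avrcp_handle_set_volume starts before the hunk and continues after it.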
-- 
1.8.1.4



* [PATCH BlueZ 04/15] AVRCP: Fix crash while listing available settings in TG role
From: Luiz Augusto von Dentz @ 2013-06-10 10:36 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Invalid read of size 1
   at 0x41AFD0: attrval_to_val (avrcp.c:492)
   by 0x41B0E1: avrcp_handle_list_player_attributes (avrcp.c:931)
   by 0x41D606: handle_vendordep_pdu (avrcp.c:1620)
   by 0x4185F8: session_cb (avctp.c:985)
   by 0x3F31A47A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x3F31A47D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x3F31A48181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x40A2E5: main (main.c:595)
 Address 0x0 is not stack'd, malloc'd or (recently) free'd
---
 profiles/audio/avrcp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 491bb92..092639f 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -471,6 +471,9 @@ static int attrval_to_val(uint8_t attr, const char *value)
 {
 	int ret;
 
+	if (value == NULL)
+		return -EINVAL;
+
 	switch (attr) {
 	case AVRCP_ATTRIBUTE_EQUALIZER:
 		if (!strcmp(value, "off"))
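Review bot: Returning -EINVAL for a NULL value fixes the strcmp crash, but nothing here records why a NULL can arrive (the trace shows it coming through avrcp_handle_list_player_attributes) or whether the caller must treat that return as "attribute not set" rather than as a protocol error. A comment on the guard, `/* value is NULL when the player has no setting for this attribute; TODO confirm against callers */`, makes the contract explicit; the callers are outside the hunk, so whether they distinguish -EINVAL from the other negative returns is not visible.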
-- 
1.8.1.4



* [PATCH BlueZ 05/15] AVRCP: Add additional protocol discriptor list for Browsing channel
From: Luiz Augusto von Dentz @ 2013-06-10 10:37 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This is documented in the spec and is checked by PTS when testing the
browsing channel.
---
 profiles/audio/avrcp.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 092639f..e7ce9b5 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -240,13 +240,13 @@ static void avrcp_register_notification(struct avrcp *session, uint8_t event);
 
 static sdp_record_t *avrcp_ct_record(void)
 {
-	sdp_list_t *svclass_id, *pfseq, *apseq, *root;
+	sdp_list_t *svclass_id, *pfseq, *apseq, *apseq1, *root;
 	uuid_t root_uuid, l2cap, avctp, avrct;
 	sdp_profile_desc_t profile[1];
-	sdp_list_t *aproto, *proto[2];
+	sdp_list_t *aproto, *aproto1, *proto[2], *proto1[2];
 	sdp_record_t *record;
 	sdp_data_t *psm, *version, *features;
-	uint16_t lp = AVCTP_CONTROL_PSM;
+	uint16_t lp = AVCTP_CONTROL_PSM, ap = AVCTP_BROWSING_PSM;
 	uint16_t avrcp_ver = 0x0105, avctp_ver = 0x0103;
 	uint16_t feat = ( AVRCP_FEATURE_CATEGORY_1 |
 						AVRCP_FEATURE_CATEGORY_2 |
@@ -282,6 +282,21 @@ static sdp_record_t *avrcp_ct_record(void)
 	aproto = sdp_list_append(0, apseq);
 	sdp_set_access_protos(record, aproto);
 
+	/* Additional Protocol Descriptor List */
+	sdp_uuid16_create(&l2cap, L2CAP_UUID);
+	proto1[0] = sdp_list_append(0, &l2cap);
+	psm = sdp_data_alloc(SDP_UINT16, &ap);
+	proto1[0] = sdp_list_append(proto1[0], psm);
+	apseq1 = sdp_list_append(0, proto1[0]);
+
+	sdp_uuid16_create(&avctp, AVCTP_UUID);
+	proto1[1] = sdp_list_append(0, &avctp);
+	proto1[1] = sdp_list_append(proto1[1], version);
+	apseq1 = sdp_list_append(apseq1, proto1[1]);
+
+	aproto1 = sdp_list_append(0, apseq1);
+	sdp_set_add_access_protos(record, aproto1);
+
 	/* Bluetooth Profile Descriptor List */
 	sdp_uuid16_create(&profile[0].uuid, AV_REMOTE_PROFILE_ID);
 	profile[0].version = avrcp_ver;
@@ -298,6 +313,9 @@ static sdp_record_t *avrcp_ct_record(void)
 	sdp_list_free(proto[0], 0);
 	sdp_list_free(proto[1], 0);
 	sdp_list_free(apseq, 0);
+	sdp_list_free(proto1[0], 0);
+	sdp_list_free(proto1[1], 0);
+	sdp_list_free(apseq1, 0);
 	sdp_list_free(pfseq, 0);
 	sdp_list_free(aproto, 0);
 	sdp_list_free(root, 0);
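Review bot: `aproto1`, allocated with `sdp_list_append(0, apseq1)` on the new lines, is never released: the cleanup block frees `proto1[0]`, `proto1[1]` and `apseq1` but only the original `aproto`, so add `sdp_list_free(aproto1, 0);` next to `sdp_list_free(aproto, 0);`. The same `version` sdp_data_t is also appended to both the primary and the additional descriptor list; whether sdp_set_add_access_protos copies it or takes the pointer is outside this hunk, and if it takes the pointer the record would own it twice, so a second `sdp_data_alloc(SDP_UINT16, &avctp_ver)` is the safer choice. Reusing the local `psm` for the browsing PSM is fine only because the earlier value already lives in the record; a short comment saying so would help. avrcp_ct_record starts before the first hunk.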
-- 
1.8.1.4



* [PATCH BlueZ 06/15] AVRCP: Fix crash when current addressed player is removed
From: Luiz Augusto von Dentz @ 2013-06-10 10:37 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

In some stacks e.g. iOS the addressed player is removed before a new
player is set which leaves the session pointing to an invalid player.

Moreover there is a race where both GetFolderItems and
RegisterNotification are pending on browsing and control channel
respectively, if RegisterNotification completes before GetFolderItems it
might cause an unknown player id to be set which would be discarded.

To overcome the race the browsing channel now has higher priority for
both sending and receiving.
---
 profiles/audio/avctp.c | 15 ++++++++++-----
 profiles/audio/avrcp.c | 21 +++++++++++++++++++--
 2 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/profiles/audio/avctp.c b/profiles/audio/avctp.c
index a4d0153..33f344f 100644
--- a/profiles/audio/avctp.c
+++ b/profiles/audio/avctp.c
@@ -820,8 +820,10 @@ static void browsing_response(struct avctp_channel *browsing,
 		browsing->p = NULL;
 
 		if (browsing->process_id == 0)
-			browsing->process_id = g_idle_add(process_queue,
-								browsing);
+			browsing->process_id = g_idle_add_full(
+							G_PRIORITY_HIGH_IDLE,
+							process_queue,
+							browsing, NULL);
 	}
 
 	for (l = browsing->processed; l; l = l->next) {
@@ -1149,9 +1151,10 @@ static void avctp_connect_browsing_cb(GIOChannel *chan, GError *err,
 	session->browsing->imtu = imtu;
 	session->browsing->omtu = omtu;
 	session->browsing->buffer = g_malloc0(MAX(imtu, omtu));
-	session->browsing->watch = g_io_add_watch(session->browsing->io,
+	session->browsing->watch = g_io_add_watch_full(session->browsing->io,
+				G_PRIORITY_HIGH,
 				G_IO_IN | G_IO_ERR | G_IO_HUP | G_IO_NVAL,
-				(GIOFunc) session_browsing_cb, session);
+				(GIOFunc) session_browsing_cb, session, NULL);
 
 	avctp_set_state(session, AVCTP_STATE_BROWSING_CONNECTED);
 	return;
@@ -1566,7 +1569,9 @@ int avctp_send_browsing_req(struct avctp *session,
 	g_queue_push_tail(browsing->queue, p);
 
 	if (browsing->process_id == 0)
-		browsing->process_id = g_idle_add(process_queue, browsing);
+		browsing->process_id = g_idle_add_full(G_PRIORITY_HIGH_IDLE,
+							process_queue,
+							browsing, NULL);
 
 	return 0;
 }
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index e7ce9b5..66ab2b4 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -2424,6 +2424,20 @@ static void player_destroy(gpointer data)
 	g_free(player);
 }
 
+static void player_remove(gpointer data)
+{
+	struct avrcp_player *player = data;
+	GSList *l;
+
+	for (l = player->sessions; l; l = l->next) {
+		struct avrcp *session = l->data;
+
+		session->players = g_slist_remove(session->players, player);
+	}
+
+	player_destroy(player);
+}
+
 static gboolean avrcp_get_media_player_list_rsp(struct avctp *conn,
 						uint8_t *operands,
 						size_t operand_count,
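Review bot: player_remove unlinks the player from `session->players` for every session it belongs to, but the matching `session->player` pointer is only reset for the calling session (the `g_slist_find(removed, session->player)` check in the next hunk); any other session on `player->sessions` that still addresses this player keeps a dangling pointer after player_destroy. Resetting inside the loop, `if (session->player == player) session->player = NULL;`, covers all of them and makes the caller's check redundant. How many sessions a CT player can be shared between is not visible here, so this may be latent rather than reachable today.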
@@ -2469,7 +2483,10 @@ static gboolean avrcp_get_media_player_list_rsp(struct avctp *conn,
 		i += len;
 	}
 
-	g_slist_free_full(removed, player_destroy);
+	if (g_slist_find(removed, session->player))
+		session->player = NULL;
+
+	g_slist_free_full(removed, player_remove);
 
 	return FALSE;
 }
@@ -2570,7 +2587,7 @@ static void avrcp_addressed_player_changed(struct avrcp *session,
 	struct avrcp_player *player = session->player;
 	uint16_t id = bt_get_be16(&pdu->params[1]);
 
-	if (player->id == id)
+	if (player != NULL && player->id == id)
 		return;
 
 	player = find_ct_player(session, id);
-- 
1.8.1.4



* [PATCH BlueZ 07/15] AVRCP: Fix crash if player status is NULL
From: Luiz Augusto von Dentz @ 2013-06-10 10:37 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Assume status is 'stopped' in case the status is NULL.
---
 profiles/audio/avrcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 66ab2b4..45ca490 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -575,7 +575,7 @@ static int player_get_setting(struct avrcp_player *player, uint8_t id)
 
 static int play_status_to_val(const char *status)
 {
-	if (!strcasecmp(status, "stopped"))
+	if (status == NULL || !strcasecmp(status, "stopped"))
 		return AVRCP_PLAY_STATUS_STOPPED;
 	else if (!strcasecmp(status, "playing"))
 		return AVRCP_PLAY_STATUS_PLAYING;
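Review bot: Mapping a NULL status to STOPPED is a silent default with no comment saying where a NULL comes from (the commit message says only that it can be NULL), so the next reader will wonder whether it hides a missing-property bug. A one-line comment above the check, `/* A player that has not reported a Status is treated as stopped */`, records the intent, and a DBG() on that path would make the case observable. The remaining branches of play_status_to_val continue after the hunk.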
-- 
1.8.1.4



* [PATCH BlueZ 08/15] AVRCP: Fix setting reserved bit in GetCapabilities response
From: Luiz Augusto von Dentz @ 2013-06-10 10:37 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

EventID 0x00 is reserved:

< ACL data: handle 12 flags 0x00 dlen 25
    L2CAP(d): cid 0x0541 len 21 [psm 23]
      AVCTP Control: Response : pt 0x00 transaction 2 pid 0x110e
        AV/C: Stable: address 0x48 opcode 0x00
          Subunit: Panel
          Opcode: Vendor Dependent
          Company ID: 0x001958
          AVRCP: GetCapabilities: pt Single len 0x0008
            CapabilityID: 0x03 (EventsID)
            CapabilityCount: 0x06
            EventsID: 0x00 (Reserved)
            EventsID: 0x01 (EVENT_PLAYBACK_STATUS_CHANGED)
            EventsID: 0x02 (EVENT_TRACK_CHANGED)
            EventsID: 0x03 (EVENT_TRACK_REACHED_END)
            EventsID: 0x04 (EVENT_TRACK_REACHED_START)
            EventsID: 0x08 (EVENT_PLAYER_APPLICATION_SETTING_CHANGED)
---
 profiles/audio/avrcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 45ca490..78d0fa2 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -897,7 +897,7 @@ static uint8_t avrcp_handle_get_capabilities(struct avrcp *session,
 
 		return AVC_CTYPE_STABLE;
 	case CAP_EVENTS_SUPPORTED:
-		for (i = 0; i <= AVRCP_EVENT_LAST; i++) {
+		for (i = 1; i <= AVRCP_EVENT_LAST; i++) {
 			if (session->supported_events & (1 << i)) {
 				pdu->params[1]++;
 				pdu->params[pdu->params[1] + 1] = i;
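Review bot: Starting the loop at 1 keeps the reserved event 0x00 out of the response, but it only hides bit 0 if it is ever set in `session->supported_events`; the RegisterNotification check earlier in this series tests that bitmask directly with `1 << pdu->params[0]` and would still accept event 0x00. Either mask bit 0 out where supported_events is populated (outside this hunk), or add `/* event 0x00 is reserved and never advertised */` on the loop so the asymmetry is clearly deliberate. avrcp_handle_get_capabilities starts before the hunk and continues after it.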
-- 
1.8.1.4



* [PATCH BlueZ 09/15] AVRCP: Fix crash when connecting role without a record
From: Luiz Augusto von Dentz @ 2013-06-10 10:37 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Invalid read of size 4
   at 0x469310: btd_service_connecting_complete (service.c:315)
   by 0x41B29F: session_ct_init_control (avrcp.c:3208)
   by 0x41AD70: state_changed (avrcp.c:3356)
   by 0x417B84: avctp_set_state (avctp.c:550)
   by 0x419E04: avctp_connect_cb (avctp.c:1222)
   by 0x450869: accept_cb (btio.c:202)
   by 0x3F31A47A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x3F31A47D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x3F31A48181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x40A335: main (main.c:595)
 Address 0x20 is not stack'd, malloc'd or (recently) free'd
---
 profiles/audio/avrcp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 78d0fa2..06bffca 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -2931,12 +2931,17 @@ static struct avrcp *session_create(struct avrcp_server *server,
 		session->init_control = session_tg_init_control;
 		session->init_browsing = session_tg_init_browsing;
 		session->destroy = session_tg_destroy;
+
 		rec = btd_device_get_record(dev->btd_dev, AVRCP_REMOTE_UUID);
+		if (rec == NULL)
+			btd_device_add_uuid(dev->btd_dev, AVRCP_REMOTE_UUID);
 	} else {
 		session->init_control = session_ct_init_control;
 		session->init_browsing = session_ct_init_browsing;
 		session->destroy = session_ct_destroy;
 		rec = btd_device_get_record(dev->btd_dev, AVRCP_TARGET_UUID);
+		if (rec == NULL)
+			btd_device_add_uuid(dev->btd_dev, AVRCP_TARGET_UUID);
 	}
 
 	if (rec == NULL)
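Review bot: Calling btd_device_add_uuid() when no SDP record exists attaches the remote-role UUID to the device purely because the peer opened an AVCTP connection, i.e. without the SDP discovery that normally backs a device's UUID list; that is a trust decision worth a comment, e.g. `/* No SDP record yet: register the UUID so a btd_service exists for this incoming connection */` (my reading of the crash trace in the message, confirm). The following `if (rec == NULL)` and the rest of session_create are outside the hunk, so it is not visible whether the function still bails out or now continues with rec == NULL.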
-- 
1.8.1.4



* [PATCH BlueZ 10/15] AVRCP: Fix crash while setting player volume
From: Luiz Augusto von Dentz @ 2013-06-10 10:37 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Invalid read of size 8
   at 0x41A4EA: avrcp_handle_set_volume (avrcp.c:3619)
   by 0x418598: session_cb (avctp.c:790)
   by 0x3F31A47A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x3F31A47D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x3F31A48181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x40A335: main (main.c:595)
 Address 0x48 is not stack'd, malloc'd or (recently) free'd
---
 profiles/audio/avrcp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 06bffca..f439ab3 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -3248,7 +3248,8 @@ static gboolean avrcp_handle_set_volume(struct avctp *conn,
 
 	volume = pdu->params[0] & 0x7F;
 
-	player->cb->set_volume(volume, session->dev, player->user_data);
+	if (player != NULL)
+		player->cb->set_volume(volume, session->dev, player->user_data);
 
 	return FALSE;
 }
-- 
1.8.1.4



* [PATCH BlueZ 11/15] core: Fix not been able to cancel Device.Connect with Device.Disconnect
From: Luiz Augusto von Dentz @ 2013-06-10 10:37 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Device.Disconnect should be able to interrupt the connection attempt
started by Device.Connect.
---
 src/device.c  | 18 ++++++++++++------
 src/service.c |  5 +++++
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/device.c b/src/device.c
index d4c1e23..5cb5460 100644
--- a/src/device.c
+++ b/src/device.c
@@ -1082,7 +1082,7 @@ void device_request_disconnect(struct btd_device *device, DBusMessage *msg)
 		device->connect = NULL;
 	}
 
-	if (msg)
+	if (device->connected && msg)
 		device->disconnects = g_slist_append(device->disconnects,
 						dbus_message_ref(msg));
 
@@ -1110,18 +1110,20 @@ void device_request_disconnect(struct btd_device *device, DBusMessage *msg)
 		g_free(data);
 	}
 
+	if (!device->connected) {
+		g_dbus_send_reply(dbus_conn, msg, DBUS_TYPE_INVALID);
+		return;
+	}
+
 	device->disconn_timer = g_timeout_add_seconds(DISCONNECT_TIMER,
 						do_disconnect, device);
 }
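Review bot: The new early return calls `g_dbus_send_reply(dbus_conn, msg, ...)` unconditionally, but `msg` can be NULL in this function; the hunk above guards `if (device->connected && msg)` for exactly that reason, so an internal caller passing NULL for a device that is not connected would hand a NULL message to the D-Bus layer. Guard it: `if (msg) g_dbus_send_reply(dbus_conn, msg, DBUS_TYPE_INVALID);`. device_request_disconnect starts before the hunk.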
 
-static DBusMessage *disconnect(DBusConnection *conn, DBusMessage *msg,
+static DBusMessage *dev_disconnect(DBusConnection *conn, DBusMessage *msg,
 							void *user_data)
 {
 	struct btd_device *device = user_data;
 
-	if (!device->connected)
-		return btd_error_not_connected(msg);
-
 	/*
 	 * Disable connections through passive scanning until
 	 * Device1.Connect is called
@@ -1723,7 +1725,7 @@ static DBusMessage *cancel_pairing(DBusConnection *conn, DBusMessage *msg,
 }
 
 static const GDBusMethodTable device_methods[] = {
-	{ GDBUS_ASYNC_METHOD("Disconnect", NULL, NULL, disconnect) },
+	{ GDBUS_ASYNC_METHOD("Disconnect", NULL, NULL, dev_disconnect) },
 	{ GDBUS_ASYNC_METHOD("Connect", NULL, NULL, dev_connect) },
 	{ GDBUS_ASYNC_METHOD("ConnectProfile", GDBUS_ARGS({ "UUID", "s" }),
 						NULL, connect_profile) },
@@ -4508,6 +4510,10 @@ static void service_state_changed(struct btd_service *service,
 	struct btd_device *device = btd_service_get_device(service);
 	int err = btd_service_get_error(service);
 
+	if (new_state == BTD_SERVICE_STATE_CONNECTING ||
+				new_state == BTD_SERVICE_STATE_DISCONNECTING)
+		return;
+
 	if (old_state == BTD_SERVICE_STATE_CONNECTING)
 		device_profile_connected(device, profile, err);
 	else if (old_state == BTD_SERVICE_STATE_DISCONNECTING)
diff --git a/src/service.c b/src/service.c
index aef9502..83e1c1a 100644
--- a/src/service.c
+++ b/src/service.c
@@ -238,6 +238,11 @@ int btd_service_disconnect(struct btd_service *service)
 	if (err == 0)
 		return 0;
 
+	if (err == -ENOTCONN) {
+		btd_service_disconnecting_complete(service, 0);
+		return 0;
+	}
+
 	ba2str(device_get_address(service->device), addr);
 	error("%s profile disconnect failed for %s: %s", profile->name, addr,
 								strerror(-err));
-- 
1.8.1.4



* [PATCH BlueZ 12/15] AVRCP: Fix sending invalid attributes when responding to GetElementAttributes
From: Luiz Augusto von Dentz @ 2013-06-10 10:37 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

The list returned by media.c contains the attributes in string format, not
the binary format, which causes us to send wrong/reserved attributes as can
be observed below:

> ACL data: handle 12 flags 0x02 dlen 58
    L2CAP(d): cid 0x0041 len 54 [psm 23]
      AVCTP Control: Response : pt 0x00 transaction 14 pid 0x110e
        AV/C: Stable: address 0x48 opcode 0x00
          Subunit: Panel
          Opcode: Vendor Dependent
          Company ID: 0x001958
          AVRCP: GetElementAttributes: pt Single len 0x0029
            AttributeCount: 0x05
            Attribute: 0x00df9490 (Reserved)
            CharsetID: 0x006a (UTF-8)
            AttributeValueLength: 0x0000
            AttributeValue:
            Attribute: 0x00e0e880 (Reserved)
            CharsetID: 0x006a (UTF-8)
            AttributeValueLength: 0x0000
            AttributeValue:
            Attribute: 0x00e07b00 (Reserved)
            CharsetID: 0x006a (UTF-8)
            AttributeValueLength: 0x0000
            AttributeValue:
            Attribute: 0x00e16bc0 (Reserved)
            CharsetID: 0x006a (UTF-8)
            AttributeValueLength: 0x0000
            AttributeValue:
            Attribute: 0x00e07bc0 (Reserved)
            CharsetID: 0x006a (UTF-8)
            AttributeValueLength: 0x0000
            AttributeValue:
---
 profiles/audio/avrcp.c | 39 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 34 insertions(+), 5 deletions(-)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index f439ab3..7eaadf4 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -977,13 +977,43 @@ err:
 	return AVC_CTYPE_REJECTED;
 }
 
+static uint32_t str_to_metadata(const char *str)
+{
+	if (strcasecmp(str, "Title") == 0)
+		return AVRCP_MEDIA_ATTRIBUTE_TITLE;
+	else if (strcasecmp(str, "Artist") == 0)
+		return AVRCP_MEDIA_ATTRIBUTE_ARTIST;
+	else if (strcasecmp(str, "Album") == 0)
+		return AVRCP_MEDIA_ATTRIBUTE_ALBUM;
+	else if (strcasecmp(str, "Genre") == 0)
+		return AVRCP_MEDIA_ATTRIBUTE_GENRE;
+	else if (strcasecmp(str, "TrackNumber") == 0)
+		return AVRCP_MEDIA_ATTRIBUTE_TRACK;
+	else if (strcasecmp(str, "NumberOfTracks") == 0)
+		return AVRCP_MEDIA_ATTRIBUTE_N_TRACKS;
+	else if (strcasecmp(str, "Duration") == 0)
+		return AVRCP_MEDIA_ATTRIBUTE_DURATION;
+
+	return 0;
+}
+
 static GList *player_list_metadata(struct avrcp_player *player)
 {
-	if (player != NULL)
-		return player->cb->list_metadata(player->user_data);
+	GList *l, *attrs = NULL;
 
-	return g_list_prepend(NULL,
+	if (player == NULL)
+		return g_list_prepend(NULL,
 				GUINT_TO_POINTER(AVRCP_MEDIA_ATTRIBUTE_TITLE));
+
+	l = player->cb->list_metadata(player->user_data);
+	for (; l; l = l->next) {
+		const char *key = l->data;
+
+		attrs = g_list_append(attrs,
+					GUINT_TO_POINTER(str_to_metadata(key)));
+	}
+
+	return attrs;
 }
 
 static uint8_t avrcp_handle_get_element_attributes(struct avrcp *session,
@@ -2123,8 +2153,7 @@ static gboolean avrcp_get_item_attributes_rsp(struct avctp *conn,
 	}
 
 	if (pdu->params[0] != AVRCP_STATUS_SUCCESS || operand_count < 4) {
-		if (pdu->params[0] == AVRCP_STATUS_PLAYER_NOT_BROWSABLE)
-			avrcp_get_element_attributes(session);
+		avrcp_get_element_attributes(session);
 		return FALSE;
 	}
 
-- 
1.8.1.4



* [PATCH BlueZ 13/15] AVRCP: Fix sending SetPlayerApplicationSettingValue using notify command type
From: Luiz Augusto von Dentz @ 2013-06-10 10:37 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

The command type for SetPlayerApplicationSettingValue is control
---
 profiles/audio/avrcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 7eaadf4..515303e 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -2230,7 +2230,7 @@ static void avrcp_set_player_value(struct avrcp *session, uint8_t attr,
 
 	length = AVRCP_HEADER_LENGTH + ntohs(pdu->params_len);
 
-	avctp_send_vendordep_req(session->conn, AVC_CTYPE_NOTIFY,
+	avctp_send_vendordep_req(session->conn, AVC_CTYPE_CONTROL,
 					AVC_SUBUNIT_PANEL, buf, length,
 					avrcp_player_value_rsp, session);
 }
-- 
1.8.1.4



* [PATCH BlueZ 14/15] obexd: Fix crash when resetting OPP session without a transfer
From: Luiz Augusto von Dentz @ 2013-06-10 10:37 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Invalid read of size 8
   at 0x42A570: manager_emit_transfer_completed (manager.c:863)
   by 0x42A76A: os_reset_session (obex.c:206)
   by 0x42A8BB: disconn_func (obex.c:1085)
   by 0x419C55: incoming_data (gobex.c:1224)
   by 0x3F31A47A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x3F31A47D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x3F31A48181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x40DDB2: main (main.c:319)
 Address 0x10 is not stack'd, malloc'd or (recently) free'd

Invalid read of size 1
   at 0x42A231: manager_unregister_transfer (manager.c:672)
   by 0x420F8B: opp_disconnect (opp.c:158)
   by 0x42A8EC: disconn_func (obex.c:1088)
   by 0x419C55: incoming_data (gobex.c:1224)
   by 0x3F31A47A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x3F31A47D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x3F31A48181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
   by 0x40DDB2: main (main.c:319)
 Address 0x0 is not stack'd, malloc'd or (recently) free'd
---
 obexd/src/manager.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/obexd/src/manager.c b/obexd/src/manager.c
index 6ddee2b..dbfbef8 100644
--- a/obexd/src/manager.c
+++ b/obexd/src/manager.c
@@ -667,7 +667,12 @@ struct obex_transfer *manager_register_transfer(struct obex_session *os)
 
 void manager_unregister_transfer(struct obex_transfer *transfer)
 {
-	struct obex_session *os = transfer->session;
+	struct obex_session *os;
+
+	if (transfer == NULL)
+		return;
+
+	os = transfer->session;
 
 	if (transfer->status == TRANSFER_STATUS_ACTIVE)
 		emit_transfer_completed(transfer, os->offset == os->size);
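Review bot: os is dereferenced on the last line of the hunk (`os->offset == os->size`) without the NULL check that the companion change in manager_emit_transfer_completed applies to transfer->session, so if a transfer can exist with a NULL session the crash this commit fixes moves one line down rather than going away. For consistency with the other hunk I would write `emit_transfer_completed(transfer, os != NULL && os->offset == os->size);`, or return early when os is NULL, whichever matches how the session pointer is cleared elsewhere. Whether session can be NULL while status is TRANSFER_STATUS_ACTIVE is not visible from the hunk. manager_unregister_transfer continues past the end of the hunk.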
@@ -860,8 +865,17 @@ void manager_emit_transfer_progress(struct obex_transfer *transfer)
 
 void manager_emit_transfer_completed(struct obex_transfer *transfer)
 {
-	if (transfer->session->object)
-		emit_transfer_completed(transfer, !transfer->session->aborted);
+	struct obex_session *session;
+
+	if (transfer == NULL)
+		return;
+
+	session = transfer->session;
+
+	if (session == NULL || session->object == NULL)
+		return;
+
+	emit_transfer_completed(transfer, !session->aborted);
 }
 
 DBusConnection *manager_dbus_get_connection(void)
-- 
1.8.1.4



* [PATCH BlueZ 15/15] obexd: Fix not checking for valid fd on NewConnection
From: Luiz Augusto von Dentz @ 2013-06-10 10:37 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

The fd needs to be checked as it may no longer be valid, which causes the
following warnings:

==8162== Warning: invalid file descriptor 1031 in syscall fcntl(DUPFD_CLOEXEC)()

(obexd:8162): GLib-WARNING **: giounix.c:412Error while getting flags for FD: Bad file descriptor (9)
---
 obexd/plugins/bluetooth.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/obexd/plugins/bluetooth.c b/obexd/plugins/bluetooth.c
index 07baf90..4e65923 100644
--- a/obexd/plugins/bluetooth.c
+++ b/obexd/plugins/bluetooth.c
@@ -30,6 +30,7 @@
 #include <string.h>
 #include <unistd.h>
 #include <inttypes.h>
+#include <fcntl.h>
 #include <sys/socket.h>
 
 #include <glib.h>
@@ -132,6 +133,9 @@ static DBusMessage *profile_new_connection(DBusConnection *conn,
 
 	dbus_message_iter_get_basic(&args, &fd);
 
+	if (fcntl(fd, F_GETFD) < 0)
+		return invalid_args(msg);
+
 	io = g_io_channel_unix_new(fd);
 	if (io == NULL)
 		return invalid_args(msg);
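Review bot: fcntl(fd, F_GETFD) only proves the descriptor is open, not that it is the connected socket this handler expects, so any open descriptor passed through NewConnection (a regular file, a pipe) passes the new check and is wrapped in a GIOChannel. A tighter check is cheap: `struct stat st;` followed by `if (fstat(fd, &st) < 0 || !S_ISSOCK(st.st_mode)) return invalid_args(msg);`, with `<sys/stat.h>` added next to the new `<fcntl.h>` include. The caller here is bluetoothd over D-Bus, so this is defence in depth rather than a fix for a remote path. Whether the received fd must be closed on these early-return paths (libdbus hands the receiver its own duplicate for UNIX_FD arguments, if I recall correctly) is not visible in the hunk; profile_new_connection continues outside it.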
-- 
1.8.1.4



* Re: [PATCH BlueZ 01/15] AVRCP: Fix crash when registering unsupported notification
From: Luiz Augusto von Dentz @ 2013-06-11 21:16 UTC (permalink / raw)
  To: linux-bluetooth@vger.kernel.org

Hi,

On Mon, Jun 10, 2013 at 1:36 PM, Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> Reject command if notification is not supported otherwise this can
> cause crashes.
> ---
>  profiles/audio/avrcp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index 4558407..5bddd08 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -1355,7 +1355,7 @@ static uint8_t avrcp_handle_register_notification(struct avrcp *session,
>          * one is applicable only for EVENT_PLAYBACK_POS_CHANGED. See AVRCP
>          * 1.3 spec, section 5.4.2.
>          */
> -       if (len != 5)
> +       if (len != 5 || !(session->supported_events & (1 << pdu->params[0])))
>                 goto err;
>
>         switch (pdu->params[0]) {
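Review bot: pdu->params[0] is a peer-supplied byte and is used unbounded as the shift count in `1 << pdu->params[0]`; a value of 32 or more makes the shift undefined behaviour in C, and on common targets the count wraps, so an event id such as 33 is tested against bit 1 and can pass the new supported_events check before the switch sees it. I would bound it before shifting, e.g. `if (len != 5 || pdu->params[0] >= 8 * sizeof(session->supported_events) || !(session->supported_events & (1 << pdu->params[0])))`, or compare against the highest defined AVRCP event id if a constant for it exists. Whether the switch below rejects such ids on its default path is not visible here, so the practical impact may be limited to the undefined shift itself. The enclosing function starts and ends outside the quoted hunk.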
> --
> 1.8.1.4
>

This patch-set is now upstream.

--
Luiz Augusto von Dentz
