* [PATCH BlueZ v4 1/4] btio: fix range validation of security level
2025-07-09 13:36 [PATCH BlueZ v4 0/4] Fix bugs found by static analysis Ismagil Iskakov
@ 2025-07-09 13:36 ` Ismagil Iskakov
2025-07-09 15:11 ` Fix bugs found by static analysis bluez.test.bot
2025-07-09 13:36 ` [PATCH BlueZ v4 2/4] profiles/audio: add nullity checks Ismagil Iskakov
` (3 subsequent siblings)
4 siblings, 1 reply; 7+ messages in thread
From: Ismagil Iskakov @ 2025-07-09 13:36 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Ismagil Iskakov
Arrays inside l2cap_set_lm/rfcomm_set_lm functions are of size 4,
but the bounds check allows the value 4 for 'level'.
---
btio/btio.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/btio/btio.c b/btio/btio.c
index b8afe0580..bc14199f2 100644
--- a/btio/btio.c
+++ b/btio/btio.c
@@ -474,6 +474,12 @@ static gboolean set_sec_level(int sock, BtIOType type, int level, GError **err)
return FALSE;
}
+ if (level == BT_SECURITY_FIPS) {
+ g_set_error(err, BT_IO_ERROR, EINVAL,
+ "FIPS security level is not supported for L2CAP_LM/RFCOMM_LM");
+ return FALSE;
+ }
+
if (type == BT_IO_L2CAP)
ret = l2cap_set_lm(sock, level);
else
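Review bot: the new check rejects only the single value `level == BT_SECURITY_FIPS`, while the commit message says the real constraint is the size-4 arrays inside l2cap_set_lm/rfcomm_set_lm; the fix therefore relies on the preceding range check (the `return FALSE;` just above this hunk) already capping `level` at BT_SECURITY_FIPS. A bound tied to the table itself, e.g. `if (level >= G_N_ELEMENTS(table))` inside l2cap_set_lm/rfcomm_set_lm, would keep the caller and the arrays from drifting apart if another level is ever added. Stating in the commit message that FIPS is intentionally unsupported on the LM path, rather than merely out of range, would also make the EINVAL easier to understand later.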
--
2.34.1
* RE: Fix bugs found by static analysis
2025-07-09 13:36 ` [PATCH BlueZ v4 1/4] btio: fix range validation of security level Ismagil Iskakov
@ 2025-07-09 15:11 ` bluez.test.bot
0 siblings, 0 replies; 7+ messages in thread
From: bluez.test.bot @ 2025-07-09 15:11 UTC (permalink / raw)
To: linux-bluetooth, i.iskakov
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=980540
---Test result---
Test Summary:
CheckPatch PENDING 0.27 seconds
GitLint PENDING 0.29 seconds
BuildEll PASS 22.59 seconds
BluezMake PASS 2749.28 seconds
MakeCheck PASS 20.24 seconds
MakeDistcheck PASS 189.54 seconds
CheckValgrind PASS 241.91 seconds
CheckSmatch WARNING 315.40 seconds
bluezmakeextell PASS 130.05 seconds
IncrementalBuild PENDING 0.32 seconds
ScanBuild PASS 909.24 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* [PATCH BlueZ v4 2/4] profiles/audio: add nullity checks
2025-07-09 13:36 [PATCH BlueZ v4 0/4] Fix bugs found by static analysis Ismagil Iskakov
2025-07-09 13:36 ` [PATCH BlueZ v4 1/4] btio: fix range validation of security level Ismagil Iskakov
@ 2025-07-09 13:36 ` Ismagil Iskakov
2025-07-09 13:36 ` [PATCH BlueZ v4 3/4] src/shared: " Ismagil Iskakov
` (2 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Ismagil Iskakov @ 2025-07-09 13:36 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Ismagil Iskakov
Cover bass_setup unsuccessful search and btd_device_get_service.
This change is motivated by the other usages where checks for
NULL exist.
---
profiles/audio/a2dp.c | 34 ++++++++++++++++++++++++----------
profiles/audio/avrcp.c | 24 +++++++++++++++++++++---
profiles/audio/bass.c | 3 +++
3 files changed, 48 insertions(+), 13 deletions(-)
diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index d2c2bec65..8b0b16ff1 100644
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -646,6 +646,18 @@ static gboolean auto_config(gpointer data)
struct btd_service *service;
struct a2dp_stream *stream;
+ dev = avdtp_get_device(setup->session);
+
+ if (setup->sep->type == AVDTP_SEP_TYPE_SOURCE)
+ service = btd_device_get_service(dev, A2DP_SINK_UUID);
+ else
+ service = btd_device_get_service(dev, A2DP_SOURCE_UUID);
+
+ if (service == NULL) {
+ error("Unable to find btd service");
+ return FALSE;
+ }
+
/* Check if configuration was aborted */
stream = queue_find(setup->sep->streams, match_stream, setup->stream);
if (!stream)
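Review bot: the added `return FALSE;` leaves auto_config before the `done:` path that the rest of the function uses (`goto done` is visible in the next hunk), so any finalization that `done:` performs for the setup is skipped when the service is missing; unless `done:` only releases resources created after this point, route the failure through `setup->err`/`goto done` instead. Note also that the lookup now runs ahead of the "configuration was aborted" check, so an aborted setup whose device has already lost its service logs error() where it previously returned quietly.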
@@ -654,16 +666,12 @@ static gboolean auto_config(gpointer data)
if (setup->err != NULL)
goto done;
- dev = avdtp_get_device(setup->session);
-
avdtp_stream_add_cb(setup->session, setup->stream,
stream_state_changed, setup->sep);
if (setup->sep->type == AVDTP_SEP_TYPE_SOURCE) {
- service = btd_device_get_service(dev, A2DP_SINK_UUID);
sink_new_stream(service, setup->session, setup->stream);
} else {
- service = btd_device_get_service(dev, A2DP_SOURCE_UUID);
source_new_stream(service, setup->session, setup->stream);
}
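Review bot: with the `service =` assignments removed, both arms of `if (setup->sep->type == AVDTP_SEP_TYPE_SOURCE)` are single statements, so the braces are no longer needed in BlueZ's kernel-style coding conventions and checkpatch will flag them; drop them here and in the matching setconf_cfm hunk below.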
@@ -995,10 +1003,20 @@ static void setconf_cfm(struct avdtp *session, struct avdtp_local_sep *sep,
struct btd_service *service;
int ret;
- if (a2dp_sep->type == AVDTP_SEP_TYPE_SINK)
+ dev = avdtp_get_device(session);
+
+ if (a2dp_sep->type == AVDTP_SEP_TYPE_SINK) {
DBG("Sink %p: Set_Configuration_Cfm", sep);
- else
+ service = btd_device_get_service(dev, A2DP_SOURCE_UUID);
+ } else {
DBG("Source %p: Set_Configuration_Cfm", sep);
+ service = btd_device_get_service(dev, A2DP_SINK_UUID);
+ }
+
+ if (service == NULL) {
+ error("Unable to find btd service");
+ return;
+ }
setup = find_setup_by_session(session);
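Review bot: the new `return;` runs before `setup = find_setup_by_session(session);`, so a pending setup is never resolved when the service is missing and whoever is waiting on the Set_Configuration confirmation never hears back. Look the setup up first and fail it through the existing error handling (the `if (!setup) return;` path two hunks down shows where that belongs) rather than returning right after the error().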
@@ -1024,14 +1042,10 @@ static void setconf_cfm(struct avdtp *session, struct avdtp_local_sep *sep,
if (!setup)
return;
- dev = avdtp_get_device(session);
-
/* Notify D-Bus interface of the new stream */
if (a2dp_sep->type == AVDTP_SEP_TYPE_SOURCE) {
- service = btd_device_get_service(dev, A2DP_SINK_UUID);
sink_new_stream(service, session, setup->stream);
} else {
- service = btd_device_get_service(dev, A2DP_SOURCE_UUID);
source_new_stream(service, session, setup->stream);
}
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index b3e69874d..e2797112f 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -3062,8 +3062,14 @@ static void set_ct_player(struct avrcp *session, struct avrcp_player *player)
if (session->controller->player == player)
goto done;
- session->controller->player = player;
service = btd_device_get_service(session->dev, AVRCP_TARGET_UUID);
+
+ if (service == NULL) {
+ error("Unable to find btd service");
+ return;
+ }
+
+ session->controller->player = player;
control_set_player(service, player ?
media_player_get_path(player->user_data) : NULL);
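Review bot: moving `session->controller->player = player;` behind the NULL check means that when the AVRCP_TARGET service is gone the controller keeps its previous `player` pointer, including the `player == NULL` case that `control_set_player(service, player ? ... : NULL)` is written to handle; if set_ct_player(session, NULL) is how a player is detached before it is freed, this leaves a dangling pointer. Assign the field before the check, or clear it on the error path. The `return` also bypasses the `done:` label used a few lines above, so confirm nothing there is required on this path.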
@@ -4258,12 +4264,18 @@ static void target_init(struct avrcp *session)
if (session->target != NULL)
return;
+ service = btd_device_get_service(session->dev, AVRCP_REMOTE_UUID);
+
+ if (service == NULL) {
+ error("Unable to find btd service");
+ return;
+ }
+
target = data_init(session, AVRCP_REMOTE_UUID);
session->target = target;
DBG("%p version 0x%04x", target, target->version);
- service = btd_device_get_service(session->dev, AVRCP_REMOTE_UUID);
btd_service_connecting_complete(service, 0);
player = g_slist_nth_data(server->players, 0);
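Review bot: the identical string "Unable to find btd service" is used at every new error() site in this series, so a log line cannot be tied to a function or UUID; qualify it here (and at the other sites) with the UUID or `__func__` so the message stays diagnosable. Moving the lookup ahead of data_init() is the right order, since it avoids allocating `target` only to bail out afterwards.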
@@ -4312,6 +4324,13 @@ static void controller_init(struct avrcp *session)
if (session->controller != NULL)
return;
+ service = btd_device_get_service(session->dev, AVRCP_TARGET_UUID);
+
+ if (service == NULL) {
+ error("Unable to find btd service");
+ return;
+ }
+
controller = data_init(session, AVRCP_TARGET_UUID);
session->controller = controller;
@@ -4319,7 +4338,6 @@ static void controller_init(struct avrcp *session)
if (controller->obex_port)
DBG("%p OBEX PSM 0x%04x", controller, controller->obex_port);
- service = btd_device_get_service(session->dev, AVRCP_TARGET_UUID);
btd_service_connecting_complete(service, 0);
/* Only create player if category 1 is supported */
diff --git a/profiles/audio/bass.c b/profiles/audio/bass.c
index c853fbc4a..87db130da 100644
--- a/profiles/audio/bass.c
+++ b/profiles/audio/bass.c
@@ -349,6 +349,9 @@ static void bap_state_changed(struct bt_bap_stream *stream, uint8_t old_state,
struct bass_setup *setup = queue_find(dg->setups,
match_setup_stream, stream);
+ if (setup == NULL)
+ return;
+
if (dg->bap != bap)
return;
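Review bot: style: this series mixes `if (setup == NULL)` (here and in the a2dp/avrcp hunks) with `if (!codec)` in 3/4, while the surrounding code uses the `if (!stream)` form (see the auto_config hunk above); prefer `if (!setup)` throughout for consistency. Placing the check ahead of `if (dg->bap != bap)` is fine since both paths simply return.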
--
2.34.1
* [PATCH BlueZ v4 3/4] src/shared: add nullity checks
2025-07-09 13:36 [PATCH BlueZ v4 0/4] Fix bugs found by static analysis Ismagil Iskakov
2025-07-09 13:36 ` [PATCH BlueZ v4 1/4] btio: fix range validation of security level Ismagil Iskakov
2025-07-09 13:36 ` [PATCH BlueZ v4 2/4] profiles/audio: add nullity checks Ismagil Iskakov
@ 2025-07-09 13:36 ` Ismagil Iskakov
2025-07-09 13:36 ` [PATCH BlueZ v4 4/4] obexd/client: fix err condition causing memleak Ismagil Iskakov
2025-07-09 14:00 ` [PATCH BlueZ v4 0/4] Fix bugs found by static analysis patchwork-bot+bluetooth
4 siblings, 0 replies; 7+ messages in thread
From: Ismagil Iskakov @ 2025-07-09 13:36 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Ismagil Iskakov
Check util_iov_pull_mem where iov len is not verified
beforehand. Check vcp_get_vcs for NULL.
These changes are based on other usages where those
checks exist.
---
src/shared/bap.c | 23 +++++++++++++++++++++++
src/shared/vcp.c | 3 +++
2 files changed, 26 insertions(+)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index ba6f75ff2..8c186e6f1 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -7568,6 +7568,11 @@ bool bt_bap_parse_base(uint8_t sid, struct iovec *iov,
codec = util_iov_pull_mem(iov, sizeof(*codec));
+ if (!codec) {
+ ret = false;
+ goto done;
+ }
+
util_debug(func, NULL, "Codec: ID %d CID 0x%2.2x VID 0x%2.2x",
codec->id, codec->cid, codec->vid);
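Review bot: the failure path sets `ret = false` without any diagnostic, while every successful parse step around it logs through util_debug(); a `util_debug(func, NULL, "Unable to parse codec")` (or similar) before `goto done` would tell the caller which field of the BASE was truncated. The same applies to the three following hunks in this function, which would otherwise all fail indistinguishably.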
@@ -7579,6 +7584,12 @@ bool bt_bap_parse_base(uint8_t sid, struct iovec *iov,
}
l2_cc.iov_base = util_iov_pull_mem(iov, l2_cc_len);
+
+ if (!l2_cc.iov_base) {
+ ret = false;
+ goto done;
+ }
+
l2_cc.iov_len = l2_cc_len;
/* Print Codec Specific Configuration */
@@ -7593,6 +7604,12 @@ bool bt_bap_parse_base(uint8_t sid, struct iovec *iov,
}
meta.iov_base = util_iov_pull_mem(iov, meta_len);
+
+ if (!meta.iov_base) {
+ ret = false;
+ goto done;
+ }
+
meta.iov_len = meta_len;
/* Print Metadata */
@@ -7623,6 +7640,12 @@ bool bt_bap_parse_base(uint8_t sid, struct iovec *iov,
l3_cc.iov_base = util_iov_pull_mem(iov,
l3_cc_len);
+
+ if (!l3_cc.iov_base) {
+ ret = false;
+ goto done;
+ }
+
l3_cc.iov_len = l3_cc_len;
/* Print Codec Specific Configuration */
diff --git a/src/shared/vcp.c b/src/shared/vcp.c
index e614ff61f..be002ad4c 100644
--- a/src/shared/vcp.c
+++ b/src/shared/vcp.c
@@ -2934,6 +2934,9 @@ static void foreach_vcs_service(struct gatt_db_attribute *attr,
struct bt_vcp *vcp = user_data;
struct bt_vcs *vcs = vcp_get_vcs(vcp);
+ if (!vcs)
+ return;
+
vcs->service = attr;
gatt_db_service_set_claimed(attr, true);
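Review bot: the `return` on `!vcs` silently skips claiming the VCS service; unlike the error() calls in 2/4, nothing is logged here, so add a DBG()/error() so a missing VCS instance shows up in debug output. Placing the check before `vcs->service = attr` is the right spot.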
--
2.34.1
* [PATCH BlueZ v4 4/4] obexd/client: fix err condition causing memleak
2025-07-09 13:36 [PATCH BlueZ v4 0/4] Fix bugs found by static analysis Ismagil Iskakov
` (2 preceding siblings ...)
2025-07-09 13:36 ` [PATCH BlueZ v4 3/4] src/shared: " Ismagil Iskakov
@ 2025-07-09 13:36 ` Ismagil Iskakov
2025-07-09 14:00 ` [PATCH BlueZ v4 0/4] Fix bugs found by static analysis patchwork-bot+bluetooth
4 siblings, 0 replies; 7+ messages in thread
From: Ismagil Iskakov @ 2025-07-09 13:36 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Ismagil Iskakov
transfer_open returns 0 if an error occurs; the condition is corrected.
---
obexd/client/transfer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/obexd/client/transfer.c b/obexd/client/transfer.c
index a7d00896f..d8ecb60d3 100644
--- a/obexd/client/transfer.c
+++ b/obexd/client/transfer.c
@@ -556,7 +556,7 @@ struct obc_transfer *obc_transfer_get(const char *type, const char *name,
transfer = obc_transfer_create(G_OBEX_OP_GET, filename, name, type);
perr = transfer_open(transfer, O_WRONLY | O_CREAT | O_TRUNC, 0600, err);
- if (perr < 0) {
+ if (!perr) {
obc_transfer_free(transfer);
return NULL;
}
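Review bot: the variable is named `perr`, which reads as a negative-errno return, yet the new condition treats transfer_open as returning 0 on failure; if transfer_open is a gboolean, rename `perr` (e.g. `ok`) so the next reader does not reintroduce `< 0`, and confirm that transfer_open fills `err` on that path, since obc_transfer_get returns NULL with only `err` to explain why. The commit message would also benefit from stating the return type explicitly.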
--
2.34.1
* Re: [PATCH BlueZ v4 0/4] Fix bugs found by static analysis
2025-07-09 13:36 [PATCH BlueZ v4 0/4] Fix bugs found by static analysis Ismagil Iskakov
` (3 preceding siblings ...)
2025-07-09 13:36 ` [PATCH BlueZ v4 4/4] obexd/client: fix err condition causing memleak Ismagil Iskakov
@ 2025-07-09 14:00 ` patchwork-bot+bluetooth
4 siblings, 0 replies; 7+ messages in thread
From: patchwork-bot+bluetooth @ 2025-07-09 14:00 UTC (permalink / raw)
To: Ismagil Iskakov; +Cc: linux-bluetooth
Hello:
This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 9 Jul 2025 16:36:18 +0300 you wrote:
> btio: fix range validation of security level
> Expression is used as an index for accessing
> an array's element in function 'l2cap_set_lm'.
> This expression can have value 4, which is out
> of range, as indicated by a preceding
> conditional expression.
>
> [...]
Here is the summary with links:
- [BlueZ,v4,1/4] btio: fix range validation of security level
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=80a6b91d758a
- [BlueZ,v4,2/4] profiles/audio: add nullity checks
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=77932f2dac1a
- [BlueZ,v4,3/4] src/shared: add nullity checks
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=9432bfe81afd
- [BlueZ,v4,4/4] obexd/client: fix err condition causing memleak
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=09212f9d110e
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html