* [PATCH BlueZ v2] a2dp: Fix handling of codec capability storage
From: Luiz Augusto von Dentz @ 2026-06-22 15:56 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Codec capability is one byte long (max 255) the storage format is
02hhx which means each byte ends up as 2 characters so the buffer
needs to be doubled in order to handle capabilities of that size.
Reported-by: p0her (_@p0her_) in TeamH4C working with TrendAI Zero Day Initiative
Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
---
profiles/audio/a2dp.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index a5e002784c02..c8adc3122563 100644
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -971,7 +971,7 @@ static void store_remote_sep(void *data, void *user_data)
{
struct a2dp_remote_sep *sep = data;
GKeyFile *key_file = user_data;
- char seid[4], value[256];
+ char seid[4], value[9 + 512];
struct avdtp_service_capability *service = avdtp_get_codec(sep->sep);
struct avdtp_media_codec_capability *codec;
unsigned int i;
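Review bot: the `9 + 512` in the new `value` declaration is an unexplained magic number. Add a comment (or named constants) saying that 9 is the `%02hhx:%02hhx:%02hhx:` prefix, three two-character fields plus three colons, and that 512 covers the hex form of the capability plus the terminator, so the size cannot drift from the `caps[513]` / `%512s` pair used when loading.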
@@ -2373,7 +2373,7 @@ static void load_remote_sep(struct a2dp_channel *chan, GKeyFile *key_file,
uint8_t codec;
uint8_t delay_reporting;
GSList *l = NULL;
- char caps[256];
+ char caps[513];
uint8_t data[128];
int i, size;
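Review bot: `caps` grows to 513 bytes here, but the unchanged `uint8_t data[128]` on the next line does not, and the decode loop later in this function writes to `data + i / 2`. A 512-character hex string decodes to 256 bytes, so either size `data` to match or bound the decode by `sizeof(data)`.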
@@ -2386,10 +2386,10 @@ static void load_remote_sep(struct a2dp_channel *chan, GKeyFile *key_file,
continue;
/* Try loading with delay_reporting first */
- if (sscanf(value, "%02hhx:%02hhx:%02hhx:%s", &type, &codec,
+ if (sscanf(value, "%02hhx:%02hhx:%02hhx:%512s", &type, &codec,
&delay_reporting, caps) != 4) {
/* Try old format */
- if (sscanf(value, "%02hhx:%02hhx:%s", &type, &codec,
+ if (sscanf(value, "%02hhx:%02hhx:%512s", &type, &codec,
caps) != 3) {
warn("Unable to load Endpoint: seid %u", rseid);
g_free(value);
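Review bot: the `%512s` width in both `sscanf` calls silently truncates a longer stored value and still yields a match count of 4 (or 3), so an over-long or corrupted entry is then decoded as if it were valid. Consider rejecting a capability field that is longer than expected, and tie the width to the size of `caps` through a shared constant so the two cannot diverge.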
@@ -2398,7 +2398,7 @@ static void load_remote_sep(struct a2dp_channel *chan, GKeyFile *key_file,
delay_reporting = false;
}
- for (i = 0, size = strlen(caps); i < size; i += 2) {
+ for (i = 0, size = strlen(caps); i < size && i >= 2; i += 2) {
uint8_t *tmp = data + i / 2;
if (sscanf(caps + i, "%02hhx", tmp) != 1) {
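Review bot: in the `for` condition `i < size && i >= 2`, `i` starts at 0, so `i >= 2` is false on the first test and the loop body never executes; no capability bytes are decoded. If the intent is to stop before a trailing odd character, the check should be on the remaining length, for example `size - i >= 2`.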
--
2.54.0
* RE: [BlueZ,v2] a2dp: Fix handling of codec capability storage
From: bluez.test.bot @ 2026-06-22 18:14 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1114843
---Test result---
Test Summary:
CheckPatch FAIL 0.92 seconds
GitLint FAIL 0.67 seconds
BuildEll PASS 20.21 seconds
BluezMake PASS 619.69 seconds
MakeCheck PASS 3.14 seconds
MakeDistcheck PASS 237.22 seconds
CheckValgrind PASS 206.49 seconds
CheckSmatch PASS 328.16 seconds
bluezmakeextell PASS 166.29 seconds
IncrementalBuild PASS 623.46 seconds
ScanBuild PASS 931.40 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ,v2] a2dp: Fix handling of codec capability storage
WARNING:BAD_SIGN_OFF: Use a single space after Reported-by:
#101:
Reported-by: p0her (_@p0her_) in TeamH4C working with TrendAI Zero Day Initiative
ERROR:BAD_SIGN_OFF: Unrecognized email address: 'p0her (_@p0her_) in TeamH4C working with TrendAI Zero Day Initiative'
#101:
Reported-by: p0her (_@p0her_) in TeamH4C working with TrendAI Zero Day Initiative
/github/workspace/src/patch/14639629.patch total: 1 errors, 1 warnings, 36 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14639629.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[BlueZ,v2] a2dp: Fix handling of codec capability storage
9: B1 Line exceeds max length (82>80): "Reported-by: p0her (_@p0her_) in TeamH4C working with TrendAI Zero Day Initiative"
https://github.com/bluez/bluez/pull/2251
---
Regards,
Linux Bluetooth
* Re: [PATCH BlueZ v2] a2dp: Fix handling of codec capability storage
From: Bastien Nocera @ 2026-06-23 12:18 UTC (permalink / raw)
To: Luiz Augusto von Dentz, linux-bluetooth
On Mon, 2026-06-22 at 11:56 -0400, Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> Codec capability is one byte long (max 255) the storage format is
> 02hhx which means each byte ends up as 2 characters so the buffer
> needs to be doubled in order to handle capabilities of that size.
>
> Reported-by: p0her (_@p0her_) in TeamH4C working with TrendAI Zero
> Day Initiative
> Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
> ---
> profiles/audio/a2dp.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
> index a5e002784c02..c8adc3122563 100644
> --- a/profiles/audio/a2dp.c
> +++ b/profiles/audio/a2dp.c
> @@ -971,7 +971,7 @@ static void store_remote_sep(void *data, void
> *user_data)
> {
> struct a2dp_remote_sep *sep = data;
> GKeyFile *key_file = user_data;
> - char seid[4], value[256];
> + char seid[4], value[9 + 512];
What's the "9" value from? Shouldn't it be 11 for the length of:
"%02hhx:%02hhx:%02hhx:"
The "Try loading with delay_reporting first" variant?
> struct avdtp_service_capability *service =
> avdtp_get_codec(sep->sep);
> struct avdtp_media_codec_capability *codec;
> unsigned int i;
> @@ -2373,7 +2373,7 @@ static void load_remote_sep(struct a2dp_channel
> *chan, GKeyFile *key_file,
> uint8_t codec;
> uint8_t delay_reporting;
> GSList *l = NULL;
> - char caps[256];
> + char caps[513];
> uint8_t data[128];
> int i, size;
>
> @@ -2386,10 +2386,10 @@ static void load_remote_sep(struct
> a2dp_channel *chan, GKeyFile *key_file,
> continue;
>
> /* Try loading with delay_reporting first */
> - if (sscanf(value, "%02hhx:%02hhx:%02hhx:%s", &type,
> &codec,
> + if (sscanf(value, "%02hhx:%02hhx:%02hhx:%512s",
> &type, &codec,
> &delay_reporting, caps) !=
> 4) {
> /* Try old format */
> - if (sscanf(value, "%02hhx:%02hhx:%s", &type,
> &codec,
> + if (sscanf(value, "%02hhx:%02hhx:%512s",
> &type, &codec,
> caps
> ) != 3) {
> warn("Unable to load Endpoint: seid
> %u", rseid);
> g_free(value);
> @@ -2398,7 +2398,7 @@ static void load_remote_sep(struct a2dp_channel
> *chan, GKeyFile *key_file,
> delay_reporting = false;
> }
>
> - for (i = 0, size = strlen(caps); i < size; i += 2) {
> + for (i = 0, size = strlen(caps); i < size && i >= 2;
> i += 2) {
> uint8_t *tmp = data + i / 2;
>
> if (sscanf(caps + i, "%02hhx", tmp) != 1) {
* Re: [PATCH BlueZ v2] a2dp: Fix handling of codec capability storage
From: Luiz Augusto von Dentz @ 2026-06-23 14:30 UTC (permalink / raw)
To: Bastien Nocera; +Cc: linux-bluetooth
Hi Bastien,
On Tue, Jun 23, 2026 at 8:18 AM Bastien Nocera <hadess@hadess.net> wrote:
>
> On Mon, 2026-06-22 at 11:56 -0400, Luiz Augusto von Dentz wrote:
> > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> >
> > Codec capability is one byte long (max 255) the storage format is
> > 02hhx which means each byte ends up as 2 characters so the buffer
> > needs to be doubled in order to handle capabilities of that size.
> >
> > Reported-by: p0her (_@p0her_) in TeamH4C working with TrendAI Zero
> > Day Initiative
> > Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
> > ---
> > profiles/audio/a2dp.c | 10 +++++-----
> > 1 file changed, 5 insertions(+), 5 deletions(-)
> >
> > diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
> > index a5e002784c02..c8adc3122563 100644
> > --- a/profiles/audio/a2dp.c
> > +++ b/profiles/audio/a2dp.c
> > @@ -971,7 +971,7 @@ static void store_remote_sep(void *data, void
> > *user_data)
> > {
> > struct a2dp_remote_sep *sep = data;
> > GKeyFile *key_file = user_data;
> > - char seid[4], value[256];
> > + char seid[4], value[9 + 512];
>
> What's the "9" value from? Shouldn't it be 11 for the length of:
> "%02hhx:%02hhx:%02hhx:"
3 * 2 (%02hhx) + 3 (:) = 9
> The "Try loading with delay_reporting first" variant?
>
> > struct avdtp_service_capability *service =
> > avdtp_get_codec(sep->sep);
> > struct avdtp_media_codec_capability *codec;
> > unsigned int i;
> > @@ -2373,7 +2373,7 @@ static void load_remote_sep(struct a2dp_channel
> > *chan, GKeyFile *key_file,
> > uint8_t codec;
> > uint8_t delay_reporting;
> > GSList *l = NULL;
> > - char caps[256];
> > + char caps[513];
> > uint8_t data[128];
> > int i, size;
> >
> > @@ -2386,10 +2386,10 @@ static void load_remote_sep(struct
> > a2dp_channel *chan, GKeyFile *key_file,
> > continue;
> >
> > /* Try loading with delay_reporting first */
> > - if (sscanf(value, "%02hhx:%02hhx:%02hhx:%s", &type,
> > &codec,
> > + if (sscanf(value, "%02hhx:%02hhx:%02hhx:%512s",
> > &type, &codec,
> > &delay_reporting, caps) !=
> > 4) {
> > /* Try old format */
> > - if (sscanf(value, "%02hhx:%02hhx:%s", &type,
> > &codec,
> > + if (sscanf(value, "%02hhx:%02hhx:%512s",
> > &type, &codec,
> > caps
> > ) != 3) {
> > warn("Unable to load Endpoint: seid
> > %u", rseid);
> > g_free(value);
> > @@ -2398,7 +2398,7 @@ static void load_remote_sep(struct a2dp_channel
> > *chan, GKeyFile *key_file,
> > delay_reporting = false;
> > }
> >
> > - for (i = 0, size = strlen(caps); i < size; i += 2) {
> > + for (i = 0, size = strlen(caps); i < size && i >= 2;
> > i += 2) {
> > uint8_t *tmp = data + i / 2;
> >
> > if (sscanf(caps + i, "%02hhx", tmp) != 1) {
--
Luiz Augusto von Dentz
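
Added example, not part of the thread and not BlueZ code: the sizing arithmetic discussed above (9-character prefix, two hex characters per capability byte, one terminator) carried through a bounded encode and decode of the `tt:cc:dd:hex...` storage string. The names `sep_encode`, `sep_decode` and the macros are hypothetical; unlike the patch, the decoder rejects over-long, odd-length and non-hex input instead of truncating it.

```c
/* Added illustration; sep_encode/sep_decode and the macros are hypothetical. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAPS_MAX   255                        /* length field is one byte */
#define HEX_MAX    (2 * CAPS_MAX)             /* "%02hhx": 2 chars per byte */
#define PREFIX_LEN 9                          /* "tt:cc:dd:" = 3 * 2 + 3 */
#define VALUE_MAX  (PREFIX_LEN + HEX_MAX + 1) /* + NUL terminator */

/* Returns the string length written, or -1 if out is too small. */
static int sep_encode(char *out, size_t out_len, uint8_t type, uint8_t codec,
		      uint8_t delay, const uint8_t *caps, size_t caps_len)
{
	size_t off, i;
	if (caps_len > CAPS_MAX || out_len < PREFIX_LEN + 2 * caps_len + 1)
		return -1;
	off = (size_t)snprintf(out, out_len, "%02hhx:%02hhx:%02hhx:", type, codec, delay);
	for (i = 0; i < caps_len; i++)
		off += (size_t)snprintf(out + off, out_len - off, "%02hhx", caps[i]);
	return (int)off;
}

/* Returns the number of capability bytes decoded, or -1 if malformed. */
static int sep_decode(const char *value, uint8_t *type, uint8_t *codec,
		      uint8_t *delay, uint8_t *caps, size_t caps_len)
{
	char hex[HEX_MAX + 2];	/* one spare char exposes over-long input */
	size_t n, i;
	if (sscanf(value, "%2hhx:%2hhx:%2hhx:%511s", type, codec, delay, hex) != 4)
		return -1;
	n = strlen(hex);
	if (n > HEX_MAX || n % 2 || n / 2 > caps_len)
		return -1;	/* reject instead of truncating or overrunning caps */
	for (i = 0; i < n; i += 2)
		if (!isxdigit((unsigned char)hex[i]) || !isxdigit((unsigned char)hex[i + 1]) ||
		    sscanf(hex + i, "%2hhx", &caps[i / 2]) != 1)
			return -1;
	return (int)(n / 2);
}

int main(void)
{
	uint8_t caps[CAPS_MAX] = { 0x21, 0x15, 0x02, 0x35 }, out[CAPS_MAX], t, c, d;
	char value[VALUE_MAX];
	int len = sep_encode(value, sizeof(value), 1, 0, 1, caps, CAPS_MAX);
	printf("len=%d decoded=%d\n", len, sep_decode(value, &t, &c, &d, out, sizeof(out)));
	return 0;
}
```

A 255-byte capability needs 9 + 510 + 1 = 520 bytes of string storage, which is why the old 256-byte buffers could not hold it.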
* Re: [PATCH BlueZ v2] a2dp: Fix handling of codec capability storage
From: Bastien Nocera @ 2026-06-23 16:49 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
On Tue, 2026-06-23 at 10:30 -0400, Luiz Augusto von Dentz wrote:
> Hi Bastien,
>
> On Tue, Jun 23, 2026 at 8:18 AM Bastien Nocera <hadess@hadess.net>
> wrote:
> >
> > On Mon, 2026-06-22 at 11:56 -0400, Luiz Augusto von Dentz wrote:
> > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > >
> > > Codec capability is one byte long (max 255) the storage format is
> > > 02hhx which means each byte ends up as 2 characters so the buffer
> > > needs to be doubled in order to handle capabilities of that size.
> > >
> > > Reported-by: p0her (_@p0her_) in TeamH4C working with TrendAI
> > > Zero
> > > Day Initiative
> > > Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
> > > ---
> > > profiles/audio/a2dp.c | 10 +++++-----
> > > 1 file changed, 5 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
> > > index a5e002784c02..c8adc3122563 100644
> > > --- a/profiles/audio/a2dp.c
> > > +++ b/profiles/audio/a2dp.c
> > > @@ -971,7 +971,7 @@ static void store_remote_sep(void *data, void
> > > *user_data)
> > > {
> > > struct a2dp_remote_sep *sep = data;
> > > GKeyFile *key_file = user_data;
> > > - char seid[4], value[256];
> > > + char seid[4], value[9 + 512];
> >
> > What's the "9" value from? Shouldn't it be 11 for the length of:
> > "%02hhx:%02hhx:%02hhx:"
>
> 3 * 2 (%02hhx) + 3 (:) = 9
If you're doing a fixup, might be a good idea to add as a comment,
thanks!
>
> > The "Try loading with delay_reporting first" variant?
> >
> > > struct avdtp_service_capability *service =
> > > avdtp_get_codec(sep->sep);
> > > struct avdtp_media_codec_capability *codec;
> > > unsigned int i;
> > > @@ -2373,7 +2373,7 @@ static void load_remote_sep(struct
> > > a2dp_channel
> > > *chan, GKeyFile *key_file,
> > > uint8_t codec;
> > > uint8_t delay_reporting;
> > > GSList *l = NULL;
> > > - char caps[256];
> > > + char caps[513];
> > > uint8_t data[128];
> > > int i, size;
> > >
> > > @@ -2386,10 +2386,10 @@ static void load_remote_sep(struct
> > > a2dp_channel *chan, GKeyFile *key_file,
> > > continue;
> > >
> > > /* Try loading with delay_reporting first */
> > > - if (sscanf(value, "%02hhx:%02hhx:%02hhx:%s", &type,
> > > &codec,
> > > + if (sscanf(value, "%02hhx:%02hhx:%02hhx:%512s",
> > > &type, &codec,
> > > &delay_reporting, caps) !=
> > > 4) {
> > > /* Try old format */
> > > - if (sscanf(value, "%02hhx:%02hhx:%s",
> > > &type,
> > > &codec,
> > > + if (sscanf(value, "%02hhx:%02hhx:%512s",
> > > &type, &codec,
> > >
> > > caps
> > > ) != 3) {
> > > warn("Unable to load Endpoint: seid
> > > %u", rseid);
> > > g_free(value);
> > > @@ -2398,7 +2398,7 @@ static void load_remote_sep(struct
> > > a2dp_channel
> > > *chan, GKeyFile *key_file,
> > > delay_reporting = false;
> > > }
> > >
> > > - for (i = 0, size = strlen(caps); i < size; i += 2)
> > > {
> > > + for (i = 0, size = strlen(caps); i < size && i >=
> > > 2;
> > > i += 2) {
> > > uint8_t *tmp = data + i / 2;
> > >
> > > if (sscanf(caps + i, "%02hhx", tmp) != 1) {
>
>
* Re: [PATCH BlueZ v2] a2dp: Fix handling of codec capability storage
From: patchwork-bot+bluetooth @ 2026-06-23 19:30 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 22 Jun 2026 11:56:21 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> Codec capability is one byte long (max 255) the storage format is
> 02hhx which means each byte ends up as 2 characters so the buffer
> needs to be doubled in order to handle capabilities of that size.
>
> Reported-by: p0her (_@p0her_) in TeamH4C working with TrendAI Zero Day Initiative
> Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
>
> [...]
Here is the summary with links:
- [BlueZ,v2] a2dp: Fix handling of codec capability storage
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=912f5efb0dd9
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html