From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH BlueZ v1 2/2] shared/bap: Fix parsing of BT_ASCS_METADATA for multiple ASE IDs
Date: Thu,  4 Dec 2025 13:31:15 -0500
Message-ID: <20251204183115.2533504-2-luiz.dentz@gmail.com>
In-Reply-To: <20251204183115.2533504-1-luiz.dentz@gmail.com>

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

bt_ascs_metadata is variable length so when there are multiple ASE IDs
each item needs to be parsed according to its length otherwise it would
cause issues such as below where the ASE ID is incorrectly parsed:

> ACL Data RX: Handle 2048 flags 0x02 dlen 25
      ATT: Write Command (0x52) len 20
        Handle: 0x009b Type: ASE Control Point (0x2bc6)
          Data[18]: 070201060302040001050206030204000105
            Opcode: Update Metadata (0x07)
            Number of ASE(s): 2
            ASE: #0
            ASE ID: 0x01
            Metadata: #0: len 0x03 type 0x02
              Context: 0x0004
                Media (0x0004)
            Metadata: #1: len 0x01 type 0x05
            ASE: #1
            ASE ID: 0x02
            Metadata: #0: len 0x03 type 0x02
              Context: 0x0004
                Media (0x0004)
            Metadata: #1: len 0x01 type 0x05

= first LTV in the metadata is incorrectly used as ASE ID (0x03)
src/shared/bap.c:ep_metadata() ep 0x55b1f428d490 id 0x03 dir 0x02
src/shared/bap.c:ep_metadata() Invalid state config

< ACL Data TX: Handle 2048 [1/6] flags 0x00 dlen 15
      ATT: Handle Value Notification (0x1b) len 10
        Handle: 0x009b Type: ASE Control Point (0x2bc6)
          Data[8]: 0702010000030400
            Opcode: Update Metadata (0x07)
            Number of ASE(s): 2
            ASE: #0
            ASE ID: 0x01
            ASE Response Code: Success (0x00)
            ASE Response Reason: None (0x00)
            ASE: #1
            ASE ID: 0x03
            ASE Response Code: Invalid ASE State (0x04)
            ASE Response Reason: None (0x00)
---
 src/shared/bap.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 27321a3d1e3d..b5840d18a820 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -3508,10 +3508,12 @@ static uint8_t ascs_stop(struct bt_ascs *ascs, struct bt_bap *bap,
 	return ep_stop(ep, rsp);
 }
 
-static uint8_t ep_metadata(struct bt_bap_endpoint *ep, struct iovec *meta,
-						struct iovec *rsp)
+static uint8_t ep_metadata(struct bt_bap_endpoint *ep,
+				struct bt_ascs_metadata *req,
+				struct iovec *iov, struct iovec *rsp)
 {
 	struct bt_bap_stream *stream = ep->stream;
+	struct iovec meta;
 
 	DBG(stream->bap, "ep %p id 0x%02x dir 0x%02x", ep, ep->id, ep->dir);
 
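Review bot: the two parameters added to ep_metadata() here carry an undocumented contract: iov has to point at the metadata bytes that follow the header req was pulled from, and the function now advances iov as a side effect. Only req->len is used in the visible lines, so either a short comment above the function or passing the length instead of the whole struct would make that explicit.
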
@@ -3530,7 +3532,13 @@ static uint8_t ep_metadata(struct bt_bap_endpoint *ep, struct iovec *meta,
 		return 0;
 	}
 
-	return stream_metadata(ep->stream, meta, rsp);
+	if (iov->iov_len < req->len)
+		return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
+
+	meta.iov_base = util_iov_pull_mem(iov, req->len);
+	meta.iov_len = req->len;
+
+	return stream_metadata(ep->stream, &meta, rsp);
 }
 
 static uint8_t ascs_metadata(struct bt_ascs *ascs, struct bt_bap *bap,
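Review bot: the length check and util_iov_pull_mem() are placed after the early "return 0;" kept as context at the top of this hunk, so on that path the req->len metadata bytes stay in iov. If the caller continues with the next ASE from the same iov, it would again read an LTV as the ASE header, which is the misparse the commit message describes. Consider moving the check and the pull ahead of the state checks so the bytes are consumed on every return path.
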
@@ -3557,7 +3565,7 @@ static uint8_t ascs_metadata(struct bt_ascs *ascs, struct bt_bap *bap,
 		return 0;
 	}
 
-	return ep_metadata(ep, iov, rsp);
+	return ep_metadata(ep, req, iov, rsp);
 }
 
 static uint8_t ascs_release(struct bt_ascs *ascs, struct bt_bap *bap,
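Review bot: ascs_metadata() still has a "return 0;" immediately before the ep_metadata() call, and that path returns without consuming the req->len bytes now that the pull lives in ep_metadata(). Pulling the metadata in ascs_metadata() before any early return, and handing ep_metadata() the resulting iovec, would cover that path and keep ep_metadata()'s original signature.
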
-- 
2.52.0
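
Added example, not part of the original patch or of BlueZ: a standalone C walk over the Update Metadata bytes from the trace above, showing how the cursor has to advance by each ASE's metadata length. The function name, the consume_meta switch and the ids[] output array are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed from the Data[18] bytes in the trace above. */
static const uint8_t sample_pdu[] = {
	0x07, 0x02, 0x01, 0x06, 0x03, 0x02, 0x04, 0x00, 0x01, 0x05,
	0x02, 0x06, 0x03, 0x02, 0x04, 0x00, 0x01, 0x05
};

/*
 * Walk an Update Metadata write: opcode, ASE count, then per ASE
 * { id, metadata length, metadata[length] }.
 * consume_meta = 0 reproduces the misparse (cursor left on the LTVs).
 * Returns the number of ASE IDs stored in ids[], or -1 if malformed.
 */
static int parse_update_metadata(const uint8_t *buf, size_t len,
				int consume_meta, uint8_t *ids, size_t max)
{
	size_t off = 2, n;

	if (len < 2 || buf[0] != 0x07 || buf[1] > max)
		return -1;
	for (n = 0; n < buf[1]; n++) {
		uint8_t meta_len;

		if (len - off < 2)		/* need id + length */
			return -1;
		ids[n] = buf[off];
		meta_len = buf[off + 1];
		off += 2;

		if (len - off < meta_len)	/* length must fit what is left */
			return -1;
		if (consume_meta)
			off += meta_len;	/* step over this ASE's LTVs */
	}
	return (int)n;
}

int main(void)
{
	uint8_t ids[4];
	int n = parse_update_metadata(sample_pdu, sizeof(sample_pdu), 1, ids, 4);

	for (int i = 0; i < n; i++)
		printf("ASE ID: 0x%02x\n", ids[i]);
	return 0;
}
```

With consume_meta set to 0 the second ID comes back as 0x03, the value seen in the ep_metadata() debug line of the trace.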

