* [PATCH BlueZ] hog-lib: Don't restrict Report MAP size
@ 2022-08-16 19:11 Luiz Augusto von Dentz
  2022-08-16 19:59 ` [BlueZ] " bluez.test.bot
  0 siblings, 1 reply; 2+ messages in thread
From: Luiz Augusto von Dentz @ 2022-08-16 19:11 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Although the HIDS spec is quite clear that the Report MAP shall be limited
to 512 bytes, OSes do not seem to enforce that on the profile/client side,
and since there isn't any qualification test enforcing it either, there
are quite a few devices which use a Report MAP bigger than 512 bytes
(e.g.: Brydge W-Touch and Lenovo Duet 3 BT Folio).

https://github.com/bluez/bluez/issues/377
---
 profiles/input/hog-lib.c | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/profiles/input/hog-lib.c b/profiles/input/hog-lib.c
index 4a9c601853f1..0aec84775950 100644
--- a/profiles/input/hog-lib.c
+++ b/profiles/input/hog-lib.c
@@ -64,7 +64,6 @@
 #define HOG_PROTO_MODE_BOOT    0
 #define HOG_PROTO_MODE_REPORT  1
 
-#define HOG_REPORT_MAP_MAX_SIZE        512
 #define HID_INFO_SIZE			4
 #define ATT_NOTIFICATION_HEADER_SIZE	3
 
@@ -103,11 +102,6 @@ struct bt_hog {
 	struct queue		*input;
 };
 
-struct report_map {
-	uint8_t	value[HOG_REPORT_MAP_MAX_SIZE];
-	size_t	length;
-};
-
 struct report {
 	struct bt_hog		*hog;
 	bool			numbered;
@@ -1096,7 +1090,7 @@ static void report_map_read_cb(guint8 status, const guint8 *pdu, guint16 plen,
 {
 	struct gatt_request *req = user_data;
 	struct bt_hog *hog = req->user_data;
-	uint8_t value[HOG_REPORT_MAP_MAX_SIZE];
+	uint8_t *value;
 	ssize_t vlen;
 
 	remove_gatt_req(req, status);
@@ -1106,10 +1100,12 @@ static void report_map_read_cb(guint8 status, const guint8 *pdu, guint16 plen,
 		return;
 	}
 
-	vlen = dec_read_resp(pdu, plen, value, sizeof(value));
+	value = new0(uint8_t, plen);
+
+	vlen = dec_read_resp(pdu, plen, value, plen);
 	if (vlen < 0) {
 		error("ATT protocol error");
-		return;
+		goto done;
 	}
 
 	uhid_create(hog, value, vlen);
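Review bot: With the 512-byte cap gone, the length handed to `uhid_create(hog, value, vlen)` is whatever the remote device put in the read response, bounded only by the `guint16` type of `plen`. `uhid_create` is outside this hunk, so it is worth confirming that it checks `vlen` against the size of the descriptor buffer it fills before copying, and rejects an oversized map with an error rather than truncating it silently. Separately, `new0(uint8_t, plen)` is sized from the whole PDU rather than the decoded value; a short comment such as `/* decoded value cannot exceed the PDU, so plen is a safe upper bound */` would make that intent explicit. The function body starts and ends outside the hunk.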
@@ -1120,6 +1116,9 @@ static void report_map_read_cb(guint8 status, const guint8 *pdu, guint16 plen,
 					NULL, db_report_map_write_value_cb,
 					NULL);
 	}
+
+done:
+	free(value);
 }
 
 static void read_report_map(struct bt_hog *hog)
@@ -1394,7 +1393,7 @@ static void db_report_map_read_value_cb(struct gatt_db_attribute *attrib,
 						int err, const uint8_t *value,
 						size_t length, void *user_data)
 {
-	struct report_map *map = user_data;
+	struct iovec *map = user_data;
 
 	if (err) {
 		error("Error reading report map from gatt db %s",
@@ -1405,8 +1404,9 @@ static void db_report_map_read_value_cb(struct gatt_db_attribute *attrib,
 	if (!length)
 		return;
 
-	map->length = length < sizeof(map->value) ? length : sizeof(map->value);
-	memcpy(map->value, value, map->length);
+
+	map->iov_len = length;
+	map->iov_base = (void *) value;
 }
 
 static void foreach_hog_chrc(struct gatt_db_attribute *attr, void *user_data)
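Review bot: `map->iov_base = (void *) value;` stores a pointer the callback only borrows and drops its `const`, where the removed `memcpy` took a private copy. That is safe only if the attribute value stays alive and unmodified until the caller has finished with the iovec, and only if `gatt_db_attribute_read` runs this callback before it returns; neither is visible in the hunk, so a comment should state it, e.g. `/* Borrowed from gatt_db: valid only while the attribute is unchanged; never write or free */`. The added blank line also leaves two consecutive blank lines before the assignments. The function starts outside the hunk.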
@@ -1415,7 +1415,7 @@ static void foreach_hog_chrc(struct gatt_db_attribute *attr, void *user_data)
 	bt_uuid_t uuid, report_uuid, report_map_uuid, info_uuid;
 	bt_uuid_t proto_mode_uuid, ctrlpt_uuid;
 	uint16_t handle, value_handle;
-	struct report_map report_map = {0};
+	struct iovec map;
 
 	gatt_db_attribute_get_char_data(attr, &handle, &value_handle, NULL,
 					NULL, &uuid);
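Review bot: `struct iovec map;` drops the zero initialiser that the removed `struct report_map report_map = {0};` had, yet `if (map.iov_len)` in the last hunk reads it unconditionally. `db_report_map_read_value_cb` returns early on `err` and on `!length` without touching the iovec, and the `gatt_db_attribute_read` call appears to sit inside a conditional whose test is outside the hunk, so on those paths `uhid_create` could be called with an indeterminate pointer and length. Declaring it as `struct iovec map = { 0 };` restores the previous behaviour. The function body continues outside the hunk.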
@@ -1438,14 +1438,14 @@ static void foreach_hog_chrc(struct gatt_db_attribute *attr, void *user_data)
 			gatt_db_attribute_read(hog->report_map_attr, 0,
 						BT_ATT_OP_READ_REQ, NULL,
 						db_report_map_read_value_cb,
-						&report_map);
+						&map);
 		}
 
-		if (report_map.length) {
+		if (map.iov_len) {
 			/* Report map found in the cache, straight to creating
 			 * UHID to optimize reconnection.
 			 */
-			uhid_create(hog, report_map.value, report_map.length);
+			uhid_create(hog, map.iov_base, map.iov_len);
 		}
 
 		gatt_db_service_foreach_desc(attr, foreach_hog_external, hog);
-- 
2.37.2



* RE: [BlueZ] hog-lib: Don't restrict Report MAP size
  2022-08-16 19:11 [PATCH BlueZ] hog-lib: Don't restrict Report MAP size Luiz Augusto von Dentz
@ 2022-08-16 19:59 ` bluez.test.bot
  0 siblings, 0 replies; 2+ messages in thread
From: bluez.test.bot @ 2022-08-16 19:59 UTC (permalink / raw)
  To: linux-bluetooth, luiz.dentz

[-- Attachment #1: Type: text/plain, Size: 2324 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=668191

---Test result---

Test Summary:
CheckPatch                    PASS      1.08 seconds
GitLint                       PASS      0.77 seconds
Prep - Setup ELL              PASS      30.64 seconds
Build - Prep                  PASS      0.81 seconds
Build - Configure             PASS      9.49 seconds
Build - Make                  PASS      898.07 seconds
Make Check                    PASS      11.97 seconds
Make Check w/Valgrind         PASS      304.89 seconds
Make Distcheck                PASS      253.90 seconds
Build w/ext ELL - Configure   PASS      8.99 seconds
Build w/ext ELL - Make        PASS      88.47 seconds
Incremental Build w/ patches  PASS      0.00 seconds
Scan Build                    WARNING   544.06 seconds

Details
##############################
Test: Scan Build - WARNING
Desc: Run Scan Build with patches
Output:
*****************************************************************************
The bugs reported by the scan-build may or may not be caused by your patches.
Please check the list and fix the bugs if they are caused by your patch.
*****************************************************************************
profiles/input/hog-lib.c:600:19: warning: Access to field 'handle' results in a dereference of a null pointer (loaded from variable 'chr')
        report->handle = chr->handle;
                         ^~~~~~~~~~~
profiles/input/hog-lib.c:637:11: warning: Access to field 'value_handle' results in a dereference of a null pointer (loaded from variable 'chr')
                start = chr->value_handle + 1;
                        ^~~~~~~~~~~~~~~~~
profiles/input/hog-lib.c:1240:11: warning: Access to field 'value_handle' results in a dereference of a null pointer (loaded from variable 'chr')
                start = chr->value_handle + 1;
                        ^~~~~~~~~~~~~~~~~
profiles/input/hog-lib.c:1444:7: warning: Branch condition evaluates to a garbage value
                if (map.iov_len) {
                    ^~~~~~~~~~~
4 warnings generated.




---
Regards,
Linux Bluetooth

