* [BlueZ 00/14] Fix a number of static analysis issues
@ 2024-05-10 9:10 Bastien Nocera
2024-05-10 9:10 ` [BlueZ 01/14] adapter: Use false instead of 0 for bool Bastien Nocera
` (13 more replies)
0 siblings, 14 replies; 17+ messages in thread
From: Bastien Nocera @ 2024-05-10 9:10 UTC (permalink / raw)
To: linux-bluetooth
Hello,
This is the first batch of bug fixes for issues found by Red Hat's
internal static analysis tools.
The best course of action would probably be to merge the ones that
are ready for upstream inclusion after review, and mark the others as
needing work, so I can include a new version of the patch in following
batches.
Cheers
Bastien Nocera (14):
adapter: Use false instead of 0 for bool
attrib/gatt: Guard against possible integer overflow
client/gatt: Don't pass negative fd on error
client/gatt: Check write_value() retval
client/main: Fix array access
client/main: Fix mismatched free
monitor/att: Fix memory leak
bap: Fix memory leaks
media: Fix memory leak
main: Fix memory leaks
isotest: Consider "0" fd to be valid
isotest: Fix error check after opening file
client/player: Fix copy/paste error
shared/vcp: Fix copy/paste error
attrib/gatt.c | 8 ++++---
client/gatt.c | 21 +++++++++++++++----
client/main.c | 7 ++++++-
client/player.c | 2 +-
monitor/att.c | 19 +++++++++++++++++
profiles/audio/bap.c | 47 +++++++++++++++++++++++++++++-------------
profiles/audio/media.c | 1 +
src/adapter.c | 2 +-
src/main.c | 4 ++++
src/shared/vcp.c | 2 +-
tools/isotest.c | 4 ++--
11 files changed, 90 insertions(+), 27 deletions(-)
--
2.44.0
* [BlueZ 01/14] adapter: Use false instead of 0 for bool
From: Bastien Nocera @ 2024-05-10 9:10 UTC (permalink / raw)
To: linux-bluetooth
---
src/adapter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/adapter.c b/src/adapter.c
index 5505edbb29c1..8b478e213cb5 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -2413,7 +2413,7 @@ static int update_discovery_filter(struct btd_adapter *adapter)
* starting discovery.
*/
if (filters_equal(adapter->current_discovery_filter, sd_cp) &&
- adapter->discovering != 0) {
+ adapter->discovering != false) {
DBG("filters were equal, deciding to not restart the scan.");
g_free(sd_cp);
return 0;
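Review bot: In the changed condition, `adapter->discovering != false` still compares a boolean against a literal; if the field is a bool, as the subject says, the idiomatic form is just `adapter->discovering`. The commit message is also empty apart from the subject, so a line naming the warning this silences would help.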
--
2.44.0
* [BlueZ 02/14] attrib/gatt: Guard against possible integer overflow
From: Bastien Nocera @ 2024-05-10 9:11 UTC (permalink / raw)
To: linux-bluetooth
Error: INTEGER_OVERFLOW (CWE-190): [#def30]
bluez-5.75/attrib/gatt.c:1016:2: known_value_assign: "last" = "65535", its value is now 65535.
bluez-5.75/attrib/gatt.c:1087:2: overflow_const: Expression "dd->start", which is equal to 65536, where "last + 1" is known to be equal to 65536, overflows the type that receives it, an unsigned integer 16 bits wide.
1085| }
1086|
1087|-> dd->start = last + 1;
1088|
1089| if (last < dd->end && !uuid_found) {
---
attrib/gatt.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/attrib/gatt.c b/attrib/gatt.c
index b496dd1ebd95..3cedae9d167a 100644
--- a/attrib/gatt.c
+++ b/attrib/gatt.c
@@ -1076,10 +1076,12 @@ static void desc_discovered_cb(guint8 status, const guint8 *ipdu,
att_data_list_free(list);
/*
- * If last handle is lower from previous start handle then it is smth
- * wrong. Let's stop search, otherwise we might enter infinite loop.
+ * If last handle is lower from previous start handle or if iterating
+ * to the next handle from the last possible offset would overflow, then
+ * something is wrong. Let's stop search, otherwise we might enter
+ * infinite loop.
*/
- if (last < dd->start) {
+ if (last < dd->start || last == G_MAXUINT16) {
err = ATT_ECODE_UNLIKELY;
goto done;
}
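Review bot: The new `last == G_MAXUINT16` test sends a response whose last handle is 0xffff to the error path with ATT_ECODE_UNLIKELY, but 0xffff is the top of the 16-bit handle range rather than evidence of a bad response. The context quoted in the report shows `dd->start = last + 1` followed by `if (last < dd->end && !uuid_found)`, and that condition cannot hold when last is 65535, so it is worth checking whether the wrapped start value is ever used before turning this case into a failure. If it is not, letting the search finish normally (or skipping only the increment) would silence the warning without changing behaviour. Minor: "lower from" in the comment should read "lower than" while the comment is being rewritten.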
--
2.44.0
* [BlueZ 03/14] client/gatt: Don't pass negative fd on error
From: Bastien Nocera @ 2024-05-10 9:11 UTC (permalink / raw)
To: linux-bluetooth
Error: NEGATIVE_RETURNS (CWE-394): [#def33]
bluez-5.75/client/gatt.c:973:2: negative_return_fn: Function "io_get_fd(io)" returns a negative number.
bluez-5.75/client/gatt.c:973:2: negative_returns: "io_get_fd(io)" is passed to a parameter that cannot be negative.
971| msg.msg_iovlen = iovlen;
972|
973|-> ret = sendmsg(io_get_fd(io), &msg, MSG_NOSIGNAL);
974| if (ret < 0) {
975| ret = -errno;
Error: NEGATIVE_RETURNS (CWE-394): [#def34]
bluez-5.75/client/gatt.c:1049:2: negative_return_fn: Function "io_get_fd(io)" returns a negative number.
bluez-5.75/client/gatt.c:1049:2: assign: Assigning: "fd" = "io_get_fd(io)".
bluez-5.75/client/gatt.c:1062:2: negative_returns: "fd" is passed to a parameter that cannot be negative.
1060| msg.msg_iovlen = 1;
1061|
1062|-> bytes_read = recvmsg(fd, &msg, MSG_DONTWAIT);
1063| if (bytes_read < 0) {
1064| bt_shell_printf("recvmsg: %s", strerror(errno));
---
client/gatt.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/client/gatt.c b/client/gatt.c
index 3aaa7a9361b9..6c7603985172 100644
--- a/client/gatt.c
+++ b/client/gatt.c
@@ -966,11 +966,15 @@ static int sock_send(struct io *io, struct iovec *iov, size_t iovlen)
struct msghdr msg;
int ret;
+ ret = io_get_fd(io);
+ if (ret < 0)
+ return ret;
+
memset(&msg, 0, sizeof(msg));
msg.msg_iov = iov;
msg.msg_iovlen = iovlen;
- ret = sendmsg(io_get_fd(io), &msg, MSG_NOSIGNAL);
+ ret = sendmsg(ret, &msg, MSG_NOSIGNAL);
if (ret < 0) {
ret = -errno;
bt_shell_printf("sendmsg: %s", strerror(-ret));
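Review bot: In sock_send(), `ret` now holds the descriptor from io_get_fd() and then the sendmsg() result, which makes `ret = sendmsg(ret, &msg, MSG_NOSIGNAL);` harder to read than it needs to be; a separate `int fd` would keep the two meanings apart. The early `return ret;` is also silent, whereas the sendmsg() failure just below reports through bt_shell_printf(), so this new failure path gives the user no message.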
@@ -1052,6 +1056,11 @@ static bool sock_read(struct io *io, void *user_data)
if (io != notify_io.io && !chrc)
return true;
+ if (fd < 0) {
+ bt_shell_printf("recvmsg: %s", strerror(-fd));
+ return false;
+ }
+
iov.iov_base = buf;
iov.iov_len = sizeof(buf);
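Review bot: The `fd < 0` branch in sock_read() prints with a "recvmsg: " prefix although recvmsg() has not been called at that point; the failure comes from io_get_fd(), and the message should say so. `strerror(-fd)` also assumes io_get_fd() returns a negative errno value, which the report does not establish (it only says the function can return a negative number), so confirm that before formatting it as an errno.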
--
2.44.0
* [BlueZ 04/14] client/gatt: Check write_value() retval
From: Bastien Nocera @ 2024-05-10 9:11 UTC (permalink / raw)
To: linux-bluetooth
Error: CHECKED_RETURN (CWE-252): [#def35]
bluez-5.75/client/gatt.c:3191:3: check_return: Calling "write_value" without checking return value (as is done elsewhere 5 out of 6 times).
bluez-5.75/client/gatt.c:2371:2: example_checked: Example 1: "write_value(&chrc->value_len, &chrc->value, value, value_len, aad->offset, chrc->max_val_len)" has its value checked in "write_value(&chrc->value_len, &chrc->value, value, value_len, aad->offset, chrc->max_val_len)".
bluez-5.75/client/gatt.c:2502:2: example_checked: Example 2: "write_value(&chrc->value_len, &chrc->value, value, value_len, offset, chrc->max_val_len)" has its value checked in "write_value(&chrc->value_len, &chrc->value, value, value_len, offset, chrc->max_val_len)".
bluez-5.75/client/gatt.c:2919:2: example_checked: Example 3: "write_value(&desc->value_len, &desc->value, value, value_len, offset, desc->max_val_len)" has its value checked in "write_value(&desc->value_len, &desc->value, value, value_len, offset, desc->max_val_len)".
bluez-5.75/client/gatt.c:759:3: example_checked: Example 4: "write_value(&c->value_len, &c->value, value, value_len, offset, c->max_val_len)" has its value checked in "write_value(&c->value_len, &c->value, value, value_len, offset, c->max_val_len)".
bluez-5.75/client/gatt.c:775:3: example_checked: Example 5: "write_value(&d->value_len, &d->value, value, value_len, offset, d->max_val_len)" has its value checked in "write_value(&d->value_len, &d->value, value, value_len, offset, d->max_val_len)".
3189| }
3190|
3191|-> write_value(&chrc->value_len, &chrc->value, value, len,
3192| 0, chrc->max_val_len);
---
client/gatt.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/client/gatt.c b/client/gatt.c
index 6c7603985172..51fa8ba8553c 100644
--- a/client/gatt.c
+++ b/client/gatt.c
@@ -3197,9 +3197,13 @@ static void proxy_property_changed(GDBusProxy *proxy, const char *name,
dbus_message_iter_get_fixed_array(&array, &value, &len);
}
- write_value(&chrc->value_len, &chrc->value, value, len,
- 0, chrc->max_val_len);
- bt_shell_hexdump(value, len);
+ if (write_value(&chrc->value_len, &chrc->value, value, len,
+ 0, chrc->max_val_len)) {
+ bt_shell_printf("Unable to update property value for %s\n",
+ name)
+ } else {
+ bt_shell_hexdump(value, len);
+ }
}
g_dbus_emit_property_changed(conn, chrc->path, CHRC_INTERFACE, name);
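Review bot: The added bt_shell_printf() call ends at `name)` with no terminating semicolon before `} else {`, so this hunk does not compile as posted. Once that is fixed, note that the hexdump is now skipped on failure but g_dbus_emit_property_changed() after the block still runs; say in the commit message whether emitting the change for a value that was not stored is intended.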
--
2.44.0
* [BlueZ 05/14] client/main: Fix array access
From: Bastien Nocera @ 2024-05-10 9:11 UTC (permalink / raw)
To: linux-bluetooth
Error: CPPCHECK_WARNING (CWE-788): [#def36]
bluez-5.75/client/main.c:833: error[ctuArrayIndex]: Array index out of bounds; 'argv' buffer size is 0 and it is accessed at offset 1.
831| const char **opt;
832|
833|-> if (!strcmp(argv[1], "help")) {
834| for (opt = arg_table; opt && *opt; opt++)
835| bt_shell_printf("%s\n", *opt);
---
client/main.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/client/main.c b/client/main.c
index 51d08a67aa1a..f703cc91b24a 100644
--- a/client/main.c
+++ b/client/main.c
@@ -830,6 +830,11 @@ static gboolean parse_argument(int argc, char *argv[], const char **arg_table,
{
const char **opt;
+ if (argc < 2) {
+ bt_shell_printf("Missing argument to %s\n", argv[0]);
+ return FALSE;
+ }
+
if (!strcmp(argv[1], "help")) {
for (opt = arg_table; opt && *opt; opt++)
bt_shell_printf("%s\n", *opt);
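Review bot: The new `argc < 2` guard formats `argv[0]` into the error message, but the cppcheck report says the argv buffer can have size 0, in which case argv[0] is out of bounds too. Either handle `argc < 1` separately or print a message that does not dereference argv.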
--
2.44.0
* [BlueZ 06/14] client/main: Fix mismatched free
From: Bastien Nocera @ 2024-05-10 9:11 UTC (permalink / raw)
To: linux-bluetooth
Error: ALLOC_FREE_MISMATCH (CWE-762): [#def37]
bluez-5.75/client/main.c:2108:2: alloc: Allocation of memory which must be freed using "g_free".
bluez-5.75/client/main.c:2108:2: assign: Assigning: "desc" = "g_strdup_printf("\x1b[0;94m[%s]\x1b[0m# ", attr)".
bluez-5.75/client/main.c:2111:2: free: Calling "free" frees "desc" using "free" but it should have been freed using "g_free".
2109|
2110| bt_shell_set_prompt(desc);
2111|-> free(desc);
2112| }
2113|
---
client/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/main.c b/client/main.c
index f703cc91b24a..f967c149e7bd 100644
--- a/client/main.c
+++ b/client/main.c
@@ -2113,7 +2113,7 @@ static void set_default_local_attribute(char *attr)
desc = g_strdup_printf(COLOR_BLUE "[%s]" COLOR_OFF "# ", attr);
bt_shell_set_prompt(desc);
- free(desc);
+ g_free(desc);
}
static void cmd_select_attribute(int argc, char *argv[])
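Review bot: The commit message for the `g_free(desc);` change carries only the analyzer output; one sentence stating that `desc` comes from g_strdup_printf() and therefore must be released with g_free() would make the log readable without the tool trace. The change itself matches the allocator shown in the context line above it.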
--
2.44.0
* [BlueZ 07/14] monitor/att: Fix memory leak
From: Bastien Nocera @ 2024-05-10 9:11 UTC (permalink / raw)
To: linux-bluetooth
name2utf8() returns newly allocated memory which needs to be freed.
Error: RESOURCE_LEAK (CWE-772): [#def27] [important]
bluez-5.75/monitor/att.c:2291:2: alloc_fn: Storage is returned from allocation function "name2utf8".
bluez-5.75/monitor/att.c:2291:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
bluez-5.75/monitor/att.c:2293:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/monitor/att.c:2294:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2292|
2293| print_field(" Media Player Name: %s", name);
2294|-> }
2295|
2296| static void mp_name_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def28] [important]
bluez-5.75/monitor/att.c:2320:2: alloc_fn: Storage is returned from allocation function "name2utf8".
bluez-5.75/monitor/att.c:2320:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
bluez-5.75/monitor/att.c:2322:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/monitor/att.c:2323:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2321|
2322| print_field(" Track Title: %s", name);
2323|-> }
2324|
2325| static void track_title_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def29] [important]
bluez-5.75/monitor/att.c:2453:2: alloc_fn: Storage is returned from allocation function "name2utf8".
bluez-5.75/monitor/att.c:2453:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
bluez-5.75/monitor/att.c:2455:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/monitor/att.c:2456:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2454|
2455| print_field(" Bearer Name: %s", name);
2456|-> }
2457|
2458| static void bearer_name_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def30] [important]
bluez-5.75/monitor/att.c:2472:2: alloc_fn: Storage is returned from allocation function "name2utf8".
bluez-5.75/monitor/att.c:2472:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
bluez-5.75/monitor/att.c:2474:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/monitor/att.c:2475:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2473|
2474| print_field(" Bearer Uci Name: %s", name);
2475|-> }
2476|
2477| static void print_technology_name(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def31] [important]
bluez-5.75/monitor/att.c:2541:2: alloc_fn: Storage is returned from allocation function "name2utf8".
bluez-5.75/monitor/att.c:2541:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
bluez-5.75/monitor/att.c:2543:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/monitor/att.c:2544:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2542|
2543| print_field(" Uri scheme Name: %s", name);
2544|-> }
2545|
2546| static void bearer_uri_schemes_list_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def32] [important]
bluez-5.75/monitor/att.c:2653:2: alloc_fn: Storage is returned from allocation function "name2utf8".
bluez-5.75/monitor/att.c:2653:2: var_assign: Assigning: "call_uri" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
bluez-5.75/monitor/att.c:2655:2: noescape: Resource "call_uri" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/monitor/att.c:2660:1: leaked_storage: Variable "call_uri" going out of scope leaks the storage it points to.
2658| if (frame->size)
2659| print_hex_field(" call_list Data", frame->data, frame->size);
2660|-> }
2661|
2662| static void bearer_current_call_list_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def33] [important]
bluez-5.75/monitor/att.c:2741:2: alloc_fn: Storage is returned from allocation function "name2utf8".
bluez-5.75/monitor/att.c:2741:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
bluez-5.75/monitor/att.c:2743:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/monitor/att.c:2748:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2746| if (frame->size)
2747| print_hex_field(" Data", frame->data, frame->size);
2748|-> }
2749|
2750| static void incom_target_bearer_uri_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def34] [important]
bluez-5.75/monitor/att.c:2851:3: alloc_fn: Storage is returned from allocation function "name2utf8".
bluez-5.75/monitor/att.c:2851:3: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
bluez-5.75/monitor/att.c:2852:3: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/monitor/att.c:2871:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
2869| if (frame->size)
2870| print_hex_field("call_cp Data", frame->data, frame->size);
2871|-> }
2872|
2873| static void print_call_cp_notification(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def35] [important]
bluez-5.75/monitor/att.c:3046:2: alloc_fn: Storage is returned from allocation function "name2utf8".
bluez-5.75/monitor/att.c:3046:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
bluez-5.75/monitor/att.c:3048:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/monitor/att.c:3053:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
3051| if (frame->size)
3052| print_hex_field(" Data", frame->data, frame->size);
3053|-> }
3054|
3055| static void incoming_call_read(const struct l2cap_frame *frame)
Error: RESOURCE_LEAK (CWE-772): [#def36] [important]
bluez-5.75/monitor/att.c:3077:2: alloc_fn: Storage is returned from allocation function "name2utf8".
bluez-5.75/monitor/att.c:3077:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)".
bluez-5.75/monitor/att.c:3079:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/monitor/att.c:3084:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
3082| if (frame->size)
3083| print_hex_field(" Data", frame->data, frame->size);
3084|-> }
3085|
3086| static void call_friendly_name_read(const struct l2cap_frame *frame)
---
monitor/att.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/monitor/att.c b/monitor/att.c
index b3fb3ba6a0ad..a23347ef7ede 100644
--- a/monitor/att.c
+++ b/monitor/att.c
@@ -2291,6 +2291,8 @@ static void print_mp_name(const struct l2cap_frame *frame)
name = name2utf8((uint8_t *)frame->data, frame->size);
print_field(" Media Player Name: %s", name);
+
+ g_free(name);
}
static void mp_name_read(const struct l2cap_frame *frame)
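Review bot: All of these hunks release the name2utf8() result with g_free(), starting with `g_free(name);` in print_mp_name(), but neither the commit message nor the report says which allocator name2utf8() uses. Given that 06/14 in this series fixes a free()/g_free() mismatch, please confirm that name2utf8() allocates through GLib and state it in the commit message; otherwise free() is the matching call.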
@@ -2320,6 +2322,8 @@ static void print_track_title(const struct l2cap_frame *frame)
name = name2utf8((uint8_t *)frame->data, frame->size);
print_field(" Track Title: %s", name);
+
+ g_free(name);
}
static void track_title_read(const struct l2cap_frame *frame)
@@ -2453,6 +2457,8 @@ static void print_bearer_name(const struct l2cap_frame *frame)
name = name2utf8((uint8_t *)frame->data, frame->size);
print_field(" Bearer Name: %s", name);
+
+ g_free(name);
}
static void bearer_name_read(const struct l2cap_frame *frame)
@@ -2472,6 +2478,8 @@ static void bearer_uci_read(const struct l2cap_frame *frame)
name = name2utf8((uint8_t *)frame->data, frame->size);
print_field(" Bearer Uci Name: %s", name);
+
+ g_free(name);
}
static void print_technology_name(const struct l2cap_frame *frame)
@@ -2541,6 +2549,8 @@ static void print_uri_scheme_list(const struct l2cap_frame *frame)
name = name2utf8((uint8_t *)frame->data, frame->size);
print_field(" Uri scheme Name: %s", name);
+
+ g_free(name);
}
static void bearer_uri_schemes_list_read(const struct l2cap_frame *frame)
@@ -2654,6 +2664,8 @@ static void print_call_list(const struct l2cap_frame *frame)
print_field(" call_uri: %s", call_uri);
+ g_free(call_uri);
+
done:
if (frame->size)
print_hex_field(" call_list Data", frame->data, frame->size);
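Review bot: In print_call_list() the `g_free(call_uri);` is placed above the `done:` label, so any path that jumps to `done` after name2utf8() has been called would still leak. The lines above the hunk are not visible here; if such a jump exists, initialise the pointer to NULL and free it after the label instead. The same placement is used in print_target_uri(), print_incom_call() and print_call_friendly_name().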
@@ -2742,6 +2754,8 @@ static void print_target_uri(const struct l2cap_frame *frame)
print_field(" Uri: %s", name);
+ g_free(name);
+
done:
if (frame->size)
print_hex_field(" Data", frame->data, frame->size);
@@ -2850,6 +2864,7 @@ static void print_call_cp(const struct l2cap_frame *frame)
str = "Originate";
name = name2utf8((uint8_t *)frame->data, frame->size);
print_field(" Operation: %s Uri: %s", str, name);
+ g_free(name);
break;
case 0x05:
str = "Join";
@@ -3047,6 +3062,8 @@ static void print_incom_call(const struct l2cap_frame *frame)
print_field(" call_string: %s", name);
+ g_free(name);
+
done:
if (frame->size)
print_hex_field(" Data", frame->data, frame->size);
@@ -3078,6 +3095,8 @@ static void print_call_friendly_name(const struct l2cap_frame *frame)
print_field(" Friendly Name: %s", name);
+ g_free(name);
+
done:
if (frame->size)
print_hex_field(" Data", frame->data, frame->size);
--
2.44.0
* [BlueZ 08/14] bap: Fix memory leaks
From: Bastien Nocera @ 2024-05-10 9:11 UTC (permalink / raw)
To: linux-bluetooth
Error: RESOURCE_LEAK (CWE-772): [#def37] [important]
bluez-5.75/profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc".
bluez-5.75/profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
bluez-5.75/profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
bluez-5.75/profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})".
bluez-5.75/profiles/audio/bap.c:1066:4: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to.
1064| l2_caps = new0(struct iovec, 1);
1065| if (!util_iov_pull_u8(&iov, (void *)&l2_caps->iov_len))
1066|-> goto fail;
1067|
1068| util_iov_memcpy(l2_caps, util_iov_pull_mem(&iov,
Error: RESOURCE_LEAK (CWE-772): [#def38] [important]
bluez-5.75/profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc".
bluez-5.75/profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
bluez-5.75/profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
bluez-5.75/profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})".
bluez-5.75/profiles/audio/bap.c:1068:3: noescape: Resource "l2_caps" is not freed or pointed-to in "util_iov_memcpy".
bluez-5.75/profiles/audio/bap.c:1080:4: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to.
1078| meta = new0(struct iovec, 1);
1079| if (!util_iov_pull_u8(&iov, (void *)&meta->iov_len))
1080|-> goto fail;
1081|
1082| util_iov_memcpy(meta,
Error: RESOURCE_LEAK (CWE-772): [#def39] [important]
bluez-5.75/profiles/audio/bap.c:1078:10: alloc_fn: Storage is returned from allocation function "util_malloc".
bluez-5.75/profiles/audio/bap.c:1078:10: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
bluez-5.75/profiles/audio/bap.c:1078:10: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/profiles/audio/bap.c:1078:10: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
bluez-5.75/profiles/audio/bap.c:1078:3: var_assign: Assigning: "meta" = "({...; __p;})".
bluez-5.75/profiles/audio/bap.c:1080:4: leaked_storage: Variable "meta" going out of scope leaks the storage it points to.
1078| meta = new0(struct iovec, 1);
1079| if (!util_iov_pull_u8(&iov, (void *)&meta->iov_len))
1080|-> goto fail;
1081|
1082| util_iov_memcpy(meta,
Error: RESOURCE_LEAK (CWE-772): [#def40] [important]
bluez-5.75/profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc".
bluez-5.75/profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
bluez-5.75/profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
bluez-5.75/profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})".
bluez-5.75/profiles/audio/bap.c:1068:3: noescape: Resource "l2_caps" is not freed or pointed-to in "util_iov_memcpy".
bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "l2_caps" is not freed or pointed-to in "bt_bap_add_bis".
bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "l2_caps" is not freed or pointed-to in "bt_bap_add_bis".
bluez-5.75/profiles/audio/bap.c:1097:5: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to.
1095|
1096| if (!util_iov_pull_u8(&iov, &bis_index))
1097|-> goto fail;
1098|
1099| util_debug(func, NULL, "BIS #%d", bis_index);
Error: RESOURCE_LEAK (CWE-772): [#def41] [important]
bluez-5.75/profiles/audio/bap.c:1078:10: alloc_fn: Storage is returned from allocation function "util_malloc".
bluez-5.75/profiles/audio/bap.c:1078:10: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
bluez-5.75/profiles/audio/bap.c:1078:10: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/profiles/audio/bap.c:1078:10: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
bluez-5.75/profiles/audio/bap.c:1078:3: var_assign: Assigning: "meta" = "({...; __p;})".
bluez-5.75/profiles/audio/bap.c:1082:3: noescape: Resource "meta" is not freed or pointed-to in "util_iov_memcpy".
bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "meta" is not freed or pointed-to in "bt_bap_add_bis".
bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "meta" is not freed or pointed-to in "bt_bap_add_bis".
bluez-5.75/profiles/audio/bap.c:1097:5: leaked_storage: Variable "meta" going out of scope leaks the storage it points to.
1095|
1096| if (!util_iov_pull_u8(&iov, &bis_index))
1097|-> goto fail;
1098|
1099| util_debug(func, NULL, "BIS #%d", bis_index);
Error: RESOURCE_LEAK (CWE-772): [#def42] [important]
bluez-5.75/profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc".
bluez-5.75/profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
bluez-5.75/profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
bluez-5.75/profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})".
bluez-5.75/profiles/audio/bap.c:1068:3: noescape: Resource "l2_caps" is not freed or pointed-to in "util_iov_memcpy".
bluez-5.75/profiles/audio/bap.c:1104:5: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to.
1102| l3_caps = new0(struct iovec, 1);
1103| if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len))
1104|-> goto fail;
1105|
1106| util_iov_memcpy(l3_caps,
Error: RESOURCE_LEAK (CWE-772): [#def43] [important]
bluez-5.75/profiles/audio/bap.c:1102:14: alloc_fn: Storage is returned from allocation function "util_malloc".
bluez-5.75/profiles/audio/bap.c:1102:14: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
bluez-5.75/profiles/audio/bap.c:1102:14: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/profiles/audio/bap.c:1102:14: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
bluez-5.75/profiles/audio/bap.c:1102:4: var_assign: Assigning: "l3_caps" = "({...; __p;})".
bluez-5.75/profiles/audio/bap.c:1104:5: leaked_storage: Variable "l3_caps" going out of scope leaks the storage it points to.
1102| l3_caps = new0(struct iovec, 1);
1103| if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len))
1104|-> goto fail;
1105|
1106| util_iov_memcpy(l3_caps,
Error: RESOURCE_LEAK (CWE-772): [#def44] [important]
bluez-5.75/profiles/audio/bap.c:1078:10: alloc_fn: Storage is returned from allocation function "util_malloc".
bluez-5.75/profiles/audio/bap.c:1078:10: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
bluez-5.75/profiles/audio/bap.c:1078:10: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/profiles/audio/bap.c:1078:10: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
bluez-5.75/profiles/audio/bap.c:1078:3: var_assign: Assigning: "meta" = "({...; __p;})".
bluez-5.75/profiles/audio/bap.c:1082:3: noescape: Resource "meta" is not freed or pointed-to in "util_iov_memcpy".
bluez-5.75/profiles/audio/bap.c:1104:5: leaked_storage: Variable "meta" going out of scope leaks the storage it points to.
1102| l3_caps = new0(struct iovec, 1);
1103| if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len))
1104|-> goto fail;
1105|
1106| util_iov_memcpy(l3_caps,
Error: RESOURCE_LEAK (CWE-772): [#def45] [important]
bluez-5.75/profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc".
bluez-5.75/profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
bluez-5.75/profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
bluez-5.75/profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})".
bluez-5.75/profiles/audio/bap.c:1068:3: noescape: Resource "l2_caps" is not freed or pointed-to in "util_iov_memcpy".
bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "l2_caps" is not freed or pointed-to in "bt_bap_add_bis".
bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "l2_caps" is not freed or pointed-to in "bt_bap_add_bis".
bluez-5.75/profiles/audio/bap.c:1123:2: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to.
1121| }
1122|
1123|-> }
1124| return true;
1125|
Error: RESOURCE_LEAK (CWE-772): [#def46] [important]
bluez-5.75/profiles/audio/bap.c:1078:10: alloc_fn: Storage is returned from allocation function "util_malloc".
bluez-5.75/profiles/audio/bap.c:1078:10: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)".
bluez-5.75/profiles/audio/bap.c:1078:10: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/profiles/audio/bap.c:1078:10: leaked_storage: Variable "__p" going out of scope leaks the storage it points to.
bluez-5.75/profiles/audio/bap.c:1078:3: var_assign: Assigning: "meta" = "({...; __p;})".
bluez-5.75/profiles/audio/bap.c:1082:3: noescape: Resource "meta" is not freed or pointed-to in "util_iov_memcpy".
bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "meta" is not freed or pointed-to in "bt_bap_add_bis".
bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "meta" is not freed or pointed-to in "bt_bap_add_bis".
bluez-5.75/profiles/audio/bap.c:1123:2: leaked_storage: Variable "meta" going out of scope leaks the storage it points to.
1121| }
1122|
1123|-> }
1124| return true;
1125|
---
profiles/audio/bap.c | 47 +++++++++++++++++++++++++++++++-------------
1 file changed, 33 insertions(+), 14 deletions(-)
diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index 8e4f4b311fba..15024e26f843 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -1028,6 +1028,7 @@ static bool parse_base(struct bt_bap *bap, struct bt_iso_base *base,
};
uint32_t pres_delay;
uint8_t num_subgroups;
+ bool ret = true;
util_debug(func, NULL, "BASE len: %ld", iov.iov_len);
@@ -1043,13 +1044,15 @@ static bool parse_base(struct bt_bap *bap, struct bt_iso_base *base,
for (int idx = 0; idx < num_subgroups; idx++) {
uint8_t num_bis;
struct bt_bap_codec codec;
- struct iovec *l2_caps;
- struct iovec *meta;
+ struct iovec *l2_caps = NULL;
+ struct iovec *meta = NULL;
util_debug(func, NULL, "Subgroup #%d", idx);
- if (!util_iov_pull_u8(&iov, &num_bis))
+ if (!util_iov_pull_u8(&iov, &num_bis)) {
+ ret = false;
goto fail;
+ }
util_debug(func, NULL, "Number of BISes: %d", num_bis);
memcpy(&codec,
@@ -1062,8 +1065,10 @@ static bool parse_base(struct bt_bap *bap, struct bt_iso_base *base,
/* Level 2 */
/* Read Codec Specific Configuration */
l2_caps = new0(struct iovec, 1);
- if (!util_iov_pull_u8(&iov, (void *)&l2_caps->iov_len))
- goto fail;
+ if (!util_iov_pull_u8(&iov, (void *)&l2_caps->iov_len)) {
+ ret = false;
+ goto group_fail;
+ }
util_iov_memcpy(l2_caps, util_iov_pull_mem(&iov,
l2_caps->iov_len),
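Review bot: "util_iov_pull_u8(&iov, (void *)&l2_caps->iov_len)" stores a single byte through a pointer to the size_t field iov_len. The "(void *)" cast hides the type mismatch, and the result is only correct because new0() zeroed the struct and the host is little-endian. Since these lines are being touched anyway (the same pattern recurs for "meta" and "l3_caps"), consider pulling into a local uint8_t, as is done for "num_bis", and assigning that to iov_len. The context lines also pass the result of "util_iov_pull_mem(&iov, l2_caps->iov_len)" straight to util_iov_memcpy(); if that can be NULL for a short BASE, it needs a check before the copy.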
@@ -1076,8 +1081,10 @@ static bool parse_base(struct bt_bap *bap, struct bt_iso_base *base,
/* Read Metadata */
meta = new0(struct iovec, 1);
- if (!util_iov_pull_u8(&iov, (void *)&meta->iov_len))
- goto fail;
+ if (!util_iov_pull_u8(&iov, (void *)&meta->iov_len)) {
+ ret = false;
+ goto group_fail;
+ }
util_iov_memcpy(meta,
util_iov_pull_mem(&iov, meta->iov_len),
@@ -1093,15 +1100,20 @@ static bool parse_base(struct bt_bap *bap, struct bt_iso_base *base,
uint8_t bis_index;
struct iovec *l3_caps;
- if (!util_iov_pull_u8(&iov, &bis_index))
- goto fail;
+ if (!util_iov_pull_u8(&iov, &bis_index)) {
+ ret = false;
+ goto group_fail;
+ }
util_debug(func, NULL, "BIS #%d", bis_index);
/* Read Codec Specific Configuration */
l3_caps = new0(struct iovec, 1);
- if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len))
- goto fail;
+ if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len)) {
+ free(l3_caps);
+ ret = false;
+ goto group_fail;
+ }
util_iov_memcpy(l3_caps,
util_iov_pull_mem(&iov,
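Review bot: the added line "if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len)) {" is 81 columns, which is what the CheckPatch run on this series reports as LONG_LINE at profiles/audio/bap.c:1112; wrap the second argument. The inline "free(l3_caps);" is needed because "l3_caps" is declared inside the per-BIS block and is out of reach of "group_fail", so a short comment there would explain the asymmetry with "l2_caps" and "meta".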
@@ -1120,13 +1132,20 @@ static bool parse_base(struct bt_bap *bap, struct bt_iso_base *base,
meta);
}
+group_fail:
+ if (l2_caps != NULL)
+ free(l2_caps);
+ if (meta != NULL)
+ free(meta);
+ if (!ret)
+ break;
}
- return true;
fail:
- util_debug(func, NULL, "Unable to parse Base");
+ if (!ret)
+ util_debug(func, NULL, "Unable to parse Base");
- return false;
+ return ret;
}
static void iso_pa_sync_confirm_cb(GIOChannel *io, void *user_data)
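Review bot: "group_fail:" and "fail:" are now both reached on the success path (the first sits at the end of every loop iteration, and "return true;" is gone), so the label names are misleading; neutral names such as "group_done"/"done", or a comment, would avoid that. The "!= NULL" tests before free() are redundant, since free(NULL) is a no-op. Also, "free(l2_caps);" and "free(meta);" release only the struct iovec itself; if util_iov_memcpy() allocates iov_base, that buffer is still leaked on every iteration and needs to be freed as well.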
--
2.44.0
* [BlueZ 09/14] media: Fix memory leak
From: Bastien Nocera @ 2024-05-10 9:11 UTC (permalink / raw)
To: linux-bluetooth
Error: RESOURCE_LEAK (CWE-772): [#def47] [important]
bluez-5.75/profiles/audio/media.c:1278:2: alloc_arg: "asprintf" allocates memory that is stored into "name". [Note: The source code implementation of the function has been overridden by a builtin model.]
bluez-5.75/profiles/audio/media.c:1291:2: noescape: Resource "name" is not freed or pointed-to in "bt_bap_add_vendor_pac".
bluez-5.75/profiles/audio/media.c:1297:3: leaked_storage: Variable "name" going out of scope leaks the storage it points to.
1295| error("Unable to create PAC");
1296| free(metadata);
1297|-> return false;
1298| }
1299|
---
profiles/audio/media.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/profiles/audio/media.c b/profiles/audio/media.c
index 07147a25d532..4bbd584deaba 100644
--- a/profiles/audio/media.c
+++ b/profiles/audio/media.c
@@ -1293,6 +1293,7 @@ static bool endpoint_init_pac(struct media_endpoint *endpoint, uint8_t type,
&data, metadata);
if (!endpoint->pac) {
error("Unable to create PAC");
+ free(name);
free(metadata);
return false;
}
--
2.44.0
* [BlueZ 10/14] main: Fix memory leaks
From: Bastien Nocera @ 2024-05-10 9:11 UTC (permalink / raw)
To: linux-bluetooth
Error: RESOURCE_LEAK (CWE-772): [#def51] [important]
bluez-5.75/src/main.c:451:2: alloc_arg: "parse_config_string" allocates memory that is stored into "str".
bluez-5.75/src/main.c:454:2: identity_transfer: Passing "str" as argument 1 to function "strtol", which sets "endptr" to that argument.
bluez-5.75/src/main.c:456:3: noescape: Assuming resource "str" is not freed or pointed-to as ellipsis argument to "btd_error".
bluez-5.75/src/main.c:457:3: leaked_storage: Variable "endptr" going out of scope leaks the storage it points to.
bluez-5.75/src/main.c:457:3: leaked_storage: Variable "str" going out of scope leaks the storage it points to.
455| if (!endptr || *endptr != '\0') {
456| error("%s.%s = %s is not integer", group, key, str);
457|-> return false;
458| }
459|
Error: RESOURCE_LEAK (CWE-772): [#def52] [important]
bluez-5.75/src/main.c:451:2: alloc_arg: "parse_config_string" allocates memory that is stored into "str".
bluez-5.75/src/main.c:454:2: identity_transfer: Passing "str" as argument 1 to function "strtol", which sets "endptr" to that argument.
bluez-5.75/src/main.c:463:3: leaked_storage: Variable "endptr" going out of scope leaks the storage it points to.
bluez-5.75/src/main.c:463:3: leaked_storage: Variable "str" going out of scope leaks the storage it points to.
461| warn("%s.%s = %zu is out of range (< %zu)", group, key, tmp,
462| min);
463|-> return false;
464| }
465|
Error: RESOURCE_LEAK (CWE-772): [#def53] [important]
bluez-5.75/src/main.c:451:2: alloc_arg: "parse_config_string" allocates memory that is stored into "str".
bluez-5.75/src/main.c:454:2: identity_transfer: Passing "str" as argument 1 to function "strtol", which sets "endptr" to that argument.
bluez-5.75/src/main.c:475:2: leaked_storage: Variable "endptr" going out of scope leaks the storage it points to.
bluez-5.75/src/main.c:475:2: leaked_storage: Variable "str" going out of scope leaks the storage it points to.
473| *val = tmp;
474|
475|-> return true;
476| }
477|
---
src/main.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/main.c b/src/main.c
index 23af6781d931..ac840d684f6d 100644
--- a/src/main.c
+++ b/src/main.c
@@ -454,21 +454,25 @@ static bool parse_config_int(GKeyFile *config, const char *group,
tmp = strtol(str, &endptr, 0);
if (!endptr || *endptr != '\0') {
error("%s.%s = %s is not integer", group, key, str);
+ g_free(str);
return false;
}
if (tmp < min) {
+ g_free(str);
warn("%s.%s = %zu is out of range (< %zu)", group, key, tmp,
min);
return false;
}
if (tmp > max) {
+ g_free(str);
warn("%s.%s = %zu is out of range (> %zu)", group, key, tmp,
max);
return false;
}
+ g_free(str);
if (val)
*val = tmp;
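Review bot: four separate "g_free(str);" calls, placed after the message in the first branch but before it in the two range checks, make it easy to miss one when another exit is added. "str" is only needed for the "is not integer" message, so it can be freed once right after the endptr check (and inside that branch after error()), leaving the "tmp < min" and "tmp > max" branches untouched. "endptr" points into "str", so it must not be read after the free; the visible code does not, but a comment would make that explicit.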
--
2.44.0
* [BlueZ 11/14] isotest: Consider "0" fd to be valid
From: Bastien Nocera @ 2024-05-10 9:11 UTC (permalink / raw)
To: linux-bluetooth
Error: RESOURCE_LEAK (CWE-772): [#def79] [important]
bluez-5.75/tools/isotest.c:923:4: open_fn: Returning handle opened by "open_file".
bluez-5.75/tools/isotest.c:923:4: var_assign: Assigning: "fd" = handle returned from "open_file(altername)".
bluez-5.75/tools/isotest.c:925:3: off_by_one: Testing whether handle "fd" is strictly greater than zero is suspicious. "fd" leaks when it is zero.
bluez-5.75/tools/isotest.c:925:3: remediation: Did you intend to include equality with zero?
bluez-5.75/tools/isotest.c:926:4: overwrite_var: Overwriting handle "fd" in "fd = open_file(filename)" leaks the handle.
924|
925| if (fd <= 0)
926|-> fd = open_file(filename);
927| }
928|
---
tools/isotest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/isotest.c b/tools/isotest.c
index 7e875fa58b15..810d15d2df2a 100644
--- a/tools/isotest.c
+++ b/tools/isotest.c
@@ -922,7 +922,7 @@ static void send_mode(char *filename, char *peer, int i, bool repeat)
if (!err)
fd = open_file(altername);
- if (fd <= 0)
+ if (fd < 0)
fd = open_file(filename);
}
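Review bot: with "if (fd < 0)", the fallback "fd = open_file(filename);" depends on "fd" being negative whenever the "if (!err)" branch is skipped. The hunk does not show the declaration; if "fd" starts at 0, the old "<= 0" test masked that, and the new one would treat descriptor 0 as the opened file. Please confirm "fd" is initialised to -1, or add the initialiser in this patch.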
--
2.44.0
* [BlueZ 12/14] isotest: Fix error check after opening file
From: Bastien Nocera @ 2024-05-10 9:11 UTC (permalink / raw)
To: linux-bluetooth
Consider "0" to be a valid fd.
---
tools/isotest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/isotest.c b/tools/isotest.c
index 810d15d2df2a..ddace0da3044 100644
--- a/tools/isotest.c
+++ b/tools/isotest.c
@@ -720,7 +720,7 @@ static int open_file(const char *filename)
syslog(LOG_INFO, "Opening %s ...", filename);
fd = open(filename, O_RDONLY);
- if (fd <= 0) {
+ if (fd < 0) {
syslog(LOG_ERR, "Can't open file %s: %s\n",
filename, strerror(errno));
}
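Review bot: this is the same "<= 0" to "< 0" correction as 11/14, in the same file, so the two could be a single patch; the commit message here also lacks the analyser output that the rest of the series quotes. The error branch shown only logs, so every caller has to test the returned "fd" for "< 0" itself, which is worth a one-line comment on open_file().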
--
2.44.0
* [BlueZ 13/14] client/player: Fix copy/paste error
From: Bastien Nocera @ 2024-05-10 9:11 UTC (permalink / raw)
To: linux-bluetooth
Error: COPY_PASTE_ERROR (CWE-398): [#def95] [important]
bluez-5.75/client/player.c:1846:6: original: "qos->sync_cte_type" looks like the original copy.
bluez-5.75/client/player.c:1852:6: copy_paste_error: "sync_cte_type" in "qos->sync_cte_type" looks like a copy-paste error.
bluez-5.75/client/player.c:1852:6: remediation: Should it say "mse" instead?
1850| }
1851|
1852|-> if (qos->sync_cte_type) {
1853| bt_shell_printf("MSE %u\n", qos->mse);
1854| g_dbus_dict_append_entry(iter, "MSE", DBUS_TYPE_BYTE,
---
client/player.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/player.c b/client/player.c
index 6b70e9ed3f9d..7f67425aaf8f 100644
--- a/client/player.c
+++ b/client/player.c
@@ -1849,7 +1849,7 @@ static void append_bcast_qos(DBusMessageIter *iter, struct endpoint_config *cfg)
&qos->sync_cte_type);
}
- if (qos->sync_cte_type) {
+ if (qos->mse) {
bt_shell_printf("MSE %u\n", qos->mse);
g_dbus_dict_append_entry(iter, "MSE", DBUS_TYPE_BYTE,
&qos->mse);
--
2.44.0
* [BlueZ 14/14] shared/vcp: Fix copy/paste error
From: Bastien Nocera @ 2024-05-10 9:11 UTC (permalink / raw)
To: linux-bluetooth
Error: COPY_PASTE_ERROR (CWE-398): [#def97] [important]
bluez-5.75/src/shared/vcp.c:2610:16: original: "aics->gain_stting_prop" looks like the original copy.
bluez-5.75/src/shared/vcp.c:2625:16: copy_paste_error: "gain_stting_prop" in "aics->gain_stting_prop" looks like a copy-paste error.
bluez-5.75/src/shared/vcp.c:2625:16: remediation: Should it say "aud_ip_type" instead?
2623|
2624| aics = vcp_get_aics(vcp);
2625|-> if (!aics || aics->gain_stting_prop)
2626| return;
2627|
---
src/shared/vcp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/vcp.c b/src/shared/vcp.c
index 7ba54e64adc0..b7e17e448b74 100644
--- a/src/shared/vcp.c
+++ b/src/shared/vcp.c
@@ -2622,7 +2622,7 @@ static void foreach_aics_char(struct gatt_db_attribute *attr, void *user_data)
value_handle);
aics = vcp_get_aics(vcp);
- if (!aics || aics->gain_stting_prop)
+ if (!aics || aics->aud_ip_type)
return;
aics->aud_ip_type = attr;
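Review bot: the field name in the removed line, "gain_stting_prop", is misspelled ("stting"), which makes copy/paste slips like this one harder to spot in review; a follow-up rename would help. The new guard itself matches the assignment that follows it, "aics->aud_ip_type = attr;".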
--
2.44.0
* RE: Fix a number of static analysis issues
From: bluez.test.bot @ 2024-05-10 11:47 UTC (permalink / raw)
To: linux-bluetooth, hadess
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=852187
---Test result---
Test Summary:
CheckPatch FAIL 7.80 seconds
GitLint FAIL 4.85 seconds
BuildEll PASS 24.67 seconds
BluezMake FAIL 120.50 seconds
MakeCheck FAIL 0.47 seconds
MakeDistcheck FAIL 77.47 seconds
CheckValgrind FAIL 89.85 seconds
CheckSmatch FAIL 207.12 seconds
bluezmakeextell FAIL 80.97 seconds
IncrementalBuild FAIL 6460.04 seconds
ScanBuild FAIL 748.56 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ,04/14] client/gatt: Check write_value() retval
WARNING:LONG_LINE_STRING: line length of 83 exceeds 80 columns
#77: FILE: client/gatt.c:3202:
+ bt_shell_printf("Unable to update property value for %s\n",
/github/workspace/src/src/13661168.patch total: 0 errors, 1 warnings, 16 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13661168.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
[BlueZ,07/14] monitor/att: Fix memory leak
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#104:
2546| static void bearer_uri_schemes_list_read(const struct l2cap_frame *frame)
/github/workspace/src/src/13661172.patch total: 0 errors, 1 warnings, 79 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13661172.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
[BlueZ,08/14] bap: Fix memory leaks
WARNING:LONG_LINE: line length of 81 exceeds 80 columns
#271: FILE: profiles/audio/bap.c:1112:
+ if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len)) {
/github/workspace/src/src/13661173.patch total: 0 errors, 1 warnings, 96 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13661173.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[BlueZ,02/14] attrib/gatt: Guard against possible integer overflow
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (94>80): "bluez-5.75/attrib/gatt.c:1016:2: known_value_assign: "last" = "65535", its value is now 65535."
5: B1 Line exceeds max length (216>80): "bluez-5.75/attrib/gatt.c:1087:2: overflow_const: Expression "dd->start", which is equal to 65536, where "last + 1" is known to be equal to 65536, overflows the type that receives it, an unsigned integer 16 bits wide."
6: B3 Line contains hard tab characters (\t): "1085| }"
8: B3 Line contains hard tab characters (\t): "1087|-> dd->start = last + 1;"
10: B3 Line contains hard tab characters (\t): "1089| if (last < dd->end && !uuid_found) {"
[BlueZ,03/14] client/gatt: Don't pass negative fd on error
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (103>80): "bluez-5.75/client/gatt.c:973:2: negative_return_fn: Function "io_get_fd(io)" returns a negative number."
5: B1 Line exceeds max length (115>80): "bluez-5.75/client/gatt.c:973:2: negative_returns: "io_get_fd(io)" is passed to a parameter that cannot be negative."
6: B3 Line contains hard tab characters (\t): "971| msg.msg_iovlen = iovlen;"
8: B3 Line contains hard tab characters (\t): "973|-> ret = sendmsg(io_get_fd(io), &msg, MSG_NOSIGNAL);"
9: B3 Line contains hard tab characters (\t): "974| if (ret < 0) {"
10: B3 Line contains hard tab characters (\t): "975| ret = -errno;"
13: B1 Line exceeds max length (104>80): "bluez-5.75/client/gatt.c:1049:2: negative_return_fn: Function "io_get_fd(io)" returns a negative number."
15: B1 Line exceeds max length (105>80): "bluez-5.75/client/gatt.c:1062:2: negative_returns: "fd" is passed to a parameter that cannot be negative."
16: B3 Line contains hard tab characters (\t): "1060| msg.msg_iovlen = 1;"
18: B3 Line contains hard tab characters (\t): "1062|-> bytes_read = recvmsg(fd, &msg, MSG_DONTWAIT);"
19: B3 Line contains hard tab characters (\t): "1063| if (bytes_read < 0) {"
20: B3 Line contains hard tab characters (\t): "1064| bt_shell_printf("recvmsg: %s", strerror(errno));"
[BlueZ,04/14] client/gatt: Check write_value() retval
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (139>80): "bluez-5.75/client/gatt.c:3191:3: check_return: Calling "write_value" without checking return value (as is done elsewhere 5 out of 6 times)."
5: B1 Line exceeds max length (278>80): "bluez-5.75/client/gatt.c:2371:2: example_checked: Example 1: "write_value(&chrc->value_len, &chrc->value, value, value_len, aad->offset, chrc->max_val_len)" has its value checked in "write_value(&chrc->value_len, &chrc->value, value, value_len, aad->offset, chrc->max_val_len)"."
6: B1 Line exceeds max length (268>80): "bluez-5.75/client/gatt.c:2502:2: example_checked: Example 2: "write_value(&chrc->value_len, &chrc->value, value, value_len, offset, chrc->max_val_len)" has its value checked in "write_value(&chrc->value_len, &chrc->value, value, value_len, offset, chrc->max_val_len)"."
7: B1 Line exceeds max length (268>80): "bluez-5.75/client/gatt.c:2919:2: example_checked: Example 3: "write_value(&desc->value_len, &desc->value, value, value_len, offset, desc->max_val_len)" has its value checked in "write_value(&desc->value_len, &desc->value, value, value_len, offset, desc->max_val_len)"."
8: B1 Line exceeds max length (249>80): "bluez-5.75/client/gatt.c:759:3: example_checked: Example 4: "write_value(&c->value_len, &c->value, value, value_len, offset, c->max_val_len)" has its value checked in "write_value(&c->value_len, &c->value, value, value_len, offset, c->max_val_len)"."
9: B1 Line exceeds max length (249>80): "bluez-5.75/client/gatt.c:775:3: example_checked: Example 5: "write_value(&d->value_len, &d->value, value, value_len, offset, d->max_val_len)" has its value checked in "write_value(&d->value_len, &d->value, value, value_len, offset, d->max_val_len)"."
10: B3 Line contains hard tab characters (\t): "3189| }"
12: B3 Line contains hard tab characters (\t): "3191|-> write_value(&chrc->value_len, &chrc->value, value, len,"
13: B3 Line contains hard tab characters (\t): "3192| 0, chrc->max_val_len);"
[BlueZ,05/14] client/main: Fix array access
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (134>80): "bluez-5.75/client/main.c:833: error[ctuArrayIndex]: Array index out of bounds; 'argv' buffer size is 0 and it is accessed at offset 1."
5: B3 Line contains hard tab characters (\t): "831| const char **opt;"
7: B3 Line contains hard tab characters (\t): "833|-> if (!strcmp(argv[1], "help")) {"
8: B3 Line contains hard tab characters (\t): "834| for (opt = arg_table; opt && *opt; opt++)"
9: B3 Line contains hard tab characters (\t): "835| bt_shell_printf("%s\n", *opt);"
[BlueZ,06/14] client/main: Fix mismatched free
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (96>80): "bluez-5.75/client/main.c:2108:2: alloc: Allocation of memory which must be freed using "g_free"."
5: B1 Line exceeds max length (112>80): "bluez-5.75/client/main.c:2108:2: assign: Assigning: "desc" = "g_strdup_printf("\x1b[0;94m[%s]\x1b[0m# ", attr)"."
6: B1 Line exceeds max length (125>80): "bluez-5.75/client/main.c:2111:2: free: Calling "free" frees "desc" using "free" but it should have been freed using "g_free"."
8: B3 Line contains hard tab characters (\t): "2110| bt_shell_set_prompt(desc);"
9: B3 Line contains hard tab characters (\t): "2111|-> free(desc);"
[BlueZ,07/14] monitor/att: Fix memory leak
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
6: B1 Line exceeds max length (100>80): "bluez-5.75/monitor/att.c:2291:2: alloc_fn: Storage is returned from allocation function "name2utf8"."
7: B1 Line exceeds max length (136>80): "bluez-5.75/monitor/att.c:2291:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)"."
8: B1 Line exceeds max length (193>80): "bluez-5.75/monitor/att.c:2293:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]"
9: B1 Line exceeds max length (115>80): "bluez-5.75/monitor/att.c:2294:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to."
11: B3 Line contains hard tab characters (\t): "2293| print_field(" Media Player Name: %s", name);"
17: B1 Line exceeds max length (100>80): "bluez-5.75/monitor/att.c:2320:2: alloc_fn: Storage is returned from allocation function "name2utf8"."
18: B1 Line exceeds max length (136>80): "bluez-5.75/monitor/att.c:2320:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)"."
19: B1 Line exceeds max length (193>80): "bluez-5.75/monitor/att.c:2322:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]"
20: B1 Line exceeds max length (115>80): "bluez-5.75/monitor/att.c:2323:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to."
22: B3 Line contains hard tab characters (\t): "2322| print_field(" Track Title: %s", name);"
28: B1 Line exceeds max length (100>80): "bluez-5.75/monitor/att.c:2453:2: alloc_fn: Storage is returned from allocation function "name2utf8"."
29: B1 Line exceeds max length (136>80): "bluez-5.75/monitor/att.c:2453:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)"."
30: B1 Line exceeds max length (193>80): "bluez-5.75/monitor/att.c:2455:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]"
31: B1 Line exceeds max length (115>80): "bluez-5.75/monitor/att.c:2456:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to."
33: B3 Line contains hard tab characters (\t): "2455| print_field(" Bearer Name: %s", name);"
39: B1 Line exceeds max length (100>80): "bluez-5.75/monitor/att.c:2472:2: alloc_fn: Storage is returned from allocation function "name2utf8"."
40: B1 Line exceeds max length (136>80): "bluez-5.75/monitor/att.c:2472:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)"."
41: B1 Line exceeds max length (193>80): "bluez-5.75/monitor/att.c:2474:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]"
42: B1 Line exceeds max length (115>80): "bluez-5.75/monitor/att.c:2475:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to."
44: B3 Line contains hard tab characters (\t): "2474| print_field(" Bearer Uci Name: %s", name);"
50: B1 Line exceeds max length (100>80): "bluez-5.75/monitor/att.c:2541:2: alloc_fn: Storage is returned from allocation function "name2utf8"."
51: B1 Line exceeds max length (136>80): "bluez-5.75/monitor/att.c:2541:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)"."
52: B1 Line exceeds max length (193>80): "bluez-5.75/monitor/att.c:2543:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]"
53: B1 Line exceeds max length (115>80): "bluez-5.75/monitor/att.c:2544:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to."
55: B3 Line contains hard tab characters (\t): "2543| print_field(" Uri scheme Name: %s", name);"
58: B1 Line exceeds max length (81>80): "2546| static void bearer_uri_schemes_list_read(const struct l2cap_frame *frame)"
61: B1 Line exceeds max length (100>80): "bluez-5.75/monitor/att.c:2653:2: alloc_fn: Storage is returned from allocation function "name2utf8"."
62: B1 Line exceeds max length (140>80): "bluez-5.75/monitor/att.c:2653:2: var_assign: Assigning: "call_uri" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)"."
63: B1 Line exceeds max length (197>80): "bluez-5.75/monitor/att.c:2655:2: noescape: Resource "call_uri" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]"
64: B1 Line exceeds max length (119>80): "bluez-5.75/monitor/att.c:2660:1: leaked_storage: Variable "call_uri" going out of scope leaks the storage it points to."
65: B3 Line contains hard tab characters (\t): "2658| if (frame->size)"
66: B3 Line contains hard tab characters (\t): "2659| print_hex_field(" call_list Data", frame->data, frame->size);"
69: B1 Line exceeds max length (82>80): "2662| static void bearer_current_call_list_read(const struct l2cap_frame *frame)"
72: B1 Line exceeds max length (100>80): "bluez-5.75/monitor/att.c:2741:2: alloc_fn: Storage is returned from allocation function "name2utf8"."
73: B1 Line exceeds max length (136>80): "bluez-5.75/monitor/att.c:2741:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)"."
74: B1 Line exceeds max length (193>80): "bluez-5.75/monitor/att.c:2743:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]"
75: B1 Line exceeds max length (115>80): "bluez-5.75/monitor/att.c:2748:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to."
76: B3 Line contains hard tab characters (\t): "2746| if (frame->size)"
77: B3 Line contains hard tab characters (\t): "2747| print_hex_field(" Data", frame->data, frame->size);"
80: B1 Line exceeds max length (81>80): "2750| static void incom_target_bearer_uri_read(const struct l2cap_frame *frame)"
83: B1 Line exceeds max length (100>80): "bluez-5.75/monitor/att.c:2851:3: alloc_fn: Storage is returned from allocation function "name2utf8"."
84: B1 Line exceeds max length (136>80): "bluez-5.75/monitor/att.c:2851:3: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)"."
85: B1 Line exceeds max length (193>80): "bluez-5.75/monitor/att.c:2852:3: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]"
86: B1 Line exceeds max length (115>80): "bluez-5.75/monitor/att.c:2871:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to."
87: B3 Line contains hard tab characters (\t): "2869| if (frame->size)"
88: B3 Line contains hard tab characters (\t): "2870| print_hex_field("call_cp Data", frame->data, frame->size);"
94: B1 Line exceeds max length (100>80): "bluez-5.75/monitor/att.c:3046:2: alloc_fn: Storage is returned from allocation function "name2utf8"."
95: B1 Line exceeds max length (136>80): "bluez-5.75/monitor/att.c:3046:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)"."
96: B1 Line exceeds max length (193>80): "bluez-5.75/monitor/att.c:3048:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]"
97: B1 Line exceeds max length (115>80): "bluez-5.75/monitor/att.c:3053:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to."
98: B3 Line contains hard tab characters (\t): "3051| if (frame->size)"
99: B3 Line contains hard tab characters (\t): "3052| print_hex_field(" Data", frame->data, frame->size);"
105: B1 Line exceeds max length (100>80): "bluez-5.75/monitor/att.c:3077:2: alloc_fn: Storage is returned from allocation function "name2utf8"."
106: B1 Line exceeds max length (136>80): "bluez-5.75/monitor/att.c:3077:2: var_assign: Assigning: "name" = storage returned from "name2utf8((uint8_t *)frame->data, frame->size)"."
107: B1 Line exceeds max length (193>80): "bluez-5.75/monitor/att.c:3079:2: noescape: Resource "name" is not freed or pointed-to in "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]"
108: B1 Line exceeds max length (115>80): "bluez-5.75/monitor/att.c:3084:1: leaked_storage: Variable "name" going out of scope leaks the storage it points to."
109: B3 Line contains hard tab characters (\t): "3082| if (frame->size)"
110: B3 Line contains hard tab characters (\t): "3083| print_hex_field(" Data", frame->data, frame->size);"
[BlueZ,08/14] bap: Fix memory leaks
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (110>80): "bluez-5.75/profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc"."
5: B1 Line exceeds max length (119>80): "bluez-5.75/profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)"."
6: B1 Line exceeds max length (200>80): "bluez-5.75/profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]"
7: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to."
8: B1 Line exceeds max length (91>80): "bluez-5.75/profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})"."
9: B1 Line exceeds max length (125>80): "bluez-5.75/profiles/audio/bap.c:1066:4: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to."
10: B3 Line contains hard tab characters (\t): "1064| l2_caps = new0(struct iovec, 1);"
11: B3 Line contains hard tab characters (\t): "1065| if (!util_iov_pull_u8(&iov, (void *)&l2_caps->iov_len))"
12: B3 Line contains hard tab characters (\t): "1066|-> goto fail;"
14: B3 Line contains hard tab characters (\t): "1068| util_iov_memcpy(l2_caps, util_iov_pull_mem(&iov,"
17: B1 Line exceeds max length (110>80): "bluez-5.75/profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc"."
18: B1 Line exceeds max length (119>80): "bluez-5.75/profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)"."
19: B1 Line exceeds max length (200>80): "bluez-5.75/profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]"
20: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to."
21: B1 Line exceeds max length (91>80): "bluez-5.75/profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})"."
22: B1 Line exceeds max length (117>80): "bluez-5.75/profiles/audio/bap.c:1068:3: noescape: Resource "l2_caps" is not freed or pointed-to in "util_iov_memcpy"."
23: B1 Line exceeds max length (125>80): "bluez-5.75/profiles/audio/bap.c:1080:4: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to."
24: B3 Line contains hard tab characters (\t): "1078| meta = new0(struct iovec, 1);"
25: B3 Line contains hard tab characters (\t): "1079| if (!util_iov_pull_u8(&iov, (void *)&meta->iov_len))"
26: B3 Line contains hard tab characters (\t): "1080|-> goto fail;"
28: B3 Line contains hard tab characters (\t): "1082| util_iov_memcpy(meta,"
31: B1 Line exceeds max length (110>80): "bluez-5.75/profiles/audio/bap.c:1078:10: alloc_fn: Storage is returned from allocation function "util_malloc"."
32: B1 Line exceeds max length (119>80): "bluez-5.75/profiles/audio/bap.c:1078:10: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)"."
33: B1 Line exceeds max length (200>80): "bluez-5.75/profiles/audio/bap.c:1078:10: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]"
34: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1078:10: leaked_storage: Variable "__p" going out of scope leaks the storage it points to."
35: B1 Line exceeds max length (88>80): "bluez-5.75/profiles/audio/bap.c:1078:3: var_assign: Assigning: "meta" = "({...; __p;})"."
36: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1080:4: leaked_storage: Variable "meta" going out of scope leaks the storage it points to."
37: B3 Line contains hard tab characters (\t): "1078| meta = new0(struct iovec, 1);"
38: B3 Line contains hard tab characters (\t): "1079| if (!util_iov_pull_u8(&iov, (void *)&meta->iov_len))"
39: B3 Line contains hard tab characters (\t): "1080|-> goto fail;"
41: B3 Line contains hard tab characters (\t): "1082| util_iov_memcpy(meta,"
44: B1 Line exceeds max length (110>80): "bluez-5.75/profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc"."
45: B1 Line exceeds max length (119>80): "bluez-5.75/profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)"."
46: B1 Line exceeds max length (200>80): "bluez-5.75/profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]"
47: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to."
48: B1 Line exceeds max length (91>80): "bluez-5.75/profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})"."
49: B1 Line exceeds max length (117>80): "bluez-5.75/profiles/audio/bap.c:1068:3: noescape: Resource "l2_caps" is not freed or pointed-to in "util_iov_memcpy"."
50: B1 Line exceeds max length (116>80): "bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "l2_caps" is not freed or pointed-to in "bt_bap_add_bis"."
51: B1 Line exceeds max length (116>80): "bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "l2_caps" is not freed or pointed-to in "bt_bap_add_bis"."
52: B1 Line exceeds max length (125>80): "bluez-5.75/profiles/audio/bap.c:1097:5: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to."
54: B3 Line contains hard tab characters (\t): "1096| if (!util_iov_pull_u8(&iov, &bis_index))"
55: B3 Line contains hard tab characters (\t): "1097|-> goto fail;"
57: B3 Line contains hard tab characters (\t): "1099| util_debug(func, NULL, "BIS #%d", bis_index);"
60: B1 Line exceeds max length (110>80): "bluez-5.75/profiles/audio/bap.c:1078:10: alloc_fn: Storage is returned from allocation function "util_malloc"."
61: B1 Line exceeds max length (119>80): "bluez-5.75/profiles/audio/bap.c:1078:10: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)"."
62: B1 Line exceeds max length (200>80): "bluez-5.75/profiles/audio/bap.c:1078:10: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]"
63: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1078:10: leaked_storage: Variable "__p" going out of scope leaks the storage it points to."
64: B1 Line exceeds max length (88>80): "bluez-5.75/profiles/audio/bap.c:1078:3: var_assign: Assigning: "meta" = "({...; __p;})"."
65: B1 Line exceeds max length (114>80): "bluez-5.75/profiles/audio/bap.c:1082:3: noescape: Resource "meta" is not freed or pointed-to in "util_iov_memcpy"."
66: B1 Line exceeds max length (113>80): "bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "meta" is not freed or pointed-to in "bt_bap_add_bis"."
67: B1 Line exceeds max length (113>80): "bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "meta" is not freed or pointed-to in "bt_bap_add_bis"."
68: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1097:5: leaked_storage: Variable "meta" going out of scope leaks the storage it points to."
70: B3 Line contains hard tab characters (\t): "1096| if (!util_iov_pull_u8(&iov, &bis_index))"
71: B3 Line contains hard tab characters (\t): "1097|-> goto fail;"
73: B3 Line contains hard tab characters (\t): "1099| util_debug(func, NULL, "BIS #%d", bis_index);"
76: B1 Line exceeds max length (110>80): "bluez-5.75/profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc"."
77: B1 Line exceeds max length (119>80): "bluez-5.75/profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)"."
78: B1 Line exceeds max length (200>80): "bluez-5.75/profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]"
79: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to."
80: B1 Line exceeds max length (91>80): "bluez-5.75/profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})"."
81: B1 Line exceeds max length (117>80): "bluez-5.75/profiles/audio/bap.c:1068:3: noescape: Resource "l2_caps" is not freed or pointed-to in "util_iov_memcpy"."
82: B1 Line exceeds max length (125>80): "bluez-5.75/profiles/audio/bap.c:1104:5: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to."
83: B3 Line contains hard tab characters (\t): "1102| l3_caps = new0(struct iovec, 1);"
84: B3 Line contains hard tab characters (\t): "1103| if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len))"
85: B3 Line contains hard tab characters (\t): "1104|-> goto fail;"
87: B3 Line contains hard tab characters (\t): "1106| util_iov_memcpy(l3_caps,"
90: B1 Line exceeds max length (110>80): "bluez-5.75/profiles/audio/bap.c:1102:14: alloc_fn: Storage is returned from allocation function "util_malloc"."
91: B1 Line exceeds max length (119>80): "bluez-5.75/profiles/audio/bap.c:1102:14: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)"."
92: B1 Line exceeds max length (200>80): "bluez-5.75/profiles/audio/bap.c:1102:14: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]"
93: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1102:14: leaked_storage: Variable "__p" going out of scope leaks the storage it points to."
94: B1 Line exceeds max length (91>80): "bluez-5.75/profiles/audio/bap.c:1102:4: var_assign: Assigning: "l3_caps" = "({...; __p;})"."
95: B1 Line exceeds max length (125>80): "bluez-5.75/profiles/audio/bap.c:1104:5: leaked_storage: Variable "l3_caps" going out of scope leaks the storage it points to."
96: B3 Line contains hard tab characters (\t): "1102| l3_caps = new0(struct iovec, 1);"
97: B3 Line contains hard tab characters (\t): "1103| if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len))"
98: B3 Line contains hard tab characters (\t): "1104|-> goto fail;"
100: B3 Line contains hard tab characters (\t): "1106| util_iov_memcpy(l3_caps,"
103: B1 Line exceeds max length (110>80): "bluez-5.75/profiles/audio/bap.c:1078:10: alloc_fn: Storage is returned from allocation function "util_malloc"."
104: B1 Line exceeds max length (119>80): "bluez-5.75/profiles/audio/bap.c:1078:10: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)"."
105: B1 Line exceeds max length (200>80): "bluez-5.75/profiles/audio/bap.c:1078:10: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]"
106: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1078:10: leaked_storage: Variable "__p" going out of scope leaks the storage it points to."
107: B1 Line exceeds max length (88>80): "bluez-5.75/profiles/audio/bap.c:1078:3: var_assign: Assigning: "meta" = "({...; __p;})"."
108: B1 Line exceeds max length (114>80): "bluez-5.75/profiles/audio/bap.c:1082:3: noescape: Resource "meta" is not freed or pointed-to in "util_iov_memcpy"."
109: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1104:5: leaked_storage: Variable "meta" going out of scope leaks the storage it points to."
110: B3 Line contains hard tab characters (\t): "1102| l3_caps = new0(struct iovec, 1);"
111: B3 Line contains hard tab characters (\t): "1103| if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len))"
112: B3 Line contains hard tab characters (\t): "1104|-> goto fail;"
114: B3 Line contains hard tab characters (\t): "1106| util_iov_memcpy(l3_caps,"
117: B1 Line exceeds max length (110>80): "bluez-5.75/profiles/audio/bap.c:1064:13: alloc_fn: Storage is returned from allocation function "util_malloc"."
118: B1 Line exceeds max length (119>80): "bluez-5.75/profiles/audio/bap.c:1064:13: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)"."
119: B1 Line exceeds max length (200>80): "bluez-5.75/profiles/audio/bap.c:1064:13: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]"
120: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1064:13: leaked_storage: Variable "__p" going out of scope leaks the storage it points to."
121: B1 Line exceeds max length (91>80): "bluez-5.75/profiles/audio/bap.c:1064:3: var_assign: Assigning: "l2_caps" = "({...; __p;})"."
122: B1 Line exceeds max length (117>80): "bluez-5.75/profiles/audio/bap.c:1068:3: noescape: Resource "l2_caps" is not freed or pointed-to in "util_iov_memcpy"."
123: B1 Line exceeds max length (116>80): "bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "l2_caps" is not freed or pointed-to in "bt_bap_add_bis"."
124: B1 Line exceeds max length (116>80): "bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "l2_caps" is not freed or pointed-to in "bt_bap_add_bis"."
125: B1 Line exceeds max length (125>80): "bluez-5.75/profiles/audio/bap.c:1123:2: leaked_storage: Variable "l2_caps" going out of scope leaks the storage it points to."
126: B3 Line contains hard tab characters (\t): "1121| }"
128: B3 Line contains hard tab characters (\t): "1123|-> }"
129: B3 Line contains hard tab characters (\t): "1124| return true;"
133: B1 Line exceeds max length (110>80): "bluez-5.75/profiles/audio/bap.c:1078:10: alloc_fn: Storage is returned from allocation function "util_malloc"."
134: B1 Line exceeds max length (119>80): "bluez-5.75/profiles/audio/bap.c:1078:10: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)"."
135: B1 Line exceeds max length (200>80): "bluez-5.75/profiles/audio/bap.c:1078:10: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]"
136: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1078:10: leaked_storage: Variable "__p" going out of scope leaks the storage it points to."
137: B1 Line exceeds max length (88>80): "bluez-5.75/profiles/audio/bap.c:1078:3: var_assign: Assigning: "meta" = "({...; __p;})"."
138: B1 Line exceeds max length (114>80): "bluez-5.75/profiles/audio/bap.c:1082:3: noescape: Resource "meta" is not freed or pointed-to in "util_iov_memcpy"."
139: B1 Line exceeds max length (113>80): "bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "meta" is not freed or pointed-to in "bt_bap_add_bis"."
140: B1 Line exceeds max length (113>80): "bluez-5.75/profiles/audio/bap.c:1119:4: noescape: Resource "meta" is not freed or pointed-to in "bt_bap_add_bis"."
141: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/bap.c:1123:2: leaked_storage: Variable "meta" going out of scope leaks the storage it points to."
142: B3 Line contains hard tab characters (\t): "1121| }"
144: B3 Line contains hard tab characters (\t): "1123|-> }"
145: B3 Line contains hard tab characters (\t): "1124| return true;"
[BlueZ,09/14] media: Fix memory leak
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (203>80): "bluez-5.75/profiles/audio/media.c:1278:2: alloc_arg: "asprintf" allocates memory that is stored into "name". [Note: The source code implementation of the function has been overridden by a builtin model.]"
5: B1 Line exceeds max length (122>80): "bluez-5.75/profiles/audio/media.c:1291:2: noescape: Resource "name" is not freed or pointed-to in "bt_bap_add_vendor_pac"."
6: B1 Line exceeds max length (124>80): "bluez-5.75/profiles/audio/media.c:1297:3: leaked_storage: Variable "name" going out of scope leaks the storage it points to."
7: B3 Line contains hard tab characters (\t): "1295| error("Unable to create PAC");"
8: B3 Line contains hard tab characters (\t): "1296| free(metadata);"
9: B3 Line contains hard tab characters (\t): "1297|-> return false;"
10: B3 Line contains hard tab characters (\t): "1298| }"
[BlueZ,10/14] main: Fix memory leaks
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (105>80): "bluez-5.75/src/main.c:451:2: alloc_arg: "parse_config_string" allocates memory that is stored into "str"."
5: B1 Line exceeds max length (135>80): "bluez-5.75/src/main.c:454:2: identity_transfer: Passing "str" as argument 1 to function "strtol", which sets "endptr" to that argument."
6: B1 Line exceeds max length (126>80): "bluez-5.75/src/main.c:456:3: noescape: Assuming resource "str" is not freed or pointed-to as ellipsis argument to "btd_error"."
7: B1 Line exceeds max length (113>80): "bluez-5.75/src/main.c:457:3: leaked_storage: Variable "endptr" going out of scope leaks the storage it points to."
8: B1 Line exceeds max length (110>80): "bluez-5.75/src/main.c:457:3: leaked_storage: Variable "str" going out of scope leaks the storage it points to."
9: B3 Line contains hard tab characters (\t): "455| if (!endptr || *endptr != '\0') {"
10: B3 Line contains hard tab characters (\t): "456| error("%s.%s = %s is not integer", group, key, str);"
11: B3 Line contains hard tab characters (\t): "457|-> return false;"
12: B3 Line contains hard tab characters (\t): "458| }"
16: B1 Line exceeds max length (105>80): "bluez-5.75/src/main.c:451:2: alloc_arg: "parse_config_string" allocates memory that is stored into "str"."
17: B1 Line exceeds max length (135>80): "bluez-5.75/src/main.c:454:2: identity_transfer: Passing "str" as argument 1 to function "strtol", which sets "endptr" to that argument."
18: B1 Line exceeds max length (113>80): "bluez-5.75/src/main.c:463:3: leaked_storage: Variable "endptr" going out of scope leaks the storage it points to."
19: B1 Line exceeds max length (110>80): "bluez-5.75/src/main.c:463:3: leaked_storage: Variable "str" going out of scope leaks the storage it points to."
20: B3 Line contains hard tab characters (\t): "461| warn("%s.%s = %zu is out of range (< %zu)", group, key, tmp,"
21: B3 Line contains hard tab characters (\t): "462| min);"
22: B3 Line contains hard tab characters (\t): "463|-> return false;"
23: B3 Line contains hard tab characters (\t): "464| }"
27: B1 Line exceeds max length (105>80): "bluez-5.75/src/main.c:451:2: alloc_arg: "parse_config_string" allocates memory that is stored into "str"."
28: B1 Line exceeds max length (135>80): "bluez-5.75/src/main.c:454:2: identity_transfer: Passing "str" as argument 1 to function "strtol", which sets "endptr" to that argument."
29: B1 Line exceeds max length (113>80): "bluez-5.75/src/main.c:475:2: leaked_storage: Variable "endptr" going out of scope leaks the storage it points to."
30: B1 Line exceeds max length (110>80): "bluez-5.75/src/main.c:475:2: leaked_storage: Variable "str" going out of scope leaks the storage it points to."
31: B3 Line contains hard tab characters (\t): "473| *val = tmp;"
33: B3 Line contains hard tab characters (\t): "475|-> return true;"
[BlueZ,11/14] isotest: Consider "0" fd to be valid
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (82>80): "bluez-5.75/tools/isotest.c:923:4: open_fn: Returning handle opened by "open_file"."
5: B1 Line exceeds max length (108>80): "bluez-5.75/tools/isotest.c:923:4: var_assign: Assigning: "fd" = handle returned from "open_file(altername)"."
6: B1 Line exceeds max length (147>80): "bluez-5.75/tools/isotest.c:925:3: off_by_one: Testing whether handle "fd" is strictly greater than zero is suspicious. "fd" leaks when it is zero."
7: B1 Line exceeds max length (92>80): "bluez-5.75/tools/isotest.c:925:3: remediation: Did you intend to include equality with zero?"
8: B1 Line exceeds max length (120>80): "bluez-5.75/tools/isotest.c:926:4: overwrite_var: Overwriting handle "fd" in "fd = open_file(filename)" leaks the handle."
10: B3 Line contains hard tab characters (\t): "925| if (fd <= 0)"
11: B3 Line contains hard tab characters (\t): "926|-> fd = open_file(filename);"
12: B3 Line contains hard tab characters (\t): "927| }"
[BlueZ,13/14] client/player: Fix copy/paste error
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (95>80): "bluez-5.75/client/player.c:1846:6: original: "qos->sync_cte_type" looks like the original copy."
5: B1 Line exceeds max length (123>80): "bluez-5.75/client/player.c:1852:6: copy_paste_error: "sync_cte_type" in "qos->sync_cte_type" looks like a copy-paste error."
7: B3 Line contains hard tab characters (\t): "1850| }"
9: B3 Line contains hard tab characters (\t): "1852|-> if (qos->sync_cte_type) {"
10: B3 Line contains hard tab characters (\t): "1853| bt_shell_printf("MSE %u\n", qos->mse);"
11: B3 Line contains hard tab characters (\t): "1854| g_dbus_dict_append_entry(iter, "MSE", DBUS_TYPE_BYTE,"
[BlueZ,14/14] shared/vcp: Fix copy/paste error
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (101>80): "bluez-5.75/src/shared/vcp.c:2610:16: original: "aics->gain_stting_prop" looks like the original copy."
5: B1 Line exceeds max length (132>80): "bluez-5.75/src/shared/vcp.c:2625:16: copy_paste_error: "gain_stting_prop" in "aics->gain_stting_prop" looks like a copy-paste error."
6: B1 Line exceeds max length (86>80): "bluez-5.75/src/shared/vcp.c:2625:16: remediation: Should it say "aud_ip_type" instead?"
8: B3 Line contains hard tab characters (\t): "2624| aics = vcp_get_aics(vcp);"
9: B3 Line contains hard tab characters (\t): "2625|-> if (!aics || aics->gain_stting_prop)"
10: B3 Line contains hard tab characters (\t): "2626| return;"
##############################
Test: BluezMake - FAIL
Desc: Build BlueZ
Output:
tools/mgmt-tester.c: In function ‘main’:
tools/mgmt-tester.c:12725:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
12725 | int main(int argc, char *argv[])
| ^~~~
client/gatt.c: In function ‘proxy_property_changed’:
client/gatt.c:3203:11: error: expected ‘;’ before ‘}’ token
3203 | name)
| ^
| ;
3204 | } else {
| ~
make[1]: *** [Makefile:7809: client/gatt.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4651: all] Error 2
##############################
Test: MakeCheck - FAIL
Desc: Run Bluez Make Check
Output:
client/gatt.c: In function ‘proxy_property_changed’:
client/gatt.c:3203:11: error: expected ‘;’ before ‘}’ token
3203 | name)
| ^
| ;
3204 | } else {
| ~
make[1]: *** [Makefile:7809: client/gatt.o] Error 1
make: *** [Makefile:12186: check] Error 2
##############################
Test: MakeDistcheck - FAIL
Desc: Run Bluez Make Distcheck
Output:
Package cups was not found in the pkg-config search path.
Perhaps you should add the directory containing `cups.pc'
to the PKG_CONFIG_PATH environment variable
No package 'cups' found
../../client/gatt.c: In function ‘proxy_property_changed’:
../../client/gatt.c:3203:11: error: expected ‘;’ before ‘}’ token
3203 | name)
| ^
| ;
3204 | } else {
| ~
make[2]: *** [Makefile:7809: client/gatt.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:4651: all] Error 2
make: *** [Makefile:12107: distcheck] Error 1
##############################
Test: CheckValgrind - FAIL
Desc: Run Bluez Make Check with Valgrind
Output:
tools/mgmt-tester.c: In function ‘main’:
tools/mgmt-tester.c:12725:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
12725 | int main(int argc, char *argv[])
| ^~~~
client/gatt.c: In function ‘proxy_property_changed’:
client/gatt.c:3203:11: error: expected ‘;’ before ‘}’ token
3203 | name)
| ^
| ;
3204 | } else {
| ~
make[1]: *** [Makefile:7809: client/gatt.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:12186: check] Error 2
##############################
Test: CheckSmatch - FAIL
Desc: Run smatch tool with source
Output:
src/shared/crypto.c:271:21: warning: Variable length array is used.
src/shared/crypto.c:272:23: warning: Variable length array is used.
src/shared/gatt-helpers.c:768:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:830:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:1323:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:1354:23: warning: Variable length array is used.
src/shared/gatt-server.c:278:25: warning: Variable length array is used.
src/shared/gatt-server.c:621:25: warning: Variable length array is used.
src/shared/gatt-server.c:720:25: warning: Variable length array is used.
src/shared/bap.c:282:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):
/usr/include/readline/rltypedefs.h:35:23: warning: non-ANSI function declaration of function 'Function'
/usr/include/readline/rltypedefs.h:36:25: warning: non-ANSI function declaration of function 'VFunction'
/usr/include/readline/rltypedefs.h:37:27: warning: non-ANSI function declaration of function 'CPFunction'
/usr/include/readline/rltypedefs.h:38:29: warning: non-ANSI function declaration of function 'CPPFunction'
src/shared/crypto.c:271:21: warning: Variable length array is used.
src/shared/crypto.c:272:23: warning: Variable length array is used.
src/shared/gatt-helpers.c:768:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:830:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:1323:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:1354:23: warning: Variable length array is used.
src/shared/gatt-server.c:278:25: warning: Variable length array is used.
src/shared/gatt-server.c:621:25: warning: Variable length array is used.
src/shared/gatt-server.c:720:25: warning: Variable length array is used.
src/shared/bap.c:282:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):
/usr/include/readline/rltypedefs.h:35:23: warning: non-ANSI function declaration of function 'Function'
/usr/include/readline/rltypedefs.h:36:25: warning: non-ANSI function declaration of function 'VFunction'
/usr/include/readline/rltypedefs.h:37:27: warning: non-ANSI function declaration of function 'CPFunction'
/usr/include/readline/rltypedefs.h:38:29: warning: non-ANSI function declaration of function 'CPPFunction'
tools/mesh-cfgtest.c:1453:17: warning: unknown escape sequence: '\%'
tools/sco-tester.c: note: in included file:
./lib/bluetooth.h:219:15: warning: array of flexible structures
./lib/bluetooth.h:224:31: warning: array of flexible structures
tools/bneptest.c:634:39: warning: unknown escape sequence: '\%'
tools/seq2bseq.c:57:26: warning: Variable length array is used.
tools/obex-client-tool.c: note: in included file (through /usr/include/readline/readline.h):
/usr/include/readline/rltypedefs.h:35:23: warning: non-ANSI function declaration of function 'Function'
/usr/include/readline/rltypedefs.h:36:25: warning: non-ANSI function declaration of function 'VFunction'
/usr/include/readline/rltypedefs.h:37:27: warning: non-ANSI function declaration of function 'CPFunction'
/usr/include/readline/rltypedefs.h:38:29: warning: non-ANSI function declaration of function 'CPPFunction'
android/avctp.c:505:34: warning: Variable length array is used.
android/avctp.c:556:34: warning: Variable length array is used.
unit/test-avrcp.c:373:26: warning: Variable length array is used.
unit/test-avrcp.c:398:26: warning: Variable length array is used.
unit/test-avrcp.c:414:24: warning: Variable length array is used.
android/avrcp-lib.c:1085:34: warning: Variable length array is used.
android/avrcp-lib.c:1583:34: warning: Variable length array is used.
android/avrcp-lib.c:1612:34: warning: Variable length array is used.
android/avrcp-lib.c:1638:34: warning: Variable length array is used.
mesh/mesh-io-mgmt.c:523:67: warning: Variable length array is used.
client/display.c: note: in included file (through /usr/include/readline/readline.h):
/usr/include/readline/rltypedefs.h:35:23: warning: non-ANSI function declaration of function 'Function'
/usr/include/readline/rltypedefs.h:36:25: warning: non-ANSI function declaration of function 'VFunction'
/usr/include/readline/rltypedefs.h:37:27: warning: non-ANSI function declaration of function 'CPFunction'
/usr/include/readline/rltypedefs.h:38:29: warning: non-ANSI function declaration of function 'CPPFunction'
client/gatt.c:3204:17: error: Expected ; at end of statement
client/gatt.c:3204:17: error: got }
client/gatt.c: In function ‘proxy_property_changed’:
client/gatt.c:3203:11: error: expected ‘;’ before ‘}’ token
3203 | name)
| ^
| ;
3204 | } else {
| ~
make[1]: *** [Makefile:7809: client/gatt.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4651: all] Error 2
##############################
Test: bluezmakeextell - FAIL
Desc: Build Bluez with External ELL
Output:
client/gatt.c: In function ‘proxy_property_changed’:
client/gatt.c:3203:11: error: expected ‘;’ before ‘}’ token
3203 | name)
| ^
| ;
3204 | } else {
| ~
make[1]: *** [Makefile:7809: client/gatt.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4651: all] Error 2
##############################
Test: IncrementalBuild - FAIL
Desc: Incremental build with the patches in the series
Output:
[BlueZ,04/14] client/gatt: Check write_value() retval
tools/mgmt-tester.c: In function ‘main’:
tools/mgmt-tester.c:12725:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
12725 | int main(int argc, char *argv[])
| ^~~~
unit/test-avdtp.c: In function ‘main’:
unit/test-avdtp.c:766:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
766 | int main(int argc, char *argv[])
| ^~~~
unit/test-avrcp.c: In function ‘main’:
unit/test-avrcp.c:989:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
989 | int main(int argc, char *argv[])
| ^~~~
client/gatt.c: In function ‘proxy_property_changed’:
client/gatt.c:3203:11: error: expected ‘;’ before ‘}’ token
3203 | name)
| ^
| ;
3204 | } else {
| ~
make[1]: *** [Makefile:7809: client/gatt.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4651: all] Error 2
##############################
Test: ScanBuild - FAIL
Desc: Run Scan Build
Output:
src/shared/gatt-client.c:451:21: warning: Use of memory after it is freed
gatt_db_unregister(op->client->db, op->db_id);
^~~~~~~~~~
src/shared/gatt-client.c:696:2: warning: Use of memory after it is freed
discovery_op_complete(op, false, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:996:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1102:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1294:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1359:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1634:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1639:2: warning: Use of memory after it is freed
discover_all(op);
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2143:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2151:8: warning: Use of memory after it is freed
discovery_op_ref(op),
^~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3240:2: warning: Use of memory after it is freed
complete_write_long_op(req, success, 0, false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3262:2: warning: Use of memory after it is freed
request_unref(req);
^~~~~~~~~~~~~~~~~~
12 warnings generated.
src/shared/shell.c:1331:13: warning: Access to field 'options' results in a dereference of a null pointer (loaded from variable 'opt')
if (c != opt->options[index - offset].val) {
^~~~~~~~~~~~
1 warning generated.
src/shared/gatt-client.c:451:21: warning: Use of memory after it is freed
gatt_db_unregister(op->client->db, op->db_id);
^~~~~~~~~~
src/shared/gatt-client.c:696:2: warning: Use of memory after it is freed
discovery_op_complete(op, false, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:996:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1102:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1294:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1359:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1634:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1639:2: warning: Use of memory after it is freed
discover_all(op);
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2143:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2151:8: warning: Use of memory after it is freed
discovery_op_ref(op),
^~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3240:2: warning: Use of memory after it is freed
complete_write_long_op(req, success, 0, false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3262:2: warning: Use of memory after it is freed
request_unref(req);
^~~~~~~~~~~~~~~~~~
12 warnings generated.
src/shared/shell.c:1331:13: warning: Access to field 'options' results in a dereference of a null pointer (loaded from variable 'opt')
if (c != opt->options[index - offset].val) {
^~~~~~~~~~~~
1 warning generated.
tools/hciattach.c:816:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 10)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:864:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 4)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:886:8: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 10)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:908:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 4)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:929:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 4)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:973:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 6)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
6 warnings generated.
src/oui.c:50:2: warning: Value stored to 'hwdb' is never read
hwdb = udev_hwdb_unref(hwdb);
^ ~~~~~~~~~~~~~~~~~~~~~
src/oui.c:53:2: warning: Value stored to 'udev' is never read
udev = udev_unref(udev);
^ ~~~~~~~~~~~~~~~~
2 warnings generated.
tools/hcidump.c:180:9: warning: Potential leak of memory pointed to by 'dp'
if (fds[i].fd == sock)
^~~
tools/hcidump.c:248:17: warning: Assigned value is garbage or undefined
dh->ts_sec = htobl(frm.ts.tv_sec);
^ ~~~~~~~~~~~~~~~~~~~~
tools/hcidump.c:326:9: warning: 1st function call argument is an uninitialized value
if (be32toh(dp.flags) & 0x02) {
^~~~~~~~~~~~~~~~~
/usr/include/endian.h:46:22: note: expanded from macro 'be32toh'
# define be32toh(x) __bswap_32 (x)
^~~~~~~~~~~~~~
tools/hcidump.c:341:20: warning: 1st function call argument is an uninitialized value
frm.data_len = be32toh(dp.len);
^~~~~~~~~~~~~~~
/usr/include/endian.h:46:22: note: expanded from macro 'be32toh'
# define be32toh(x) __bswap_32 (x)
^~~~~~~~~~~~~~
tools/hcidump.c:346:14: warning: 1st function call argument is an uninitialized value
opcode = be32toh(dp.flags) & 0xffff;
^~~~~~~~~~~~~~~~~
/usr/include/endian.h:46:22: note: expanded from macro 'be32toh'
# define be32toh(x) __bswap_32 (x)
^~~~~~~~~~~~~~
tools/hcidump.c:384:17: warning: Assigned value is garbage or undefined
frm.data_len = btohs(dh.len);
^ ~~~~~~~~~~~~~
tools/hcidump.c:394:11: warning: Assigned value is garbage or undefined
frm.len = frm.data_len;
^ ~~~~~~~~~~~~
tools/hcidump.c:398:9: warning: 1st function call argument is an uninitialized value
ts = be64toh(ph.ts);
^~~~~~~~~~~~~~
/usr/include/endian.h:51:22: note: expanded from macro 'be64toh'
# define be64toh(x) __bswap_64 (x)
^~~~~~~~~~~~~~
tools/hcidump.c:403:13: warning: 1st function call argument is an uninitialized value
frm.in = be32toh(dp.flags) & 0x01;
^~~~~~~~~~~~~~~~~
/usr/include/endian.h:46:22: note: expanded from macro 'be32toh'
# define be32toh(x) __bswap_32 (x)
^~~~~~~~~~~~~~
tools/hcidump.c:408:11: warning: Assigned value is garbage or undefined
frm.in = dh.in;
^ ~~~~~
tools/hcidump.c:437:7: warning: Null pointer passed to 1st parameter expecting 'nonnull'
fd = open(file, open_flags, 0644);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
11 warnings generated.
tools/rfcomm.c:234:3: warning: Value stored to 'i' is never read
i = execvp(cmdargv[0], cmdargv);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/rfcomm.c:234:7: warning: Null pointer passed to 1st parameter expecting 'nonnull'
i = execvp(cmdargv[0], cmdargv);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/rfcomm.c:354:8: warning: Although the value stored to 'fd' is used in the enclosing expression, the value is never actually read from 'fd'
if ((fd = open(devname, O_RDONLY | O_NOCTTY)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/rfcomm.c:497:14: warning: Assigned value is garbage or undefined
req.channel = raddr.rc_channel;
^ ~~~~~~~~~~~~~~~~
tools/rfcomm.c:515:8: warning: Although the value stored to 'fd' is used in the enclosing expression, the value is never actually read from 'fd'
if ((fd = open(devname, O_RDONLY | O_NOCTTY)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5 warnings generated.
src/sdp-xml.c:126:10: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
src/sdp-xml.c:300:11: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
src/sdp-xml.c:338:11: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
3 warnings generated.
tools/ciptool.c:350:7: warning: 5th function call argument is an uninitialized value
sk = do_connect(ctl, dev_id, &src, &dst, psm, (1 << CMTP_LOOPBACK));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
tools/sdptool.c:941:26: warning: Result of 'malloc' is converted to a pointer of type 'uint32_t', which is incompatible with sizeof operand type 'int'
uint32_t *value_int = malloc(sizeof(int));
~~~~~~~~~~ ^~~~~~ ~~~~~~~~~~~
tools/sdptool.c:980:4: warning: 1st function call argument is an uninitialized value
free(allocArray[i]);
^~~~~~~~~~~~~~~~~~~
tools/sdptool.c:3777:2: warning: Potential leak of memory pointed to by 'si.name'
return add_service(0, &si);
^~~~~~~~~~~~~~~~~~~~~~~~~~
tools/sdptool.c:4112:4: warning: Potential leak of memory pointed to by 'context.svc'
return -1;
^~~~~~~~~
4 warnings generated.
tools/avtest.c:225:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:235:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 4);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:244:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:258:5: warning: Value stored to 'len' is never read
len = write(sk, buf,
^ ~~~~~~~~~~~~~~
tools/avtest.c:265:5: warning: Value stored to 'len' is never read
len = write(sk, buf,
^ ~~~~~~~~~~~~~~
tools/avtest.c:272:5: warning: Value stored to 'len' is never read
len = write(sk, buf,
^ ~~~~~~~~~~~~~~
tools/avtest.c:279:5: warning: Value stored to 'len' is never read
len = write(sk, buf,
^ ~~~~~~~~~~~~~~
tools/avtest.c:291:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 4);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:295:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:304:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:308:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:317:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:324:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:346:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 4);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:350:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:359:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:363:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:376:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 4);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:380:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:387:4: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:397:4: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:562:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:570:3: warning: Value stored to 'len' is never read
len = write(sk, buf, invalid ? 2 : 3);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/avtest.c:584:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 4 + sizeof(media_transport));
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/avtest.c:597:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:607:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:619:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:634:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:646:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:655:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:662:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:698:2: warning: Value stored to 'len' is never read
len = write(sk, buf, AVCTP_HEADER_LENGTH + sizeof(play_pressed));
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32 warnings generated.
tools/btproxy.c:836:15: warning: Null pointer passed to 1st parameter expecting 'nonnull'
tcp_port = atoi(optarg);
^~~~~~~~~~~~
tools/btproxy.c:839:8: warning: Null pointer passed to 1st parameter expecting 'nonnull'
if (strlen(optarg) > 3 && !strncmp(optarg, "hci", 3))
^~~~~~~~~~~~~~
2 warnings generated.
tools/create-image.c:76:3: warning: Value stored to 'fd' is never read
fd = -1;
^ ~~
tools/create-image.c:84:3: warning: Value stored to 'fd' is never read
fd = -1;
^ ~~
tools/create-image.c:92:3: warning: Value stored to 'fd' is never read
fd = -1;
^ ~~
tools/create-image.c:105:2: warning: Value stored to 'fd' is never read
fd = -1;
^ ~~
4 warnings generated.
tools/btgatt-client.c:1824:2: warning: Value stored to 'argv' is never read
argv += optind;
^ ~~~~~~
1 warning generated.
tools/btgatt-server.c:1212:2: warning: Value stored to 'argv' is never read
argv -= optind;
^ ~~~~~~
1 warning generated.
tools/check-selftest.c:42:3: warning: Value stored to 'ptr' is never read
ptr = fgets(result, sizeof(result), fp);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
tools/gatt-service.c:294:2: warning: 2nd function call argument is an uninitialized value
chr_write(chr, value, len);
^~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
tools/obex-server-tool.c:133:13: warning: Null pointer passed to 1st parameter expecting 'nonnull'
data->fd = open(name, O_WRONLY | O_CREAT | O_NOCTTY, 0600);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/obex-server-tool.c:192:13: warning: Null pointer passed to 1st parameter expecting 'nonnull'
data->fd = open(name, O_RDONLY | O_NOCTTY, 0);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
tools/test-runner.c:945:2: warning: 2nd function call argument is an uninitialized value
printf("Running command %s\n", cmdname ? cmdname : argv[0]);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
tools/btpclientctl.c:402:3: warning: Value stored to 'bit' is never read
bit = 0;
^ ~
tools/btpclientctl.c:1655:2: warning: Null pointer passed to 2nd parameter expecting 'nonnull'
memcpy(cp->data, ad_data, ad_len);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
src/sdpd-request.c:211:13: warning: Result of 'malloc' is converted to a pointer of type 'char', which is incompatible with sizeof operand type 'uint16_t'
pElem = malloc(sizeof(uint16_t));
^~~~~~ ~~~~~~~~~~~~~~~~
src/sdpd-request.c:239:13: warning: Result of 'malloc' is converted to a pointer of type 'char', which is incompatible with sizeof operand type 'uint32_t'
pElem = malloc(sizeof(uint32_t));
^~~~~~ ~~~~~~~~~~~~~~~~
2 warnings generated.
android/avrcp-lib.c:1968:3: warning: 1st function call argument is an uninitialized value
g_free(text[i]);
^~~~~~~~~~~~~~~
1 warning generated.
profiles/health/hdp.c:644:3: warning: Use of memory after it is freed
hdp_tmp_dc_data_unref(dc_data);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
profiles/health/hdp.c:800:19: warning: Use of memory after it is freed
path = g_strdup(chan->path);
^~~~~~~~~~
profiles/health/hdp.c:1779:6: warning: Use of memory after it is freed
hdp_tmp_dc_data_ref(hdp_conn),
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
profiles/health/hdp.c:1836:30: warning: Use of memory after it is freed
reply = g_dbus_create_error(data->msg, ERROR_INTERFACE ".HealthError",
^~~~~~~~~
4 warnings generated.
profiles/health/hdp_util.c:1052:2: warning: Use of memory after it is freed
conn_data->func(conn_data->data, gerr);
^~~~~~~~~~~~~~~
1 warning generated.
attrib/gatt.c:970:2: warning: Potential leak of memory pointed to by 'long_write'
return prepare_write(long_write);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
src/sdpd-request.c:211:13: warning: Result of 'malloc' is converted to a pointer of type 'char', which is incompatible with sizeof operand type 'uint16_t'
pElem = malloc(sizeof(uint16_t));
^~~~~~ ~~~~~~~~~~~~~~~~
src/sdpd-request.c:239:13: warning: Result of 'malloc' is converted to a pointer of type 'char', which is incompatible with sizeof operand type 'uint32_t'
pElem = malloc(sizeof(uint32_t));
^~~~~~ ~~~~~~~~~~~~~~~~
2 warnings generated.
src/sdp-xml.c:126:10: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
src/sdp-xml.c:300:11: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
src/sdp-xml.c:338:11: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
3 warnings generated.
src/sdp-client.c:353:14: warning: Access to field 'cb' results in a dereference of a null pointer
(*ctxt)->cb = cb;
~~~~~~~~~~~~^~~~
1 warning generated.
src/gatt-database.c:1155:10: warning: Value stored to 'bits' during its initialization is never read
uint8_t bits[] = { BT_GATT_CHRC_CLI_FEAT_ROBUST_CACHING,
^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
gobex/gobex-header.c:67:2: warning: Null pointer passed to 2nd parameter expecting 'nonnull'
memcpy(to, from, count);
^~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
gobex/gobex-transfer.c:423:7: warning: Use of memory after it is freed
if (!g_slist_find(transfers, transfer))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
mesh/main.c:161:3: warning: Value stored to 'optarg' is never read
optarg += strlen("auto");
^ ~~~~~~~~~~~~~~
1 warning generated.
client/gatt.c: In function ‘proxy_property_changed’:
client/gatt.c:3203:11: error: expected ‘;’ before ‘}’ token
3203 | name)
| ^
| ;
3204 | } else {
| ~
make[1]: *** [Makefile:7809: client/gatt.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4651: all] Error 2
---
Regards,
Linux Bluetooth
* Re: Fix a number of static analysis issues
2024-05-10 11:47 ` Fix a number of static analysis issues bluez.test.bot
@ 2024-05-10 11:49 ` Bastien Nocera
0 siblings, 0 replies; 17+ messages in thread
From: Bastien Nocera @ 2024-05-10 11:49 UTC (permalink / raw)
To: linux-bluetooth
On Fri, 2024-05-10 at 04:47 -0700, bluez.test.bot@gmail.com wrote:
> This is automated email and please do not reply to this email!
>
> Dear submitter,
>
> Thank you for submitting the patches to the linux bluetooth mailing
> list.
> This is a CI test results with your patch series:
> PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=852187
Noticed a couple of bugs in those patches, will send a v2 with some
more patches ASAP.
Cheers