[PATCH] obexd/bip: Fix uninitialized memory and malformed XML in GetImage request

public inbox for linux-bluetooth@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] obexd/bip: Fix uninitialized memory and malformed XML in GetImage request
@ 2026-03-23  0:48 maxing
  2026-03-23  1:49 ` bluez.test.bot
  2026-03-24  8:41 ` [PATCH] " Bastien Nocera
  0 siblings, 2 replies; 3+ messages in thread
From: maxing @ 2026-03-23  0:48 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: maxing

This commit addresses several defects in the AVRCP BIP GetImage
implementation that caused strict OBEX servers (e.g., Android)
to reject image transfers with "Precondition Failed (0x4C)".

1. Fix uninitialized memory read:
   In `get_image()`, the `maxsize` variable was not initialized. If the
   client omitted the "maxsize" key in the D-Bus dictionary, `maxsize`
   retained garbage data from the stack, leading to anomalous log entries.

2. Fix malformed XML image descriptor:
   When D-Bus clients omitted the `pixel` or `encoding` parameters,
   `parse_get_image_dict()` improperly forced them to empty strings ("").
   This resulted in `get_image()` generating an invalid XML tag:
   `<image encoding="" pixel=""/>`.
   The XML construction logic has been rewritten to dynamically append
   only the provided attributes, and the previously parsed but ignored
   `maxsize` attribute is now properly included if specified.

3. Fix D-Bus iterator advancement:
   Removed a redundant D-Bus type check in `parse_get_image_dict()`
   where the iterator was evaluated twice before calling
   `dbus_message_iter_next()`.

Signed-off-by: maxing <2965346066@qq.com>
---
 obexd/client/bip.c | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/obexd/client/bip.c b/obexd/client/bip.c
index ec75fdd67..7c724b4b4 100644
--- a/obexd/client/bip.c
+++ b/obexd/client/bip.c
@@ -38,9 +38,6 @@
 
 #define EOL_CHARS "\n"
 #define IMG_DESC_BEGIN "<image-descriptor version=\"1.0\">" EOL_CHARS
-#define IMG_BEGIN "<image encoding=\"%s\" pixel=\"%s\""
-#define IMG_TRANSFORM " transformation=\"%s\""
-#define IMG_END "/>" EOL_CHARS
 #define IMG_DESC_END "</image-descriptor>" EOL_CHARS
 
 static DBusConnection *conn;
@@ -206,9 +203,9 @@ static gboolean parse_get_image_dict(DBusMessage *msg, char **path,
 		goto failed;
 	dbus_message_iter_get_basic(&iter, path);
 	*path = g_strdup(*path);
+	dbus_message_iter_next(&iter);
 	if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_STRING)
 		goto failed;
-	dbus_message_iter_next(&iter);
 	dbus_message_iter_get_basic(&iter, handle);
 	*handle = g_strdup(*handle);
 	dbus_message_iter_next(&iter);
@@ -258,13 +255,11 @@ static gboolean parse_get_image_dict(DBusMessage *msg, char **path,
 		dbus_message_iter_next(&array);
 	}
 
-	if (*pixel == NULL)
-		*pixel = strdup("");
-	if (*encoding == NULL)
-		*encoding = strdup("");
-
-	DBG("pixel: '%s' encoding: '%s' maxsize: '%lu' transform: '%s'",
-			*pixel, *encoding, *maxsize, *transform
+	DBG("pixel: '%s' encoding: '%s' maxsize: '%llu' transform: '%s'",
+			*pixel ? *pixel : "",
+			*encoding ? *encoding : "",
+			(unsigned long long)*maxsize,
+			*transform ? *transform : ""
 	);
 
 	return TRUE;
@@ -283,7 +278,7 @@ static DBusMessage *get_image(DBusConnection *connection,
 	struct bip_avrcp_data *bip_avrcp = user_data;
 	char *handle = NULL, *image_path = NULL, *transform = NULL,
 		*encoding = NULL, *pixel = NULL;
-	uint64_t maxsize;
+	uint64_t maxsize = 0;
 	struct obc_transfer *transfer;
 	GObexHeader *header;
 	DBusMessage *reply = NULL;
@@ -310,10 +305,16 @@ static DBusMessage *get_image(DBusConnection *connection,
 	obc_transfer_add_header(transfer, header);
 
 	descriptor = g_string_new(IMG_DESC_BEGIN);
-	g_string_append_printf(descriptor, IMG_BEGIN, encoding, pixel);
+	g_string_append(descriptor, "<image");
+	if (encoding != NULL)
+		g_string_append_printf(descriptor, " encoding=\"%s\"", encoding);
+	if (pixel != NULL)
+		g_string_append_printf(descriptor, " pixel=\"%s\"", pixel);
+	if (maxsize > 0)
+		g_string_append_printf(descriptor, " maxsize=\"%llu\"", (unsigned long long)maxsize);
 	if (transform != NULL)
-		g_string_append_printf(descriptor, IMG_TRANSFORM, transform);
-	g_string_append(descriptor, IMG_END);
+		g_string_append_printf(descriptor, " transformation=\"%s\"", transform);
+	g_string_append(descriptor, "/>" EOL_CHARS);
 	descriptor = g_string_append(descriptor, IMG_DESC_END);
 	header = g_obex_header_new_bytes(IMG_DESC_TAG, descriptor->str,
 						descriptor->len);
-- 
2.51.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* RE: obexd/bip: Fix uninitialized memory and malformed XML in GetImage request
  2026-03-23  0:48 [PATCH] obexd/bip: Fix uninitialized memory and malformed XML in GetImage request maxing
@ 2026-03-23  1:49 ` bluez.test.bot
  2026-03-24  8:41 ` [PATCH] " Bastien Nocera
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-03-23  1:49 UTC (permalink / raw)
  To: linux-bluetooth, 2965346066

[-- Attachment #1: Type: text/plain, Size: 1311 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1070581

---Test result---

Test Summary:
CheckPatch                    PENDING   0.32 seconds
GitLint                       PENDING   0.34 seconds
BuildEll                      PASS      21.48 seconds
BluezMake                     PASS      647.72 seconds
MakeCheck                     PASS      19.02 seconds
MakeDistcheck                 PASS      255.04 seconds
CheckValgrind                 PASS      302.62 seconds
CheckSmatch                   PASS      364.95 seconds
bluezmakeextell               PASS      186.61 seconds
IncrementalBuild              PENDING   0.32 seconds
ScanBuild                     PASS      1043.65 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



https://github.com/bluez/bluez/pull/1983/checks

---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] obexd/bip: Fix uninitialized memory and malformed XML in GetImage request
  2026-03-23  0:48 [PATCH] obexd/bip: Fix uninitialized memory and malformed XML in GetImage request maxing
  2026-03-23  1:49 ` bluez.test.bot
@ 2026-03-24  8:41 ` Bastien Nocera
  1 sibling, 0 replies; 3+ messages in thread
From: Bastien Nocera @ 2026-03-24  8:41 UTC (permalink / raw)
  To: maxing, linux-bluetooth

On Mon, 2026-03-23 at 08:48 +0800, maxing wrote:
> This commit addresses several defects in the AVRCP BIP GetImage
> implementation that caused strict OBEX servers (e.g., Android)
> to reject image transfers with "Precondition Failed (0x4C)".
> 
> 1. Fix uninitialized memory read:
>    In `get_image()`, the `maxsize` variable was not initialized. If
> the
>    client omitted the "maxsize" key in the D-Bus dictionary,
> `maxsize`
>    retained garbage data from the stack, leading to anomalous log
> entries.
> 
> 2. Fix malformed XML image descriptor:
>    When D-Bus clients omitted the `pixel` or `encoding` parameters,
>    `parse_get_image_dict()` improperly forced them to empty strings
> ("").
>    This resulted in `get_image()` generating an invalid XML tag:
>    `<image encoding="" pixel=""/>`.
>    The XML construction logic has been rewritten to dynamically
> append
>    only the provided attributes, and the previously parsed but
> ignored
>    `maxsize` attribute is now properly included if specified.
> 
> 3. Fix D-Bus iterator advancement:
>    Removed a redundant D-Bus type check in `parse_get_image_dict()`
>    where the iterator was evaluated twice before calling
>    `dbus_message_iter_next()`.

I think that it would be useful for you to split those 3 fixes into 3
separate commits in a single patchset, which would make it easier to
review individually.

Regards

> 
> Signed-off-by: maxing <2965346066@qq.com>
> ---
>  obexd/client/bip.c | 31 ++++++++++++++++---------------
>  1 file changed, 16 insertions(+), 15 deletions(-)
> 
> diff --git a/obexd/client/bip.c b/obexd/client/bip.c
> index ec75fdd67..7c724b4b4 100644
> --- a/obexd/client/bip.c
> +++ b/obexd/client/bip.c
> @@ -38,9 +38,6 @@
>  
>  #define EOL_CHARS "\n"
>  #define IMG_DESC_BEGIN "<image-descriptor version=\"1.0\">"
> EOL_CHARS
> -#define IMG_BEGIN "<image encoding=\"%s\" pixel=\"%s\""
> -#define IMG_TRANSFORM " transformation=\"%s\""
> -#define IMG_END "/>" EOL_CHARS
>  #define IMG_DESC_END "</image-descriptor>" EOL_CHARS
>  
>  static DBusConnection *conn;
> @@ -206,9 +203,9 @@ static gboolean parse_get_image_dict(DBusMessage
> *msg, char **path,
>  		goto failed;
>  	dbus_message_iter_get_basic(&iter, path);
>  	*path = g_strdup(*path);
> +	dbus_message_iter_next(&iter);
>  	if (dbus_message_iter_get_arg_type(&iter) !=
> DBUS_TYPE_STRING)
>  		goto failed;
> -	dbus_message_iter_next(&iter);
>  	dbus_message_iter_get_basic(&iter, handle);
>  	*handle = g_strdup(*handle);
>  	dbus_message_iter_next(&iter);
> @@ -258,13 +255,11 @@ static gboolean
> parse_get_image_dict(DBusMessage *msg, char **path,
>  		dbus_message_iter_next(&array);
>  	}
>  
> -	if (*pixel == NULL)
> -		*pixel = strdup("");
> -	if (*encoding == NULL)
> -		*encoding = strdup("");
> -
> -	DBG("pixel: '%s' encoding: '%s' maxsize: '%lu' transform:
> '%s'",
> -			*pixel, *encoding, *maxsize, *transform
> +	DBG("pixel: '%s' encoding: '%s' maxsize: '%llu' transform:
> '%s'",
> +			*pixel ? *pixel : "",
> +			*encoding ? *encoding : "",
> +			(unsigned long long)*maxsize,
> +			*transform ? *transform : ""
>  	);
>  
>  	return TRUE;
> @@ -283,7 +278,7 @@ static DBusMessage *get_image(DBusConnection
> *connection,
>  	struct bip_avrcp_data *bip_avrcp = user_data;
>  	char *handle = NULL, *image_path = NULL, *transform = NULL,
>  		*encoding = NULL, *pixel = NULL;
> -	uint64_t maxsize;
> +	uint64_t maxsize = 0;
>  	struct obc_transfer *transfer;
>  	GObexHeader *header;
>  	DBusMessage *reply = NULL;
> @@ -310,10 +305,16 @@ static DBusMessage *get_image(DBusConnection
> *connection,
>  	obc_transfer_add_header(transfer, header);
>  
>  	descriptor = g_string_new(IMG_DESC_BEGIN);
> -	g_string_append_printf(descriptor, IMG_BEGIN, encoding,
> pixel);
> +	g_string_append(descriptor, "<image");
> +	if (encoding != NULL)
> +		g_string_append_printf(descriptor, "
> encoding=\"%s\"", encoding);
> +	if (pixel != NULL)
> +		g_string_append_printf(descriptor, " pixel=\"%s\"",
> pixel);
> +	if (maxsize > 0)
> +		g_string_append_printf(descriptor, "
> maxsize=\"%llu\"", (unsigned long long)maxsize);
>  	if (transform != NULL)
> -		g_string_append_printf(descriptor, IMG_TRANSFORM,
> transform);
> -	g_string_append(descriptor, IMG_END);
> +		g_string_append_printf(descriptor, "
> transformation=\"%s\"", transform);
> +	g_string_append(descriptor, "/>" EOL_CHARS);
>  	descriptor = g_string_append(descriptor, IMG_DESC_END);
>  	header = g_obex_header_new_bytes(IMG_DESC_TAG, descriptor-
> >str,
>  						descriptor->len);

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-03-24  8:41 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-23  0:48 [PATCH] obexd/bip: Fix uninitialized memory and malformed XML in GetImage request maxing
2026-03-23  1:49 ` bluez.test.bot
2026-03-24  8:41 ` [PATCH] " Bastien Nocera

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox