Linux bluetooth development
From: fdanis-oss <noreply@github.com>
To: linux-bluetooth@vger.kernel.org
Subject: [bluez/bluez] 4cedd8: monitor: Fix RAS CS step mode parsing issues
Date: Tue, 12 May 2026 12:23:35 -0700
Message-ID: <bluez/bluez/push/refs/heads/master/7cd27f-6ba04f@github.com>

  Branch: refs/heads/master
  Home:   https://github.com/bluez/bluez
  Commit: 4cedd8f9b886221f857c67295b1c1ed6b285ea3d
      https://github.com/bluez/bluez/commit/4cedd8f9b886221f857c67295b1c1ed6b285ea3d
  Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
  Date:   2026-05-12 (Tue, 12 May 2026)

  Changed paths:
    M monitor/att.c

  Log Message:
  -----------
  monitor: Fix RAS CS step mode parsing issues

Fix double space typo in print_ranging_steps signature.

Fix ToA_ToD sign extension using proper cast via (uint32_t)(int16_t)
instead of unconditionally OR-ing with 0xFFFF0000 which corrupts
positive values.

Refactor print_step_mode_3 to reuse print_step_mode_1 and
print_step_mode_2 eliminating ~90 lines of duplicated code.

Initialize first_segment to false so the error path via goto done
does not incorrectly print remaining data when the segmentation
header was never parsed.

Improve Mode 0 step data length heuristic with better alignment
check and clearer documentation of the limitation.

Assisted-by: OpenCode:claude-opus-4.6
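The sign-extension point from the commit message, as an added example that is not the code in monitor/att.c: the two ways of widening a 16-bit two's-complement field, side by side, plus a bounds-checked little-endian reader of the kind a step-data parser needs. `raw` stands for the ToA_ToD value as read from the step data; the helper names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Pattern the commit calls out: OR-ing in 0xFFFF0000 sign-extends a negative
 * value correctly but also forces every positive value negative. */
static uint32_t widen_by_or(uint16_t raw)
{
	return (uint32_t)raw | 0xFFFF0000u;
}

/* Fixed pattern: the int16_t conversion takes the sign from bit 15, and the
 * widening to uint32_t then fills the upper half with that sign. */
static uint32_t widen_by_cast(uint16_t raw)
{
	return (uint32_t)(int16_t)raw;
}

/* Read a little-endian signed 16-bit field at `off`, refusing to read past
 * `len` (the wrap check covers an `off` close to SIZE_MAX). Returns 0 on
 * success with the sign-extended value in *out, -1 otherwise. */
static int read_s16le(const uint8_t *data, size_t len, size_t off, int32_t *out)
{
	if (off + 2 < off || off + 2 > len)
		return -1;
	*out = (int32_t)widen_by_cast((uint16_t)(data[off] | (data[off + 1] << 8)));
	return 0;
}

int main(void)
{
	/* constructed samples: a positive value, the most negative one, and -2 */
	const uint16_t samples[] = { 0x1234, 0x8000, 0xFFFE };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("raw 0x%04x  or: 0x%08x  cast: 0x%08x (%d)\n",
		       samples[i], widen_by_or(samples[i]),
		       widen_by_cast(samples[i]), (int)widen_by_cast(samples[i]));
	return 0;
}
```

Only the negative rows agree between the two columns; the positive row is where the OR form silently corrupts the decoded value.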


  Commit: ca2b39b0c08e810643eb53fb3fa3f7a49ff24dcd
      https://github.com/bluez/bluez/commit/ca2b39b0c08e810643eb53fb3fa3f7a49ff24dcd
  Author: Bastien Nocera <hadess@hadess.net>
  Date:   2026-05-12 (Tue, 12 May 2026)

  Changed paths:
    M lib/bluetooth/hci.c
    M src/main.c
    M src/shared/gatt-server.c

  Log Message:
  -----------
  all: Remove more unneeded MIN/MAX macro definition


  Commit: 2e0533f977cc5f1c3a62270aedebbefd14fa7a5a
      https://github.com/bluez/bluez/commit/2e0533f977cc5f1c3a62270aedebbefd14fa7a5a
  Author: Bastien Nocera <hadess@hadess.net>
  Date:   2026-05-12 (Tue, 12 May 2026)

  Changed paths:
    M src/shared/util.h
    M unit/test-util.c

  Log Message:
  -----------
  shared/util: Add helper for "cleanup" variable attribute

Use the widespread "cleanup" variable attribute:
https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html#index-cleanup

It is implemented by both GCC and clang on platforms where bluez is
used, and can help reduce memory leaks, while improving readability.

This implements:
- generic cleanup (_cleanup_free_)
- cleanup with specific free function (_cleanup_())
- cleanup for specific types (_cleanup_type_(type))
- cleanup for file descriptors
- capturing a variable before it is freed (so it is only freed in error
  paths for example, _steal_() and _steal_fd())

This commit includes tests which should cover all those new helpers.

See also:
https://systemd.io/CODING_STYLE/#memory-allocation
https://docs.gtk.org/glib/auto-cleanup.html


  Commit: 9ba6c13df5fb461237e5f4e44f81eee3a21b415a
      https://github.com/bluez/bluez/commit/9ba6c13df5fb461237e5f4e44f81eee3a21b415a
  Author: Bastien Nocera <hadess@hadess.net>
  Date:   2026-05-12 (Tue, 12 May 2026)

  Changed paths:
    M doc/maintainer-guidelines.rst

  Log Message:
  -----------
  doc: Recommend using _cleanup_ and friends


  Commit: 140e3569295c662a8a9e12aec1cdc72c027361d6
      https://github.com/bluez/bluez/commit/140e3569295c662a8a9e12aec1cdc72c027361d6
  Author: Bastien Nocera <hadess@hadess.net>
  Date:   2026-05-12 (Tue, 12 May 2026)

  Changed paths:
    M src/main.c

  Log Message:
  -----------
  main: Use _cleanup_() to simplify configuration parsing

Use helpers to simplify temporary string usage, and cleanup in error
paths.


  Commit: e33f5027b898a84e664752d92b16a2b8ac25eda3
      https://github.com/bluez/bluez/commit/e33f5027b898a84e664752d92b16a2b8ac25eda3
  Author: Bastien Nocera <hadess@hadess.net>
  Date:   2026-05-12 (Tue, 12 May 2026)

  Changed paths:
    M client/mgmt.c

  Log Message:
  -----------
  client: Use _cleanup_fd_ to simplify urandom access

fd gets auto-closed before exiting the scope.


  Commit: 02aa9a8cfe6af80d59cca0851608ed87a708e0ed
      https://github.com/bluez/bluez/commit/02aa9a8cfe6af80d59cca0851608ed87a708e0ed
  Author: Bastien Nocera <hadess@hadess.net>
  Date:   2026-05-12 (Tue, 12 May 2026)

  Changed paths:
    M tools/btattach.c

  Log Message:
  -----------
  btattach: Use _cleanup_fd_ to simplify error paths

Use _cleanup_fd_ and _steal_fd() to simplify error paths, and only
"steal" the file descriptor on success.

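One possible implementation of the helper family listed in the shared/util commit above, exercised on the two shapes the later commits apply it to: an object that is only stolen out on success (the configuration-parsing case in main.c) and a file descriptor that is stolen only after setup succeeded (the btattach and urandom cases). This is an added example, not BlueZ's src/shared/util.h: the macro bodies, the `device` type, `DEFINE_CLEANUP` and the two counters are this example's own assumptions, and it needs GCC or clang for the cleanup attribute and statement expressions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE		/* strtok_r(), O_CLOEXEC */
#endif
#include <ctype.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed macro bodies; BlueZ's own src/shared/util.h is not on this page. */
#define _cleanup_(f)		__attribute__((cleanup(f)))

static inline void freep(void *p) { free(*(void **)p); }
#define _cleanup_free_		_cleanup_(freep)

/* Per-type wrapper so _cleanup_type_(type) can name `type_freep()`. */
#define DEFINE_CLEANUP(type, func) \
	static inline void type##_freep(type **p) { if (*p) func(*p); }
#define _cleanup_type_(type)	_cleanup_(type##_freep)

static int closed_fds;		/* makes the fd cleanup observable below */
static inline void closep(int *fd)
{
	if (*fd >= 0) {
		close(*fd);
		closed_fds++;
	}
}
#define _cleanup_fd_		_cleanup_(closep)

/* Hand the value to the caller and leave a "nothing to release" marker. */
#define _steal_(ptr)	({ __typeof__(*(ptr)) _v = *(ptr); *(ptr) = NULL; _v; })
#define _steal_fd(ptr)	({ int _fd = *(ptr); *(ptr) = -1; _fd; })

typedef struct {
	char *name;
	uint8_t addr[6];
} device;

static int freed_devices;	/* same for the typed cleanup */
static void device_free(device *d)
{
	free(d->name);
	free(d);
	freed_devices++;
}
DEFINE_CLEANUP(device, device_free)

/* Build a device from a name and "XX:XX:XX:XX:XX:XX". Every early return frees
 * the half-built object and the scratch copy; only success steals it out. */
static device *device_new(const char *name, const char *bdaddr)
{
	_cleanup_type_(device) device *dev = calloc(1, sizeof(*dev));
	_cleanup_free_ char *copy = strdup(bdaddr);
	char *save = NULL, *tok;
	int i;

	if (!dev || !copy)
		return NULL;
	dev->name = strdup(name);
	if (!dev->name)
		return NULL;
	for (i = 0, tok = strtok_r(copy, ":", &save); tok;
				tok = strtok_r(NULL, ":", &save), i++) {
		if (i == 6 || !isxdigit((unsigned char)tok[0]) ||
				!isxdigit((unsigned char)tok[1]) || tok[2])
			return NULL;		/* dev and copy released here */
		dev->addr[i] = (uint8_t)strtoul(tok, NULL, 16);
	}
	if (i != 6)
		return NULL;
	return _steal_(&dev);			/* copy still freed, dev kept */
}

/* The btattach shape: open, require a 4-byte header, and steal the descriptor
 * only on success; every failure path leaves it to closep() at scope exit. */
static int open_with_header(const char *path, uint8_t hdr[4])
{
	_cleanup_fd_ int fd = open(path, O_RDONLY | O_CLOEXEC);

	if (fd < 0)
		return -1;
	if (read(fd, hdr, 4) != 4)
		return -1;			/* closep() closes fd here */
	return _steal_fd(&fd);			/* fd is -1 now: closep() no-op */
}

int main(void)
{
	uint8_t hdr[4];
	device *dev = device_new("hci0", "00:AA:01:00:00:42");
	int fd = open_with_header("/dev/zero", hdr);

	printf("dev=%p fd=%d frees=%d closes=%d\n", (void *)dev, fd,
	       freed_devices, closed_fds);
	if (dev)
		device_free(dev);
	if (fd >= 0)
		close(fd);
	return 0;
}
```

The point worth checking in review of code converted this way is the steal: it has to be the last statement on the success path, after every check that could still fail, otherwise the resource escapes the cleanup and the leak the attribute was meant to remove comes back.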

  Commit: f95b524e5a1d5a851ada7532160b80fa44dd4721
      https://github.com/bluez/bluez/commit/f95b524e5a1d5a851ada7532160b80fa44dd4721
  Author: Bastien Nocera <hadess@hadess.net>
  Date:   2026-05-12 (Tue, 12 May 2026)

  Changed paths:
    M mesh/net.c

  Log Message:
  -----------
  mesh: Remove unused but set variable

We played around with the bits, but didn't do anything with it.

mesh/net.c: In function ‘ack_received’:
mesh/net.c:1569:18: error: variable ‘ack_copy’ set but not used [-Werror=unused-but-set-variable=]
 1569 |         uint32_t ack_copy = ack_flag;
      |                  ^~~~~~~~


  Commit: 3940d9cf85a2a62ec2ad60ee50b2ac70b801cdf9
      https://github.com/bluez/bluez/commit/3940d9cf85a2a62ec2ad60ee50b2ac70b801cdf9
  Author: Bastien Nocera <hadess@hadess.net>
  Date:   2026-05-12 (Tue, 12 May 2026)

  Changed paths:
    M tools/mesh/mesh-db.c

  Log Message:
  -----------
  mesh: Fix str{r,}chr usage

Fix the code manipulating "const char *" return values from
json_object_to_json_string_ext() to modify it for printing; we're
not allowed to do that.

tools/mesh/mesh-db.c: In function ‘mesh_db_finish_export’:
tools/mesh/mesh-db.c:2598:13: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
 2598 |         pos = strrchr(hdr, '}');
      |             ^
tools/mesh/mesh-db.c:2604:13: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
 2604 |         pos = strrchr(hdr, '"');
      |             ^
tools/mesh/mesh-db.c:2613:13: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
 2613 |         pos = strchr(str, '{');
      |             ^


  Commit: 7b2b51ac6f6482e531dd23af7c6761f8c786cd13
      https://github.com/bluez/bluez/commit/7b2b51ac6f6482e531dd23af7c6761f8c786cd13
  Author: Bastien Nocera <hadess@hadess.net>
  Date:   2026-05-12 (Tue, 12 May 2026)

  Changed paths:
    M mesh/util.c

  Log Message:
  -----------
  mesh: Fix const qualifier dropping when using strchr()

strchr() with a const string returns a const string, we don't change
that string or "next", so make both const and get rid of the warning.

mesh/util.c: In function ‘create_dir’:
mesh/util.c:108:14: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  108 |         prev = strchr(dir_name, '/');
      |              ^


  Commit: ec223f0782ef1265823b5233fccea0f3f552bab0
      https://github.com/bluez/bluez/commit/ec223f0782ef1265823b5233fccea0f3f552bab0
  Author: Pauli Virtanen <pav@iki.fi>
  Date:   2026-05-12 (Tue, 12 May 2026)

  Changed paths:
    M src/adapter.c

  Log Message:
  -----------
  adapter: add BCAA UUID also when seen device is not discoverable

BAP v1.0.2 Sec 6.4 specifies Broadcast discovery uses observation
procedure (Core Vol 3 Part C Sec 9.1.2) which makes no reference to
device discoverability state.

However, if remote device does:

1. Send Advertising Data for some other UUID with General Discoverable
2. Send Advertising Data for BCAA UUID with no flags

then adapter.c:btd_adapter_device_found() creates the device in step 1, but
in step 2 it ignores the BCAA UUID since the device exists but is not
discoverable; the monitoring=true special case applies only for
first-seen devices.  Consequently the bap plugin fails to pick up the BCAA
stream.

This sequence was observed to be produced by BlueZ + btvirt.

Fix by monitoring also previously existing but currently non-connectable
devices with BCAA UUID.

Link: https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/2812#note_3467783
Log:
--------------------------
@ MGMT Event: Device Found (0x0012) plen 17
        LE Address: 00:AA:01:00:00:42 (Intel Corporation)
        RSSI: invalid (0x7f)
        Flags: 0x00000000
        Data length: 3
        Data[3]:
        02 01 06                                         ...
        Flags: 0x06
          LE General Discoverable Mode
          BR/EDR Not Supported
...
@ MGMT Event: Device Found (0x0012) plen 39
        LE Address: 00:AA:01:00:00:42 (Intel Corporation)
        RSSI: invalid (0x7f)
        Flags: 0x00000004
          Not Connectable
        Data length: 25
        Data[25]:
        06 16 52 18 56 db 55 03 03 4e 18 0d 16 4e 18 00  ..R.V.U..N...N..
        ff 0f 0f 00 04 03 01 01 00                       .........
        Service Data: Broadcast Audio Announcement (0x1852)
        Broadcast ID: 5626710 (0x55db56)
        16-bit Service UUIDs (complete): 1 entry
          Audio Stream Control (0x184e)
        Service Data: Audio Stream Control (0x184e)
          Data[10]:
        00 ff 0f 0f 00 04 03 01 01 00
--------------------------
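The two advertisements quoted in the log above, run through a small AD-structure parser and the discovery decision the message describes. This is an added example, not the code in adapter.c: the AD type codes and the BCAA UUID 0x1852 are the assigned numbers the log itself decodes, the sample bytes are copied from the two Device Found events, and `bcaa_picked_up()` only models the before/after behaviour the message states, with `connectable` taken from the MGMT event flags (the second event shows Not Connectable).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AD type codes and the UUID are the assigned numbers the log above decodes. */
#define AD_FLAGS		0x01
#define AD_UUID16_ALL		0x03
#define AD_SERVICE_DATA16	0x16
#define UUID_BCAA		0x1852	/* Broadcast Audio Announcement */
#define FLAG_LE_GENERAL_DISC	0x02

/* Constructed from the two Device Found events quoted in the log. */
static const uint8_t adv_first[] = { 0x02, 0x01, 0x06 };
static const uint8_t adv_second[] = {
	0x06, 0x16, 0x52, 0x18, 0x56, 0xdb, 0x55,
	0x03, 0x03, 0x4e, 0x18,
	0x0d, 0x16, 0x4e, 0x18, 0x00, 0xff, 0x0f, 0x0f, 0x00, 0x04, 0x03,
	0x01, 0x01, 0x00,
};

struct ad_summary {
	bool has_flags, has_bcaa;
	uint8_t flags;
	uint32_t broadcast_id;		/* 24-bit value from the BCAA service data */
	int uuid16_count;
	uint16_t uuid16[8];
};

/* Walk length/type/payload structures. Returns false when a length byte
 * points past the buffer: radio data has to be refused, not read past. */
static bool parse_ad(const uint8_t *data, size_t len, struct ad_summary *out)
{
	size_t off = 0;

	memset(out, 0, sizeof(*out));
	while (off < len) {
		uint8_t l = data[off];
		const uint8_t *p = &data[off + 1];	/* p[0] is the AD type */

		if (l == 0)
			break;			/* early termination, rest is padding */
		if (off + 1 + l > len)
			return false;
		switch (p[0]) {
		case AD_FLAGS:
			if (l >= 2) {
				out->flags = p[1];
				out->has_flags = true;
			}
			break;
		case AD_UUID16_ALL:
			for (size_t i = 1; i + 1 < l && out->uuid16_count < 8; i += 2)
				out->uuid16[out->uuid16_count++] =
						p[i] | (p[i + 1] << 8);
			break;
		case AD_SERVICE_DATA16:
			if (l >= 6 && (p[1] | (p[2] << 8)) == UUID_BCAA) {
				out->has_bcaa = true;
				out->broadcast_id = p[3] | (p[4] << 8) |
						((uint32_t)p[5] << 16);
			}
			break;
		}
		off += 1 + l;
	}
	return true;
}

/* Models only what the commit message states: a first-seen device is
 * monitored (the monitoring=true special case); an existing device's UUIDs
 * count while it advertises as discoverable; with the fix, an existing
 * non-connectable device carrying the BCAA UUID is monitored as well. */
static bool bcaa_picked_up(bool exists, bool discoverable, bool connectable,
				bool has_bcaa, bool with_fix)
{
	if (!has_bcaa)
		return false;
	if (!exists || discoverable)
		return true;
	return with_fix && !connectable;
}

int main(void)
{
	struct ad_summary s;
	bool disc;

	if (!parse_ad(adv_second, sizeof(adv_second), &s))
		return 1;
	/* step 2: device exists from step 1, no Flags AD, Not Connectable set */
	disc = s.has_flags && (s.flags & FLAG_LE_GENERAL_DISC);
	printf("Broadcast ID 0x%06x, picked up before fix: %d, after: %d\n",
	       s.broadcast_id, bcaa_picked_up(true, disc, false, s.has_bcaa, false),
	       bcaa_picked_up(true, disc, false, s.has_bcaa, true));
	return 0;
}
```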


  Commit: 6ba04fad369f1dced3892944df6779c5f99b359c
      https://github.com/bluez/bluez/commit/6ba04fad369f1dced3892944df6779c5f99b359c
  Author: Frédéric Danis <frederic.danis@collabora.com>
  Date:   2026-05-12 (Tue, 12 May 2026)

  Changed paths:
    M obexd/client/pbap.c

  Log Message:
  -----------
  pbap: Fix not checking Database Identifier length

Database Identifier is supposed to be a 16-byte value.

A paired Bluetooth device acting as a PBAP server can overflow the
heap in obexd by up to 239 bytes into adjacent allocations by returning
a DATABASEID_TAG application parameter with an oversized length.
With both length and content fully attacker-controlled, this enables
standard glibc heap exploitation primitives (tcache/fastbin poisoning)
leading to remote code execution in the obexd process.
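The length check the fix describes, as an added example that is not obexd's code: a bounded walk over OBEX application parameters that rejects a Database Identifier of any length other than 16 before copying it, plus the arithmetic behind the 239-byte figure. The DATABASEID_TAG name is from the commit message; its value 0x0D is taken from the PBAP application-parameter table and is an assumption of this example, as is the receiving struct.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATABASEID_TAG	0x0D	/* PBAP DatabaseIdentifier tag; value assumed */
#define DATABASEID_LEN	16

struct pbap_reply {
	uint8_t database_id[DATABASEID_LEN];
	bool has_database_id;
	/* in a real heap object, whatever follows is what an oversized copy hits */
};

/* How far an unchecked memcpy of a vlen-byte value into the 16-byte field
 * would run past it. The OBEX length field is one byte, so the worst case is
 * 255 - 16 = 239 bytes, the figure the commit message gives. */
static int dbid_overflow_bytes(unsigned vlen)
{
	return vlen > DATABASEID_LEN ? (int)(vlen - DATABASEID_LEN) : 0;
}

/* OBEX application parameters are tag(1) length(1) value(length) triples.
 * Returns false, copying nothing, on a truncated triple or on a Database
 * Identifier whose length is not exactly 16: before the fix the copy trusted
 * the peer's length byte. */
static bool parse_app_params(const uint8_t *buf, size_t len,
						struct pbap_reply *out)
{
	size_t off = 0;

	memset(out, 0, sizeof(*out));
	while (off < len) {
		uint8_t tag, vlen;

		if (len - off < 2)
			return false;			/* header cut short */
		tag = buf[off];
		vlen = buf[off + 1];
		if (len - off - 2 < vlen)
			return false;			/* value past end of packet */
		if (tag == DATABASEID_TAG) {
			if (vlen != DATABASEID_LEN)
				return false;		/* the added check */
			memcpy(out->database_id, &buf[off + 2], DATABASEID_LEN);
			out->has_database_id = true;
		}
		off += 2 + vlen;			/* other tags are skipped */
	}
	return true;
}

/* Build one DATABASEID_TAG triple with a peer-chosen length byte; the value
 * bytes are filler, which a hostile PBAP server could choose freely. */
static size_t make_dbid_param(uint8_t *buf, uint8_t vlen)
{
	buf[0] = DATABASEID_TAG;
	buf[1] = vlen;
	memset(buf + 2, 0x41, vlen);
	return 2 + (size_t)vlen;
}

int main(void)
{
	uint8_t pkt[2 + 255];
	struct pbap_reply r;
	size_t n = make_dbid_param(pkt, 255);

	printf("len 255: accepted=%d, unchecked copy overflows by %d bytes\n",
	       parse_app_params(pkt, n, &r), dbid_overflow_bytes(255));
	n = make_dbid_param(pkt, DATABASEID_LEN);
	printf("len 16: accepted=%d\n", parse_app_params(pkt, n, &r));
	return 0;
}
```

The same shape applies to every fixed-size application parameter: the length byte is peer data, so each tag with a fixed width needs an exact-length comparison before the copy, not just the check that the value fits inside the packet.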


Compare: https://github.com/bluez/bluez/compare/7cd27f4f66aa...6ba04fad369f

To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
