* Re: [PATCH 1/2] neard: Fix passing negative error code to strerror
From: Johan Hedberg @ 2013-01-29 21:59 UTC (permalink / raw)
To: Szymon Janc; +Cc: linux-bluetooth
In-Reply-To: <1359449671-14584-1-git-send-email-szymon.janc@tieto.com>
Hi Szymon,
On Tue, Jan 29, 2013, Szymon Janc wrote:
> error_reply expects non-negative error code.
> ---
> plugins/neard.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Both patches have been applied. Thanks.
Johan
^ permalink raw reply
* [PATCH BlueZ v2 4/4] device: Fix missing PDUs during encryption procedure
From: Vinicius Costa Gomes @ 2013-01-29 19:00 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Vinicius Costa Gomes
In-Reply-To: <1359486007-3273-1-git-send-email-vinicius.gomes@openbossa.org>
In case the remote device sends an ATT PDU while encryption is going
on, we may lose it because the ATT socket (with security level medium),
would only be attached when encryption finishes.
---
src/device.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/device.c b/src/device.c
index ceaa575..0d2d3ee 100644
--- a/src/device.c
+++ b/src/device.c
@@ -3167,7 +3167,6 @@ int device_connect_le(struct btd_device *dev)
{
struct btd_adapter *adapter = dev->adapter;
struct att_callbacks *attcb;
- BtIOSecLevel sec_level;
GIOChannel *io;
GError *gerr = NULL;
char addr[18];
@@ -3185,21 +3184,18 @@ int device_connect_le(struct btd_device *dev)
attcb->success = att_success_cb;
attcb->user_data = dev;
- if (dev->paired)
- sec_level = BT_IO_SEC_MEDIUM;
- else
- sec_level = BT_IO_SEC_LOW;
-
/*
* This connection will help us catch any PDUs that comes before
- * pairing finishes
+ * pairing finishes. Its security level is low, because we don't
+ * want to miss any PDU that may come before the encryption
+ * procedure finishes
*/
io = bt_io_connect(att_connect_cb, attcb, NULL, &gerr,
BT_IO_OPT_SOURCE_BDADDR, adapter_get_address(adapter),
BT_IO_OPT_DEST_BDADDR, &dev->bdaddr,
BT_IO_OPT_DEST_TYPE, dev->bdaddr_type,
BT_IO_OPT_CID, ATT_CID,
- BT_IO_OPT_SEC_LEVEL, sec_level,
+ BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_LOW,
BT_IO_OPT_INVALID);
if (io == NULL) {
--
1.8.1.1
^ permalink raw reply related
* [PATCH BlueZ v2 3/4] gas: Fix not sending response to indication
From: Vinicius Costa Gomes @ 2013-01-29 19:00 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Vinicius Costa Gomes
In-Reply-To: <1359486007-3273-1-git-send-email-vinicius.gomes@openbossa.org>
Even if the remote device is not bonded, we should send the response to the
indication. If we don't the remote device may disconnect.
---
profiles/gatt/gas.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/profiles/gatt/gas.c b/profiles/gatt/gas.c
index c0520af..9360201 100644
--- a/profiles/gatt/gas.c
+++ b/profiles/gatt/gas.c
@@ -183,16 +183,16 @@ static void indication_cb(const uint8_t *pdu, uint16_t len, gpointer user_data)
DBG("Service Changed start: 0x%04X end: 0x%04X", start, end);
- if (device_is_bonded(gas->device) == FALSE) {
- DBG("Ignoring Service Changed: device is not bonded");
- return;
- }
-
/* Confirming indication received */
opdu = g_attrib_get_buffer(gas->attrib, &plen);
olen = enc_confirmation(opdu, plen);
g_attrib_send(gas->attrib, 0, opdu, olen, NULL, NULL, NULL);
+ if (device_is_bonded(gas->device) == FALSE) {
+ DBG("Ignoring Service Changed: device is not bonded");
+ return;
+ }
+
btd_device_gatt_set_service_changed(gas->device, start, end);
}
--
1.8.1.1
^ permalink raw reply related
* [PATCH BlueZ v2 2/4] gas: Move all the code to only one file
From: Vinicius Costa Gomes @ 2013-01-29 19:00 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Vinicius Costa Gomes
In-Reply-To: <1359486007-3273-1-git-send-email-vinicius.gomes@openbossa.org>
Our Generic Attribute/Access Service plugin is small and simple enough
to be kept in only one file.
---
Makefile.plugins | 4 +--
profiles/gatt/gas.c | 51 +++++++++++++++++++++++++++++--
profiles/gatt/gas.h | 25 ----------------
profiles/gatt/main.c | 47 -----------------------------
profiles/gatt/manager.c | 79 -------------------------------------------------
profiles/gatt/manager.h | 24 ---------------
6 files changed, 49 insertions(+), 181 deletions(-)
delete mode 100644 profiles/gatt/gas.h
delete mode 100644 profiles/gatt/main.c
delete mode 100644 profiles/gatt/manager.c
delete mode 100644 profiles/gatt/manager.h
diff --git a/Makefile.plugins b/Makefile.plugins
index faab011..f497782 100644
--- a/Makefile.plugins
+++ b/Makefile.plugins
@@ -69,9 +69,7 @@ builtin_sources += profiles/health/mcap_lib.h profiles/health/mcap_internal.h \
endif
builtin_modules += gatt
-builtin_sources += profiles/gatt/main.c profiles/gatt/manager.h \
- profiles/gatt/manager.c profiles/gatt/gas.h \
- profiles/gatt/gas.c
+builtin_sources += profiles/gatt/gas.c
builtin_modules += scanparam
builtin_sources += profiles/scanparam/scan.c
diff --git a/profiles/gatt/gas.c b/profiles/gatt/gas.c
index 429850b..c0520af 100644
--- a/profiles/gatt/gas.c
+++ b/profiles/gatt/gas.c
@@ -35,15 +35,16 @@
#include <btio/btio.h>
#include "lib/uuid.h"
+#include "plugin.h"
#include "adapter.h"
#include "device.h"
+#include "profile.h"
#include "attrib/att.h"
#include "attrib/gattrib.h"
#include "attio.h"
#include "attrib/gatt.h"
#include "log.h"
#include "textfile.h"
-#include "gas.h"
/* Generic Attribute/Access Service */
struct gas {
@@ -367,7 +368,7 @@ static void attio_disconnected_cb(gpointer user_data)
gas->attrib = NULL;
}
-int gas_register(struct btd_device *device, struct att_range *gap,
+static int gas_register(struct btd_device *device, struct att_range *gap,
struct att_range *gatt)
{
struct gas *gas;
@@ -392,7 +393,7 @@ int gas_register(struct btd_device *device, struct att_range *gap,
return 0;
}
-void gas_unregister(struct btd_device *device)
+static void gas_unregister(struct btd_device *device)
{
struct gas *gas;
GSList *l;
@@ -405,3 +406,47 @@ void gas_unregister(struct btd_device *device)
devices = g_slist_remove(devices, gas);
gas_free(gas);
}
+
+static int gatt_driver_probe(struct btd_profile *p, struct btd_device *device,
+ GSList *uuids)
+{
+ struct gatt_primary *gap, *gatt;
+
+ gap = btd_device_get_primary(device, GAP_UUID);
+ gatt = btd_device_get_primary(device, GATT_UUID);
+
+ if (gap == NULL || gatt == NULL) {
+ error("GAP and GATT are mandatory");
+ return -EINVAL;
+ }
+
+ return gas_register(device, &gap->range, &gatt->range);
+}
+
+static void gatt_driver_remove(struct btd_profile *p,
+ struct btd_device *device)
+{
+ gas_unregister(device);
+}
+
+static struct btd_profile gatt_profile = {
+ .name = "gap-gatt-profile",
+ .remote_uuids = BTD_UUIDS(GAP_UUID, GATT_UUID),
+ .device_probe = gatt_driver_probe,
+ .device_remove = gatt_driver_remove
+};
+
+static int gatt_init(void)
+{
+ btd_profile_register(&gatt_profile);
+
+ return 0;
+}
+
+static void gatt_exit(void)
+{
+ btd_profile_unregister(&gatt_profile);
+}
+
+BLUETOOTH_PLUGIN_DEFINE(gatt, VERSION, BLUETOOTH_PLUGIN_PRIORITY_DEFAULT,
+ gatt_init, gatt_exit)
diff --git a/profiles/gatt/gas.h b/profiles/gatt/gas.h
deleted file mode 100644
index 34853c7..0000000
--- a/profiles/gatt/gas.h
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- *
- * BlueZ - Bluetooth protocol stack for Linux
- *
- * Copyright (C) 2012 Instituto Nokia de Tecnologia - INdT
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
- *
- */
-
-int gas_register(struct btd_device *device, struct att_range *gap,
- struct att_range *gatt);
-void gas_unregister(struct btd_device *device);
diff --git a/profiles/gatt/main.c b/profiles/gatt/main.c
deleted file mode 100644
index ecd4455..0000000
--- a/profiles/gatt/main.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- *
- * BlueZ - Bluetooth protocol stack for Linux
- *
- * Copyright (C) 2012 Instituto Nokia de Tecnologia - INdT
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
- *
- */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <stdint.h>
-#include <glib.h>
-#include <errno.h>
-
-#include "plugin.h"
-#include "manager.h"
-#include "hcid.h"
-#include "log.h"
-
-static int gatt_init(void)
-{
- return gatt_manager_init();
-}
-
-static void gatt_exit(void)
-{
- gatt_manager_exit();
-}
-
-BLUETOOTH_PLUGIN_DEFINE(gatt, VERSION, BLUETOOTH_PLUGIN_PRIORITY_DEFAULT,
- gatt_init, gatt_exit)
diff --git a/profiles/gatt/manager.c b/profiles/gatt/manager.c
deleted file mode 100644
index 2f2bd14..0000000
--- a/profiles/gatt/manager.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- *
- * BlueZ - Bluetooth protocol stack for Linux
- *
- * Copyright (C) 2012 Instituto Nokia de Tecnologia - INdT
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
- *
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include <glib.h>
-#include <errno.h>
-#include <stdbool.h>
-
-#include "lib/uuid.h"
-#include "adapter.h"
-#include "device.h"
-#include "profile.h"
-#include "attrib/att.h"
-#include "attrib/gattrib.h"
-#include "attrib/gatt.h"
-#include "gas.h"
-#include "log.h"
-#include "manager.h"
-
-static int gatt_driver_probe(struct btd_profile *p, struct btd_device *device,
- GSList *uuids)
-{
- struct gatt_primary *gap, *gatt;
-
- gap = btd_device_get_primary(device, GAP_UUID);
- gatt = btd_device_get_primary(device, GATT_UUID);
-
- if (gap == NULL || gatt == NULL) {
- error("GAP and GATT are mandatory");
- return -EINVAL;
- }
-
- return gas_register(device, &gap->range, &gatt->range);
-}
-
-static void gatt_driver_remove(struct btd_profile *p,
- struct btd_device *device)
-{
- gas_unregister(device);
-}
-
-static struct btd_profile gatt_profile = {
- .name = "gap-gatt-profile",
- .remote_uuids = BTD_UUIDS(GAP_UUID, GATT_UUID),
- .device_probe = gatt_driver_probe,
- .device_remove = gatt_driver_remove
-};
-
-int gatt_manager_init(void)
-{
- return btd_profile_register(&gatt_profile);
-}
-
-void gatt_manager_exit(void)
-{
- btd_profile_unregister(&gatt_profile);
-}
diff --git a/profiles/gatt/manager.h b/profiles/gatt/manager.h
deleted file mode 100644
index 502fceb..0000000
--- a/profiles/gatt/manager.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- *
- * BlueZ - Bluetooth protocol stack for Linux
- *
- * Copyright (C) 2012 Instituto Nokia de Tecnologia - INdT
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
- *
- */
-
-int gatt_manager_init(void);
-void gatt_manager_exit(void);
--
1.8.1.1
^ permalink raw reply related
* [PATCH BlueZ v2 1/4] device: Fix invalid memory access during Find Included
From: Vinicius Costa Gomes @ 2013-01-29 19:00 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Vinicius Costa Gomes
When doing the Find Included Services GATT procedure, the status of the ATT
procedure was being ignored, and in the case of a timeout it is possible to
crash bluetooth with an invalid memory access.
Valgrind log:
==1755== Invalid read of size 8
==1755== at 0x46971A: find_included_cb (device.c:2964)
==1755== by 0x4465AE: isd_unref (gatt.c:92)
==1755== by 0x446885: find_included_cb (gatt.c:425)
==1755== by 0x448266: disconnect_timeout (gattrib.c:269)
==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x40A2EE: main (main.c:583)
==1755== Address 0x69530a8 is 8 bytes inside a block of size 64 free'd
==1755== at 0x4C2874F: free (vg_replace_malloc.c:446)
==1755== by 0x40BFA6: service_filter (watch.c:486)
==1755== by 0x40BC6A: message_filter (watch.c:554)
==1755== by 0x5160A1D: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.2)
==1755== by 0x40AAB7: message_dispatch (mainloop.c:76)
==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x40A2EE: main (main.c:583)
==1755==
==1755== Invalid read of size 8
==1755== at 0x4486D5: g_attrib_get_buffer (gattrib.c:657)
==1755== by 0x4467C5: find_included (gatt.c:363)
==1755== by 0x4465AE: isd_unref (gatt.c:92)
==1755== by 0x446885: find_included_cb (gatt.c:425)
==1755== by 0x448266: disconnect_timeout (gattrib.c:269)
==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x40A2EE: main (main.c:583)
==1755== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==1755==
==1755==
==1755== Process terminating with default action of signal 11 (SIGSEGV)
==1755== Access not within mapped region at address 0x18
==1755== at 0x4486D5: g_attrib_get_buffer (gattrib.c:657)
==1755== by 0x4467C5: find_included (gatt.c:363)
==1755== by 0x4465AE: isd_unref (gatt.c:92)
==1755== by 0x446885: find_included_cb (gatt.c:425)
==1755== by 0x448266: disconnect_timeout (gattrib.c:269)
==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x40A2EE: main (main.c:583)
---
attrib/gatt.c | 5 ++++-
src/device.c | 6 ++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/attrib/gatt.c b/attrib/gatt.c
index d54feac..44d3eb6 100644
--- a/attrib/gatt.c
+++ b/attrib/gatt.c
@@ -89,7 +89,10 @@ static void isd_unref(struct included_discovery *isd)
if (g_atomic_int_dec_and_test(&isd->refs) == FALSE)
return;
- isd->cb(isd->includes, isd->err, isd->user_data);
+ if (isd->err)
+ isd->cb(NULL, isd->err, isd->user_data);
+ else
+ isd->cb(isd->includes, isd->err, isd->user_data);
g_slist_free_full(isd->includes, g_free);
g_attrib_unref(isd->attrib);
diff --git a/src/device.c b/src/device.c
index 34902b3..ceaa575 100644
--- a/src/device.c
+++ b/src/device.c
@@ -2988,6 +2988,12 @@ static void find_included_cb(GSList *includes, uint8_t status,
struct gatt_primary *prim;
GSList *l;
+ if (status != 0) {
+ error("Find included services failed: %s (%d)",
+ att_ecode2str(status), status);
+ goto done;
+ }
+
if (includes == NULL)
goto done;
--
1.8.1.1
^ permalink raw reply related
* [PATCH BlueZ] core: Fix g_source_remove() with zero ID while removing device
From: Anderson Lizardo @ 2013-01-29 18:52 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Anderson Lizardo
store_device_info_cb() is also used as callback for g_idle_add() and
therefore sets device->store_id to zero. During device removal it may be
called manually, which must be done only after the existing
device->store_id is removed from mainloop.
Fix this GLib error (and a bunch of invalid read/writes when
store_device_info_cb() was called after device removal due to this bug):
bluetoothd[1192]: src/device.c:device_remove() Removing device
/org/bluez/hci0/dev_12_34_12_34_12_34
(bluetoothd:1192): GLib-CRITICAL **: g_source_remove: assertion `tag >
0' failed
bluetoothd[1192]: src/device.c:btd_device_unref() Freeing device
/org/bluez/hci0/dev_12_34_12_34_12_34
bluetoothd[1192]: src/device.c:device_free() 0x463a2a0
---
src/device.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/device.c b/src/device.c
index 34902b3..adf405a 100644
--- a/src/device.c
+++ b/src/device.c
@@ -2187,11 +2187,11 @@ void device_remove(struct btd_device *device, gboolean remove_stored)
do_disconnect(device);
if (device->store_id > 0) {
- if (!remove_stored)
- store_device_info_cb(device);
-
g_source_remove(device->store_id);
device->store_id = 0;
+
+ if (!remove_stored)
+ store_device_info_cb(device);
}
if (remove_stored)
--
1.7.9.5
^ permalink raw reply related
* Re: [PATCH v2] Bluetooth: Fix handling of unexpected SMP PDUs
From: Marcel Holtmann @ 2013-01-29 17:58 UTC (permalink / raw)
To: Johan Hedberg; +Cc: linux-bluetooth
In-Reply-To: <1359477863-24645-1-git-send-email-johan.hedberg@gmail.com>
Hi Johan,
> The conn->smp_chan pointer can be NULL if SMP PDUs arrive at unexpected
> moments. To avoid NULL pointer dereferences the code should be checking
> for this and disconnect if an unexpected SMP PDU arrives. This patch
> fixes the issue by adding a check for conn->smp_chan for all other PDUs
> except pairing request and security request (which are are the first
> PDUs to come to initialize the SMP context).
>
> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
> CC: stable@vger.kernel.org
> ---
> v2: Move the checks to a single place in smp_sig_channel() and instead
> of ignoring the PDUs return failure from smp_sig_channel() to trigger a
> disconnection.
>
> net/bluetooth/smp.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
this looks way better.
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Regards
Marcel
^ permalink raw reply
* Re: [PATCH] Bluetooth: Fix handling of unexpected SMP PDUs
From: Johan Hedberg @ 2013-01-29 17:19 UTC (permalink / raw)
To: Marcel Holtmann; +Cc: linux-bluetooth
In-Reply-To: <1359442248.16748.40.camel@aeonflux>
Hi Marcel,
On Tue, Jan 29, 2013, Marcel Holtmann wrote:
> > The hdev->smp_chan pointer can be NULL if SMP PDUs arrive at unexpected
> > moments. To avoid NULL pointer dereferences the code should be checking
> > for this and simply ignore such PDUs. This patch fixes the issue by
> > adding the checks into each individual PDU handler. It's done there
> > instead of a global place since for some PDUs it *is* ok for smp_chan to
> > be NULL (e.g. pairing request and security request).
>
> I am not sure we want to ignore such PDUs. Don't we have to respond with
> an error and actually disconnect at this point. Otherwise this might
> open up a denial of service attack.
I couldn't figure out any appropriate response since SMP doesn't really
have clear command-response pairs for everything. I've sent another
patch which still doesn't send a response but instead of just ignoring
the unexpected packet a disconnection is triggered.
Johan
^ permalink raw reply
* [PATCH] hidp: Make hidp_get_raw_report abort if the session is terminating
From: Karl Relton @ 2013-01-29 16:52 UTC (permalink / raw)
To: linux-bluetooth
From: Karl Relton <karllinuxtest.relton@ntlworld.com>
After linux 3.2 the hid_destroy_device call in hidp_session cleaning up
invokes a hook to the power_supply code which in turn tries to read the
battery capacity. This read will trigger a call to hidp_get_raw_report
which is bound to fail because the device is being taken away - so rather
than wait for the 5 second timeout failure this change enables it to fail
straight away.
Signed-off-by: Karl Relton <karllinuxtest.relton@ntlworld.com>
---
net/bluetooth/hidp/core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index b2bcbe2..a4c1bb0 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -311,6 +311,9 @@ static int hidp_get_raw_report(struct hid_device *hid,
int numbered_reports = hid->report_enum[report_type].numbered;
int ret;
+ if (atomic_read(&session->terminate))
+ return -EIO;
+
switch (report_type) {
case HID_FEATURE_REPORT:
report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_FEATURE;
@@ -695,8 +698,10 @@ static int hidp_session(void *arg)
set_current_state(TASK_INTERRUPTIBLE);
while (!atomic_read(&session->terminate)) {
if (ctrl_sk->sk_state != BT_CONNECTED ||
- intr_sk->sk_state != BT_CONNECTED)
+ intr_sk->sk_state != BT_CONNECTED) {
+ atomic_inc(&session->terminate);
break;
+ }
while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
skb_orphan(skb);
--
1.7.9.5
^ permalink raw reply related
* [PATCH v2] Bluetooth: Fix handling of unexpected SMP PDUs
From: Johan Hedberg @ 2013-01-29 16:44 UTC (permalink / raw)
To: linux-bluetooth
From: Johan Hedberg <johan.hedberg@intel.com>
The conn->smp_chan pointer can be NULL if SMP PDUs arrive at unexpected
moments. To avoid NULL pointer dereferences the code should be checking
for this and disconnect if an unexpected SMP PDU arrives. This patch
fixes the issue by adding a check for conn->smp_chan for all other PDUs
except pairing request and security request (which are are the first
PDUs to come to initialize the SMP context).
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
CC: stable@vger.kernel.org
---
v2: Move the checks to a single place in smp_sig_channel() and instead
of ignoring the PDUs return failure from smp_sig_channel() to trigger a
disconnection.
net/bluetooth/smp.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 68a9587..5abefb1 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -859,6 +859,19 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
skb_pull(skb, sizeof(code));
+ /*
+ * The SMP context must be initialized for all other PDUs except
+ * pairing and security requests. If we get any other PDU when
+ * not initialized simply disconnect (done if this function
+ * returns an error).
+ */
+ if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
+ !conn->smp_chan) {
+ BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
+ kfree_skb(skb);
+ return -ENOTSUPP;
+ }
+
switch (code) {
case SMP_CMD_PAIRING_REQ:
reason = smp_cmd_pairing_req(conn, skb);
--
1.7.10.4
^ permalink raw reply related
* [PATCH 2/2] neard: Fix memory leak on registering as agent
From: Szymon Janc @ 2013-01-29 8:54 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Szymon Janc
In-Reply-To: <1359449671-14584-1-git-send-email-szymon.janc@tieto.com>
Message reference was not dropped in register_agent. This fix following
memory leak reported by valgrind:
454 (184 direct, 270 indirect) bytes in 1 blocks are definitely lost in loss record 207 of 220
at 0x4C29DB4: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x513DCF2: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514222E: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x5149F46: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514A070: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514AA63: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514B0A5: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x5149E0C: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x5134D24: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x5136088: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x5135643: dbus_connection_send_with_reply_and_block (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x5130C93: dbus_bus_register (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
102 bytes in 1 blocks are indirectly lost in loss record 154 of 220
at 0x4C2B7B2: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x514F02F: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514F0DD: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514F239: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514DE0A: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514E3D3: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x513C138: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x513FF4D: dbus_message_iter_append_basic (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x5141790: dbus_message_new_error (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x5135C70: dbus_connection_dispatch (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x40A747: message_dispatch (mainloop.c:76)
by 0x4E7A91A: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
168 bytes in 1 blocks are indirectly lost in loss record 185 of 220
at 0x4C2B7B2: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x514F02F: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514F0DD: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514F239: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x513A3B3: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514228F: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x5149F46: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514A070: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514AA63: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x514B0A5: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x5149E0C: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
by 0x5134D24: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8)
---
plugins/neard.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/plugins/neard.c b/plugins/neard.c
index a68500a..b0150e9 100644
--- a/plugins/neard.c
+++ b/plugins/neard.c
@@ -121,12 +121,15 @@ static void register_agent(void)
if (!dbus_connection_send_with_reply(btd_get_dbus_connection(),
message, &call, -1)) {
+ dbus_message_unref(message);
error("D-Bus send failed");
return;
}
dbus_pending_call_set_notify(call, register_agent_cb, NULL, NULL);
dbus_pending_call_unref(call);
+
+ dbus_message_unref(message);
}
static void unregister_agent(void)
--
1.8.1.1
^ permalink raw reply related
* [PATCH 1/2] neard: Fix passing negative error code to strerror
From: Szymon Janc @ 2013-01-29 8:54 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Szymon Janc
error_reply expects non-negative error code.
---
plugins/neard.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/neard.c b/plugins/neard.c
index 380eddc..a68500a 100644
--- a/plugins/neard.c
+++ b/plugins/neard.c
@@ -636,7 +636,7 @@ static DBusMessage *push_oob(DBusConnection *conn, DBusMessage *msg, void *data)
agent = adapter_get_agent(adapter);
if (!agent)
- return error_reply(msg, -ENONET);
+ return error_reply(msg, ENONET);
io_cap = agent_get_io_capability(agent);
agent_unref(agent);
--
1.8.1.1
^ permalink raw reply related
* Re: [PATCH] Bluetooth: Fix handling of unexpected SMP PDUs
From: Marcel Holtmann @ 2013-01-29 6:50 UTC (permalink / raw)
To: Johan Hedberg; +Cc: linux-bluetooth
In-Reply-To: <1359417846-5064-1-git-send-email-johan.hedberg@gmail.com>
Hi Johan,
> The hdev->smp_chan pointer can be NULL if SMP PDUs arrive at unexpected
> moments. To avoid NULL pointer dereferences the code should be checking
> for this and simply ignore such PDUs. This patch fixes the issue by
> adding the checks into each individual PDU handler. It's done there
> instead of a global place since for some PDUs it *is* ok for smp_chan to
> be NULL (e.g. pairing request and security request).
I am not sure we want to ignore such PDUs. Don't we have to respond with
an error and actually disconnect at this point. Otherwise this might
open up a denial of service attack.
Regards
Marcel
^ permalink raw reply
* [PATCH] Bluetooth: Fix handling of unexpected SMP PDUs
From: Johan Hedberg @ 2013-01-29 0:04 UTC (permalink / raw)
To: linux-bluetooth
From: Johan Hedberg <johan.hedberg@intel.com>
The hdev->smp_chan pointer can be NULL if SMP PDUs arrive at unexpected
moments. To avoid NULL pointer dereferences the code should be checking
for this and simply ignore such PDUs. This patch fixes the issue by
adding the checks into each individual PDU handler. It's done there
instead of a global place since for some PDUs it *is* ok for smp_chan to
be NULL (e.g. pairing request and security request).
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
CC: stable@vger.kernel.org
---
net/bluetooth/smp.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 68a9587..30b58a0 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -630,6 +630,9 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
BT_DBG("conn %p", conn);
+ if (!smp)
+ return 0;
+
if (!(conn->hcon->link_mode & HCI_LM_MASTER))
return SMP_CMD_NOTSUPP;
@@ -676,6 +679,9 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
+ if (!smp)
+ return 0;
+
memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
skb_pull(skb, sizeof(smp->pcnf));
@@ -699,6 +705,9 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
struct smp_chan *smp = conn->smp_chan;
struct hci_dev *hdev = conn->hcon->hdev;
+ if (!smp)
+ return 0;
+
BT_DBG("conn %p", conn);
swap128(skb->data, smp->rrnd);
@@ -817,6 +826,9 @@ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
struct smp_cmd_encrypt_info *rp = (void *) skb->data;
struct smp_chan *smp = conn->smp_chan;
+ if (!smp)
+ return 0;
+
skb_pull(skb, sizeof(*rp));
memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
@@ -832,6 +844,9 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
struct hci_conn *hcon = conn->hcon;
u8 authenticated;
+ if (!smp)
+ return 0;
+
skb_pull(skb, sizeof(*rp));
hci_dev_lock(hdev);
--
1.7.10.4
^ permalink raw reply related
* [PATCH BlueZ 4/4] gas: Fix not sending response to indication
From: Vinicius Costa Gomes @ 2013-01-28 23:48 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Vinicius Costa Gomes
In-Reply-To: <1359416891-12740-1-git-send-email-vinicius.gomes@openbossa.org>
Even if the remote device is not bonded, we should send the response to the
indication. If we don't the remote device may disconnect.
---
profiles/gatt/gas.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/profiles/gatt/gas.c b/profiles/gatt/gas.c
index e0edbf3..8477dca 100644
--- a/profiles/gatt/gas.c
+++ b/profiles/gatt/gas.c
@@ -184,16 +184,16 @@ static void indication_cb(const uint8_t *pdu, uint16_t len, gpointer user_data)
DBG("Service Changed start: 0x%04X end: 0x%04X", start, end);
- if (device_is_bonded(gas->device) == FALSE) {
- DBG("Ignoring Service Changed: device is not bonded");
- return;
- }
-
/* Confirming indication received */
opdu = g_attrib_get_buffer(gas->attrib, &plen);
olen = enc_confirmation(opdu, plen);
g_attrib_send(gas->attrib, 0, opdu, olen, NULL, NULL, NULL);
+ if (device_is_bonded(gas->device) == FALSE) {
+ DBG("Ignoring Service Changed: device is not bonded");
+ return;
+ }
+
btd_device_gatt_set_service_changed(gas->device, start, end);
}
--
1.8.1.1
^ permalink raw reply related
* [PATCH BlueZ 3/4] gas: Move all the code to only one file
From: Vinicius Costa Gomes @ 2013-01-28 23:48 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Vinicius Costa Gomes
In-Reply-To: <1359416891-12740-1-git-send-email-vinicius.gomes@openbossa.org>
Our Generic Attribute/Access Service plugin is small and simple enough
to be kept in only one file.
---
Makefile.plugins | 4 +--
profiles/gatt/gas.c | 46 ++++++++++++++++++++++++++++
profiles/gatt/main.c | 47 -----------------------------
profiles/gatt/manager.c | 79 -------------------------------------------------
profiles/gatt/manager.h | 24 ---------------
5 files changed, 47 insertions(+), 153 deletions(-)
delete mode 100644 profiles/gatt/main.c
delete mode 100644 profiles/gatt/manager.c
delete mode 100644 profiles/gatt/manager.h
diff --git a/Makefile.plugins b/Makefile.plugins
index faab011..f497782 100644
--- a/Makefile.plugins
+++ b/Makefile.plugins
@@ -69,9 +69,7 @@ builtin_sources += profiles/health/mcap_lib.h profiles/health/mcap_internal.h \
endif
builtin_modules += gatt
-builtin_sources += profiles/gatt/main.c profiles/gatt/manager.h \
- profiles/gatt/manager.c profiles/gatt/gas.h \
- profiles/gatt/gas.c
+builtin_sources += profiles/gatt/gas.c
builtin_modules += scanparam
builtin_sources += profiles/scanparam/scan.c
diff --git a/profiles/gatt/gas.c b/profiles/gatt/gas.c
index 429850b..e0edbf3 100644
--- a/profiles/gatt/gas.c
+++ b/profiles/gatt/gas.c
@@ -35,8 +35,10 @@
#include <btio/btio.h>
#include "lib/uuid.h"
+#include "plugin.h"
#include "adapter.h"
#include "device.h"
+#include "profile.h"
#include "attrib/att.h"
#include "attrib/gattrib.h"
#include "attio.h"
@@ -405,3 +407,47 @@ void gas_unregister(struct btd_device *device)
devices = g_slist_remove(devices, gas);
gas_free(gas);
}
+
+static int gatt_driver_probe(struct btd_profile *p, struct btd_device *device,
+ GSList *uuids)
+{
+ struct gatt_primary *gap, *gatt;
+
+ gap = btd_device_get_primary(device, GAP_UUID);
+ gatt = btd_device_get_primary(device, GATT_UUID);
+
+ if (gap == NULL || gatt == NULL) {
+ error("GAP and GATT are mandatory");
+ return -EINVAL;
+ }
+
+ return gas_register(device, &gap->range, &gatt->range);
+}
+
+static void gatt_driver_remove(struct btd_profile *p,
+ struct btd_device *device)
+{
+ gas_unregister(device);
+}
+
+static struct btd_profile gatt_profile = {
+ .name = "gap-gatt-profile",
+ .remote_uuids = BTD_UUIDS(GAP_UUID, GATT_UUID),
+ .device_probe = gatt_driver_probe,
+ .device_remove = gatt_driver_remove
+};
+
+static int gatt_init(void)
+{
+ btd_profile_register(&gatt_profile);
+
+ return 0;
+}
+
+static void gatt_exit(void)
+{
+ btd_profile_unregister(&gatt_profile);
+}
+
+BLUETOOTH_PLUGIN_DEFINE(gatt, VERSION, BLUETOOTH_PLUGIN_PRIORITY_DEFAULT,
+ gatt_init, gatt_exit)
diff --git a/profiles/gatt/main.c b/profiles/gatt/main.c
deleted file mode 100644
index ecd4455..0000000
--- a/profiles/gatt/main.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- *
- * BlueZ - Bluetooth protocol stack for Linux
- *
- * Copyright (C) 2012 Instituto Nokia de Tecnologia - INdT
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
- *
- */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <stdint.h>
-#include <glib.h>
-#include <errno.h>
-
-#include "plugin.h"
-#include "manager.h"
-#include "hcid.h"
-#include "log.h"
-
-static int gatt_init(void)
-{
- return gatt_manager_init();
-}
-
-static void gatt_exit(void)
-{
- gatt_manager_exit();
-}
-
-BLUETOOTH_PLUGIN_DEFINE(gatt, VERSION, BLUETOOTH_PLUGIN_PRIORITY_DEFAULT,
- gatt_init, gatt_exit)
diff --git a/profiles/gatt/manager.c b/profiles/gatt/manager.c
deleted file mode 100644
index 2f2bd14..0000000
--- a/profiles/gatt/manager.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- *
- * BlueZ - Bluetooth protocol stack for Linux
- *
- * Copyright (C) 2012 Instituto Nokia de Tecnologia - INdT
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
- *
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include <glib.h>
-#include <errno.h>
-#include <stdbool.h>
-
-#include "lib/uuid.h"
-#include "adapter.h"
-#include "device.h"
-#include "profile.h"
-#include "attrib/att.h"
-#include "attrib/gattrib.h"
-#include "attrib/gatt.h"
-#include "gas.h"
-#include "log.h"
-#include "manager.h"
-
-static int gatt_driver_probe(struct btd_profile *p, struct btd_device *device,
- GSList *uuids)
-{
- struct gatt_primary *gap, *gatt;
-
- gap = btd_device_get_primary(device, GAP_UUID);
- gatt = btd_device_get_primary(device, GATT_UUID);
-
- if (gap == NULL || gatt == NULL) {
- error("GAP and GATT are mandatory");
- return -EINVAL;
- }
-
- return gas_register(device, &gap->range, &gatt->range);
-}
-
-static void gatt_driver_remove(struct btd_profile *p,
- struct btd_device *device)
-{
- gas_unregister(device);
-}
-
-static struct btd_profile gatt_profile = {
- .name = "gap-gatt-profile",
- .remote_uuids = BTD_UUIDS(GAP_UUID, GATT_UUID),
- .device_probe = gatt_driver_probe,
- .device_remove = gatt_driver_remove
-};
-
-int gatt_manager_init(void)
-{
- return btd_profile_register(&gatt_profile);
-}
-
-void gatt_manager_exit(void)
-{
- btd_profile_unregister(&gatt_profile);
-}
diff --git a/profiles/gatt/manager.h b/profiles/gatt/manager.h
deleted file mode 100644
index 502fceb..0000000
--- a/profiles/gatt/manager.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- *
- * BlueZ - Bluetooth protocol stack for Linux
- *
- * Copyright (C) 2012 Instituto Nokia de Tecnologia - INdT
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
- *
- */
-
-int gatt_manager_init(void);
-void gatt_manager_exit(void);
--
1.8.1.1
^ permalink raw reply related
* [PATCH BlueZ 2/4] device: Fix missing PDUs during encryption procedure
From: Vinicius Costa Gomes @ 2013-01-28 23:48 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Vinicius Costa Gomes
In-Reply-To: <1359416891-12740-1-git-send-email-vinicius.gomes@openbossa.org>
In case the remote device sends an ATT PDU while encryption is going
on, we may lose it because the ATT socket (with security level medium),
would only be attached when encryption finishes.
---
src/device.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/device.c b/src/device.c
index ceaa575..0d2d3ee 100644
--- a/src/device.c
+++ b/src/device.c
@@ -3167,7 +3167,6 @@ int device_connect_le(struct btd_device *dev)
{
struct btd_adapter *adapter = dev->adapter;
struct att_callbacks *attcb;
- BtIOSecLevel sec_level;
GIOChannel *io;
GError *gerr = NULL;
char addr[18];
@@ -3185,21 +3184,18 @@ int device_connect_le(struct btd_device *dev)
attcb->success = att_success_cb;
attcb->user_data = dev;
- if (dev->paired)
- sec_level = BT_IO_SEC_MEDIUM;
- else
- sec_level = BT_IO_SEC_LOW;
-
/*
* This connection will help us catch any PDUs that comes before
- * pairing finishes
+ * pairing finishes. Its security level is low, because we don't
+ * want to miss any PDU that may come before the encryption
+ * procedure finishes
*/
io = bt_io_connect(att_connect_cb, attcb, NULL, &gerr,
BT_IO_OPT_SOURCE_BDADDR, adapter_get_address(adapter),
BT_IO_OPT_DEST_BDADDR, &dev->bdaddr,
BT_IO_OPT_DEST_TYPE, dev->bdaddr_type,
BT_IO_OPT_CID, ATT_CID,
- BT_IO_OPT_SEC_LEVEL, sec_level,
+ BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_LOW,
BT_IO_OPT_INVALID);
if (io == NULL) {
--
1.8.1.1
^ permalink raw reply related
* [PATCH BlueZ 1/4] device: Fix invalid memory access during Find Included
From: Vinicius Costa Gomes @ 2013-01-28 23:48 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Vinicius Costa Gomes
When doing the Find Included Services GATT procedure, the status of the ATT
procedure was being ignored, and in the case of a timeout it is possible to
crash bluetooth with an invalid memory access.
Valgrind log:
==1755== Invalid read of size 8
==1755== at 0x46971A: find_included_cb (device.c:2964)
==1755== by 0x4465AE: isd_unref (gatt.c:92)
==1755== by 0x446885: find_included_cb (gatt.c:425)
==1755== by 0x448266: disconnect_timeout (gattrib.c:269)
==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x40A2EE: main (main.c:583)
==1755== Address 0x69530a8 is 8 bytes inside a block of size 64 free'd
==1755== at 0x4C2874F: free (vg_replace_malloc.c:446)
==1755== by 0x40BFA6: service_filter (watch.c:486)
==1755== by 0x40BC6A: message_filter (watch.c:554)
==1755== by 0x5160A1D: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.2)
==1755== by 0x40AAB7: message_dispatch (mainloop.c:76)
==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x40A2EE: main (main.c:583)
==1755==
==1755== Invalid read of size 8
==1755== at 0x4486D5: g_attrib_get_buffer (gattrib.c:657)
==1755== by 0x4467C5: find_included (gatt.c:363)
==1755== by 0x4465AE: isd_unref (gatt.c:92)
==1755== by 0x446885: find_included_cb (gatt.c:425)
==1755== by 0x448266: disconnect_timeout (gattrib.c:269)
==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x40A2EE: main (main.c:583)
==1755== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==1755==
==1755==
==1755== Process terminating with default action of signal 11 (SIGSEGV)
==1755== Access not within mapped region at address 0x18
==1755== at 0x4486D5: g_attrib_get_buffer (gattrib.c:657)
==1755== by 0x4467C5: find_included (gatt.c:363)
==1755== by 0x4465AE: isd_unref (gatt.c:92)
==1755== by 0x446885: find_included_cb (gatt.c:425)
==1755== by 0x448266: disconnect_timeout (gattrib.c:269)
==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
==1755== by 0x40A2EE: main (main.c:583)
---
attrib/gatt.c | 5 ++++-
src/device.c | 6 ++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/attrib/gatt.c b/attrib/gatt.c
index d54feac..44d3eb6 100644
--- a/attrib/gatt.c
+++ b/attrib/gatt.c
@@ -89,7 +89,10 @@ static void isd_unref(struct included_discovery *isd)
if (g_atomic_int_dec_and_test(&isd->refs) == FALSE)
return;
- isd->cb(isd->includes, isd->err, isd->user_data);
+ if (isd->err)
+ isd->cb(NULL, isd->err, isd->user_data);
+ else
+ isd->cb(isd->includes, isd->err, isd->user_data);
g_slist_free_full(isd->includes, g_free);
g_attrib_unref(isd->attrib);
diff --git a/src/device.c b/src/device.c
index 34902b3..ceaa575 100644
--- a/src/device.c
+++ b/src/device.c
@@ -2988,6 +2988,12 @@ static void find_included_cb(GSList *includes, uint8_t status,
struct gatt_primary *prim;
GSList *l;
+ if (status != 0) {
+ error("Find included services failed: %s (%d)",
+ att_ecode2str(status), status);
+ goto done;
+ }
+
if (includes == NULL)
goto done;
--
1.8.1.1
^ permalink raw reply related
* Re: [PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter
From: Johan Hedberg @ 2013-01-28 22:39 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
In-Reply-To: <1359409441-21066-1-git-send-email-luiz.dentz@gmail.com>
Hi Luiz,
On Mon, Jan 28, 2013, Luiz Augusto von Dentz wrote:
> Invalid read of size 8
> at 0x448200: g_attrib_unregister (gattrib.c:722)
> by 0x440476: destroy_thermometer (thermometer.c:167)
> by 0x40D849: remove_interface (object.c:656)
> by 0x40DAA9: g_dbus_unregister_interface (object.c:1413)
> by 0x3DF7A63C9C: g_slist_foreach (gslist.c:894)
> by 0x469656: device_remove (device.c:2200)
> by 0x45CDC1: adapter_remove (adapter.c:3884)
> by 0x45F146: index_removed (adapter.c:5442)
> by 0x46BC17: received_data (mgmt.c:252)
> by 0x3DF7A47A74: g_main_context_dispatch (gmain.c:2715)
> by 0x3DF7A47DA7: g_main_context_iterate.isra.24 (gmain.c:3290)
> by 0x3DF7A481A1: g_main_loop_run (gmain.c:3484)
> Address 0x40 is not stack'd, malloc'd or (recently) free'd
> ---
> v2: Print a warning if invalid id is passed to g_attrib_unregister
>
> profiles/thermometer/thermometer.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
Both patches have been applied. Thanks.
Johan
^ permalink raw reply
* [PATCH BlueZ 2/2 v2] attrib: Don't attempt to unregister event id 0
From: Luiz Augusto von Dentz @ 2013-01-28 21:44 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <1359409441-21066-1-git-send-email-luiz.dentz@gmail.com>
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Id 0 is considered invalid so the code should not even try to lookup for
it in the event list instead print a warning and return FALSE
immediatelly.
---
attrib/gattrib.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/attrib/gattrib.c b/attrib/gattrib.c
index 58f19d0..01c19f9 100644
--- a/attrib/gattrib.c
+++ b/attrib/gattrib.c
@@ -719,6 +719,11 @@ gboolean g_attrib_unregister(GAttrib *attrib, guint id)
struct event *evt;
GSList *l;
+ if (id == 0) {
+ warn("%s: invalid id", __FUNCTION__);
+ return FALSE;
+ }
+
l = g_slist_find_custom(attrib->events, GUINT_TO_POINTER(id),
event_cmp_by_id);
if (l == NULL)
--
1.8.1
^ permalink raw reply related
* [PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter
From: Luiz Augusto von Dentz @ 2013-01-28 21:44 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Invalid read of size 8
at 0x448200: g_attrib_unregister (gattrib.c:722)
by 0x440476: destroy_thermometer (thermometer.c:167)
by 0x40D849: remove_interface (object.c:656)
by 0x40DAA9: g_dbus_unregister_interface (object.c:1413)
by 0x3DF7A63C9C: g_slist_foreach (gslist.c:894)
by 0x469656: device_remove (device.c:2200)
by 0x45CDC1: adapter_remove (adapter.c:3884)
by 0x45F146: index_removed (adapter.c:5442)
by 0x46BC17: received_data (mgmt.c:252)
by 0x3DF7A47A74: g_main_context_dispatch (gmain.c:2715)
by 0x3DF7A47DA7: g_main_context_iterate.isra.24 (gmain.c:3290)
by 0x3DF7A481A1: g_main_loop_run (gmain.c:3484)
Address 0x40 is not stack'd, malloc'd or (recently) free'd
---
v2: Print a warning if invalid id is passed to g_attrib_unregister
profiles/thermometer/thermometer.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/profiles/thermometer/thermometer.c b/profiles/thermometer/thermometer.c
index 0cf14e6..1b299e7 100644
--- a/profiles/thermometer/thermometer.c
+++ b/profiles/thermometer/thermometer.c
@@ -164,12 +164,12 @@ static void destroy_thermometer(gpointer user_data)
if (t->attioid > 0)
btd_device_remove_attio_callback(t->dev, t->attioid);
- g_attrib_unregister(t->attrib, t->attio_measurement_id);
- g_attrib_unregister(t->attrib, t->attio_intermediate_id);
- g_attrib_unregister(t->attrib, t->attio_interval_id);
-
- if (t->attrib != NULL)
+ if (t->attrib != NULL) {
+ g_attrib_unregister(t->attrib, t->attio_measurement_id);
+ g_attrib_unregister(t->attrib, t->attio_intermediate_id);
+ g_attrib_unregister(t->attrib, t->attio_interval_id);
g_attrib_unref(t->attrib);
+ }
btd_device_unref(t->dev);
g_free(t->svc_range);
--
1.8.1
^ permalink raw reply related
* RE: LE auto connect
From: Damjan Cvetko @ 2013-01-28 21:43 UTC (permalink / raw)
To: Johan Hedberg; +Cc: linux-bluetooth@vger.kernel.org
In-Reply-To: <20130128182332.GA23272@x220.ger.corp.intel.com>
Hey Johan.
> Thanks. I pushed a cleaned up version of the adapter.c changes since that needs to be in a separate patch anyway. Could you create a proper git patch (git format-patch & git send-email) from the first part of the patch and resend it?
Sent a patch to the list, hope it's ok now.
BR.
Damjan
^ permalink raw reply
* [PATCH BlueZ 2/2] attrib: Don't attempt to unregister event id 0
From: Luiz Augusto von Dentz @ 2013-01-28 21:30 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <1359408630-20210-1-git-send-email-luiz.dentz@gmail.com>
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Id 0 is considered invalid so the code should not even try to lookup for
it in the event list.
---
attrib/gattrib.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/attrib/gattrib.c b/attrib/gattrib.c
index 58f19d0..ca73491 100644
--- a/attrib/gattrib.c
+++ b/attrib/gattrib.c
@@ -719,6 +719,9 @@ gboolean g_attrib_unregister(GAttrib *attrib, guint id)
struct event *evt;
GSList *l;
+ if (id == 0)
+ return FALSE;
+
l = g_slist_find_custom(attrib->events, GUINT_TO_POINTER(id),
event_cmp_by_id);
if (l == NULL)
--
1.8.1
^ permalink raw reply related
* [PATCH BlueZ 1/2] thermometer: Fix crash while unregistering adapter
From: Luiz Augusto von Dentz @ 2013-01-28 21:30 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Invalid read of size 8
at 0x448200: g_attrib_unregister (gattrib.c:722)
by 0x440476: destroy_thermometer (thermometer.c:167)
by 0x40D849: remove_interface (object.c:656)
by 0x40DAA9: g_dbus_unregister_interface (object.c:1413)
by 0x3DF7A63C9C: g_slist_foreach (gslist.c:894)
by 0x469656: device_remove (device.c:2200)
by 0x45CDC1: adapter_remove (adapter.c:3884)
by 0x45F146: index_removed (adapter.c:5442)
by 0x46BC17: received_data (mgmt.c:252)
by 0x3DF7A47A74: g_main_context_dispatch (gmain.c:2715)
by 0x3DF7A47DA7: g_main_context_iterate.isra.24 (gmain.c:3290)
by 0x3DF7A481A1: g_main_loop_run (gmain.c:3484)
Address 0x40 is not stack'd, malloc'd or (recently) free'd
---
profiles/thermometer/thermometer.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/profiles/thermometer/thermometer.c b/profiles/thermometer/thermometer.c
index 0cf14e6..1b299e7 100644
--- a/profiles/thermometer/thermometer.c
+++ b/profiles/thermometer/thermometer.c
@@ -164,12 +164,12 @@ static void destroy_thermometer(gpointer user_data)
if (t->attioid > 0)
btd_device_remove_attio_callback(t->dev, t->attioid);
- g_attrib_unregister(t->attrib, t->attio_measurement_id);
- g_attrib_unregister(t->attrib, t->attio_intermediate_id);
- g_attrib_unregister(t->attrib, t->attio_interval_id);
-
- if (t->attrib != NULL)
+ if (t->attrib != NULL) {
+ g_attrib_unregister(t->attrib, t->attio_measurement_id);
+ g_attrib_unregister(t->attrib, t->attio_intermediate_id);
+ g_attrib_unregister(t->attrib, t->attio_interval_id);
g_attrib_unref(t->attrib);
+ }
btd_device_unref(t->dev);
g_free(t->svc_range);
--
1.8.1
^ permalink raw reply related
* [PATCH] Add heartrate monitoring LE device to auto connect list.
From: Damjan Cvetko @ 2013-01-28 21:27 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Damjan Cvetko
---
profiles/heartrate/heartrate.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/profiles/heartrate/heartrate.c b/profiles/heartrate/heartrate.c
index 5c56d3f..1788d4f 100644
--- a/profiles/heartrate/heartrate.c
+++ b/profiles/heartrate/heartrate.c
@@ -801,6 +801,8 @@ static int heartrate_device_register(struct btd_device *device,
hr->attioid = btd_device_add_attio_callback(device, attio_connected_cb,
attio_disconnected_cb, hr);
+ device_set_auto_connect(device, TRUE);
+
return 0;
}
--
1.7.10.4
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox