[PATCH] Check uuid in disconnect profile.

[PATCH] Check uuid in disconnect profile.

[Alexandros Antonopoulos]

If the user calls Device1.DisconnectProfile with an invalid profile
uuid disconnect_profile still tries to parse the uuid resulting in
a SIGSEGV

---
 src/device.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/device.c b/src/device.c
index 3675616..1771c0f 100644
--- a/src/device.c
+++ b/src/device.c
@@ -1270,6 +1270,9 @@ static DBusMessage *disconnect_profile(DBusConnection *conn, DBusMessage *msg,
 
 	uuid = bt_name2string(pattern);
 
+	if (uuid == NULL)
+		return btd_error_invalid_args(msg);
+
 	p = find_connectable_profile(dev, uuid);
 	g_free(uuid);
 
-- 
1.8.1

[PATCH] avctp: Fix avctp_unregister_browsing_pdu_handler inner loop

[Alexandros Antonopoulos]

Inner loop should access the sessions data and not the servers
data

---
 profiles/audio/avctp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/audio/avctp.c b/profiles/audio/avctp.c
index acce507..eb1d35e 100644
--- a/profiles/audio/avctp.c
+++ b/profiles/audio/avctp.c
@@ -1572,7 +1572,7 @@ gboolean avctp_unregister_browsing_pdu_handler(unsigned int id)
 		GSList *s;
 
 		for (s = server->sessions; s; s = s->next) {
-			struct avctp *session = l->data;
+			struct avctp *session = s->data;
 			struct avctp_channel *browsing = session->browsing;
 			GSList *h;
 
-- 
1.8.1

[PATCH] avctp: Fix request timeout after a channel is destroyed

[Alexandros Antonopoulos]

When the control channel is destroyed if there is a pending request
(chan->p) then the channel queue is deleted in avctp_channel_destroy
but the timer is still alive resulting in a SIGSEGV

---
 profiles/audio/avctp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/profiles/audio/avctp.c b/profiles/audio/avctp.c
index eb1d35e..e65594d 100644
--- a/profiles/audio/avctp.c
+++ b/profiles/audio/avctp.c
@@ -390,6 +390,9 @@ static void avctp_channel_destroy(struct avctp_channel *chan)
 	if (chan->watch)
 		g_source_remove(chan->watch);
 
+	if (chan->p)
+		pending_destroy(chan->p, NULL);
+
 	if (chan->process_id > 0)
 		g_source_remove(chan->process_id);
 
-- 
1.8.1

[PATCH] avctp: Fix size of read() for browsing channel callbacks

[Alexandros Antonopoulos]

The read() function should attempt to read browsing->imtu bytes
and not sizeof(browsing->imtu).

---
 profiles/audio/avctp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/audio/avctp.c b/profiles/audio/avctp.c
index 4309c60..acce507 100644
--- a/profiles/audio/avctp.c
+++ b/profiles/audio/avctp.c
@@ -649,7 +649,7 @@ static gboolean session_browsing_cb(GIOChannel *chan, GIOCondition cond,
 
 	sock = g_io_channel_unix_get_fd(chan);
 
-	ret = read(sock, buf, sizeof(browsing->imtu));
+	ret = read(sock, buf, browsing->imtu);
 	if (ret <= 0)
 		goto failed;
 
-- 
1.8.1

Re: [PATCH] Check uuid in disconnect profile.

[Luiz Augusto von Dentz]

Hi Alexandros,

On Mon, Jan 21, 2013 at 3:44 PM, Alexandros Antonopoulos
<alexandros.antonopoulos@oss.bmw-carit.de> wrote:
> If the user calls Device1.DisconnectProfile with an invalid profile
> uuid disconnect_profile still tries to parse the uuid resulting in
> a SIGSEGV
>
> ---
>  src/device.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/src/device.c b/src/device.c
> index 3675616..1771c0f 100644
> --- a/src/device.c
> +++ b/src/device.c
> @@ -1270,6 +1270,9 @@ static DBusMessage *disconnect_profile(DBusConnection *conn, DBusMessage *msg,
>
>         uuid = bt_name2string(pattern);
>
> +       if (uuid == NULL)
> +               return btd_error_invalid_args(msg);
> +
>         p = find_connectable_profile(dev, uuid);
>         g_free(uuid);
>
> --
> 1.8.1

All four patches are now upstream, Ive changed the commit message for
this one to include the prefix and also please next time state it is a
fix and provide the backtrace so we know the severity of the problem.

btw, thanks for the patches.


--
Luiz Augusto von Dentz