[PATCH BlueZ 1/3] avdtp: Fix accepting invalid/malformed capabilities

[PATCH BlueZ 1/3] avdtp: Fix accepting invalid/malformed capabilities

[Luiz Augusto von Dentz]

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Check if capabilities are valid before attempting to copy them.
---
 profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++---------------
 1 file changed, 36 insertions(+), 20 deletions(-)

diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 623fe30d3..c7bf99f42 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -1305,43 +1305,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session,
 	return NULL;
 }
 
-static GSList *caps_to_list(uint8_t *data, int size,
+static GSList *caps_to_list(uint8_t *data, size_t size,
 				struct avdtp_service_capability **codec,
 				gboolean *delay_reporting)
 {
+	struct avdtp_service_capability *cap;
 	GSList *caps;
-	int processed;
 
 	if (delay_reporting)
 		*delay_reporting = FALSE;
 
-	for (processed = 0, caps = NULL; processed + 2 <= size;) {
-		struct avdtp_service_capability *cap;
-		uint8_t length, category;
+	if (size < sizeof(*cap))
+		return NULL;
+
+	for (caps = NULL; size >= sizeof(*cap);) {
+		struct avdtp_service_capability *cpy;
 
-		category = data[0];
-		length = data[1];
+		cap = (struct avdtp_service_capability *)data;
 
-		if (processed + 2 + length > size) {
+		if (sizeof(*cap) + cap->length >= size) {
 			error("Invalid capability data in getcap resp");
 			break;
 		}
 
-		cap = g_malloc(sizeof(struct avdtp_service_capability) +
-					length);
-		memcpy(cap, data, 2 + length);
+		if (cap->category == AVDTP_MEDIA_CODEC &&
+					cap->length < sizeof(**codec)) {
+			error("Invalid codec data in getcap resp");
+			break;
+		}
+
+		cpy = btd_malloc(sizeof(*cpy) + cap->length);
+		memcpy(cpy, cap, sizeof(*cap) + cap->length);
 
-		processed += 2 + length;
-		data += 2 + length;
+		size -= sizeof(*cap) + cap->length;
+		data += sizeof(*cap) + cap->length;
 
-		caps = g_slist_append(caps, cap);
+		caps = g_slist_append(caps, cpy);
 
-		if (category == AVDTP_MEDIA_CODEC &&
-				length >=
-				sizeof(struct avdtp_media_codec_capability))
-			*codec = cap;
-		else if (category == AVDTP_DELAY_REPORTING && delay_reporting)
-			*delay_reporting = TRUE;
+		switch (cap->category) {
+		case AVDTP_MEDIA_CODEC:
+			if (codec)
+				*codec = cap;
+			break;
+		case AVDTP_DELAY_REPORTING:
+			if (delay_reporting)
+				*delay_reporting = TRUE;
+			break;
+		}
 	}
 
 	return caps;
@@ -1538,6 +1548,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
 					&stream->codec,
 					&stream->delay_reporting);
 
+	if (!stream->caps || !stream->codec) {
+		err = AVDTP_UNSUPPORTED_CONFIGURATION;
+		category = 0x00;
+		goto failed_stream;
+	}
+
 	/* Verify that the Media Transport capability's length = 0. Reject otherwise */
 	for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
 		struct avdtp_service_capability *cap = l->data;
-- 
2.30.2

[PATCH BlueZ 2/3] avrcp: Fix not checking if params_len match number of received bytes

[Luiz Augusto von Dentz]

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This makes sure the number of bytes in the params_len matches the
remaining bytes received so the code don't end up accessing invalid
memory.
---
 profiles/audio/avrcp.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 05dd791de..c6a342ee3 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -1914,6 +1914,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction,
 		goto err_metadata;
 	}
 
+	operands += sizeof(*pdu);
+	operand_count -= sizeof(*pdu);
+
+	if (pdu->params_len != operand_count) {
+		DBG("AVRCP PDU parameters length don't match");
+		pdu->params_len = operand_count;
+	}
+
 	for (handler = session->control_handlers; handler->pdu_id; handler++) {
 		if (handler->pdu_id == pdu->pdu_id)
 			break;
-- 
2.30.2

[PATCH BlueZ 3/3] monitor/avdtp: Fix decoding of reject type

[Luiz Augusto von Dentz]

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Reject type was not being decoded, so this remove the early return and
leave the callback to decode it:

< ACL Data TX: Handle 42 flags 0x00 dlen 8
      Channel: 64 len 4 [PSM 25 mode Basic (0x00)] {chan 1}
      AVDTP: Set Configuration (0x03) Response Reject (0x03) type 0x00 label 2 nosp 0
        Service Category: Reserved (0x00)
        Error code: BAD_ACP_SEID (0x12)
---
 monitor/avdtp.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/monitor/avdtp.c b/monitor/avdtp.c
index 9fe72d240..1393d1286 100644
--- a/monitor/avdtp.c
+++ b/monitor/avdtp.c
@@ -715,10 +715,6 @@ static bool avdtp_signalling_packet(struct avdtp_frame *avdtp_frame)
 		return true;
 	}
 
-	/* General Reject */
-	if ((hdr & 0x03) == 0x03)
-		return true;
-
 	switch (sig_id) {
 	case AVDTP_DISCOVER:
 		return avdtp_discover(avdtp_frame);
-- 
2.30.2

RE: [BlueZ,1/3] avdtp: Fix accepting invalid/malformed capabilities

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 3282 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=475947

---Test result---

Test Summary:
CheckPatch                    FAIL      0.63 seconds
GitLint                       FAIL      0.31 seconds
Prep - Setup ELL              PASS      40.36 seconds
Build - Prep                  PASS      0.09 seconds
Build - Configure             PASS      6.95 seconds
Build - Make                  PASS      173.87 seconds
Make Check                    PASS      9.34 seconds
Make Dist                     PASS      10.67 seconds
Make Dist - Configure         PASS      4.33 seconds
Make Dist - Make              PASS      69.15 seconds
Build w/ext ELL - Configure   PASS      7.06 seconds
Build w/ext ELL - Make        PASS      160.06 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script with rule in .checkpatch.conf
Output:
monitor/avdtp: Fix decoding of reject type
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#11: 
      AVDTP: Set Configuration (0x03) Response Reject (0x03) type 0x00 label 2 nosp 0

- total: 0 errors, 1 warnings, 10 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

"[PATCH] monitor/avdtp: Fix decoding of reject type" has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint with rule in .gitlint
Output:
monitor/avdtp: Fix decoding of reject type
8: B1 Line exceeds max length (85>80): "      AVDTP: Set Configuration (0x03) Response Reject (0x03) type 0x00 label 2 nosp 0"


##############################
Test: Prep - Setup ELL - PASS
Desc: Clone, build, and install ELL

##############################
Test: Build - Prep - PASS
Desc: Prepare environment for build

##############################
Test: Build - Configure - PASS
Desc: Configure the BlueZ source tree

##############################
Test: Build - Make - PASS
Desc: Build the BlueZ source tree

##############################
Test: Make Check - PASS
Desc: Run 'make check'

##############################
Test: Make Dist - PASS
Desc: Run 'make dist' and build the distribution tarball

##############################
Test: Make Dist - Configure - PASS
Desc: Configure the source from distribution tarball

##############################
Test: Make Dist - Make - PASS
Desc: Build the source from distribution tarball

##############################
Test: Build w/ext ELL - Configure - PASS
Desc: Configure BlueZ source with '--enable-external-ell' configuration

##############################
Test: Build w/ext ELL - Make - PASS
Desc: Build BlueZ source with '--enable-external-ell' configuration



---
Regards,
Linux Bluetooth

Re: [BlueZ,1/3] avdtp: Fix accepting invalid/malformed capabilities

[Luiz Augusto von Dentz]

Hi,

On Fri, Apr 30, 2021 at 6:33 PM <bluez.test.bot@gmail.com> wrote:
>
> This is automated email and please do not reply to this email!
>
> Dear submitter,
>
> Thank you for submitting the patches to the linux bluetooth mailing list.
> This is a CI test results with your patch series:
> PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=475947
>
> ---Test result---
>
> Test Summary:
> CheckPatch                    FAIL      0.63 seconds
> GitLint                       FAIL      0.31 seconds
> Prep - Setup ELL              PASS      40.36 seconds
> Build - Prep                  PASS      0.09 seconds
> Build - Configure             PASS      6.95 seconds
> Build - Make                  PASS      173.87 seconds
> Make Check                    PASS      9.34 seconds
> Make Dist                     PASS      10.67 seconds
> Make Dist - Configure         PASS      4.33 seconds
> Make Dist - Make              PASS      69.15 seconds
> Build w/ext ELL - Configure   PASS      7.06 seconds
> Build w/ext ELL - Make        PASS      160.06 seconds
>
> Details
> ##############################
> Test: CheckPatch - FAIL
> Desc: Run checkpatch.pl script with rule in .checkpatch.conf
> Output:
> monitor/avdtp: Fix decoding of reject type
> WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
> #11:
>       AVDTP: Set Configuration (0x03) Response Reject (0x03) type 0x00 label 2 nosp 0
>
> - total: 0 errors, 1 warnings, 10 lines checked
>
> NOTE: For some of the reported defects, checkpatch may be able to
>       mechanically convert to the typical style using --fix or --fix-inplace.
>
> "[PATCH] monitor/avdtp: Fix decoding of reject type" has style problems, please review.
>
> NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPLIT_STRING SSCANF_TO_KSTRTO
>
> NOTE: If any of the errors are false positives, please report
>       them to the maintainer, see CHECKPATCH in MAINTAINERS.
>
>
> ##############################
> Test: GitLint - FAIL
> Desc: Run gitlint with rule in .gitlint
> Output:
> monitor/avdtp: Fix decoding of reject type
> 8: B1 Line exceeds max length (85>80): "      AVDTP: Set Configuration (0x03) Response Reject (0x03) type 0x00 label 2 nosp 0"
>
>
> ##############################
> Test: Prep - Setup ELL - PASS
> Desc: Clone, build, and install ELL
>
> ##############################
> Test: Build - Prep - PASS
> Desc: Prepare environment for build
>
> ##############################
> Test: Build - Configure - PASS
> Desc: Configure the BlueZ source tree
>
> ##############################
> Test: Build - Make - PASS
> Desc: Build the BlueZ source tree
>
> ##############################
> Test: Make Check - PASS
> Desc: Run 'make check'
>
> ##############################
> Test: Make Dist - PASS
> Desc: Run 'make dist' and build the distribution tarball
>
> ##############################
> Test: Make Dist - Configure - PASS
> Desc: Configure the source from distribution tarball
>
> ##############################
> Test: Make Dist - Make - PASS
> Desc: Build the source from distribution tarball
>
> ##############################
> Test: Build w/ext ELL - Configure - PASS
> Desc: Configure BlueZ source with '--enable-external-ell' configuration
>
> ##############################
> Test: Build w/ext ELL - Make - PASS
> Desc: Build BlueZ source with '--enable-external-ell' configuration
>
>
>
> ---
> Regards,
> Linux Bluetooth

Pushed.

-- 
Luiz Augusto von Dentz