* [PATCH BlueZ 1/3] avdtp: Fix accepting invalid/malformed capabilities
@ 2021-05-01 0:37 Luiz Augusto von Dentz
2021-05-01 0:37 ` [PATCH BlueZ 2/3] avrcp: Fix not checking if params_len match number of received bytes Luiz Augusto von Dentz
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Luiz Augusto von Dentz @ 2021-05-01 0:37 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Check if capabilities are valid before attempting to copy them.
---
profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++---------------
1 file changed, 36 insertions(+), 20 deletions(-)
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 623fe30d3..c7bf99f42 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -1305,43 +1305,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session,
return NULL;
}
-static GSList *caps_to_list(uint8_t *data, int size,
+static GSList *caps_to_list(uint8_t *data, size_t size,
struct avdtp_service_capability **codec,
gboolean *delay_reporting)
{
+ struct avdtp_service_capability *cap;
GSList *caps;
- int processed;
if (delay_reporting)
*delay_reporting = FALSE;
- for (processed = 0, caps = NULL; processed + 2 <= size;) {
- struct avdtp_service_capability *cap;
- uint8_t length, category;
+ if (size < sizeof(*cap))
+ return NULL;
+
+ for (caps = NULL; size >= sizeof(*cap);) {
+ struct avdtp_service_capability *cpy;
- category = data[0];
- length = data[1];
+ cap = (struct avdtp_service_capability *)data;
- if (processed + 2 + length > size) {
+ if (sizeof(*cap) + cap->length >= size) {
error("Invalid capability data in getcap resp");
break;
}
- cap = g_malloc(sizeof(struct avdtp_service_capability) +
- length);
- memcpy(cap, data, 2 + length);
+ if (cap->category == AVDTP_MEDIA_CODEC &&
+ cap->length < sizeof(**codec)) {
+ error("Invalid codec data in getcap resp");
+ break;
+ }
+
+ cpy = btd_malloc(sizeof(*cpy) + cap->length);
+ memcpy(cpy, cap, sizeof(*cap) + cap->length);
- processed += 2 + length;
- data += 2 + length;
+ size -= sizeof(*cap) + cap->length;
+ data += sizeof(*cap) + cap->length;
- caps = g_slist_append(caps, cap);
+ caps = g_slist_append(caps, cpy);
- if (category == AVDTP_MEDIA_CODEC &&
- length >=
- sizeof(struct avdtp_media_codec_capability))
- *codec = cap;
- else if (category == AVDTP_DELAY_REPORTING && delay_reporting)
- *delay_reporting = TRUE;
+ switch (cap->category) {
+ case AVDTP_MEDIA_CODEC:
+ if (codec)
+ *codec = cap;
+ break;
+ case AVDTP_DELAY_REPORTING:
+ if (delay_reporting)
+ *delay_reporting = TRUE;
+ break;
+ }
}
return caps;
@@ -1538,6 +1548,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
&stream->codec,
&stream->delay_reporting);
+ if (!stream->caps || !stream->codec) {
+ err = AVDTP_UNSUPPORTED_CONFIGURATION;
+ category = 0x00;
+ goto failed_stream;
+ }
+
/* Verify that the Media Transport capability's length = 0. Reject otherwise */
for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
struct avdtp_service_capability *cap = l->data;
--
2.30.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH BlueZ 2/3] avrcp: Fix not checking if params_len match number of received bytes
2021-05-01 0:37 [PATCH BlueZ 1/3] avdtp: Fix accepting invalid/malformed capabilities Luiz Augusto von Dentz
@ 2021-05-01 0:37 ` Luiz Augusto von Dentz
2021-05-01 0:37 ` [PATCH BlueZ 3/3] monitor/avdtp: Fix decoding of reject type Luiz Augusto von Dentz
2021-05-01 1:33 ` [BlueZ,1/3] avdtp: Fix accepting invalid/malformed capabilities bluez.test.bot
2 siblings, 0 replies; 5+ messages in thread
From: Luiz Augusto von Dentz @ 2021-05-01 0:37 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This makes sure the number of bytes in the params_len matches the
remaining bytes received so the code don't end up accessing invalid
memory.
---
profiles/audio/avrcp.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 05dd791de..c6a342ee3 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -1914,6 +1914,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction,
goto err_metadata;
}
+ operands += sizeof(*pdu);
+ operand_count -= sizeof(*pdu);
+
+ if (pdu->params_len != operand_count) {
+ DBG("AVRCP PDU parameters length don't match");
+ pdu->params_len = operand_count;
+ }
+
for (handler = session->control_handlers; handler->pdu_id; handler++) {
if (handler->pdu_id == pdu->pdu_id)
break;
--
2.30.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH BlueZ 3/3] monitor/avdtp: Fix decoding of reject type
2021-05-01 0:37 [PATCH BlueZ 1/3] avdtp: Fix accepting invalid/malformed capabilities Luiz Augusto von Dentz
2021-05-01 0:37 ` [PATCH BlueZ 2/3] avrcp: Fix not checking if params_len match number of received bytes Luiz Augusto von Dentz
@ 2021-05-01 0:37 ` Luiz Augusto von Dentz
2021-05-01 1:33 ` [BlueZ,1/3] avdtp: Fix accepting invalid/malformed capabilities bluez.test.bot
2 siblings, 0 replies; 5+ messages in thread
From: Luiz Augusto von Dentz @ 2021-05-01 0:37 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reject type was not being decoded, so this remove the early return and
leave the callback to decode it:
< ACL Data TX: Handle 42 flags 0x00 dlen 8
Channel: 64 len 4 [PSM 25 mode Basic (0x00)] {chan 1}
AVDTP: Set Configuration (0x03) Response Reject (0x03) type 0x00 label 2 nosp 0
Service Category: Reserved (0x00)
Error code: BAD_ACP_SEID (0x12)
---
monitor/avdtp.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/monitor/avdtp.c b/monitor/avdtp.c
index 9fe72d240..1393d1286 100644
--- a/monitor/avdtp.c
+++ b/monitor/avdtp.c
@@ -715,10 +715,6 @@ static bool avdtp_signalling_packet(struct avdtp_frame *avdtp_frame)
return true;
}
- /* General Reject */
- if ((hdr & 0x03) == 0x03)
- return true;
-
switch (sig_id) {
case AVDTP_DISCOVER:
return avdtp_discover(avdtp_frame);
--
2.30.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* RE: [BlueZ,1/3] avdtp: Fix accepting invalid/malformed capabilities
2021-05-01 0:37 [PATCH BlueZ 1/3] avdtp: Fix accepting invalid/malformed capabilities Luiz Augusto von Dentz
2021-05-01 0:37 ` [PATCH BlueZ 2/3] avrcp: Fix not checking if params_len match number of received bytes Luiz Augusto von Dentz
2021-05-01 0:37 ` [PATCH BlueZ 3/3] monitor/avdtp: Fix decoding of reject type Luiz Augusto von Dentz
@ 2021-05-01 1:33 ` bluez.test.bot
2021-05-05 22:19 ` Luiz Augusto von Dentz
2 siblings, 1 reply; 5+ messages in thread
From: bluez.test.bot @ 2021-05-01 1:33 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
[-- Attachment #1: Type: text/plain, Size: 3282 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=475947
---Test result---
Test Summary:
CheckPatch FAIL 0.63 seconds
GitLint FAIL 0.31 seconds
Prep - Setup ELL PASS 40.36 seconds
Build - Prep PASS 0.09 seconds
Build - Configure PASS 6.95 seconds
Build - Make PASS 173.87 seconds
Make Check PASS 9.34 seconds
Make Dist PASS 10.67 seconds
Make Dist - Configure PASS 4.33 seconds
Make Dist - Make PASS 69.15 seconds
Build w/ext ELL - Configure PASS 7.06 seconds
Build w/ext ELL - Make PASS 160.06 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script with rule in .checkpatch.conf
Output:
monitor/avdtp: Fix decoding of reject type
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#11:
AVDTP: Set Configuration (0x03) Response Reject (0x03) type 0x00 label 2 nosp 0
- total: 0 errors, 1 warnings, 10 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
"[PATCH] monitor/avdtp: Fix decoding of reject type" has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint with rule in .gitlint
Output:
monitor/avdtp: Fix decoding of reject type
8: B1 Line exceeds max length (85>80): " AVDTP: Set Configuration (0x03) Response Reject (0x03) type 0x00 label 2 nosp 0"
##############################
Test: Prep - Setup ELL - PASS
Desc: Clone, build, and install ELL
##############################
Test: Build - Prep - PASS
Desc: Prepare environment for build
##############################
Test: Build - Configure - PASS
Desc: Configure the BlueZ source tree
##############################
Test: Build - Make - PASS
Desc: Build the BlueZ source tree
##############################
Test: Make Check - PASS
Desc: Run 'make check'
##############################
Test: Make Dist - PASS
Desc: Run 'make dist' and build the distribution tarball
##############################
Test: Make Dist - Configure - PASS
Desc: Configure the source from distribution tarball
##############################
Test: Make Dist - Make - PASS
Desc: Build the source from distribution tarball
##############################
Test: Build w/ext ELL - Configure - PASS
Desc: Configure BlueZ source with '--enable-external-ell' configuration
##############################
Test: Build w/ext ELL - Make - PASS
Desc: Build BlueZ source with '--enable-external-ell' configuration
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [BlueZ,1/3] avdtp: Fix accepting invalid/malformed capabilities
2021-05-01 1:33 ` [BlueZ,1/3] avdtp: Fix accepting invalid/malformed capabilities bluez.test.bot
@ 2021-05-05 22:19 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 5+ messages in thread
From: Luiz Augusto von Dentz @ 2021-05-05 22:19 UTC (permalink / raw)
To: linux-bluetooth
Hi,
On Fri, Apr 30, 2021 at 6:33 PM <bluez.test.bot@gmail.com> wrote:
>
> This is automated email and please do not reply to this email!
>
> Dear submitter,
>
> Thank you for submitting the patches to the linux bluetooth mailing list.
> This is a CI test results with your patch series:
> PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=475947
>
> ---Test result---
>
> Test Summary:
> CheckPatch FAIL 0.63 seconds
> GitLint FAIL 0.31 seconds
> Prep - Setup ELL PASS 40.36 seconds
> Build - Prep PASS 0.09 seconds
> Build - Configure PASS 6.95 seconds
> Build - Make PASS 173.87 seconds
> Make Check PASS 9.34 seconds
> Make Dist PASS 10.67 seconds
> Make Dist - Configure PASS 4.33 seconds
> Make Dist - Make PASS 69.15 seconds
> Build w/ext ELL - Configure PASS 7.06 seconds
> Build w/ext ELL - Make PASS 160.06 seconds
>
> Details
> ##############################
> Test: CheckPatch - FAIL
> Desc: Run checkpatch.pl script with rule in .checkpatch.conf
> Output:
> monitor/avdtp: Fix decoding of reject type
> WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
> #11:
> AVDTP: Set Configuration (0x03) Response Reject (0x03) type 0x00 label 2 nosp 0
>
> - total: 0 errors, 1 warnings, 10 lines checked
>
> NOTE: For some of the reported defects, checkpatch may be able to
> mechanically convert to the typical style using --fix or --fix-inplace.
>
> "[PATCH] monitor/avdtp: Fix decoding of reject type" has style problems, please review.
>
> NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPLIT_STRING SSCANF_TO_KSTRTO
>
> NOTE: If any of the errors are false positives, please report
> them to the maintainer, see CHECKPATCH in MAINTAINERS.
>
>
> ##############################
> Test: GitLint - FAIL
> Desc: Run gitlint with rule in .gitlint
> Output:
> monitor/avdtp: Fix decoding of reject type
> 8: B1 Line exceeds max length (85>80): " AVDTP: Set Configuration (0x03) Response Reject (0x03) type 0x00 label 2 nosp 0"
>
>
> ##############################
> Test: Prep - Setup ELL - PASS
> Desc: Clone, build, and install ELL
>
> ##############################
> Test: Build - Prep - PASS
> Desc: Prepare environment for build
>
> ##############################
> Test: Build - Configure - PASS
> Desc: Configure the BlueZ source tree
>
> ##############################
> Test: Build - Make - PASS
> Desc: Build the BlueZ source tree
>
> ##############################
> Test: Make Check - PASS
> Desc: Run 'make check'
>
> ##############################
> Test: Make Dist - PASS
> Desc: Run 'make dist' and build the distribution tarball
>
> ##############################
> Test: Make Dist - Configure - PASS
> Desc: Configure the source from distribution tarball
>
> ##############################
> Test: Make Dist - Make - PASS
> Desc: Build the source from distribution tarball
>
> ##############################
> Test: Build w/ext ELL - Configure - PASS
> Desc: Configure BlueZ source with '--enable-external-ell' configuration
>
> ##############################
> Test: Build w/ext ELL - Make - PASS
> Desc: Build BlueZ source with '--enable-external-ell' configuration
>
>
>
> ---
> Regards,
> Linux Bluetooth
Pushed.
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-05-05 22:20 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-01 0:37 [PATCH BlueZ 1/3] avdtp: Fix accepting invalid/malformed capabilities Luiz Augusto von Dentz
2021-05-01 0:37 ` [PATCH BlueZ 2/3] avrcp: Fix not checking if params_len match number of received bytes Luiz Augusto von Dentz
2021-05-01 0:37 ` [PATCH BlueZ 3/3] monitor/avdtp: Fix decoding of reject type Luiz Augusto von Dentz
2021-05-01 1:33 ` [BlueZ,1/3] avdtp: Fix accepting invalid/malformed capabilities bluez.test.bot
2021-05-05 22:19 ` Luiz Augusto von Dentz
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.