Add crasher fixes (rhbz #1027365)

Bastien Nocera 2013-12-10 01:17:37 +01:00
parent 1b5c16bc39
commit 2a3b1dd3d1
6 changed files with 204 additions and 1 deletions


@ -0,0 +1,38 @@
From f7861d27fbcbc519f57d8496aa9486f487908821 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Sat, 9 Nov 2013 18:13:43 +0100
Subject: [PATCH 1/5] obex: Use GLib helper function to manipulate paths
Instead of trying to do it by hand. This also makes sure that
relative paths aren't used by the agent.
---
obexd/src/manager.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/obexd/src/manager.c b/obexd/src/manager.c
index cec8a39..f18896e 100644
--- a/obexd/src/manager.c
+++ b/obexd/src/manager.c
@@ -651,14 +651,14 @@ static void agent_reply(DBusPendingCall *call, void *user_data)
DBUS_TYPE_STRING, &name,
DBUS_TYPE_INVALID)) {
/* Splits folder and name */
- const char *slash = strrchr(name, '/');
+ gboolean is_relative = !g_path_is_absolute(name);
DBG("Agent replied with %s", name);
- if (!slash) {
- agent->new_name = g_strdup(name);
+ if (is_relative) {
+ agent->new_name = g_path_get_basename(name);
agent->new_folder = NULL;
} else {
- agent->new_name = g_strdup(slash + 1);
- agent->new_folder = g_strndup(name, slash - name);
+ agent->new_name = g_path_get_basename(name);
+ agent->new_folder = g_path_get_dirname(name);
}
}
--
1.8.4.2
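Review bot: `g_path_get_basename()` never returns an empty string, so in agent_reply an agent reply of `""` now gives a new_name of `"."` and a reply of `"/"` gives `"/"`, where the old code stored an empty name in both cases. A reply ending in a separator (`"/tmp/"`) also changes meaning, since the last directory component becomes the file name. A guard ahead of the assignments, such as `if (*name == '\0' || g_str_has_suffix(name, "/"))`, with the reply treated as a refusal, would keep those values out; how a refusal is signalled is outside the hunk. Since both branches now assign new_name identically, the assignment can be hoisted and the folder written as `agent->new_folder = g_path_is_absolute(name) ? g_path_get_dirname(name) : NULL;`. The absolute branch stores the directory without canonicalising it, so any `..` components in the reply are passed on as given.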


@ -0,0 +1,47 @@
From c16ae7041c7511d8d1ed8441f696716fa6a9117e Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Tue, 19 Nov 2013 14:11:39 +0100
Subject: [PATCH 2/5] autopair: Don't handle the iCade
We can't easily enter digits other than 1 through 4 (inclusive)
so leave it up to the agent to figure out a good passcode
for the iCade.
Note that we can not use the VID/PID of the device, as it is not
yet known at that point.
---
plugins/autopair.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/plugins/autopair.c b/plugins/autopair.c
index 8c98c12..5d2f6f7 100644
--- a/plugins/autopair.c
+++ b/plugins/autopair.c
@@ -57,13 +57,23 @@ static ssize_t autopair_pincb(struct btd_adapter *adapter,
{
char addr[18];
char pinstr[7];
+ char name[25];
uint32_t class;
ba2str(device_get_address(device), addr);
class = btd_device_get_class(device);
- DBG("device %s 0x%x", addr, class);
+ device_get_name(device, name, sizeof(name));
+ name[sizeof(name) - 1] = 0;
+
+ DBG("device %s (%s) 0x%x", addr, name, class);
+
+ g_message ("vendor 0x%X product: 0x%X", btd_device_get_vendor (device), btd_device_get_product (device));
+
+ /* The iCade shouldn't use random PINs like normal keyboards */
+ if (name != NULL && strstr(name, "iCade") != NULL)
+ return 0;
/* This is a class-based pincode guesser. Ignore devices with an
* unknown class.
--
1.8.4.2
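Review bot: In autopair_pincb the test `name != NULL` can never be false because `name` is a local array, so the only effective condition is the `strstr()` call, and compilers will warn about the comparison. `name` is declared uninitialised and only its last byte is zeroed, so if `device_get_name()` leaves the buffer untouched for a device without a name (its body is not visible here), both `DBG` and `strstr` read indeterminate stack bytes; `char name[25] = "";` removes that dependency. The `g_message ("vendor 0x%X product: 0x%X", ...)` line looks like leftover debugging: the commit message itself says the VID/PID is not yet known at this point, and it logs at message level on every pairing. The name is supplied by the remote device, so it is worth a comment that the match is a usability hint only and that returning 0 hands the decision to the agent.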


@ -0,0 +1,29 @@
From 1da26fd3ce47728f423e290e3928257ead9baf76 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Sat, 7 Dec 2013 15:51:47 +0100
Subject: [PATCH] input: Fix crash when SDP record isn't available
On startup, if the SDP cache has been removed but the pairing
information is still present, we'd crash trying to access inside a
NULL record struct.
---
profiles/input/device.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/profiles/input/device.c b/profiles/input/device.c
index 6523161..8a28b0d 100644
--- a/profiles/input/device.c
+++ b/profiles/input/device.c
@@ -811,6 +811,9 @@ static struct input_device *input_device_new(struct btd_service *service)
struct input_device *idev;
char name[HCI_MAX_NAME_LENGTH + 1];
+ if (!rec)
+ return NULL;
+
idev = g_new0(struct input_device, 1);
bacpy(&idev->src, adapter_get_address(adapter));
bacpy(&idev->dst, device_get_address(device));
--
1.8.4.2
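Review bot: The new `if (!rec) return NULL;` makes NULL a possible result of input_device_new, so every caller has to check for it before dereferencing; the callers and the declaration of `rec` are outside this hunk and should be confirmed. The early return is also silent, which makes a missing SDP cache hard to diagnose from logs; a line such as `DBG("no SDP record available, not creating input device");` before the return would record why the device was skipped. A short comment above the check, `/* SDP cache may be gone while pairing data remains */`, would carry the reasoning from the commit message into the code.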


@ -0,0 +1,25 @@
From 67e5477687a2753d3f7b300bcfdc74464d8ad41f Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Mon, 9 Dec 2013 18:04:56 +0100
Subject: [PATCH 4/5] agent: Assert possible infinite loop
---
src/agent.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/agent.c b/src/agent.c
index bcba969..b292881 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -203,6 +203,8 @@ void agent_unref(struct agent *agent)
if (agent->ref > 0)
return;
+ g_assert (agent->ref == 0);
+
if (agent->request) {
DBusError err;
agent_pincode_cb pincode_cb;
--
1.8.4.2
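Review bot: The added `g_assert (agent->ref == 0);` in agent_unref has no comment and the patch has no description, so a reader cannot tell which condition it guards against. Given the preceding `if (agent->ref > 0) return;`, it fires only when the count has gone negative, i.e. on an extra unref; a comment such as `/* ref < 0 means an unbalanced unref; abort rather than run the teardown again */` would say so. `g_assert` is compiled out when GLib is built against with `G_DISABLE_ASSERT`, in which case a negative count would still fall through to the teardown below; an explicit `if (agent->ref < 0)` with an error log and return would not depend on build flags. The assertion also turns the condition into a daemon abort, which is preferable to re-entering the teardown but should be a deliberate choice.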


@ -0,0 +1,56 @@
From 28419bdc2fd093bcbc68b629b9c7b8c295260c57 Mon Sep 17 00:00:00 2001
From: Szymon Janc <szymon.janc@gmail.com>
Date: Mon, 9 Dec 2013 20:20:55 +0100
Subject: [PATCH 5/5] core: Fix crash due to agent callback freeing the agent
Similar fix was provided for simple_agent_reply in a2f5d438 but missed
pincode_reply case.
Fix following:
src/agent.c:agent_disconnect() Agent :1.48 disconnected
src/agent.c:set_default_agent() Default agent cleared
src/agent.c:agent_destroy() agent :1.48
src/agent.c:agent_unref() 0x4701c68: ref=1
Agent /org/bluez/agent replied with an error:
org.freedesktop.DBus.Error.NoReply, Message did not receive a reply
(timeout by message bus)
src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
pinlen 0
src/agent.c:agent_unref() 0x4701c68: ref=0
src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
pinlen 0
src/agent.c:agent_unref() 0x4701c68: ref=-1
src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
pinlen 0
src/agent.c:agent_unref() 0x4701c68: ref=-2
...
---
src/agent.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/agent.c b/src/agent.c
index b292881..2ec3183 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -428,6 +428,9 @@ static void pincode_reply(DBusPendingCall *call, void *user_data)
* is only called after a reply has been received */
message = dbus_pending_call_steal_reply(call);
+ /* Protect from the callback freeing the agent */
+ agent_ref(agent);
+
dbus_error_init(&err);
if (dbus_set_error_from_message(&err, message)) {
error("Agent %s replied with an error: %s, %s",
@@ -467,6 +470,7 @@ done:
dbus_pending_call_cancel(req->call);
agent->request = NULL;
agent_request_free(req, TRUE);
+ agent_unref(agent);
}
static int pincode_request_new(struct agent_request *req, const char *device_path,
--
1.8.4.2
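Review bot: The reference taken by `agent_ref(agent);` in pincode_reply is only dropped by the `agent_unref(agent);` added after `agent_request_free(req, TRUE);`, so any path between the two that returns without reaching `done:` would leak a reference and keep the agent alive; the middle of the function is outside these hunks and should be checked for early returns. The commit message says the same fix was applied to simple_agent_reply and missed here, which suggests the remaining reply handlers in src/agent.c that invoke a callback should be audited for the same pattern in this change rather than one crash at a time. Expanding the comment to `/* Hold a reference: the callback may drop the last one and free the agent */` would state the lifetime rule the pairing of ref/unref relies on.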


@ -3,7 +3,7 @@
Summary: Bluetooth utilities
Name: bluez
Version: 5.11
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
Group: Applications/System
URL: http://www.bluez.org/
@ -17,6 +17,11 @@ Patch1: playstation-peripheral-pugin-v5.x.patch
Patch2: 0001-work-around-Logitech-diNovo-Edge-keyboard-firmware-i.patch
# Non-upstream
Patch3: 0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch
Patch4: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
Patch5: 0002-autopair-Don-t-handle-the-iCade.patch
Patch6: 0003-input-Fix-crash-when-SDP-record-isn-t-available.patch
Patch7: 0004-agent-Assert-possible-infinite-loop.patch
Patch8: 0005-core-Fix-crash-due-to-agent-callback-freeing-the-age.patch
BuildRequires: git
BuildRequires: dbus-devel >= 0.90
@ -228,6 +233,9 @@ mkdir -p $RPM_BUILD_ROOT/%{_libdir}/bluetooth/
/lib/udev/rules.d/97-hid2hci.rules
%changelog
* Tue Dec 10 2013 Bastien Nocera <bnocera@redhat.com> 5.11-2
- Add crasher fixes (rhbz #1027365)
* Mon Nov 18 2013 Bastien Nocera <bnocera@redhat.com> 5.11-1
- Update to 5.11