diff --git a/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch b/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
new file mode 100644
index 0000000..004a389
--- /dev/null
+++ b/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
@@ -0,0 +1,38 @@
+From f7861d27fbcbc519f57d8496aa9486f487908821 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera
+Date: Sat, 9 Nov 2013 18:13:43 +0100
+Subject: [PATCH 1/5] obex: Use GLib helper function to manipulate paths
+
+Instead of trying to do it by hand. This also makes sure that
+relative paths aren't used by the agent.
+---
+ obexd/src/manager.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/obexd/src/manager.c b/obexd/src/manager.c
+index cec8a39..f18896e 100644
+--- a/obexd/src/manager.c
++++ b/obexd/src/manager.c
+@@ -651,14 +651,14 @@ static void agent_reply(DBusPendingCall *call, void *user_data)
+ DBUS_TYPE_STRING, &name,
+ DBUS_TYPE_INVALID)) {
+ /* Splits folder and name */
+- const char *slash = strrchr(name, '/');
++ gboolean is_relative = !g_path_is_absolute(name);
+ DBG("Agent replied with %s", name);
+- if (!slash) {
+- agent->new_name = g_strdup(name);
++ if (is_relative) {
++ agent->new_name = g_path_get_basename(name);
+ agent->new_folder = NULL;
+ } else {
+- agent->new_name = g_strdup(slash + 1);
+- agent->new_folder = g_strndup(name, slash - name);
++ agent->new_name = g_path_get_basename(name);
++ agent->new_folder = g_path_get_dirname(name);
+ }
+ }
+
+--
+1.8.4.2
+
diff --git a/0002-autopair-Don-t-handle-the-iCade.patch b/0002-autopair-Don-t-handle-the-iCade.patch
new file mode 100644
index 0000000..68751ae
--- /dev/null
+++ b/0002-autopair-Don-t-handle-the-iCade.patch
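Review bot: In the `agent_reply` hunk of the 0001 patch, the result of `g_path_get_basename(name)` is stored in `agent->new_name` without rejecting the degenerate values that GLib can return: `.` for an empty reply, a lone separator for a reply made only of separators, and `..` returned unchanged. The reply comes from the agent over D-Bus, so those three values should be refused before the assignment; how `new_name` is later joined to a directory is outside the hunk, so the impact is not visible here. Both branches now assign the same expression, so `agent->new_name = g_path_get_basename(name);` can be hoisted above the `if`, leaving only `new_folder` conditional. The body of `agent_reply` starts and ends outside the hunk.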
@@ -0,0 +1,47 @@
+From c16ae7041c7511d8d1ed8441f696716fa6a9117e Mon Sep 17 00:00:00 2001
+From: Bastien Nocera
+Date: Tue, 19 Nov 2013 14:11:39 +0100
+Subject: [PATCH 2/5] autopair: Don't handle the iCade
+
+We can't easily enter digits other than 1 through 4 (inclusive)
+so leave it up to the agent to figure out a good passcode
+for the iCade.
+
+Note that we can not use the VID/PID of the device, as it is not
+yet known at that point.
+---
+ plugins/autopair.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/autopair.c b/plugins/autopair.c
+index 8c98c12..5d2f6f7 100644
+--- a/plugins/autopair.c
++++ b/plugins/autopair.c
+@@ -57,13 +57,23 @@ static ssize_t autopair_pincb(struct btd_adapter *adapter,
+ {
+ char addr[18];
+ char pinstr[7];
++ char name[25];
+ uint32_t class;
+
+ ba2str(device_get_address(device), addr);
+
+ class = btd_device_get_class(device);
+
+- DBG("device %s 0x%x", addr, class);
++ device_get_name(device, name, sizeof(name));
++ name[sizeof(name) - 1] = 0;
++
++ DBG("device %s (%s) 0x%x", addr, name, class);
++
++ g_message ("vendor 0x%X product: 0x%X", btd_device_get_vendor (device), btd_device_get_product (device));
++
++ /* The iCade shouldn't use random PINs like normal keyboards */
++ if (name != NULL && strstr(name, "iCade") != NULL)
++ return 0;
+
+ /* This is a class-based pincode guesser. Ignore devices with an
+ * unknown class.
+--
+1.8.4.2
+
diff --git a/0003-input-Fix-crash-when-SDP-record-isn-t-available.patch b/0003-input-Fix-crash-when-SDP-record-isn-t-available.patch
new file mode 100644
index 0000000..de22106
--- /dev/null
+++ b/0003-input-Fix-crash-when-SDP-record-isn-t-available.patch
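Review bot: In `autopair_pincb` (0002 patch) the test `name != NULL` is always true because `name` is a local array, so the iCade check rests on `strstr` alone. If `device_get_name()` can return without writing to the buffer (its body is not visible here), `strstr` reads uninitialised stack up to the forced terminator. Declaring `char name[25] = "";` and testing only `strstr(name, "iCade") != NULL` would make that well defined. The `g_message ("vendor 0x%X product: 0x%X", ...)` line looks like leftover debugging, since the commit message says the VID/PID are not yet known here and it logs at message level on every PIN callback; it should be dropped or turned into `DBG`. The name is supplied by the remote device, so the comment above the check should state that any device advertising "iCade" in its name bypasses the PIN guesser and is left to the agent.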
@@ -0,0 +1,29 @@
+From 1da26fd3ce47728f423e290e3928257ead9baf76 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera
+Date: Sat, 7 Dec 2013 15:51:47 +0100
+Subject: [PATCH] input: Fix crash when SDP record isn't available
+
+On startup, if the SDP cache has been removed but the pairing
+information is still present, we'd crash trying to access inside a
+NULL record struct.
+---
+ profiles/input/device.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 6523161..8a28b0d 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -811,6 +811,9 @@ static struct input_device *input_device_new(struct btd_service *service)
+ struct input_device *idev;
+ char name[HCI_MAX_NAME_LENGTH + 1];
+
++ if (!rec)
++ return NULL;
++
+ idev = g_new0(struct input_device, 1);
+ bacpy(&idev->src, adapter_get_address(adapter));
+ bacpy(&idev->dst, device_get_address(device));
+--
+1.8.4.2
+
diff --git a/0004-agent-Assert-possible-infinite-loop.patch b/0004-agent-Assert-possible-infinite-loop.patch
new file mode 100644
index 0000000..2746e0c
--- /dev/null
+++ b/0004-agent-Assert-possible-infinite-loop.patch
@@ -0,0 +1,25 @@
+From 67e5477687a2753d3f7b300bcfdc74464d8ad41f Mon Sep 17 00:00:00 2001
+From: Bastien Nocera
+Date: Mon, 9 Dec 2013 18:04:56 +0100
+Subject: [PATCH 4/5] agent: Assert possible infinite loop
+
+---
+ src/agent.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/agent.c b/src/agent.c
+index bcba969..b292881 100644
+--- a/src/agent.c
++++ b/src/agent.c
+@@ -203,6 +203,8 @@ void agent_unref(struct agent *agent)
+ if (agent->ref > 0)
+ return;
+
++ g_assert (agent->ref == 0);
++
+ if (agent->request) {
+ DBusError err;
+ agent_pincode_cb pincode_cb;
+--
+1.8.4.2
+
diff --git a/0005-core-Fix-crash-due-to-agent-callback-freeing-the-age.patch b/0005-core-Fix-crash-due-to-agent-callback-freeing-the-age.patch
new file mode 100644
index 0000000..4c86cce
--- /dev/null
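Review bot: `input_device_new` (0003 patch) now returns NULL silently when `rec` is NULL, so the change is only safe if every caller checks the result. The callers are outside this hunk and should be confirmed, otherwise the NULL dereference merely moves one frame up. This is the stale-pairing-without-SDP-cache case from the commit message, so a log line before `return NULL;` (the daemon's `error()` helper appears elsewhere in this series) would make the condition diagnosable. The function body, including where `rec` is assigned, starts above and continues below the hunk.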
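Review bot: The `g_assert (agent->ref == 0);` added to `agent_unref` (0004 patch) carries no comment and the commit has no description, so a reader cannot tell that it fires only for a negative count, i.e. an unbalanced unref. I would add a comment such as `/* ref < 0 means an extra agent_unref(); abort instead of tearing the agent down again */`. Two caveats belong in that comment: `g_assert` is compiled out when `G_DISABLE_ASSERT` is defined, and when it does fire it aborts the whole daemon, so it is a tripwire for the bug fixed in the 0005 patch rather than a fix. Once the count is negative the struct may already have been freed, so the check itself may be reading freed memory.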
+++ b/0005-core-Fix-crash-due-to-agent-callback-freeing-the-age.patch
@@ -0,0 +1,56 @@
+From 28419bdc2fd093bcbc68b629b9c7b8c295260c57 Mon Sep 17 00:00:00 2001
+From: Szymon Janc
+Date: Mon, 9 Dec 2013 20:20:55 +0100
+Subject: [PATCH 5/5] core: Fix crash due to agent callback freeing the agent
+
+Similar fix was provided for simple_agent_reply in a2f5d438 but missed
+pincode_reply case.
+
+Fix following:
+
+src/agent.c:agent_disconnect() Agent :1.48 disconnected
+src/agent.c:set_default_agent() Default agent cleared
+src/agent.c:agent_destroy() agent :1.48
+src/agent.c:agent_unref() 0x4701c68: ref=1
+Agent /org/bluez/agent replied with an error:
+ org.freedesktop.DBus.Error.NoReply, Message did not receive a reply
+ (timeout by message bus)
+src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
+ pinlen 0
+src/agent.c:agent_unref() 0x4701c68: ref=0
+src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
+ pinlen 0
+src/agent.c:agent_unref() 0x4701c68: ref=-1
+src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
+ pinlen 0
+src/agent.c:agent_unref() 0x4701c68: ref=-2
+...
+---
+ src/agent.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/agent.c b/src/agent.c
+index b292881..2ec3183 100644
+--- a/src/agent.c
++++ b/src/agent.c
+@@ -428,6 +428,9 @@ static void pincode_reply(DBusPendingCall *call, void *user_data)
+ * is only called after a reply has been received */
+ message = dbus_pending_call_steal_reply(call);
+
++ /* Protect from the callback freeing the agent */
++ agent_ref(agent);
++
+ dbus_error_init(&err);
+ if (dbus_set_error_from_message(&err, message)) {
+ error("Agent %s replied with an error: %s, %s",
+@@ -467,6 +470,7 @@ done:
+ dbus_pending_call_cancel(req->call);
+ agent->request = NULL;
+ agent_request_free(req, TRUE);
++ agent_unref(agent);
+ }
+
+ static int pincode_request_new(struct agent_request *req, const char *device_path,
+--
+1.8.4.2
+
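Review bot: The reference taken in `pincode_reply` (0005 patch) is released only at the `done:` label, so any path between `agent_ref(agent)` and `done:` that returns directly would leak it. The lines between the two inner hunks are not shown and should be checked for such an exit. The commit message says the same fix was made earlier for `simple_agent_reply` and missed here, so the remaining reply handlers in `src/agent.c` deserve the same audit; they are outside this diff. The comment could name the hazard more precisely, e.g. `/* Hold a ref: the reply callback may drop the last reference to the agent */`.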
diff --git a/bluez.spec b/bluez.spec index a926032..3c5ee6a 100644 --- a/bluez.spec +++ b/bluez.spec @@ -3,7 +3,7 @@ Summary: Bluetooth utilities Name: bluez Version: 5.11 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: Applications/System URL: http://www.bluez.org/ @@ -17,6 +17,11 @@ Patch1: playstation-peripheral-pugin-v5.x.patch Patch2: 0001-work-around-Logitech-diNovo-Edge-keyboard-firmware-i.patch # Non-upstream Patch3: 0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch +Patch4: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch +Patch5: 0002-autopair-Don-t-handle-the-iCade.patch +Patch6: 0003-input-Fix-crash-when-SDP-record-isn-t-available.patch +Patch7: 0004-agent-Assert-possible-infinite-loop.patch +Patch8: 0005-core-Fix-crash-due-to-agent-callback-freeing-the-age.patch BuildRequires: git BuildRequires: dbus-devel >= 0.90 @@ -228,6 +233,9 @@ mkdir -p $RPM_BUILD_ROOT/%{_libdir}/bluetooth/ /lib/udev/rules.d/97-hid2hci.rules %changelog +* Tue Dec 10 2013 Bastien Nocera 5.11-2 +- Add crasher fixes (rhbz #1027365) + * Mon Nov 18 2013 Bastien Nocera 5.11-1 - Update to 5.11