import bluez-5.63-1.el8

2022-11-08 01:58:34 -05:00 · 2022-11-08 01:58:34 -05:00 · 7181a8e83c
commit 7181a8e83c
parent 886c9a2cfd
9 changed files with 68 additions and 671 deletions
--- a/.bluez.metadata
+++ b/.bluez.metadata
@ -1 +1 @@
-a862b9ddc039f34f7135bbee3c3e80040e82e046 SOURCES/bluez-5.56.tar.xz
+c5137186e7cc60652eed44cff0067ef749e49eff SOURCES/bluez-5.63.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/bluez-5.56.tar.xz
+SOURCES/bluez-5.63.tar.xz
--- a/SOURCES/0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
+++ b/SOURCES/0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
@ -1,51 +0,0 @@
 From 2c3bba7b38be03834162e34069156f1fd49f0528 Mon Sep 17 00:00:00 2001
 From: "antoine.belvire@laposte.net" <antoine.belvire@laposte.net>
 Date: Tue, 27 Mar 2018 20:30:26 +0200
 Subject: [PATCH] adapter: Don't refresh adv_manager for non-LE devices
 btd_adv_manager_refresh is called upon MGMT_SETTING_DISCOVERABLE setting change
 but as only LE adapters have an adv_manager, this leads to segmentation fault
 for non-LE devices:
 0  btd_adv_manager_refresh (manager=0x0) at src/advertising.c:1176
 1  0x0000556fe45fcb02 in settings_changed (settings=<optimized out>,
    adapter=0x556fe53f7c70) at src/adapter.c:543
 2  new_settings_callback (index=<optimized out>, length=<optimized out>,
    param=<optimized out>, user_data=0x556fe53f7c70) at src/adapter.c:573
 3  0x0000556fe462c278 in request_complete (mgmt=mgmt@entry=0x556fe53f20c0,
    status=<optimized out>, opcode=opcode@entry=7, index=index@entry=0,
    length=length@entry=4, param=0x556fe53eb5f9) at src/shared/mgmt.c:261
 4  0x0000556fe462cd9d in can_read_data (io=<optimized out>,
    user_data=0x556fe53f20c0) at src/shared/mgmt.c:353
 5  0x0000556fe46396e3 in watch_callback (channel=<optimized out>,
    cond=<optimized out>, user_data=<optimized out>)
    at src/shared/io-glib.c:170
 6  0x00007fe351c980e5 in g_main_context_dispatch ()
   from /usr/lib64/libglib-2.0.so.0
 7  0x00007fe351c984b0 in ?? () from /usr/lib64/libglib-2.0.so.0
 8  0x00007fe351c987c2 in g_main_loop_run () from /usr/lib64/libglib-2.0.so.0
 9  0x0000556fe45abc75 in main (argc=<optimized out>, argv=<optimized out>)
    at src/main.c:770
 This commit prevents the call to btd_adv_manager_refresh for non-LE devices.
 ---
 src/adapter.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/src/adapter.c b/src/adapter.c
 index 6b9222bcf..daccfdc19 100644
 --- a/src/adapter.c
 +++ b/src/adapter.c
@@ -540,7 +540,8 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
 		g_dbus_emit_property_changed(dbus_conn, adapter->path,
 					ADAPTER_INTERFACE, "Discoverable");
 		store_adapter_info(adapter);
 -		btd_adv_manager_refresh(adapter->adv_manager);
 +		if (adapter->supported_settings & MGMT_SETTING_LE)
 +			btd_adv_manager_refresh(adapter->adv_manager);
 	}
 	if (changed_mask & MGMT_SETTING_BONDABLE) {
 -- 
 2.17.0
--- a/SOURCES/0001-build-Always-define-confdir-and-statedir.patch
+++ b/SOURCES/0001-build-Always-define-confdir-and-statedir.patch
@ -1,25 +1,19 @@
-From 5a62336f4da3a2d1a1ab38d03980d57844bce147 Mon Sep 17 00:00:00 2001
+From 5744f79d84ecee3929a682166034c5bbc36c0ef5 Mon Sep 17 00:00:00 2001
 From: Gopal Tiwari <gtiwari@redhat.com>
 Date: Mon, 8 Jun 2020 20:56:46 +0530
 Subject: [PATCH BlueZ 1/4] build: Always define confdir and statedir
 From 69d2e7bebb79f500179298c6c51fafbc217df6c8 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 20 Sep 2017 12:49:10 +0200
-
+Subject: [PATCH 1/4] build: Always define confdir and statedir
 build: Always define confdir and statedir
 As we will need those paths to lock down on them.
 ---
- Makefile.am | 5 +++--
+ Makefile.am | 6 +++---
- 1 file changed, 3 insertions(+), 2 deletions(-)
+ 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/Makefile.am b/Makefile.am
-index 84c9712c9..6e77ed91e 100644
+index 9d25a815b..ac88c12e0 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -31,14 +31,15 @@ pkginclude_HEADERS =
+@@ -28,14 +28,14 @@
- AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
+ 				$(LIBEDATASERVER_CFLAGS) $(ell_cflags)
 AM_LDFLAGS = $(MISC_LDFLAGS)
 +confdir = $(sysconfdir)/bluetooth
@ -31,11 +25,11 @@ index 84c9712c9..6e77ed91e 100644
 -confdir = $(sysconfdir)/bluetooth
 conf_DATA =
- 
+-
 -statedir = $(localstatedir)/lib/bluetooth
 state_DATA =
 endif
 -- 
-2.21.1
+2.21.0
--- a/SOURCES/0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch
+++ b/SOURCES/0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch
@ -0,0 +1,36 @@
 From 4c3eedcb96bd4795dd5c25c688005fc12f364aeb Mon Sep 17 00:00:00 2001
 From: Gopal Tiwari <gtiwari@redhat.com>
 Date: Wed, 20 Apr 2022 12:19:05 +0530
 Subject: [PATCH BlueZ] gdbus: Emit InterfacesAdded of parents objects first
 This makes InterfacesAdded respect the object hierarchy in case its
 parent has pending interfaces to be added.
 Fixes: #272
 Fixes: #284
 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1534857
 Fixes: https://bugs.archlinux.org/task/57464
 ---
 gdbus/object.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/gdbus/object.c b/gdbus/object.c
 index 50a8b4ff1..f7c8c2be5 100644
 --- a/gdbus/object.c
 +++ b/gdbus/object.c
@@ -551,6 +551,12 @@ static void emit_interfaces_added(struct generic_data *data)
 	if (root == NULL || data == root)
 		return;
 +	/* Emit InterfacesAdded on the parent first so it appears first on the
 +	 * bus as child objects may point to it.
 +	 */
 +	if (data->parent && data->parent->added)
 +		emit_interfaces_added(data->parent);
 +
 	signal = dbus_message_new_signal(root->path,
 					DBUS_INTERFACE_OBJECT_MANAGER,
 					"InterfacesAdded");
 -- 
 2.26.2
--- a/SOURCES/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
+++ b/SOURCES/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
@ -1,468 +0,0 @@
 From 4e6a2402ed4f46ea026ad0929fbc14faecf3a475 Mon Sep 17 00:00:00 2001
 From: Gopal Tiwari <gtiwari@redhat.com>
 Date: Wed, 1 Dec 2021 12:18:24 +0530
 Subject: [PATCH BlueZ] sdpd: Fix leaking buffers stored in cstates cache
 commit e79417ed7185b150a056d4eb3a1ab528b91d2fc0
 Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
 Date:   Thu Jul 15 11:01:20 2021 -0700
    sdpd: Fix leaking buffers stored in cstates cache
    These buffer shall only be keep in cache for as long as they are
    needed so this would cleanup any client cstates in the following
    conditions:
     - There is no cstate on the response
     - No continuation can be found for cstate
     - Different request opcode
     - Respond with an error
     - Client disconnect
    Fixes: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq
 ---
 src/sdpd-request.c | 170 ++++++++++++++++++++++++++++++++-------------
 src/sdpd-server.c  |  20 +++---
 src/sdpd.h         |   3 +
 unit/test-sdp.c    |   2 +-
 4 files changed, 135 insertions(+), 60 deletions(-)
 diff --git a/src/sdpd-request.c b/src/sdpd-request.c
 index 033d1e5bf..c8f5a2c72 100644
 --- a/src/sdpd-request.c
 +++ b/src/sdpd-request.c
@@ -42,48 +42,78 @@ typedef struct {
 #define MIN(x, y) ((x) < (y)) ? (x): (y)
 -typedef struct _sdp_cstate_list sdp_cstate_list_t;
 +typedef struct sdp_cont_info sdp_cont_info_t;
 -struct _sdp_cstate_list {
 -	sdp_cstate_list_t *next;
 +struct sdp_cont_info {
 +	int sock;
 +	uint8_t opcode;
 	uint32_t timestamp;
 	sdp_buf_t buf;
 };
 -static sdp_cstate_list_t *cstates;
 +static sdp_list_t *cstates;
 -/* FIXME: should probably remove it when it's found */
 -static sdp_buf_t *sdp_get_cached_rsp(sdp_cont_state_t *cstate)
 +static int cstate_match(const void *data, const void *user_data)
 {
 -	sdp_cstate_list_t *p;
 +	const sdp_cont_info_t *cinfo = data;
 +	const sdp_cont_state_t *cstate = user_data;
 -	for (p = cstates; p; p = p->next) {
 -		/* Check timestamp */
 -		if (p->timestamp != cstate->timestamp)
 -			continue;
 +	/* Check timestamp */
 +	return cinfo->timestamp - cstate->timestamp;
 +}
 +
 +static void sdp_cont_info_free(sdp_cont_info_t *cinfo)
 +{
 +	if (!cinfo)
 +		return;
 +
 +	cstates = sdp_list_remove(cstates, cinfo);
 +	free(cinfo->buf.data);
 +	free(cinfo);
 +}
 +
 +static sdp_cont_info_t *sdp_get_cont_info(sdp_req_t *req,
 +						sdp_cont_state_t *cstate)
 +{
 +	sdp_list_t *list;
 +
 +	list = sdp_list_find(cstates, cstate, cstate_match);
 +	if (list) {
 +		sdp_cont_info_t *cinfo = list->data;
 -		/* Check if requesting more than available */
 -		if (cstate->cStateValue.maxBytesSent < p->buf.data_size)
 -			return &p->buf;
 +		if (cinfo->opcode == req->opcode)
 +			return cinfo;
 +
 +		/* Cleanup continuation if the opcode doesn't match since its
 +		 * response buffer shall only be valid for the original requests
 +		 */
 +		sdp_cont_info_free(cinfo);
 +		return NULL;
 	}
 -	return 0;
 +	/* Cleanup cstates if no continuation info could be found */
 +	sdp_cstate_cleanup(req->sock);
 +
 +	return NULL;
 }
 -static uint32_t sdp_cstate_alloc_buf(sdp_buf_t *buf)
 +static uint32_t sdp_cstate_alloc_buf(sdp_req_t *req, sdp_buf_t *buf)
 {
 -	sdp_cstate_list_t *cstate = malloc(sizeof(sdp_cstate_list_t));
 +	sdp_cont_info_t *cinfo = malloc(sizeof(sdp_cont_info_t));
 	uint8_t *data = malloc(buf->data_size);
 	memcpy(data, buf->data, buf->data_size);
 -	memset((char *)cstate, 0, sizeof(sdp_cstate_list_t));
 -	cstate->buf.data = data;
 -	cstate->buf.data_size = buf->data_size;
 -	cstate->buf.buf_size = buf->data_size;
 -	cstate->timestamp = sdp_get_time();
 -	cstate->next = cstates;
 -	cstates = cstate;
 -	return cstate->timestamp;
 +	memset(cinfo, 0, sizeof(sdp_cont_info_t));
 +	cinfo->buf.data = data;
 +	cinfo->buf.data_size = buf->data_size;
 +	cinfo->buf.buf_size = buf->data_size;
 +	cinfo->timestamp = sdp_get_time();
 +	cinfo->sock = req->sock;
 +	cinfo->opcode = req->opcode;
 +
 +	cstates = sdp_list_append(cstates, cinfo);
 +
 +	return cinfo->timestamp;
 }
 /* Additional values for checking datatype (not in spec) */
@@ -274,14 +304,16 @@ static int sdp_set_cstate_pdu(sdp_buf_t *buf, sdp_cont_state_t *cstate)
 	return length;
 }
 -static int sdp_cstate_get(uint8_t *buffer, size_t len,
 -						sdp_cont_state_t **cstate)
 +static int sdp_cstate_get(sdp_req_t *req, uint8_t *buffer, size_t len,
 +			sdp_cont_state_t **cstate, sdp_cont_info_t **cinfo)
 {
 	uint8_t cStateSize = *buffer;
 	SDPDBG("Continuation State size : %d", cStateSize);
 	if (cStateSize == 0) {
 +		/* Cleanup cstates if request doesn't contain a cstate */
 +		sdp_cstate_cleanup(req->sock);
 		*cstate = NULL;
 		return 0;
 	}
@@ -306,6 +338,8 @@ static int sdp_cstate_get(uint8_t *buffer, size_t len,
 	SDPDBG("Cstate TS : 0x%x", (*cstate)->timestamp);
 	SDPDBG("Bytes sent : %d", (*cstate)->cStateValue.maxBytesSent);
 +	*cinfo = sdp_get_cont_info(req, *cstate);
 +
 	return 0;
 }
@@ -360,6 +394,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 	uint16_t expected, actual, rsp_count = 0;
 	uint8_t dtd;
 	sdp_cont_state_t *cstate = NULL;
 +	sdp_cont_info_t *cinfo = NULL;
 	uint8_t *pCacheBuffer = NULL;
 	int handleSize = 0;
 	uint32_t cStateId = 0;
@@ -399,9 +434,9 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 	/*
 	 * Check if continuation state exists, if yes attempt
 -	 * to get rsp remainder from cache, else send error
 +	 * to get rsp remainder from continuation info, else send error
 	 */
 -	if (sdp_cstate_get(pdata, data_left, &cstate) < 0) {
 +	if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) {
 		status = SDP_INVALID_SYNTAX;
 		goto done;
 	}
@@ -451,7 +486,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 		if (rsp_count > actual) {
 			/* cache the rsp and generate a continuation state */
 -			cStateId = sdp_cstate_alloc_buf(buf);
 +			cStateId = sdp_cstate_alloc_buf(req, buf);
 			/*
 			 * subtract handleSize since we now send only
 			 * a subset of handles
@@ -459,6 +494,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 			buf->data_size -= handleSize;
 		} else {
 			/* NULL continuation state */
 +			sdp_cont_info_free(cinfo);
 			sdp_set_cstate_pdu(buf, NULL);
 		}
 	}
@@ -468,13 +504,15 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 		short lastIndex = 0;
 		if (cstate) {
 -			/*
 -			 * Get the previous sdp_cont_state_t and obtain
 -			 * the cached rsp
 -			 */
 -			sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
 -			if (pCache) {
 -				pCacheBuffer = pCache->data;
 +			if (cinfo) {
 +				/* Check if requesting more than available */
 +				if (cstate->cStateValue.maxBytesSent >=
 +						cinfo->buf.data_size) {
 +					status = SDP_INVALID_CSTATE;
 +					goto done;
 +				}
 +
 +				pCacheBuffer = cinfo->buf.data;
 				/* get the rsp_count from the cached buffer */
 				rsp_count = get_be16(pCacheBuffer);
@@ -518,6 +556,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 		if (i == rsp_count) {
 			/* set "null" continuationState */
 			sdp_set_cstate_pdu(buf, NULL);
 +			sdp_cont_info_free(cinfo);
 		} else {
 			/*
 			 * there's more: set lastIndexSent to
@@ -540,6 +579,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 done:
 	free(cstate);
 +
 	if (pattern)
 		sdp_list_free(pattern, free);
@@ -619,15 +659,21 @@ static int extract_attrs(sdp_record_t *rec, sdp_list_t *seq, sdp_buf_t *buf)
 }
 /* Build cstate response */
 -static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf,
 -							uint16_t max)
 +static int sdp_cstate_rsp(sdp_cont_info_t *cinfo, sdp_cont_state_t *cstate,
 +					sdp_buf_t *buf, uint16_t max)
 {
 -	/* continuation State exists -> get from cache */
 -	sdp_buf_t *cache = sdp_get_cached_rsp(cstate);
 +	sdp_buf_t *cache;
 	uint16_t sent;
 -	if (!cache)
 +	if (!cinfo)
 +		return 0;
 +
 +	if (cstate->cStateValue.maxBytesSent >= cinfo->buf.data_size) {
 +		sdp_cont_info_free(cinfo);
 		return 0;
 +	}
 +
 +	cache = &cinfo->buf;
 	sent = MIN(max, cache->data_size - cstate->cStateValue.maxBytesSent);
 	memcpy(buf->data, cache->data + cstate->cStateValue.maxBytesSent, sent);
@@ -637,8 +683,10 @@ static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf,
 	SDPDBG("Response size : %d sending now : %d bytes sent so far : %d",
 		cache->data_size, sent, cstate->cStateValue.maxBytesSent);
 -	if (cstate->cStateValue.maxBytesSent == cache->data_size)
 +	if (cstate->cStateValue.maxBytesSent == cache->data_size) {
 +		sdp_cont_info_free(cinfo);
 		return sdp_set_cstate_pdu(buf, NULL);
 +	}
 	return sdp_set_cstate_pdu(buf, cstate);
 }
@@ -652,6 +700,7 @@ static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf,
 static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 {
 	sdp_cont_state_t *cstate = NULL;
 +	sdp_cont_info_t *cinfo = NULL;
 	short cstate_size = 0;
 	sdp_list_t *seq = NULL;
 	uint8_t dtd = 0;
@@ -708,7 +757,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 	 * if continuation state exists, attempt
 	 * to get rsp remainder from cache, else send error
 	 */
 -	if (sdp_cstate_get(pdata, data_left, &cstate) < 0) {
 +	if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) {
 		status = SDP_INVALID_SYNTAX;
 		goto done;
 	}
@@ -737,7 +786,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 	buf->buf_size -= sizeof(uint16_t);
 	if (cstate) {
 -		cstate_size = sdp_cstate_rsp(cstate, buf, max_rsp_size);
 +		cstate_size = sdp_cstate_rsp(cinfo, cstate, buf, max_rsp_size);
 		if (!cstate_size) {
 			status = SDP_INVALID_CSTATE;
 			error("NULL cache buffer and non-NULL continuation state");
@@ -749,7 +798,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 			sdp_cont_state_t newState;
 			memset((char *)&newState, 0, sizeof(sdp_cont_state_t));
 -			newState.timestamp = sdp_cstate_alloc_buf(buf);
 +			newState.timestamp = sdp_cstate_alloc_buf(req, buf);
 			/*
 			 * Reset the buffer size to the maximum expected and
 			 * set the sdp_cont_state_t
@@ -793,6 +842,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 	int scanned, rsp_count = 0;
 	sdp_list_t *pattern = NULL, *seq = NULL, *svcList;
 	sdp_cont_state_t *cstate = NULL;
 +	sdp_cont_info_t *cinfo = NULL;
 	short cstate_size = 0;
 	uint8_t dtd = 0;
 	sdp_buf_t tmpbuf;
@@ -852,7 +902,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 	 * if continuation state exists attempt
 	 * to get rsp remainder from cache, else send error
 	 */
 -	if (sdp_cstate_get(pdata, data_left, &cstate) < 0) {
 +	if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) {
 		status = SDP_INVALID_SYNTAX;
 		goto done;
 	}
@@ -906,7 +956,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 			sdp_cont_state_t newState;
 			memset((char *)&newState, 0, sizeof(sdp_cont_state_t));
 -			newState.timestamp = sdp_cstate_alloc_buf(buf);
 +			newState.timestamp = sdp_cstate_alloc_buf(req, buf);
 			/*
 			 * Reset the buffer size to the maximum expected and
 			 * set the sdp_cont_state_t
@@ -917,7 +967,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 		} else
 			cstate_size = sdp_set_cstate_pdu(buf, NULL);
 	} else {
 -		cstate_size = sdp_cstate_rsp(cstate, buf, max);
 +		cstate_size = sdp_cstate_rsp(cinfo, cstate, buf, max);
 		if (!cstate_size) {
 			status = SDP_INVALID_CSTATE;
 			SDPDBG("Non-null continuation state, but null cache buffer");
@@ -974,6 +1024,9 @@ static void process_request(sdp_req_t *req)
 		status = SDP_INVALID_PDU_SIZE;
 		goto send_rsp;
 	}
 +
 +	req->opcode = reqhdr->pdu_id;
 +
 	switch (reqhdr->pdu_id) {
 	case SDP_SVC_SEARCH_REQ:
 		SDPDBG("Got a svc srch req");
@@ -1020,6 +1073,8 @@ static void process_request(sdp_req_t *req)
 send_rsp:
 	if (status) {
 +		/* Cleanup cstates on error */
 +		sdp_cstate_cleanup(req->sock);
 		rsphdr->pdu_id = SDP_ERROR_RSP;
 		put_be16(status, rsp.data);
 		rsp.data_size = sizeof(uint16_t);
@@ -1108,3 +1163,20 @@ void handle_request(int sk, uint8_t *data, int len)
 	process_request(&req);
 }
 +
 +void sdp_cstate_cleanup(int sock)
 +{
 +	sdp_list_t *list;
 +
 +	/* Remove any cinfo for the client */
 +	for (list = cstates; list;) {
 +		sdp_cont_info_t *cinfo = list->data;
 +
 +		list = list->next;
 +
 +		if (cinfo->sock != sock)
 +			continue;
 +
 +		sdp_cont_info_free(cinfo);
 +	}
 +}
 diff --git a/src/sdpd-server.c b/src/sdpd-server.c
 index dfd8b1f00..66ee7ba14 100644
 --- a/src/sdpd-server.c
 +++ b/src/sdpd-server.c
@@ -146,16 +146,12 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d
 	sk = g_io_channel_unix_get_fd(chan);
 -	if (cond & (G_IO_HUP | G_IO_ERR)) {
 -		sdp_svcdb_collect_all(sk);
 -		return FALSE;
 -	}
 +	if (cond & (G_IO_HUP | G_IO_ERR))
 +		goto cleanup;
 	len = recv(sk, &hdr, sizeof(sdp_pdu_hdr_t), MSG_PEEK);
 -	if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t)) {
 -		sdp_svcdb_collect_all(sk);
 -		return FALSE;
 -	}
 +	if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t))
 +		goto cleanup;
 	size = sizeof(sdp_pdu_hdr_t) + ntohs(hdr.plen);
 	buf = malloc(size);
@@ -168,14 +164,18 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d
 	 * inside handle_request() in order to produce ErrorResponse.
 	 */
 	if (len <= 0) {
 -		sdp_svcdb_collect_all(sk);
 		free(buf);
 -		return FALSE;
 +		goto cleanup;
 	}
 	handle_request(sk, buf, len);
 	return TRUE;
 +
 +cleanup:
 +	sdp_svcdb_collect_all(sk);
 +	sdp_cstate_cleanup(sk);
 +	return FALSE;
 }
 static gboolean io_accept_event(GIOChannel *chan, GIOCondition cond, gpointer data)
 diff --git a/src/sdpd.h b/src/sdpd.h
 index 257411f03..4316aff67 100644
 --- a/src/sdpd.h
 +++ b/src/sdpd.h
@@ -27,8 +27,11 @@ typedef struct request {
 	int      flags;
 	uint8_t  *buf;
 	int      len;
 +	uint8_t  opcode;
 } sdp_req_t;
 +void sdp_cstate_cleanup(int sock);
 +
 void handle_internal_request(int sk, int mtu, void *data, int len);
 void handle_request(int sk, uint8_t *data, int len);
 diff --git a/unit/test-sdp.c b/unit/test-sdp.c
 index d3a885f19..8f95fcb71 100644
 --- a/unit/test-sdp.c
 +++ b/unit/test-sdp.c
@@ -235,7 +235,7 @@ static gboolean client_handler(GIOChannel *channel, GIOCondition cond,
 	tester_monitor('>', 0x0000, 0x0001, buf, len);
 	g_assert(len > 0);
 -	g_assert((size_t) len == rsp_pdu->raw_size + rsp_pdu->cont_len);
 +	g_assert_cmpuint(len, ==, rsp_pdu->raw_size + rsp_pdu->cont_len);
 	g_assert(memcmp(buf, rsp_pdu->raw_data,	rsp_pdu->raw_size) == 0);
 -- 
 2.26.2
--- a/SOURCES/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
+++ b/SOURCES/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
@ -1,115 +0,0 @@
 From d22177efb6f17ed281013cdfa4976d218718d5b6 Mon Sep 17 00:00:00 2001
 From: Gopal Tiwari <gtiwari@redhat.com>
 Date: Mon, 31 May 2021 12:29:01 +0530
 Subject: [PATCH BlueZ] shared/gatt-server: Fix not properly checking for
 secure flags
 commit ef7316b34cf3a568694bdb0e4e83af17804dff9e (HEAD)
 Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
 Date:   Tue Mar 2 11:38:33 2021 -0800
 shared/gatt-server: Fix not properly checking for secure flags
 When passing the mask to check_permissions all valid permissions for
 the operation must be set including BT_ATT_PERM_SECURE flags.
 (cherry picked from commit 00da0fb4972cf59e1c075f313da81ea549cb8738)
 Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
 ---
 src/shared/att-types.h   |  8 ++++++++
 src/shared/gatt-server.c | 25 +++++++------------------
 2 files changed, 15 insertions(+), 18 deletions(-)
 diff --git a/src/shared/att-types.h b/src/shared/att-types.h
 index 7108b4e94..3adc05d9e 100644
 --- a/src/shared/att-types.h
 +++ b/src/shared/att-types.h
@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
 #define BT_ATT_PERM_WRITE_SECURE	0x0200
 #define BT_ATT_PERM_SECURE		(BT_ATT_PERM_READ_SECURE | \
 					BT_ATT_PERM_WRITE_SECURE)
 +#define BT_ATT_PERM_READ_MASK		(BT_ATT_PERM_READ | \
 +					BT_ATT_PERM_READ_AUTHEN | \
 +					BT_ATT_PERM_READ_ENCRYPT | \
 +					BT_ATT_PERM_READ_SECURE)
 +#define BT_ATT_PERM_WRITE_MASK		(BT_ATT_PERM_WRITE | \
 +					BT_ATT_PERM_WRITE_AUTHEN | \
 +					BT_ATT_PERM_WRITE_ENCRYPT | \
 +					BT_ATT_PERM_WRITE_SECURE)
 /* GATT Characteristic Properties Bitfield values */
 #define BT_GATT_CHRC_PROP_BROADCAST			0x01
 diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
 index b5f7de7dc..970c35f94 100644
 --- a/src/shared/gatt-server.c
 +++ b/src/shared/gatt-server.c
@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
 		return;
 	}
 -	ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
 -						BT_ATT_PERM_READ_AUTHEN |
 -						BT_ATT_PERM_READ_ENCRYPT);
 +	ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
 	if (ecode)
 		goto error;
@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
 				(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
 				handle);
 -	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
 -						BT_ATT_PERM_WRITE_AUTHEN |
 -						BT_ATT_PERM_WRITE_ENCRYPT);
 +	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
 	if (ecode)
 		goto error;
@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
 			opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
 			handle);
 -	ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
 -						BT_ATT_PERM_READ_AUTHEN |
 -						BT_ATT_PERM_READ_ENCRYPT);
 +	ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
 	if (ecode)
 		goto error;
@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
 		goto error;
 	}
 -	ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
 -						BT_ATT_PERM_READ_AUTHEN |
 -						BT_ATT_PERM_READ_ENCRYPT);
 +	ecode = check_permissions(data->server, next_attr,
 +						BT_ATT_PERM_READ_MASK);
 	if (ecode)
 		goto error;
@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
 		goto error;
 	}
 -	ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
 -						BT_ATT_PERM_READ_AUTHEN |
 -						BT_ATT_PERM_READ_ENCRYPT);
 +	ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
 	if (ecode)
 		goto error;
@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
 	util_debug(server->debug_callback, server->debug_data,
 				"Prep Write Req - handle: 0x%04x", handle);
 -	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
 -						BT_ATT_PERM_WRITE_AUTHEN |
 -						BT_ATT_PERM_WRITE_ENCRYPT);
 +	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
 	if (ecode)
 		goto error;
 -- 
 2.26.2
--- a/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
+++ b/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
@ -1,34 +1,29 @@
-From 1da4185a89fba1c14032ab87757e5fb798d76bc0 Mon Sep 17 00:00:00 2001
+From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001
 From: Gopal Tiwari <gtiwari@redhat.com>
 Date: Mon, 8 Jun 2020 19:55:39 +0530
 Subject: [PATCH BlueZ 3/4] systemd: Add more filesystem lockdown
 From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 13 Sep 2017 15:37:11 +0200
-
+Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
 systemd: Add more filesystem lockdown
 We can only access the configuration file as read-only and read-write
 to the Bluetooth cache directory and sub-directories.
 ---
- Makefile.am              | 2 ++
+ Makefile.am              | 3 +++
 src/bluetooth.service.in | 4 ++++
- 2 files changed, 6 insertions(+)
+ 2 files changed, 7 insertions(+)
 diff --git a/Makefile.am b/Makefile.am
-index cdd2fd8fb..0af1a8c45 100644
+index ac88c12e0..0a6d09847 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -580,6 +580,8 @@ MAINTAINERCLEANFILES = Makefile.in \
+@@ -617,6 +617,9 @@
 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
 		$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
 +		       -e 's,@libexecdir\@,$(libexecdir),g' \
 +		       -e 's,@statedir\@,$(statedir),g' \
 +		       -e 's,@confdir\@,$(confdir),g' \
 		< $< > $@
- %.service: %.service.in Makefile
+ if RUN_RST2MAN
 diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
 index 7c2f60bb4..4daedef2a 100644
 --- a/src/bluetooth.service.in
@ -45,5 +40,5 @@ index 7c2f60bb4..4daedef2a 100644
 # Privilege escalation
 NoNewPrivileges=true
 -- 
-2.21.1
+2.21.0
--- a/SPECS/bluez.spec
+++ b/SPECS/bluez.spec
@ -1,7 +1,7 @@
 Name:    bluez
 Summary: Bluetooth utilities
-Version: 5.56
+Version: 5.63
-Release: 3%{?dist}
+Release: 1%{?dist}
 License: GPLv2+
 URL:     http://www.bluez.org/
@ -29,9 +29,10 @@ Patch20: 0001-build-Always-define-confdir-and-statedir.patch
 Patch21: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
 Patch22: 0003-systemd-Add-more-filesystem-lockdown.patch
 Patch23: 0004-systemd-More-lockdown.patch
 Patch25: 0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1567622
-Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
+#Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
 #Patch25: 0001-core-Add-AlwaysPairable-to-main.conf.patch 
 #Patch26: 0002-agent-Make-the-first-agent-to-register-the-default.patch 
@ -44,9 +45,9 @@ Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
 #Patch30: 0001-input-hog-Attempt-to-set-security-level-if-not-bonde.patch
 # fixing https://bugzilla.redhat.com/show_bug.cgi?id=1965057
-Patch31: 0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
+#Patch31: 0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
-Patch32: 0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
+#Patch32: 0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
 BuildRequires: git-core
 BuildRequires: dbus-devel >= 1.6
@ -61,6 +62,7 @@ BuildRequires: systemd-devel
 BuildRequires: cups-devel
 # For autoreconf
 BuildRequires: libtool automake autoconf
 BuildRequires: python3-docutils
 Requires: dbus >= 1.6
@ -235,6 +237,7 @@ make check
 %{_bindir}/rctest
 %{_datadir}/zsh/site-functions/_bluetoothctl
 %{_mandir}/man1/btattach.1.gz
 %{_mandir}/man1/btmon.1.*
 %{_mandir}/man1/ciptool.1.gz
 %{_mandir}/man1/hcitool.1.gz
 %{_mandir}/man1/rfcomm.1.gz
@ -280,8 +283,11 @@ make check
 %{_userunitdir}/obex.service
 %changelog
 * Tue May 17 2022 Gopal Tiwari <gtiwari@redhat.com> - 5.63-1
 + bluez-5.63-1
 - Fixing (#)
-* Wed Dec 13 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.56-3
+* Mon Dec 13 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.56-3
 + bluez-5.56-3
 - Fixing (#2027434)
 - Fixing CVE-2021-41229
`@ -1 +1 @@`
	`a862b9ddc039f34f7135bbee3c3e80040e82e046 SOURCES/bluez-5.56.tar.xz`	`c5137186e7cc60652eed44cff0067ef749e49eff SOURCES/bluez-5.63.tar.xz`
`@ -1 +1 @@`
	`SOURCES/bluez-5.56.tar.xz`	`SOURCES/bluez-5.63.tar.xz`