import bluez-5.63-1.el8
This commit is contained in:
parent
acd44be24d
commit
e3d62ae80a
@ -1 +1 @@
|
||||
a862b9ddc039f34f7135bbee3c3e80040e82e046 SOURCES/bluez-5.56.tar.xz
|
||||
c5137186e7cc60652eed44cff0067ef749e49eff SOURCES/bluez-5.63.tar.xz
|
||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/bluez-5.56.tar.xz
|
||||
SOURCES/bluez-5.63.tar.xz
|
||||
|
@ -1,51 +0,0 @@
|
||||
From 2c3bba7b38be03834162e34069156f1fd49f0528 Mon Sep 17 00:00:00 2001
|
||||
From: "antoine.belvire@laposte.net" <antoine.belvire@laposte.net>
|
||||
Date: Tue, 27 Mar 2018 20:30:26 +0200
|
||||
Subject: [PATCH] adapter: Don't refresh adv_manager for non-LE devices
|
||||
|
||||
btd_adv_manager_refresh is called upon MGMT_SETTING_DISCOVERABLE setting change
|
||||
but as only LE adapters have an adv_manager, this leads to segmentation fault
|
||||
for non-LE devices:
|
||||
|
||||
0 btd_adv_manager_refresh (manager=0x0) at src/advertising.c:1176
|
||||
1 0x0000556fe45fcb02 in settings_changed (settings=<optimized out>,
|
||||
adapter=0x556fe53f7c70) at src/adapter.c:543
|
||||
2 new_settings_callback (index=<optimized out>, length=<optimized out>,
|
||||
param=<optimized out>, user_data=0x556fe53f7c70) at src/adapter.c:573
|
||||
3 0x0000556fe462c278 in request_complete (mgmt=mgmt@entry=0x556fe53f20c0,
|
||||
status=<optimized out>, opcode=opcode@entry=7, index=index@entry=0,
|
||||
length=length@entry=4, param=0x556fe53eb5f9) at src/shared/mgmt.c:261
|
||||
4 0x0000556fe462cd9d in can_read_data (io=<optimized out>,
|
||||
user_data=0x556fe53f20c0) at src/shared/mgmt.c:353
|
||||
5 0x0000556fe46396e3 in watch_callback (channel=<optimized out>,
|
||||
cond=<optimized out>, user_data=<optimized out>)
|
||||
at src/shared/io-glib.c:170
|
||||
6 0x00007fe351c980e5 in g_main_context_dispatch ()
|
||||
from /usr/lib64/libglib-2.0.so.0
|
||||
7 0x00007fe351c984b0 in ?? () from /usr/lib64/libglib-2.0.so.0
|
||||
8 0x00007fe351c987c2 in g_main_loop_run () from /usr/lib64/libglib-2.0.so.0
|
||||
9 0x0000556fe45abc75 in main (argc=<optimized out>, argv=<optimized out>)
|
||||
at src/main.c:770
|
||||
|
||||
This commit prevents the call to btd_adv_manager_refresh for non-LE devices.
|
||||
---
|
||||
src/adapter.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/adapter.c b/src/adapter.c
|
||||
index 6b9222bcf..daccfdc19 100644
|
||||
--- a/src/adapter.c
|
||||
+++ b/src/adapter.c
|
||||
@@ -540,7 +540,8 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
|
||||
g_dbus_emit_property_changed(dbus_conn, adapter->path,
|
||||
ADAPTER_INTERFACE, "Discoverable");
|
||||
store_adapter_info(adapter);
|
||||
- btd_adv_manager_refresh(adapter->adv_manager);
|
||||
+ if (adapter->supported_settings & MGMT_SETTING_LE)
|
||||
+ btd_adv_manager_refresh(adapter->adv_manager);
|
||||
}
|
||||
|
||||
if (changed_mask & MGMT_SETTING_BONDABLE) {
|
||||
--
|
||||
2.17.0
|
||||
|
@ -1,25 +1,19 @@
|
||||
From 5a62336f4da3a2d1a1ab38d03980d57844bce147 Mon Sep 17 00:00:00 2001
|
||||
From: Gopal Tiwari <gtiwari@redhat.com>
|
||||
Date: Mon, 8 Jun 2020 20:56:46 +0530
|
||||
Subject: [PATCH BlueZ 1/4] build: Always define confdir and statedir
|
||||
|
||||
From 69d2e7bebb79f500179298c6c51fafbc217df6c8 Mon Sep 17 00:00:00 2001
|
||||
From 5744f79d84ecee3929a682166034c5bbc36c0ef5 Mon Sep 17 00:00:00 2001
|
||||
From: Bastien Nocera <hadess@hadess.net>
|
||||
Date: Wed, 20 Sep 2017 12:49:10 +0200
|
||||
|
||||
build: Always define confdir and statedir
|
||||
Subject: [PATCH 1/4] build: Always define confdir and statedir
|
||||
|
||||
As we will need those paths to lock down on them.
|
||||
---
|
||||
Makefile.am | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
Makefile.am | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 84c9712c9..6e77ed91e 100644
|
||||
index 9d25a815b..ac88c12e0 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -31,14 +31,15 @@ pkginclude_HEADERS =
|
||||
AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
|
||||
@@ -28,14 +28,14 @@
|
||||
$(LIBEDATASERVER_CFLAGS) $(ell_cflags)
|
||||
AM_LDFLAGS = $(MISC_LDFLAGS)
|
||||
|
||||
+confdir = $(sysconfdir)/bluetooth
|
||||
@ -31,11 +25,11 @@ index 84c9712c9..6e77ed91e 100644
|
||||
|
||||
-confdir = $(sysconfdir)/bluetooth
|
||||
conf_DATA =
|
||||
|
||||
-
|
||||
-statedir = $(localstatedir)/lib/bluetooth
|
||||
state_DATA =
|
||||
endif
|
||||
|
||||
--
|
||||
2.21.1
|
||||
2.21.0
|
||||
|
||||
|
@ -0,0 +1,36 @@
|
||||
From 4c3eedcb96bd4795dd5c25c688005fc12f364aeb Mon Sep 17 00:00:00 2001
|
||||
From: Gopal Tiwari <gtiwari@redhat.com>
|
||||
Date: Wed, 20 Apr 2022 12:19:05 +0530
|
||||
Subject: [PATCH BlueZ] gdbus: Emit InterfacesAdded of parents objects first
|
||||
|
||||
This makes InterfacesAdded respect the object hierarchy in case its
|
||||
parent has pending interfaces to be added.
|
||||
|
||||
Fixes: #272
|
||||
Fixes: #284
|
||||
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1534857
|
||||
Fixes: https://bugs.archlinux.org/task/57464
|
||||
---
|
||||
gdbus/object.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/gdbus/object.c b/gdbus/object.c
|
||||
index 50a8b4ff1..f7c8c2be5 100644
|
||||
--- a/gdbus/object.c
|
||||
+++ b/gdbus/object.c
|
||||
@@ -551,6 +551,12 @@ static void emit_interfaces_added(struct generic_data *data)
|
||||
if (root == NULL || data == root)
|
||||
return;
|
||||
|
||||
+ /* Emit InterfacesAdded on the parent first so it appears first on the
|
||||
+ * bus as child objects may point to it.
|
||||
+ */
|
||||
+ if (data->parent && data->parent->added)
|
||||
+ emit_interfaces_added(data->parent);
|
||||
+
|
||||
signal = dbus_message_new_signal(root->path,
|
||||
DBUS_INTERFACE_OBJECT_MANAGER,
|
||||
"InterfacesAdded");
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,468 +0,0 @@
|
||||
From 4e6a2402ed4f46ea026ad0929fbc14faecf3a475 Mon Sep 17 00:00:00 2001
|
||||
From: Gopal Tiwari <gtiwari@redhat.com>
|
||||
Date: Wed, 1 Dec 2021 12:18:24 +0530
|
||||
Subject: [PATCH BlueZ] sdpd: Fix leaking buffers stored in cstates cache
|
||||
|
||||
commit e79417ed7185b150a056d4eb3a1ab528b91d2fc0
|
||||
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||||
Date: Thu Jul 15 11:01:20 2021 -0700
|
||||
|
||||
sdpd: Fix leaking buffers stored in cstates cache
|
||||
|
||||
These buffer shall only be keep in cache for as long as they are
|
||||
needed so this would cleanup any client cstates in the following
|
||||
conditions:
|
||||
|
||||
- There is no cstate on the response
|
||||
- No continuation can be found for cstate
|
||||
- Different request opcode
|
||||
- Respond with an error
|
||||
- Client disconnect
|
||||
|
||||
Fixes: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq
|
||||
---
|
||||
src/sdpd-request.c | 170 ++++++++++++++++++++++++++++++++-------------
|
||||
src/sdpd-server.c | 20 +++---
|
||||
src/sdpd.h | 3 +
|
||||
unit/test-sdp.c | 2 +-
|
||||
4 files changed, 135 insertions(+), 60 deletions(-)
|
||||
|
||||
diff --git a/src/sdpd-request.c b/src/sdpd-request.c
|
||||
index 033d1e5bf..c8f5a2c72 100644
|
||||
--- a/src/sdpd-request.c
|
||||
+++ b/src/sdpd-request.c
|
||||
@@ -42,48 +42,78 @@ typedef struct {
|
||||
|
||||
#define MIN(x, y) ((x) < (y)) ? (x): (y)
|
||||
|
||||
-typedef struct _sdp_cstate_list sdp_cstate_list_t;
|
||||
+typedef struct sdp_cont_info sdp_cont_info_t;
|
||||
|
||||
-struct _sdp_cstate_list {
|
||||
- sdp_cstate_list_t *next;
|
||||
+struct sdp_cont_info {
|
||||
+ int sock;
|
||||
+ uint8_t opcode;
|
||||
uint32_t timestamp;
|
||||
sdp_buf_t buf;
|
||||
};
|
||||
|
||||
-static sdp_cstate_list_t *cstates;
|
||||
+static sdp_list_t *cstates;
|
||||
|
||||
-/* FIXME: should probably remove it when it's found */
|
||||
-static sdp_buf_t *sdp_get_cached_rsp(sdp_cont_state_t *cstate)
|
||||
+static int cstate_match(const void *data, const void *user_data)
|
||||
{
|
||||
- sdp_cstate_list_t *p;
|
||||
+ const sdp_cont_info_t *cinfo = data;
|
||||
+ const sdp_cont_state_t *cstate = user_data;
|
||||
|
||||
- for (p = cstates; p; p = p->next) {
|
||||
- /* Check timestamp */
|
||||
- if (p->timestamp != cstate->timestamp)
|
||||
- continue;
|
||||
+ /* Check timestamp */
|
||||
+ return cinfo->timestamp - cstate->timestamp;
|
||||
+}
|
||||
+
|
||||
+static void sdp_cont_info_free(sdp_cont_info_t *cinfo)
|
||||
+{
|
||||
+ if (!cinfo)
|
||||
+ return;
|
||||
+
|
||||
+ cstates = sdp_list_remove(cstates, cinfo);
|
||||
+ free(cinfo->buf.data);
|
||||
+ free(cinfo);
|
||||
+}
|
||||
+
|
||||
+static sdp_cont_info_t *sdp_get_cont_info(sdp_req_t *req,
|
||||
+ sdp_cont_state_t *cstate)
|
||||
+{
|
||||
+ sdp_list_t *list;
|
||||
+
|
||||
+ list = sdp_list_find(cstates, cstate, cstate_match);
|
||||
+ if (list) {
|
||||
+ sdp_cont_info_t *cinfo = list->data;
|
||||
|
||||
- /* Check if requesting more than available */
|
||||
- if (cstate->cStateValue.maxBytesSent < p->buf.data_size)
|
||||
- return &p->buf;
|
||||
+ if (cinfo->opcode == req->opcode)
|
||||
+ return cinfo;
|
||||
+
|
||||
+ /* Cleanup continuation if the opcode doesn't match since its
|
||||
+ * response buffer shall only be valid for the original requests
|
||||
+ */
|
||||
+ sdp_cont_info_free(cinfo);
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
- return 0;
|
||||
+ /* Cleanup cstates if no continuation info could be found */
|
||||
+ sdp_cstate_cleanup(req->sock);
|
||||
+
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
-static uint32_t sdp_cstate_alloc_buf(sdp_buf_t *buf)
|
||||
+static uint32_t sdp_cstate_alloc_buf(sdp_req_t *req, sdp_buf_t *buf)
|
||||
{
|
||||
- sdp_cstate_list_t *cstate = malloc(sizeof(sdp_cstate_list_t));
|
||||
+ sdp_cont_info_t *cinfo = malloc(sizeof(sdp_cont_info_t));
|
||||
uint8_t *data = malloc(buf->data_size);
|
||||
|
||||
memcpy(data, buf->data, buf->data_size);
|
||||
- memset((char *)cstate, 0, sizeof(sdp_cstate_list_t));
|
||||
- cstate->buf.data = data;
|
||||
- cstate->buf.data_size = buf->data_size;
|
||||
- cstate->buf.buf_size = buf->data_size;
|
||||
- cstate->timestamp = sdp_get_time();
|
||||
- cstate->next = cstates;
|
||||
- cstates = cstate;
|
||||
- return cstate->timestamp;
|
||||
+ memset(cinfo, 0, sizeof(sdp_cont_info_t));
|
||||
+ cinfo->buf.data = data;
|
||||
+ cinfo->buf.data_size = buf->data_size;
|
||||
+ cinfo->buf.buf_size = buf->data_size;
|
||||
+ cinfo->timestamp = sdp_get_time();
|
||||
+ cinfo->sock = req->sock;
|
||||
+ cinfo->opcode = req->opcode;
|
||||
+
|
||||
+ cstates = sdp_list_append(cstates, cinfo);
|
||||
+
|
||||
+ return cinfo->timestamp;
|
||||
}
|
||||
|
||||
/* Additional values for checking datatype (not in spec) */
|
||||
@@ -274,14 +304,16 @@ static int sdp_set_cstate_pdu(sdp_buf_t *buf, sdp_cont_state_t *cstate)
|
||||
return length;
|
||||
}
|
||||
|
||||
-static int sdp_cstate_get(uint8_t *buffer, size_t len,
|
||||
- sdp_cont_state_t **cstate)
|
||||
+static int sdp_cstate_get(sdp_req_t *req, uint8_t *buffer, size_t len,
|
||||
+ sdp_cont_state_t **cstate, sdp_cont_info_t **cinfo)
|
||||
{
|
||||
uint8_t cStateSize = *buffer;
|
||||
|
||||
SDPDBG("Continuation State size : %d", cStateSize);
|
||||
|
||||
if (cStateSize == 0) {
|
||||
+ /* Cleanup cstates if request doesn't contain a cstate */
|
||||
+ sdp_cstate_cleanup(req->sock);
|
||||
*cstate = NULL;
|
||||
return 0;
|
||||
}
|
||||
@@ -306,6 +338,8 @@ static int sdp_cstate_get(uint8_t *buffer, size_t len,
|
||||
SDPDBG("Cstate TS : 0x%x", (*cstate)->timestamp);
|
||||
SDPDBG("Bytes sent : %d", (*cstate)->cStateValue.maxBytesSent);
|
||||
|
||||
+ *cinfo = sdp_get_cont_info(req, *cstate);
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -360,6 +394,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
uint16_t expected, actual, rsp_count = 0;
|
||||
uint8_t dtd;
|
||||
sdp_cont_state_t *cstate = NULL;
|
||||
+ sdp_cont_info_t *cinfo = NULL;
|
||||
uint8_t *pCacheBuffer = NULL;
|
||||
int handleSize = 0;
|
||||
uint32_t cStateId = 0;
|
||||
@@ -399,9 +434,9 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
|
||||
/*
|
||||
* Check if continuation state exists, if yes attempt
|
||||
- * to get rsp remainder from cache, else send error
|
||||
+ * to get rsp remainder from continuation info, else send error
|
||||
*/
|
||||
- if (sdp_cstate_get(pdata, data_left, &cstate) < 0) {
|
||||
+ if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) {
|
||||
status = SDP_INVALID_SYNTAX;
|
||||
goto done;
|
||||
}
|
||||
@@ -451,7 +486,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
|
||||
if (rsp_count > actual) {
|
||||
/* cache the rsp and generate a continuation state */
|
||||
- cStateId = sdp_cstate_alloc_buf(buf);
|
||||
+ cStateId = sdp_cstate_alloc_buf(req, buf);
|
||||
/*
|
||||
* subtract handleSize since we now send only
|
||||
* a subset of handles
|
||||
@@ -459,6 +494,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
buf->data_size -= handleSize;
|
||||
} else {
|
||||
/* NULL continuation state */
|
||||
+ sdp_cont_info_free(cinfo);
|
||||
sdp_set_cstate_pdu(buf, NULL);
|
||||
}
|
||||
}
|
||||
@@ -468,13 +504,15 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
short lastIndex = 0;
|
||||
|
||||
if (cstate) {
|
||||
- /*
|
||||
- * Get the previous sdp_cont_state_t and obtain
|
||||
- * the cached rsp
|
||||
- */
|
||||
- sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
|
||||
- if (pCache) {
|
||||
- pCacheBuffer = pCache->data;
|
||||
+ if (cinfo) {
|
||||
+ /* Check if requesting more than available */
|
||||
+ if (cstate->cStateValue.maxBytesSent >=
|
||||
+ cinfo->buf.data_size) {
|
||||
+ status = SDP_INVALID_CSTATE;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ pCacheBuffer = cinfo->buf.data;
|
||||
/* get the rsp_count from the cached buffer */
|
||||
rsp_count = get_be16(pCacheBuffer);
|
||||
|
||||
@@ -518,6 +556,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
if (i == rsp_count) {
|
||||
/* set "null" continuationState */
|
||||
sdp_set_cstate_pdu(buf, NULL);
|
||||
+ sdp_cont_info_free(cinfo);
|
||||
} else {
|
||||
/*
|
||||
* there's more: set lastIndexSent to
|
||||
@@ -540,6 +579,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
|
||||
done:
|
||||
free(cstate);
|
||||
+
|
||||
if (pattern)
|
||||
sdp_list_free(pattern, free);
|
||||
|
||||
@@ -619,15 +659,21 @@ static int extract_attrs(sdp_record_t *rec, sdp_list_t *seq, sdp_buf_t *buf)
|
||||
}
|
||||
|
||||
/* Build cstate response */
|
||||
-static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf,
|
||||
- uint16_t max)
|
||||
+static int sdp_cstate_rsp(sdp_cont_info_t *cinfo, sdp_cont_state_t *cstate,
|
||||
+ sdp_buf_t *buf, uint16_t max)
|
||||
{
|
||||
- /* continuation State exists -> get from cache */
|
||||
- sdp_buf_t *cache = sdp_get_cached_rsp(cstate);
|
||||
+ sdp_buf_t *cache;
|
||||
uint16_t sent;
|
||||
|
||||
- if (!cache)
|
||||
+ if (!cinfo)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (cstate->cStateValue.maxBytesSent >= cinfo->buf.data_size) {
|
||||
+ sdp_cont_info_free(cinfo);
|
||||
return 0;
|
||||
+ }
|
||||
+
|
||||
+ cache = &cinfo->buf;
|
||||
|
||||
sent = MIN(max, cache->data_size - cstate->cStateValue.maxBytesSent);
|
||||
memcpy(buf->data, cache->data + cstate->cStateValue.maxBytesSent, sent);
|
||||
@@ -637,8 +683,10 @@ static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf,
|
||||
SDPDBG("Response size : %d sending now : %d bytes sent so far : %d",
|
||||
cache->data_size, sent, cstate->cStateValue.maxBytesSent);
|
||||
|
||||
- if (cstate->cStateValue.maxBytesSent == cache->data_size)
|
||||
+ if (cstate->cStateValue.maxBytesSent == cache->data_size) {
|
||||
+ sdp_cont_info_free(cinfo);
|
||||
return sdp_set_cstate_pdu(buf, NULL);
|
||||
+ }
|
||||
|
||||
return sdp_set_cstate_pdu(buf, cstate);
|
||||
}
|
||||
@@ -652,6 +700,7 @@ static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf,
|
||||
static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
{
|
||||
sdp_cont_state_t *cstate = NULL;
|
||||
+ sdp_cont_info_t *cinfo = NULL;
|
||||
short cstate_size = 0;
|
||||
sdp_list_t *seq = NULL;
|
||||
uint8_t dtd = 0;
|
||||
@@ -708,7 +757,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
* if continuation state exists, attempt
|
||||
* to get rsp remainder from cache, else send error
|
||||
*/
|
||||
- if (sdp_cstate_get(pdata, data_left, &cstate) < 0) {
|
||||
+ if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) {
|
||||
status = SDP_INVALID_SYNTAX;
|
||||
goto done;
|
||||
}
|
||||
@@ -737,7 +786,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
buf->buf_size -= sizeof(uint16_t);
|
||||
|
||||
if (cstate) {
|
||||
- cstate_size = sdp_cstate_rsp(cstate, buf, max_rsp_size);
|
||||
+ cstate_size = sdp_cstate_rsp(cinfo, cstate, buf, max_rsp_size);
|
||||
if (!cstate_size) {
|
||||
status = SDP_INVALID_CSTATE;
|
||||
error("NULL cache buffer and non-NULL continuation state");
|
||||
@@ -749,7 +798,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
sdp_cont_state_t newState;
|
||||
|
||||
memset((char *)&newState, 0, sizeof(sdp_cont_state_t));
|
||||
- newState.timestamp = sdp_cstate_alloc_buf(buf);
|
||||
+ newState.timestamp = sdp_cstate_alloc_buf(req, buf);
|
||||
/*
|
||||
* Reset the buffer size to the maximum expected and
|
||||
* set the sdp_cont_state_t
|
||||
@@ -793,6 +842,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
int scanned, rsp_count = 0;
|
||||
sdp_list_t *pattern = NULL, *seq = NULL, *svcList;
|
||||
sdp_cont_state_t *cstate = NULL;
|
||||
+ sdp_cont_info_t *cinfo = NULL;
|
||||
short cstate_size = 0;
|
||||
uint8_t dtd = 0;
|
||||
sdp_buf_t tmpbuf;
|
||||
@@ -852,7 +902,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
* if continuation state exists attempt
|
||||
* to get rsp remainder from cache, else send error
|
||||
*/
|
||||
- if (sdp_cstate_get(pdata, data_left, &cstate) < 0) {
|
||||
+ if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) {
|
||||
status = SDP_INVALID_SYNTAX;
|
||||
goto done;
|
||||
}
|
||||
@@ -906,7 +956,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
sdp_cont_state_t newState;
|
||||
|
||||
memset((char *)&newState, 0, sizeof(sdp_cont_state_t));
|
||||
- newState.timestamp = sdp_cstate_alloc_buf(buf);
|
||||
+ newState.timestamp = sdp_cstate_alloc_buf(req, buf);
|
||||
/*
|
||||
* Reset the buffer size to the maximum expected and
|
||||
* set the sdp_cont_state_t
|
||||
@@ -917,7 +967,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
|
||||
} else
|
||||
cstate_size = sdp_set_cstate_pdu(buf, NULL);
|
||||
} else {
|
||||
- cstate_size = sdp_cstate_rsp(cstate, buf, max);
|
||||
+ cstate_size = sdp_cstate_rsp(cinfo, cstate, buf, max);
|
||||
if (!cstate_size) {
|
||||
status = SDP_INVALID_CSTATE;
|
||||
SDPDBG("Non-null continuation state, but null cache buffer");
|
||||
@@ -974,6 +1024,9 @@ static void process_request(sdp_req_t *req)
|
||||
status = SDP_INVALID_PDU_SIZE;
|
||||
goto send_rsp;
|
||||
}
|
||||
+
|
||||
+ req->opcode = reqhdr->pdu_id;
|
||||
+
|
||||
switch (reqhdr->pdu_id) {
|
||||
case SDP_SVC_SEARCH_REQ:
|
||||
SDPDBG("Got a svc srch req");
|
||||
@@ -1020,6 +1073,8 @@ static void process_request(sdp_req_t *req)
|
||||
|
||||
send_rsp:
|
||||
if (status) {
|
||||
+ /* Cleanup cstates on error */
|
||||
+ sdp_cstate_cleanup(req->sock);
|
||||
rsphdr->pdu_id = SDP_ERROR_RSP;
|
||||
put_be16(status, rsp.data);
|
||||
rsp.data_size = sizeof(uint16_t);
|
||||
@@ -1108,3 +1163,20 @@ void handle_request(int sk, uint8_t *data, int len)
|
||||
|
||||
process_request(&req);
|
||||
}
|
||||
+
|
||||
+void sdp_cstate_cleanup(int sock)
|
||||
+{
|
||||
+ sdp_list_t *list;
|
||||
+
|
||||
+ /* Remove any cinfo for the client */
|
||||
+ for (list = cstates; list;) {
|
||||
+ sdp_cont_info_t *cinfo = list->data;
|
||||
+
|
||||
+ list = list->next;
|
||||
+
|
||||
+ if (cinfo->sock != sock)
|
||||
+ continue;
|
||||
+
|
||||
+ sdp_cont_info_free(cinfo);
|
||||
+ }
|
||||
+}
|
||||
diff --git a/src/sdpd-server.c b/src/sdpd-server.c
|
||||
index dfd8b1f00..66ee7ba14 100644
|
||||
--- a/src/sdpd-server.c
|
||||
+++ b/src/sdpd-server.c
|
||||
@@ -146,16 +146,12 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d
|
||||
|
||||
sk = g_io_channel_unix_get_fd(chan);
|
||||
|
||||
- if (cond & (G_IO_HUP | G_IO_ERR)) {
|
||||
- sdp_svcdb_collect_all(sk);
|
||||
- return FALSE;
|
||||
- }
|
||||
+ if (cond & (G_IO_HUP | G_IO_ERR))
|
||||
+ goto cleanup;
|
||||
|
||||
len = recv(sk, &hdr, sizeof(sdp_pdu_hdr_t), MSG_PEEK);
|
||||
- if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t)) {
|
||||
- sdp_svcdb_collect_all(sk);
|
||||
- return FALSE;
|
||||
- }
|
||||
+ if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t))
|
||||
+ goto cleanup;
|
||||
|
||||
size = sizeof(sdp_pdu_hdr_t) + ntohs(hdr.plen);
|
||||
buf = malloc(size);
|
||||
@@ -168,14 +164,18 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d
|
||||
* inside handle_request() in order to produce ErrorResponse.
|
||||
*/
|
||||
if (len <= 0) {
|
||||
- sdp_svcdb_collect_all(sk);
|
||||
free(buf);
|
||||
- return FALSE;
|
||||
+ goto cleanup;
|
||||
}
|
||||
|
||||
handle_request(sk, buf, len);
|
||||
|
||||
return TRUE;
|
||||
+
|
||||
+cleanup:
|
||||
+ sdp_svcdb_collect_all(sk);
|
||||
+ sdp_cstate_cleanup(sk);
|
||||
+ return FALSE;
|
||||
}
|
||||
|
||||
static gboolean io_accept_event(GIOChannel *chan, GIOCondition cond, gpointer data)
|
||||
diff --git a/src/sdpd.h b/src/sdpd.h
|
||||
index 257411f03..4316aff67 100644
|
||||
--- a/src/sdpd.h
|
||||
+++ b/src/sdpd.h
|
||||
@@ -27,8 +27,11 @@ typedef struct request {
|
||||
int flags;
|
||||
uint8_t *buf;
|
||||
int len;
|
||||
+ uint8_t opcode;
|
||||
} sdp_req_t;
|
||||
|
||||
+void sdp_cstate_cleanup(int sock);
|
||||
+
|
||||
void handle_internal_request(int sk, int mtu, void *data, int len);
|
||||
void handle_request(int sk, uint8_t *data, int len);
|
||||
|
||||
diff --git a/unit/test-sdp.c b/unit/test-sdp.c
|
||||
index d3a885f19..8f95fcb71 100644
|
||||
--- a/unit/test-sdp.c
|
||||
+++ b/unit/test-sdp.c
|
||||
@@ -235,7 +235,7 @@ static gboolean client_handler(GIOChannel *channel, GIOCondition cond,
|
||||
tester_monitor('>', 0x0000, 0x0001, buf, len);
|
||||
|
||||
g_assert(len > 0);
|
||||
- g_assert((size_t) len == rsp_pdu->raw_size + rsp_pdu->cont_len);
|
||||
+ g_assert_cmpuint(len, ==, rsp_pdu->raw_size + rsp_pdu->cont_len);
|
||||
|
||||
g_assert(memcmp(buf, rsp_pdu->raw_data, rsp_pdu->raw_size) == 0);
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,115 +0,0 @@
|
||||
From d22177efb6f17ed281013cdfa4976d218718d5b6 Mon Sep 17 00:00:00 2001
|
||||
From: Gopal Tiwari <gtiwari@redhat.com>
|
||||
Date: Mon, 31 May 2021 12:29:01 +0530
|
||||
Subject: [PATCH BlueZ] shared/gatt-server: Fix not properly checking for
|
||||
secure flags
|
||||
|
||||
commit ef7316b34cf3a568694bdb0e4e83af17804dff9e (HEAD)
|
||||
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||||
Date: Tue Mar 2 11:38:33 2021 -0800
|
||||
|
||||
shared/gatt-server: Fix not properly checking for secure flags
|
||||
|
||||
When passing the mask to check_permissions all valid permissions for
|
||||
the operation must be set including BT_ATT_PERM_SECURE flags.
|
||||
|
||||
(cherry picked from commit 00da0fb4972cf59e1c075f313da81ea549cb8738)
|
||||
Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
|
||||
---
|
||||
src/shared/att-types.h | 8 ++++++++
|
||||
src/shared/gatt-server.c | 25 +++++++------------------
|
||||
2 files changed, 15 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/src/shared/att-types.h b/src/shared/att-types.h
|
||||
index 7108b4e94..3adc05d9e 100644
|
||||
--- a/src/shared/att-types.h
|
||||
+++ b/src/shared/att-types.h
|
||||
@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
|
||||
#define BT_ATT_PERM_WRITE_SECURE 0x0200
|
||||
#define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \
|
||||
BT_ATT_PERM_WRITE_SECURE)
|
||||
+#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ | \
|
||||
+ BT_ATT_PERM_READ_AUTHEN | \
|
||||
+ BT_ATT_PERM_READ_ENCRYPT | \
|
||||
+ BT_ATT_PERM_READ_SECURE)
|
||||
+#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE | \
|
||||
+ BT_ATT_PERM_WRITE_AUTHEN | \
|
||||
+ BT_ATT_PERM_WRITE_ENCRYPT | \
|
||||
+ BT_ATT_PERM_WRITE_SECURE)
|
||||
|
||||
/* GATT Characteristic Properties Bitfield values */
|
||||
#define BT_GATT_CHRC_PROP_BROADCAST 0x01
|
||||
diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
|
||||
index b5f7de7dc..970c35f94 100644
|
||||
--- a/src/shared/gatt-server.c
|
||||
+++ b/src/shared/gatt-server.c
|
||||
@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
|
||||
return;
|
||||
}
|
||||
|
||||
- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
|
||||
- BT_ATT_PERM_READ_AUTHEN |
|
||||
- BT_ATT_PERM_READ_ENCRYPT);
|
||||
+ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
|
||||
if (ecode)
|
||||
goto error;
|
||||
|
||||
@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
|
||||
(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
|
||||
handle);
|
||||
|
||||
- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
|
||||
- BT_ATT_PERM_WRITE_AUTHEN |
|
||||
- BT_ATT_PERM_WRITE_ENCRYPT);
|
||||
+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
|
||||
if (ecode)
|
||||
goto error;
|
||||
|
||||
@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
|
||||
opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
|
||||
handle);
|
||||
|
||||
- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
|
||||
- BT_ATT_PERM_READ_AUTHEN |
|
||||
- BT_ATT_PERM_READ_ENCRYPT);
|
||||
+ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
|
||||
if (ecode)
|
||||
goto error;
|
||||
|
||||
@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
|
||||
goto error;
|
||||
}
|
||||
|
||||
- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
|
||||
- BT_ATT_PERM_READ_AUTHEN |
|
||||
- BT_ATT_PERM_READ_ENCRYPT);
|
||||
+ ecode = check_permissions(data->server, next_attr,
|
||||
+ BT_ATT_PERM_READ_MASK);
|
||||
if (ecode)
|
||||
goto error;
|
||||
|
||||
@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
|
||||
goto error;
|
||||
}
|
||||
|
||||
- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
|
||||
- BT_ATT_PERM_READ_AUTHEN |
|
||||
- BT_ATT_PERM_READ_ENCRYPT);
|
||||
+ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
|
||||
if (ecode)
|
||||
goto error;
|
||||
|
||||
@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
|
||||
util_debug(server->debug_callback, server->debug_data,
|
||||
"Prep Write Req - handle: 0x%04x", handle);
|
||||
|
||||
- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
|
||||
- BT_ATT_PERM_WRITE_AUTHEN |
|
||||
- BT_ATT_PERM_WRITE_ENCRYPT);
|
||||
+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
|
||||
if (ecode)
|
||||
goto error;
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,34 +1,29 @@
|
||||
From 1da4185a89fba1c14032ab87757e5fb798d76bc0 Mon Sep 17 00:00:00 2001
|
||||
From: Gopal Tiwari <gtiwari@redhat.com>
|
||||
Date: Mon, 8 Jun 2020 19:55:39 +0530
|
||||
Subject: [PATCH BlueZ 3/4] systemd: Add more filesystem lockdown
|
||||
|
||||
From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001
|
||||
From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001
|
||||
From: Bastien Nocera <hadess@hadess.net>
|
||||
Date: Wed, 13 Sep 2017 15:37:11 +0200
|
||||
|
||||
systemd: Add more filesystem lockdown
|
||||
Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
|
||||
|
||||
We can only access the configuration file as read-only and read-write
|
||||
to the Bluetooth cache directory and sub-directories.
|
||||
---
|
||||
Makefile.am | 2 ++
|
||||
Makefile.am | 3 +++
|
||||
src/bluetooth.service.in | 4 ++++
|
||||
2 files changed, 6 insertions(+)
|
||||
2 files changed, 7 insertions(+)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index cdd2fd8fb..0af1a8c45 100644
|
||||
index ac88c12e0..0a6d09847 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -580,6 +580,8 @@ MAINTAINERCLEANFILES = Makefile.in \
|
||||
@@ -617,6 +617,9 @@
|
||||
|
||||
SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
|
||||
$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
|
||||
+ -e 's,@libexecdir\@,$(libexecdir),g' \
|
||||
+ -e 's,@statedir\@,$(statedir),g' \
|
||||
+ -e 's,@confdir\@,$(confdir),g' \
|
||||
< $< > $@
|
||||
|
||||
%.service: %.service.in Makefile
|
||||
if RUN_RST2MAN
|
||||
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
|
||||
index 7c2f60bb4..4daedef2a 100644
|
||||
--- a/src/bluetooth.service.in
|
||||
@ -45,5 +40,5 @@ index 7c2f60bb4..4daedef2a 100644
|
||||
# Privilege escalation
|
||||
NoNewPrivileges=true
|
||||
--
|
||||
2.21.1
|
||||
2.21.0
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
Name: bluez
|
||||
Summary: Bluetooth utilities
|
||||
Version: 5.56
|
||||
Release: 3%{?dist}
|
||||
Version: 5.63
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2+
|
||||
URL: http://www.bluez.org/
|
||||
|
||||
@ -29,9 +29,10 @@ Patch20: 0001-build-Always-define-confdir-and-statedir.patch
|
||||
Patch21: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
|
||||
Patch22: 0003-systemd-Add-more-filesystem-lockdown.patch
|
||||
Patch23: 0004-systemd-More-lockdown.patch
|
||||
Patch25: 0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1567622
|
||||
Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
|
||||
#Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
|
||||
|
||||
#Patch25: 0001-core-Add-AlwaysPairable-to-main.conf.patch
|
||||
#Patch26: 0002-agent-Make-the-first-agent-to-register-the-default.patch
|
||||
@ -44,9 +45,9 @@ Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
|
||||
#Patch30: 0001-input-hog-Attempt-to-set-security-level-if-not-bonde.patch
|
||||
|
||||
# fixing https://bugzilla.redhat.com/show_bug.cgi?id=1965057
|
||||
Patch31: 0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
|
||||
#Patch31: 0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
|
||||
|
||||
Patch32: 0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
|
||||
#Patch32: 0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
|
||||
|
||||
BuildRequires: git-core
|
||||
BuildRequires: dbus-devel >= 1.6
|
||||
@ -61,6 +62,7 @@ BuildRequires: systemd-devel
|
||||
BuildRequires: cups-devel
|
||||
# For autoreconf
|
||||
BuildRequires: libtool automake autoconf
|
||||
BuildRequires: python3-docutils
|
||||
|
||||
Requires: dbus >= 1.6
|
||||
|
||||
@ -235,6 +237,7 @@ make check
|
||||
%{_bindir}/rctest
|
||||
%{_datadir}/zsh/site-functions/_bluetoothctl
|
||||
%{_mandir}/man1/btattach.1.gz
|
||||
%{_mandir}/man1/btmon.1.*
|
||||
%{_mandir}/man1/ciptool.1.gz
|
||||
%{_mandir}/man1/hcitool.1.gz
|
||||
%{_mandir}/man1/rfcomm.1.gz
|
||||
@ -280,8 +283,11 @@ make check
|
||||
%{_userunitdir}/obex.service
|
||||
|
||||
%changelog
|
||||
* Tue May 17 2022 Gopal Tiwari <gtiwari@redhat.com> - 5.63-1
|
||||
+ bluez-5.63-1
|
||||
- Fixing (#)
|
||||
|
||||
* Wed Dec 13 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.56-3
|
||||
* Mon Dec 13 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.56-3
|
||||
+ bluez-5.56-3
|
||||
- Fixing (#2027434)
|
||||
- Fixing CVE-2021-41229
|
||||
|
Loading…
Reference in New Issue
Block a user