Upgrade to 5.72

Resolves: rhbz#1938686.
2024-02-28 01:16:20 +00:00 · 2022-06-09 14:24:04 +05:30
12 changed files with 182 additions and 729 deletions
--- a/.bluez.metadata
+++ b/.bluez.metadata
@ -0,0 +1,2 @@
 4d8fb1328e15df4021329d3eb6329b64777badaa bluez-5.64.tar.xz
 6c73541f2cd27543b66741d16d520970d8877940 bluez-5.72.tar.xz
--- a/0001-Add-missing-mesh-gatt-JSON-files.patch
+++ b/0001-Add-missing-mesh-gatt-JSON-files.patch
@ -0,0 +1,125 @@
 From 669de134aa19fbd6b7ac59575446a064bbf27565 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 14 Feb 2024 16:51:14 +0100
 Subject: [PATCH] Add missing mesh-gatt JSON files
 ---
 tools/mesh-gatt/local_node.json | 61 +++++++++++++++++++++++++++++++++
 tools/mesh-gatt/prov_db.json    | 37 ++++++++++++++++++++
 2 files changed, 98 insertions(+)
 create mode 100644 tools/mesh-gatt/local_node.json
 create mode 100644 tools/mesh-gatt/prov_db.json
 diff --git a/tools/mesh-gatt/local_node.json b/tools/mesh-gatt/local_node.json
 new file mode 100644
 index 000000000000..5ffa7ada1f65
 --- /dev/null
 +++ b/tools/mesh-gatt/local_node.json
@@ -0,0 +1,61 @@
 +{
 +  "$schema":"file:\/\/\/BlueZ\/Mesh\/local_schema\/mesh.jsonschema",
 +  "meshName":"BT Mesh",
 +  "netKeys":[
 +    {
 +      "index": 0,
 +      "keyRefresh": 0
 +    }
 +  ],
 +  "appKeys":[
 +    {
 +      "index": 0,
 +      "boundNetKey": 0
 +    },
 +    {
 +      "index": 1,
 +      "boundNetKey": 0
 +    }
 +  ],
 +"node": {
 +	"IVindex":"00000005",
 +	"IVupdate":"0",
 +	"sequenceNumber": 0,
 +    "composition": {
 +        "cid": "0002",
 +        "pid": "0010",
 +        "vid": "0001",
 +        "crpl": "000a",
 +        "features": {
 +            "relay": false,
 +            "proxy": true,
 +            "friend": false,
 +            "lowPower": false
 +        },
 +        "elements": [
 +            {
 +                "elementIndex": 0,
 +                "location": "0001",
 +                "models": ["0000", "0001", "1001"]
 +            }
 +        ]
 +    },
 +    "configuration":{
 +        "netKeys": [0],
 +        "appKeys": [ 0, 1],
 +        "defaultTTL": 10,
 +        "elements": [
 +          {
 +            "elementIndex": 0,
 +            "unicastAddress":"0077",
 +            "models": [
 +               {
 +                 "modelId": "1001",
 +                 "bind": [1]
 +                }
 +            ]
 +          }
 +        ]
 +    }
 +  }
 +}
 diff --git a/tools/mesh-gatt/prov_db.json b/tools/mesh-gatt/prov_db.json
 new file mode 100644
 index 000000000000..74a03128d4d5
 --- /dev/null
 +++ b/tools/mesh-gatt/prov_db.json
@@ -0,0 +1,37 @@
 +{
 +  "$schema":"file:\/\/\/BlueZ\/Mesh\/schema\/mesh.jsonschema",
 +  "meshName":"BT Mesh",
 +  "IVindex":5,
 +  "IVupdate":0,
 +  "netKeys":[
 +    {
 +      "index":0,
 +      "keyRefresh":0,
 +      "key":"18eed9c2a56add85049ffc3c59ad0e12"
 +    }
 +  ],
 +  "appKeys":[
 +    {
 +      "index":0,
 +      "boundNetKey":0,
 +      "key":"4f68ad85d9f48ac8589df665b6b49b8a"
 +    },
 +    {
 +      "index":1,
 +      "boundNetKey":0,
 +      "key":"2aa2a6ded5a0798ceab5787ca3ae39fc"
 +    }
 +  ],
 +  "provisioners":[
 +    {
 +      "provisionerName":"BT Mesh Provisioner",
 +      "unicastAddress":"0077",
 +      "allocatedUnicastRange":[
 +        {
 +          "lowAddress":"0100",
 +          "highAddress":"7fff"
 +        }
 +      ]
 +    }
 +  ],
 +}
 -- 
 2.43.0
--- a/0001-build-Always-define-confdir-and-statedir.patch
+++ b/0001-build-Always-define-confdir-and-statedir.patch
@ -1,35 +0,0 @@
 From 5744f79d84ecee3929a682166034c5bbc36c0ef5 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 20 Sep 2017 12:49:10 +0200
 Subject: [PATCH 1/4] build: Always define confdir and statedir
 As we will need those paths to lock down on them.
 ---
 Makefile.am | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/Makefile.am b/Makefile.am
 index 9d25a815b..ac88c12e0 100644
 --- a/Makefile.am
 +++ b/Makefile.am
@@ -31,14 +31,14 @@ pkginclude_HEADERS =
 AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
 AM_LDFLAGS = $(MISC_LDFLAGS)
 +confdir = $(sysconfdir)/bluetooth
 +statedir = $(localstatedir)/lib/bluetooth
 +
 if DATAFILES
 dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
 dbus_DATA = src/bluetooth.conf
 -confdir = $(sysconfdir)/bluetooth
 conf_DATA =
 -
 -statedir = $(localstatedir)/lib/bluetooth
 state_DATA =
 endif
 -- 
 2.21.0
--- a/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
+++ b/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
@ -1,19 +1,29 @@
-From 90b72b787a6ae6b9b0bf8ece238e108e8607a433 Mon Sep 17 00:00:00 2001
+From 873e49357081e5c5d8d3d23759f1723db7292bf6 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
-Date: Sat, 9 Nov 2013 18:13:43 +0100
+Date: Mon, 12 Feb 2024 20:02:45 +0000
-Subject: [PATCH 1/2] obex: Use GLib helper function to manipulate paths
+Subject: [PATCH] obex: Use GLib helper function to manipulate paths
 Instead of trying to do it by hand. This also makes sure that
 relative paths aren't used by the agent.
 [Emil Velikov]
 Originally this patch was posted in 2013, but deferred since bluez was
 planning to move away from glib. Presently there's no obvious action
 towards that goal, so I think we can safely land this.
 As mentioned by the author, current code allows for relative paths and
 considering that obexd service runs without meaningful sandboxing and on
 some distributions it is ran as root, we should plug the whole before
 anyone (ab)uses it.
 ---
- obexd/src/manager.c | 10 +++++-----
+ obexd/src/manager.c | 15 +++++----------
- 1 file changed, 5 insertions(+), 5 deletions(-)
+ 1 file changed, 5 insertions(+), 10 deletions(-)
 diff --git a/obexd/src/manager.c b/obexd/src/manager.c
-index f84384ae4..285c07c37 100644
+index 73fd6b9aff15..cc1de7ae2ed3 100644
 --- a/obexd/src/manager.c
 +++ b/obexd/src/manager.c
-@@ -650,14 +650,14 @@ static void agent_reply(DBusPendingCall *call, void *user_data)
+@@ -644,18 +644,13 @@ static void agent_reply(DBusPendingCall *call, void *user_data)
 				DBUS_TYPE_STRING, &name,
 				DBUS_TYPE_INVALID)) {
 		/* Splits folder and name */
@ -22,17 +32,21 @@ index f84384ae4..285c07c37 100644
 		DBG("Agent replied with %s", name);
 -		if (!slash) {
 -			agent->new_name = g_strdup(name);
-+		if (is_relative) {
+		agent->new_name = g_path_get_basename(name);
-+			agent->new_name = g_path_get_basename(name);
+		if (is_relative)
 			agent->new_folder = NULL;
- 		} else {
+-		} else {
-			agent->new_name = g_strdup(slash + 1);
+-			if (strlen(slash) == 1)
 -				agent->new_name = NULL;
 -			else
 -				agent->new_name = g_strdup(slash + 1);
 -			agent->new_folder = g_strndup(name, slash - name);
-+			agent->new_name = g_path_get_basename(name);
+-		}
 +		else
 +			agent->new_folder = g_path_get_dirname(name);
 		}
 	}
 	dbus_message_unref(reply);
 -- 
-2.14.1
+2.43.0
--- a/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
+++ b/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
@ -1,468 +0,0 @@
 From 4e6a2402ed4f46ea026ad0929fbc14faecf3a475 Mon Sep 17 00:00:00 2001
 From: Gopal Tiwari <gtiwari@redhat.com>
 Date: Wed, 1 Dec 2021 12:18:24 +0530
 Subject: [PATCH BlueZ] sdpd: Fix leaking buffers stored in cstates cache
 commit e79417ed7185b150a056d4eb3a1ab528b91d2fc0
 Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
 Date:   Thu Jul 15 11:01:20 2021 -0700
    sdpd: Fix leaking buffers stored in cstates cache
    These buffer shall only be keep in cache for as long as they are
    needed so this would cleanup any client cstates in the following
    conditions:
     - There is no cstate on the response
     - No continuation can be found for cstate
     - Different request opcode
     - Respond with an error
     - Client disconnect
    Fixes: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq
 ---
 src/sdpd-request.c | 170 ++++++++++++++++++++++++++++++++-------------
 src/sdpd-server.c  |  20 +++---
 src/sdpd.h         |   3 +
 unit/test-sdp.c    |   2 +-
 4 files changed, 135 insertions(+), 60 deletions(-)
 diff --git a/src/sdpd-request.c b/src/sdpd-request.c
 index 033d1e5bf..c8f5a2c72 100644
 --- a/src/sdpd-request.c
 +++ b/src/sdpd-request.c
@@ -42,48 +42,78 @@ typedef struct {
 #define MIN(x, y) ((x) < (y)) ? (x): (y)
 -typedef struct _sdp_cstate_list sdp_cstate_list_t;
 +typedef struct sdp_cont_info sdp_cont_info_t;
 -struct _sdp_cstate_list {
 -	sdp_cstate_list_t *next;
 +struct sdp_cont_info {
 +	int sock;
 +	uint8_t opcode;
 	uint32_t timestamp;
 	sdp_buf_t buf;
 };
 -static sdp_cstate_list_t *cstates;
 +static sdp_list_t *cstates;
 -/* FIXME: should probably remove it when it's found */
 -static sdp_buf_t *sdp_get_cached_rsp(sdp_cont_state_t *cstate)
 +static int cstate_match(const void *data, const void *user_data)
 {
 -	sdp_cstate_list_t *p;
 +	const sdp_cont_info_t *cinfo = data;
 +	const sdp_cont_state_t *cstate = user_data;
 -	for (p = cstates; p; p = p->next) {
 -		/* Check timestamp */
 -		if (p->timestamp != cstate->timestamp)
 -			continue;
 +	/* Check timestamp */
 +	return cinfo->timestamp - cstate->timestamp;
 +}
 +
 +static void sdp_cont_info_free(sdp_cont_info_t *cinfo)
 +{
 +	if (!cinfo)
 +		return;
 +
 +	cstates = sdp_list_remove(cstates, cinfo);
 +	free(cinfo->buf.data);
 +	free(cinfo);
 +}
 +
 +static sdp_cont_info_t *sdp_get_cont_info(sdp_req_t *req,
 +						sdp_cont_state_t *cstate)
 +{
 +	sdp_list_t *list;
 +
 +	list = sdp_list_find(cstates, cstate, cstate_match);
 +	if (list) {
 +		sdp_cont_info_t *cinfo = list->data;
 -		/* Check if requesting more than available */
 -		if (cstate->cStateValue.maxBytesSent < p->buf.data_size)
 -			return &p->buf;
 +		if (cinfo->opcode == req->opcode)
 +			return cinfo;
 +
 +		/* Cleanup continuation if the opcode doesn't match since its
 +		 * response buffer shall only be valid for the original requests
 +		 */
 +		sdp_cont_info_free(cinfo);
 +		return NULL;
 	}
 -	return 0;
 +	/* Cleanup cstates if no continuation info could be found */
 +	sdp_cstate_cleanup(req->sock);
 +
 +	return NULL;
 }
 -static uint32_t sdp_cstate_alloc_buf(sdp_buf_t *buf)
 +static uint32_t sdp_cstate_alloc_buf(sdp_req_t *req, sdp_buf_t *buf)
 {
 -	sdp_cstate_list_t *cstate = malloc(sizeof(sdp_cstate_list_t));
 +	sdp_cont_info_t *cinfo = malloc(sizeof(sdp_cont_info_t));
 	uint8_t *data = malloc(buf->data_size);
 	memcpy(data, buf->data, buf->data_size);
 -	memset((char *)cstate, 0, sizeof(sdp_cstate_list_t));
 -	cstate->buf.data = data;
 -	cstate->buf.data_size = buf->data_size;
 -	cstate->buf.buf_size = buf->data_size;
 -	cstate->timestamp = sdp_get_time();
 -	cstate->next = cstates;
 -	cstates = cstate;
 -	return cstate->timestamp;
 +	memset(cinfo, 0, sizeof(sdp_cont_info_t));
 +	cinfo->buf.data = data;
 +	cinfo->buf.data_size = buf->data_size;
 +	cinfo->buf.buf_size = buf->data_size;
 +	cinfo->timestamp = sdp_get_time();
 +	cinfo->sock = req->sock;
 +	cinfo->opcode = req->opcode;
 +
 +	cstates = sdp_list_append(cstates, cinfo);
 +
 +	return cinfo->timestamp;
 }
 /* Additional values for checking datatype (not in spec) */
@@ -274,14 +304,16 @@ static int sdp_set_cstate_pdu(sdp_buf_t *buf, sdp_cont_state_t *cstate)
 	return length;
 }
 -static int sdp_cstate_get(uint8_t *buffer, size_t len,
 -						sdp_cont_state_t **cstate)
 +static int sdp_cstate_get(sdp_req_t *req, uint8_t *buffer, size_t len,
 +			sdp_cont_state_t **cstate, sdp_cont_info_t **cinfo)
 {
 	uint8_t cStateSize = *buffer;
 	SDPDBG("Continuation State size : %d", cStateSize);
 	if (cStateSize == 0) {
 +		/* Cleanup cstates if request doesn't contain a cstate */
 +		sdp_cstate_cleanup(req->sock);
 		*cstate = NULL;
 		return 0;
 	}
@@ -306,6 +338,8 @@ static int sdp_cstate_get(uint8_t *buffer, size_t len,
 	SDPDBG("Cstate TS : 0x%x", (*cstate)->timestamp);
 	SDPDBG("Bytes sent : %d", (*cstate)->cStateValue.maxBytesSent);
 +	*cinfo = sdp_get_cont_info(req, *cstate);
 +
 	return 0;
 }
@@ -360,6 +394,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 	uint16_t expected, actual, rsp_count = 0;
 	uint8_t dtd;
 	sdp_cont_state_t *cstate = NULL;
 +	sdp_cont_info_t *cinfo = NULL;
 	uint8_t *pCacheBuffer = NULL;
 	int handleSize = 0;
 	uint32_t cStateId = 0;
@@ -399,9 +434,9 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 	/*
 	 * Check if continuation state exists, if yes attempt
 -	 * to get rsp remainder from cache, else send error
 +	 * to get rsp remainder from continuation info, else send error
 	 */
 -	if (sdp_cstate_get(pdata, data_left, &cstate) < 0) {
 +	if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) {
 		status = SDP_INVALID_SYNTAX;
 		goto done;
 	}
@@ -451,7 +486,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 		if (rsp_count > actual) {
 			/* cache the rsp and generate a continuation state */
 -			cStateId = sdp_cstate_alloc_buf(buf);
 +			cStateId = sdp_cstate_alloc_buf(req, buf);
 			/*
 			 * subtract handleSize since we now send only
 			 * a subset of handles
@@ -459,6 +494,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 			buf->data_size -= handleSize;
 		} else {
 			/* NULL continuation state */
 +			sdp_cont_info_free(cinfo);
 			sdp_set_cstate_pdu(buf, NULL);
 		}
 	}
@@ -468,13 +504,15 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 		short lastIndex = 0;
 		if (cstate) {
 -			/*
 -			 * Get the previous sdp_cont_state_t and obtain
 -			 * the cached rsp
 -			 */
 -			sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
 -			if (pCache) {
 -				pCacheBuffer = pCache->data;
 +			if (cinfo) {
 +				/* Check if requesting more than available */
 +				if (cstate->cStateValue.maxBytesSent >=
 +						cinfo->buf.data_size) {
 +					status = SDP_INVALID_CSTATE;
 +					goto done;
 +				}
 +
 +				pCacheBuffer = cinfo->buf.data;
 				/* get the rsp_count from the cached buffer */
 				rsp_count = get_be16(pCacheBuffer);
@@ -518,6 +556,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 		if (i == rsp_count) {
 			/* set "null" continuationState */
 			sdp_set_cstate_pdu(buf, NULL);
 +			sdp_cont_info_free(cinfo);
 		} else {
 			/*
 			 * there's more: set lastIndexSent to
@@ -540,6 +579,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
 done:
 	free(cstate);
 +
 	if (pattern)
 		sdp_list_free(pattern, free);
@@ -619,15 +659,21 @@ static int extract_attrs(sdp_record_t *rec, sdp_list_t *seq, sdp_buf_t *buf)
 }
 /* Build cstate response */
 -static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf,
 -							uint16_t max)
 +static int sdp_cstate_rsp(sdp_cont_info_t *cinfo, sdp_cont_state_t *cstate,
 +					sdp_buf_t *buf, uint16_t max)
 {
 -	/* continuation State exists -> get from cache */
 -	sdp_buf_t *cache = sdp_get_cached_rsp(cstate);
 +	sdp_buf_t *cache;
 	uint16_t sent;
 -	if (!cache)
 +	if (!cinfo)
 +		return 0;
 +
 +	if (cstate->cStateValue.maxBytesSent >= cinfo->buf.data_size) {
 +		sdp_cont_info_free(cinfo);
 		return 0;
 +	}
 +
 +	cache = &cinfo->buf;
 	sent = MIN(max, cache->data_size - cstate->cStateValue.maxBytesSent);
 	memcpy(buf->data, cache->data + cstate->cStateValue.maxBytesSent, sent);
@@ -637,8 +683,10 @@ static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf,
 	SDPDBG("Response size : %d sending now : %d bytes sent so far : %d",
 		cache->data_size, sent, cstate->cStateValue.maxBytesSent);
 -	if (cstate->cStateValue.maxBytesSent == cache->data_size)
 +	if (cstate->cStateValue.maxBytesSent == cache->data_size) {
 +		sdp_cont_info_free(cinfo);
 		return sdp_set_cstate_pdu(buf, NULL);
 +	}
 	return sdp_set_cstate_pdu(buf, cstate);
 }
@@ -652,6 +700,7 @@ static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf,
 static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 {
 	sdp_cont_state_t *cstate = NULL;
 +	sdp_cont_info_t *cinfo = NULL;
 	short cstate_size = 0;
 	sdp_list_t *seq = NULL;
 	uint8_t dtd = 0;
@@ -708,7 +757,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 	 * if continuation state exists, attempt
 	 * to get rsp remainder from cache, else send error
 	 */
 -	if (sdp_cstate_get(pdata, data_left, &cstate) < 0) {
 +	if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) {
 		status = SDP_INVALID_SYNTAX;
 		goto done;
 	}
@@ -737,7 +786,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 	buf->buf_size -= sizeof(uint16_t);
 	if (cstate) {
 -		cstate_size = sdp_cstate_rsp(cstate, buf, max_rsp_size);
 +		cstate_size = sdp_cstate_rsp(cinfo, cstate, buf, max_rsp_size);
 		if (!cstate_size) {
 			status = SDP_INVALID_CSTATE;
 			error("NULL cache buffer and non-NULL continuation state");
@@ -749,7 +798,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 			sdp_cont_state_t newState;
 			memset((char *)&newState, 0, sizeof(sdp_cont_state_t));
 -			newState.timestamp = sdp_cstate_alloc_buf(buf);
 +			newState.timestamp = sdp_cstate_alloc_buf(req, buf);
 			/*
 			 * Reset the buffer size to the maximum expected and
 			 * set the sdp_cont_state_t
@@ -793,6 +842,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 	int scanned, rsp_count = 0;
 	sdp_list_t *pattern = NULL, *seq = NULL, *svcList;
 	sdp_cont_state_t *cstate = NULL;
 +	sdp_cont_info_t *cinfo = NULL;
 	short cstate_size = 0;
 	uint8_t dtd = 0;
 	sdp_buf_t tmpbuf;
@@ -852,7 +902,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 	 * if continuation state exists attempt
 	 * to get rsp remainder from cache, else send error
 	 */
 -	if (sdp_cstate_get(pdata, data_left, &cstate) < 0) {
 +	if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) {
 		status = SDP_INVALID_SYNTAX;
 		goto done;
 	}
@@ -906,7 +956,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 			sdp_cont_state_t newState;
 			memset((char *)&newState, 0, sizeof(sdp_cont_state_t));
 -			newState.timestamp = sdp_cstate_alloc_buf(buf);
 +			newState.timestamp = sdp_cstate_alloc_buf(req, buf);
 			/*
 			 * Reset the buffer size to the maximum expected and
 			 * set the sdp_cont_state_t
@@ -917,7 +967,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 		} else
 			cstate_size = sdp_set_cstate_pdu(buf, NULL);
 	} else {
 -		cstate_size = sdp_cstate_rsp(cstate, buf, max);
 +		cstate_size = sdp_cstate_rsp(cinfo, cstate, buf, max);
 		if (!cstate_size) {
 			status = SDP_INVALID_CSTATE;
 			SDPDBG("Non-null continuation state, but null cache buffer");
@@ -974,6 +1024,9 @@ static void process_request(sdp_req_t *req)
 		status = SDP_INVALID_PDU_SIZE;
 		goto send_rsp;
 	}
 +
 +	req->opcode = reqhdr->pdu_id;
 +
 	switch (reqhdr->pdu_id) {
 	case SDP_SVC_SEARCH_REQ:
 		SDPDBG("Got a svc srch req");
@@ -1020,6 +1073,8 @@ static void process_request(sdp_req_t *req)
 send_rsp:
 	if (status) {
 +		/* Cleanup cstates on error */
 +		sdp_cstate_cleanup(req->sock);
 		rsphdr->pdu_id = SDP_ERROR_RSP;
 		put_be16(status, rsp.data);
 		rsp.data_size = sizeof(uint16_t);
@@ -1108,3 +1163,20 @@ void handle_request(int sk, uint8_t *data, int len)
 	process_request(&req);
 }
 +
 +void sdp_cstate_cleanup(int sock)
 +{
 +	sdp_list_t *list;
 +
 +	/* Remove any cinfo for the client */
 +	for (list = cstates; list;) {
 +		sdp_cont_info_t *cinfo = list->data;
 +
 +		list = list->next;
 +
 +		if (cinfo->sock != sock)
 +			continue;
 +
 +		sdp_cont_info_free(cinfo);
 +	}
 +}
 diff --git a/src/sdpd-server.c b/src/sdpd-server.c
 index dfd8b1f00..66ee7ba14 100644
 --- a/src/sdpd-server.c
 +++ b/src/sdpd-server.c
@@ -146,16 +146,12 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d
 	sk = g_io_channel_unix_get_fd(chan);
 -	if (cond & (G_IO_HUP | G_IO_ERR)) {
 -		sdp_svcdb_collect_all(sk);
 -		return FALSE;
 -	}
 +	if (cond & (G_IO_HUP | G_IO_ERR))
 +		goto cleanup;
 	len = recv(sk, &hdr, sizeof(sdp_pdu_hdr_t), MSG_PEEK);
 -	if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t)) {
 -		sdp_svcdb_collect_all(sk);
 -		return FALSE;
 -	}
 +	if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t))
 +		goto cleanup;
 	size = sizeof(sdp_pdu_hdr_t) + ntohs(hdr.plen);
 	buf = malloc(size);
@@ -168,14 +164,18 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d
 	 * inside handle_request() in order to produce ErrorResponse.
 	 */
 	if (len <= 0) {
 -		sdp_svcdb_collect_all(sk);
 		free(buf);
 -		return FALSE;
 +		goto cleanup;
 	}
 	handle_request(sk, buf, len);
 	return TRUE;
 +
 +cleanup:
 +	sdp_svcdb_collect_all(sk);
 +	sdp_cstate_cleanup(sk);
 +	return FALSE;
 }
 static gboolean io_accept_event(GIOChannel *chan, GIOCondition cond, gpointer data)
 diff --git a/src/sdpd.h b/src/sdpd.h
 index 257411f03..4316aff67 100644
 --- a/src/sdpd.h
 +++ b/src/sdpd.h
@@ -27,8 +27,11 @@ typedef struct request {
 	int      flags;
 	uint8_t  *buf;
 	int      len;
 +	uint8_t  opcode;
 } sdp_req_t;
 +void sdp_cstate_cleanup(int sock);
 +
 void handle_internal_request(int sk, int mtu, void *data, int len);
 void handle_request(int sk, uint8_t *data, int len);
 diff --git a/unit/test-sdp.c b/unit/test-sdp.c
 index d3a885f19..8f95fcb71 100644
 --- a/unit/test-sdp.c
 +++ b/unit/test-sdp.c
@@ -235,7 +235,7 @@ static gboolean client_handler(GIOChannel *channel, GIOCondition cond,
 	tester_monitor('>', 0x0000, 0x0001, buf, len);
 	g_assert(len > 0);
 -	g_assert((size_t) len == rsp_pdu->raw_size + rsp_pdu->cont_len);
 +	g_assert_cmpuint(len, ==, rsp_pdu->raw_size + rsp_pdu->cont_len);
 	g_assert(memcmp(buf, rsp_pdu->raw_data,	rsp_pdu->raw_size) == 0);
 -- 
 2.26.2
--- a/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
+++ b/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
@ -1,38 +0,0 @@
 From 36a44fc05feebe1aab16c33a1121f952986b2801 Mon Sep 17 00:00:00 2001
 From: Craig Andrews <candrews@integralblue.com>
 Date: Wed, 13 Sep 2017 15:23:09 +0200
 Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
 PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
 namespace. This is useful to secure access to temporary files of the
 process.
 NoNewPrivileges ensures that service process and all its children
 can never gain new privileges through execve(), lowering the risk of
 possible privilege escalations.
 ---
 src/bluetooth.service.in | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
 index f9faaa452..7c2f60bb4 100644
 --- a/src/bluetooth.service.in
 +++ b/src/bluetooth.service.in
@@ -12,8 +12,14 @@ NotifyAccess=main
 #Restart=on-failure
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 LimitNPROC=1
 +
 +# Filesystem lockdown
 ProtectHome=true
 ProtectSystem=full
 +PrivateTmp=true
 +
 +# Privilege escalation
 +NoNewPrivileges=true
 [Install]
 WantedBy=bluetooth.target
 -- 
 2.21.0
--- a/0003-systemd-Add-more-filesystem-lockdown.patch
+++ b/0003-systemd-Add-more-filesystem-lockdown.patch
@ -1,44 +0,0 @@
 From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 13 Sep 2017 15:37:11 +0200
 Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
 We can only access the configuration file as read-only and read-write
 to the Bluetooth cache directory and sub-directories.
 ---
 Makefile.am              | 3 +++
 src/bluetooth.service.in | 4 ++++
 2 files changed, 7 insertions(+)
 diff --git a/Makefile.am b/Makefile.am
 index ac88c12e0..0a6d09847 100644
 --- a/Makefile.am
 +++ b/Makefile.am
@@ -562,6 +562,9 @@ MAINTAINERCLEANFILES = Makefile.in \
 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
 		$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
 +		       -e 's,@libexecdir\@,$(libexecdir),g' \
 +		       -e 's,@statedir\@,$(statedir),g' \
 +		       -e 's,@confdir\@,$(confdir),g' \
 		< $< > $@
 %.service: %.service.in Makefile
 diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
 index 7c2f60bb4..4daedef2a 100644
 --- a/src/bluetooth.service.in
 +++ b/src/bluetooth.service.in
@@ -17,6 +17,10 @@ LimitNPROC=1
 ProtectHome=true
 ProtectSystem=full
 PrivateTmp=true
 +ProtectKernelTunables=true
 +ProtectControlGroups=true
 +ReadWritePaths=@statedir@
 +ReadOnlyPaths=@confdir@
 # Privilege escalation
 NoNewPrivileges=true
 -- 
 2.21.0
--- a/0004-systemd-More-lockdown.patch
+++ b/0004-systemd-More-lockdown.patch
@ -1,34 +0,0 @@
 From a6963e0402695d7b6a89c1b1c75c40dbd8fcde52 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 13 Sep 2017 15:38:26 +0200
 Subject: [PATCH 4/4] systemd: More lockdown
 bluetoothd does not need to execute mapped memory, or real-time
 access, so block those.
 ---
 src/bluetooth.service.in | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
 index 4daedef2a..f18801866 100644
 --- a/src/bluetooth.service.in
 +++ b/src/bluetooth.service.in
@@ -22,9 +22,15 @@ ProtectControlGroups=true
 ReadWritePaths=@statedir@
 ReadOnlyPaths=@confdir@
 +# Execute Mappings
 +MemoryDenyWriteExecute=true
 +
 # Privilege escalation
 NoNewPrivileges=true
 +# Real-time
 +RestrictRealtime=true
 +
 [Install]
 WantedBy=bluetooth.target
 Alias=dbus-org.bluez.service
 -- 
 2.21.0
--- a/0005-media-rename-local-function-conflicting-with-pause-2.patch
+++ b/0005-media-rename-local-function-conflicting-with-pause-2.patch
@ -1,42 +0,0 @@
 From 124dee151746b4a8a2e8a7194af78f2c82f75d79 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
 Date: Wed, 3 Mar 2021 08:57:36 +0100
 Subject: [PATCH] media: rename local function conflicting with pause(2)
 profiles/audio/media.c:1284:13: error: conflicting types for 'pause'; have '_Bool(void *)'
 1284 | static bool pause(void *user_data)
      |             ^~~~~
 In file included from /usr/include/bits/sigstksz.h:24,
                 from /usr/include/signal.h:315,
                 from /usr/include/glib-2.0/glib/gbacktrace.h:36,
                 from /usr/include/glib-2.0/glib.h:34,
                 from profiles/audio/media.c:21:
 /usr/include/unistd.h:478:12: note: previous declaration of 'pause' with type 'int(void)'
  478 | extern int pause (void);
      |            ^~~~~
 ---
 profiles/audio/media.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/profiles/audio/media.c b/profiles/audio/media.c
 index c84bbe22dc..3d8c4b69c3 100644
 --- a/profiles/audio/media.c
 +++ b/profiles/audio/media.c
@@ -1281,7 +1281,7 @@ static bool stop(void *user_data)
 	return media_player_send(mp, "Stop");
 }
 -static bool pause(void *user_data)
 +static bool pause_play(void *user_data)
 {
 	struct media_player *mp = user_data;
@@ -1331,7 +1331,7 @@ static struct avrcp_player_cb player_cb = {
 	.set_volume = set_volume,
 	.play = play,
 	.stop = stop,
 -	.pause = pause,
 +	.pause = pause_play,
 	.next = next,
 	.previous = previous,
 };
--- a/bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch
+++ b/bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch
@ -1,41 +0,0 @@
 From 28ddec8d6b829e002fa268c07b71e4c564ba9e16 Mon Sep 17 00:00:00 2001
 From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
 Date: Thu, 11 Mar 2021 07:36:07 -0800
 Subject: [PATCH] avdtp: Fix removing all remote SEPs when loading from cache
 If avdtp_discover is called after cache has been loaded it end up
 removing all remote SEPs as they have not been discovered yet.
 Fixes: https://github.com/bluez/bluez/issues/102
 ---
 profiles/audio/avdtp.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
 diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
 index 088ca58b3..1d5871c62 100644
 --- a/profiles/audio/avdtp.c
 +++ b/profiles/audio/avdtp.c
@@ -3381,10 +3381,18 @@ int avdtp_discover(struct avdtp *session, avdtp_discover_cb_t cb,
 	session->discover = g_new0(struct discover_callback, 1);
 	if (session->seps) {
 -		session->discover->cb = cb;
 -		session->discover->user_data = user_data;
 -		session->discover->id = g_idle_add(process_discover, session);
 -		return 0;
 +		struct avdtp_remote_sep *sep = session->seps->data;
 +
 +		/* Check that SEP have been discovered as it may be loaded from
 +		 * cache.
 +		 */
 +		if (sep->discovered) {
 +			session->discover->cb = cb;
 +			session->discover->user_data = user_data;
 +			session->discover->id = g_idle_add(process_discover,
 +								session);
 +			return 0;
 +		}
 	}
 	err = send_request(session, FALSE, NULL, AVDTP_DISCOVER, NULL, 0);
--- a/bluez.spec
+++ b/bluez.spec
@ -5,7 +5,7 @@
 %endif
 Name:    bluez
-Version: 5.64
+Version: 5.72
 Release: 1%{?dist}
 Summary: Bluetooth utilities
 License: GPLv2+
@ -16,13 +16,8 @@ Source1: bluez.gitignore
 # https://github.com/hadess/bluez/commits/obex-5.46
 Patch1: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
-# https://github.com/hadess/bluez/commits/systemd-hardening
+# https://patchwork.kernel.org/project/bluetooth/patch/20240214155019.325715-1-hadess@hadess.net/
-#Patch10: 0001-build-Always-define-confdir-and-statedir.patch
+Patch2: 0001-Add-missing-mesh-gatt-JSON-files.patch
 #Patch11: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
 #Patch12: 0003-systemd-Add-more-filesystem-lockdown.patch
 #Patch13: 0004-systemd-More-lockdown.patch
 #Patch14: 0005-media-rename-local-function-conflicting-with-pause-2.patch
 #Patch15: bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch
 BuildRequires: dbus-devel >= 1.6
 BuildRequires: glib2-devel
@ -40,6 +35,7 @@ BuildRequires: cups-devel
 BuildRequires: libtool automake autoconf
 # For man pages
 BuildRequires: python3-docutils
 BuildRequires: python3-pygments
 Requires: dbus >= 1.6
 Requires(post): systemd
@ -149,9 +145,7 @@ Object Exchange daemon for sharing files, contacts etc over bluetooth
 %build
 autoreconf -vif
 %configure --enable-tools --enable-library --disable-optimization \
 %if %{with deprecated}
           --enable-deprecated \
 %endif
           --enable-sixaxis --enable-cups --enable-nfc --enable-mesh \
           --enable-hid2hci --enable-testing \
           --with-systemdsystemunitdir=%{_unitdir} \
@ -166,6 +160,10 @@ autoreconf -vif
 # "make install" fails to install gatttool, necessary for Bluetooth Low Energy
 # Red Hat Bugzilla bug #1141909, Debian bug #720486
 install -m0755 attrib/gatttool $RPM_BUILD_ROOT%{_bindir}
 %else
 for i in ciptool gatttool hciattach hciconfig hcidump hcitool rfcomm sdptool ; do \
 	rm -f $RPM_BUILD_ROOT%{_bindir}/$i $RPM_BUILD_ROOT%{_mandir}/man1/$i*.1* ; \
 done
 %endif
 # "make install" fails to install avinfo
@ -236,7 +234,6 @@ install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
 %doc AUTHORS ChangeLog
 %dir %{_sysconfdir}/bluetooth
 %config %{_sysconfdir}/bluetooth/main.conf
 %config %{_sysconfdir}/dbus-1/system.d/bluetooth.conf
 %{_bindir}/avinfo
 %{_bindir}/bluemoon
 %{_bindir}/bluetoothctl
@ -248,7 +245,10 @@ install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
 %{_bindir}/l2test
 %{_bindir}/mpris-proxy
 %{_bindir}/rctest
 %{_mandir}/man1/bluetoothctl.1.*
 %{_mandir}/man1/bluetoothctl-*.1.*
 %{_mandir}/man1/btattach.1.*
 %{_mandir}/man1/btmgmt.1.*
 %{_mandir}/man1/btmon.1.*
 %{_mandir}/man1/l2ping.1.*
 %{_mandir}/man1/rctest.1.*
@ -258,6 +258,7 @@ install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
 %{_libdir}/bluetooth/
 %{_localstatedir}/lib/bluetooth
 %{_datadir}/dbus-1/system-services/org.bluez.service
 %{_datadir}/dbus-1/system.d/bluetooth.conf
 %{_unitdir}/bluetooth.service
 %{_datadir}/zsh/site-functions/_bluetoothctl
@ -287,8 +288,14 @@ install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
 %files libs-devel
 %doc doc/*txt
 %{_bindir}/isotest
 %{_bindir}/l2test
 %{_bindir}/rctest
 %{_libdir}/libbluetooth.so
 %{_includedir}/bluetooth
 %{_mandir}/man1/isotest.1.*
 %{_mandir}/man1/rctest.1.*
 %{_mandir}/man5/org.bluez.*.5.*
 %{_libdir}/pkgconfig/bluez.pc
 %dir %{_libexecdir}/bluetooth
 %{_libexecdir}/bluetooth/btvirt
@ -304,11 +311,11 @@ install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
 %files mesh
 %doc tools/mesh-gatt/*.json
 %config %{_sysconfdir}/bluetooth/mesh-main.conf
 %config %{_sysconfdir}/dbus-1/system.d/bluetooth-mesh.conf
 %{_bindir}/meshctl
 %{_bindir}/mesh-cfgclient
 %{_bindir}/mesh-cfgtest
 %{_datadir}/dbus-1/system-services/org.bluez.mesh.service
 %{_datadir}/dbus-1/system.d/bluetooth-mesh.conf
 %{_libexecdir}/bluetooth/bluetooth-meshd
 %{_unitdir}/bluetooth-mesh.service
 %{_localstatedir}/lib/bluetooth/mesh
@ -320,10 +327,16 @@ install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
 %{_userunitdir}/obex.service
 %changelog
 * Thu Feb 15 2024 Bastien Nocera <bnocera@redhat.com> - 5.72-1
 - Update to 5.72
 * Thu Jun 9 2022 Gopal Tiwari <gtiwari@redhat.com> - 5.64-2
 - Coverity fixes for bluez.
 * Thu May 5 2022 Gopal Tiwari <gtiwari@redhat.com> - 5.64-1
 - Update to 5.64
-* Fri Dec 16 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.56-8
+* Thu Dec 16 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.56-8
 - Fixing Gating and version
  Related: rhbz#2027435
--- a/1
+++ b/1
@ -1 +1,2 @@
 SHA512 (bluez-5.64.tar.xz) = f11f9974b29c5c6fce3890d7e42425c1cb02e42c1b8f49c5cc4b249234e67b64317d0e5e82721e2fbf1b53269c8569a9c869d59ce42b5e927f6622f0753e53cd
 SHA512 (bluez-5.72.tar.xz) = 1c6560f60ac0654d7c25ed8ab2f0f3a3a9ca8688ee28e1c476ffc7ae38737e739d27bbb88789c86b03fc600a8a68496d90a7b395ec393dd2bbf69be62357991a
Author	SHA1	Message	Date
David Marlin	358da0160e	Upgrade to 5.72	2024-02-28 01:16:20 +00:00
Gopal Tiwari	43f9b44f02	Resolves: rhbz#1938686.	2022-06-09 14:24:04 +05:30
		`@ -0,0 +1,2 @@`
							`4d8fb1328e15df4021329d3eb6329b64777badaa bluez-5.64.tar.xz`
							`6c73541f2cd27543b66741d16d520970d8877940 bluez-5.72.tar.xz`
`@ -1 +1,2 @@`
	`SHA512 (bluez-5.64.tar.xz) = f11f9974b29c5c6fce3890d7e42425c1cb02e42c1b8f49c5cc4b249234e67b64317d0e5e82721e2fbf1b53269c8569a9c869d59ce42b5e927f6622f0753e53cd`	`SHA512 (bluez-5.64.tar.xz) = f11f9974b29c5c6fce3890d7e42425c1cb02e42c1b8f49c5cc4b249234e67b64317d0e5e82721e2fbf1b53269c8569a9c869d59ce42b5e927f6622f0753e53cd`
		`SHA512 (bluez-5.72.tar.xz) = 1c6560f60ac0654d7c25ed8ab2f0f3a3a9ca8688ee28e1c476ffc7ae38737e739d27bbb88789c86b03fc600a8a68496d90a7b395ec393dd2bbf69be62357991a`