diff mbox series

[BlueZ,v2] profiles/avdtp: Fix reply for bad media transport format

Message ID 20250326090712.171313-1-frederic.danis@collabora.com
State New
Headers show
Series [BlueZ,v2] profiles/avdtp: Fix reply for bad media transport format | expand

Commit Message

Frédéric Danis March 26, 2025, 9:07 a.m. UTC 
Currently the avdtp_setconf_cmd() fails to check the capability length
of the Media Transport Service Category, which should be 0, because
caps_to_list() doesn't add it to the list of services as it should
be bigger than packet boundary.

This commit adds an &err parameter to caps_to_list() and set the error
to AVDTP_BAD_MEDIA_TRANSPORT_FORMAT if Media Transport capability as
invalid length.

This is required for passing AVDTP/SNK/ACP/TRA/BTR/BI-01-C PTS test
case:
To verify that the IUT (ACP) is able to issue a set configuration
reject response to the INT if the format of the media transport is
incorrect.
---
v1 -> v2: Pass the &err as parameter to caps_to_list instead of
          fabricating the capability

 profiles/audio/avdtp.c | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)

Comments

bluez.test.bot@gmail.com March 26, 2025, 10:11 a.m. UTC | #1 
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=947397

---Test result---

Test Summary:
CheckPatch                    PENDING   0.28 seconds
GitLint                       PENDING   0.30 seconds
BuildEll                      PASS      20.47 seconds
BluezMake                     PASS      1487.29 seconds
MakeCheck                     PASS      12.99 seconds
MakeDistcheck                 PASS      158.22 seconds
CheckValgrind                 PASS      214.27 seconds
CheckSmatch                   PASS      284.62 seconds
bluezmakeextell               PASS      98.90 seconds
IncrementalBuild              PENDING   0.32 seconds
ScanBuild                     PASS      868.30 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth
patchwork-bot+bluetooth@kernel.org March 26, 2025, 3:10 p.m. UTC | #2 
Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed, 26 Mar 2025 10:07:11 +0100 you wrote:
> Currently the avdtp_setconf_cmd() fails to check the capability length
> of the Media Transport Service Category, which should be 0, because
> caps_to_list() doesn't add it to the list of services as it should
> be bigger than packet boundary.
> 
> This commit adds an &err parameter to caps_to_list() and set the error
> to AVDTP_BAD_MEDIA_TRANSPORT_FORMAT if Media Transport capability as
> invalid length.
> 
> [...]

Here is the summary with links:
  - [BlueZ,v2] profiles/avdtp: Fix reply for bad media transport format
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=f2120e3ded06

You are awesome, thank you!
diff mbox series

Patch

diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 80fbe847e..dd8458f20 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -1312,7 +1312,8 @@  struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session,
 
 static GSList *caps_to_list(uint8_t *data, size_t size,
 				struct avdtp_service_capability **codec,
-				gboolean *delay_reporting)
+				gboolean *delay_reporting,
+				uint8_t *err)
 {
 	struct avdtp_service_capability *cap;
 	GSList *caps;
@@ -1328,6 +1329,17 @@  static GSList *caps_to_list(uint8_t *data, size_t size,
 
 		cap = (struct avdtp_service_capability *)data;
 
+		/* Verify that the Media Transport capability's length = 0.
+		 * Reject otherwise
+		 */
+		if (cap->category == AVDTP_MEDIA_TRANSPORT &&
+					cap->length != 0) {
+			error("Invalid media transport in getcap resp");
+			if (err)
+				*err = AVDTP_BAD_MEDIA_TRANSPORT_FORMAT;
+			break;
+		}
+
 		if (sizeof(*cap) + cap->length > size) {
 			error("Invalid capability data in getcap resp");
 			break;
@@ -1494,9 +1506,8 @@  static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
 	struct conf_rej rej;
 	struct avdtp_local_sep *sep;
 	struct avdtp_stream *stream;
-	uint8_t err, category = 0x00;
+	uint8_t err = 0, category = 0x00;
 	struct btd_service *service;
-	GSList *l;
 
 	if (size < sizeof(struct setconf_req)) {
 		error("Too short getcap request");
@@ -1552,7 +1563,10 @@  static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
 	stream->caps = caps_to_list(req->caps,
 					size - sizeof(struct setconf_req),
 					&stream->codec,
-					&stream->delay_reporting);
+					&stream->delay_reporting,
+					&err);
+	if (err)
+		goto failed_stream;
 
 	if (!stream->caps || !stream->codec) {
 		err = AVDTP_UNSUPPORTED_CONFIGURATION;
@@ -1560,16 +1574,6 @@  static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
 		goto failed_stream;
 	}
 
-	/* Verify that the Media Transport capability's length = 0. Reject otherwise */
-	for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
-		struct avdtp_service_capability *cap = l->data;
-
-		if (cap->category == AVDTP_MEDIA_TRANSPORT && cap->length != 0) {
-			err = AVDTP_BAD_MEDIA_TRANSPORT_FORMAT;
-			goto failed_stream;
-		}
-	}
-
 	if (stream->delay_reporting && session->version < 0x0103)
 		session->version = 0x0103;
 
@@ -2827,7 +2831,8 @@  static gboolean avdtp_get_capabilities_resp(struct avdtp *session,
 	}
 
 	sep->caps = caps_to_list(resp->caps, size - sizeof(struct getcap_resp),
-					&sep->codec, &sep->delay_reporting);
+					&sep->codec, &sep->delay_reporting,
+					NULL);
 
 	return TRUE;
 }