From: Xiao Yao <[email protected]>
BLUETOOTH SPECIFICATION Page 61 of 140
Audio/Video Distribution Transport Protocol Specification (V13)
8.4.6 Message integrity verification at receiver side
- The receiver of an AVDTP signaling message shall not interpret corrupted
messages. Those messages are discarded and no signaling message is returned
to the sender if no error code is applicable. Possible corrupted messages
are:
* Response messages where the transaction label cannot match a previous
command sent to the remote device
Consider the following scenario:
btmon log:
... ...
AVDTP: Discover (0x01) Command (0x00) type 0x00 label 5 nosp 0
AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 5 nosp 0
AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 6 nosp 0
AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 6 nosp 0
AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 7 nosp 0
AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 7 nosp 0
< AVDTP: Set Configuration (0x03) Command (0x00) type 0x00 label 8 nosp 0
//Currently, a 'set configuration' message has been received from the
//sender, which contains a transaction label valued at 8. This message
//was then relayed to A2DP backend(PulseAudio/PipeWire) using the dbus
//interface.
---
set_configuration()(media.c)
msg = dbus_message_new_method_call(endpoint->sender, endpoint->path,
MEDIA_ENDPOINT_INTERFACE,
"SetConfiguration");
media_endpoint_async_call()
//dbus send
g_dbus_send_message_with_reply(btd_get_dbus_connection(),
msg, &request->call,
REQUEST_TIMEOUT(3 seconds))
dbus_pending_call_set_notify(request->call, endpoint_reply, request,NULL);
...
> AVDTP: Discover (0x01) Command (0x00) type 0x00 label 0 nosp 0
//At this time, the A2DP reverse discovery issued an A2DP discover command.
< AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 0 nosp 0
//After receiving the discover reply, the session->in.transaction is
//changed to 0
> AVDTP: Set Configuration (0x03) Response Accept (0x02) type 0x00 label 0 nosp 0
//The audio backend reply the dbus message
endpoint_reply (media.c)
setconf_cb (avdtp.c)
//Here avdtp_send sends an incorrect transaction value, causing
//the sender to discard the message. (The correct transaction
//value is 8)
avdtp_send(session, session->in.transaction, AVDTP_MSG_TYPE_ACCEPT,
AVDTP_SET_CONFIGURATION, NULL, 0)
AVDTP: Delay Report (0x0d) Command (0x00) type 0x00 label 1 nosp 0
AVDTP: Delay Report (0x0d) Response Accept (0x02) type 0x00 label 1 nosp 0
AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 2 nosp 0
AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 2 nosp 0
... ...
Therefore, a async_transaction that requires asynchronous return is
recorded to prevent it from being incorrectly modified.
Signed-off-by: Xiao Yao <[email protected]>
---
profiles/audio/avdtp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 10ef380d4..2171e7723 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -286,6 +286,7 @@ struct in_buf {
gboolean active;
int no_of_packets;
uint8_t transaction;
+ uint8_t async_transaction;
uint8_t message_type;
uint8_t signal_id;
uint8_t buf[1024];
@@ -1459,6 +1460,9 @@ static void setconf_cb(struct avdtp *session, struct avdtp_stream *stream,
struct conf_rej rej;
struct avdtp_local_sep *sep;
+ if (session->in.transaction != session->in.async_transaction)
+ session->in.transaction = session->in.async_transaction;
+
if (err != NULL) {
rej.error = AVDTP_UNSUPPORTED_CONFIGURATION;
rej.category = err->err.error_code;
@@ -1569,6 +1573,7 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
session->version = 0x0103;
if (sep->ind && sep->ind->set_configuration) {
+ session->in.async_transaction = transaction;
if (!sep->ind->set_configuration(session, sep, stream,
stream->caps,
setconf_cb,
--
2.34.1
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=813236
---Test result---
Test Summary:
CheckPatch FAIL 0.66 seconds
GitLint FAIL 0.51 seconds
BuildEll PASS 23.65 seconds
BluezMake PASS 713.42 seconds
MakeCheck PASS 11.68 seconds
MakeDistcheck PASS 158.89 seconds
CheckValgrind PASS 221.11 seconds
CheckSmatch PASS 325.32 seconds
bluezmakeextell PASS 105.56 seconds
IncrementalBuild PASS 664.10 seconds
ScanBuild WARNING 919.77 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ,1/1] avdtp: fix incorrect transaction label in setconf phase
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#68:
AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 6 nosp 0
/github/workspace/src/src/13506075.patch total: 0 errors, 1 warnings, 23 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13506075.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[BlueZ,1/1] avdtp: fix incorrect transaction label in setconf phase
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
23: B1 Line exceeds max length (82>80): "AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 6 nosp 0"
25: B1 Line exceeds max length (82>80): "AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 7 nosp 0"
35: B3 Line contains hard tab characters (\t): " MEDIA_ENDPOINT_INTERFACE,"
36: B3 Line contains hard tab characters (\t): " "SetConfiguration");"
37: B3 Line contains hard tab characters (\t): " media_endpoint_async_call()"
38: B3 Line contains hard tab characters (\t): " //dbus send"
39: B3 Line contains hard tab characters (\t): " g_dbus_send_message_with_reply(btd_get_dbus_connection(),"
40: B3 Line contains hard tab characters (\t): " msg, &request->call,"
41: B3 Line contains hard tab characters (\t): " REQUEST_TIMEOUT(3 seconds))"
42: B3 Line contains hard tab characters (\t): " dbus_pending_call_set_notify(request->call, endpoint_reply, request,NULL);"
43: B3 Line contains hard tab characters (\t): " ..."
51: B1 Line exceeds max length (81>80): "> AVDTP: Set Configuration (0x03) Response Accept (0x02) type 0x00 label 0 nosp 0"
56: B3 Line contains hard tab characters (\t): " //the sender to discard the message. (The correct transaction"
57: B3 Line contains hard tab characters (\t): " //value is 8)"
59: B3 Line contains hard tab characters (\t): " AVDTP_SET_CONFIGURATION, NULL, 0)"
64: B1 Line exceeds max length (82>80): "AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 2 nosp 0"
##############################
Test: ScanBuild - WARNING
Desc: Run Scan Build
Output:
profiles/audio/avdtp.c:896:25: warning: Use of memory after it is freed
session->prio_queue = g_slist_remove(session->prio_queue, req);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
profiles/audio/avdtp.c:903:24: warning: Use of memory after it is freed
session->req_queue = g_slist_remove(session->req_queue, req);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
---
Regards,
Linux Bluetooth
Hi,
On Thu, Dec 28, 2023 at 9:07 AM Xiao Yao <[email protected]> wrote:
>
> From: Xiao Yao <[email protected]>
>
> BLUETOOTH SPECIFICATION Page 61 of 140
> Audio/Video Distribution Transport Protocol Specification (V13)
> 8.4.6 Message integrity verification at receiver side
>
> - The receiver of an AVDTP signaling message shall not interpret corrupted
> messages. Those messages are discarded and no signaling message is returned
> to the sender if no error code is applicable. Possible corrupted messages
> are:
>
> * Response messages where the transaction label cannot match a previous
> command sent to the remote device
>
> Consider the following scenario:
> btmon log:
> ... ...
> AVDTP: Discover (0x01) Command (0x00) type 0x00 label 5 nosp 0
> AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 5 nosp 0
> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 6 nosp 0
> AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 6 nosp 0
> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 7 nosp 0
> AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 7 nosp 0
>
> < AVDTP: Set Configuration (0x03) Command (0x00) type 0x00 label 8 nosp 0
> //Currently, a 'set configuration' message has been received from the
> //sender, which contains a transaction label valued at 8. This message
> //was then relayed to A2DP backend(PulseAudio/PipeWire) using the dbus
> //interface.
> ---
> set_configuration()(media.c)
> msg = dbus_message_new_method_call(endpoint->sender, endpoint->path,
> MEDIA_ENDPOINT_INTERFACE,
> "SetConfiguration");
> media_endpoint_async_call()
> //dbus send
> g_dbus_send_message_with_reply(btd_get_dbus_connection(),
> msg, &request->call,
> REQUEST_TIMEOUT(3 seconds))
> dbus_pending_call_set_notify(request->call, endpoint_reply, request,NULL);
> ...
>
> > AVDTP: Discover (0x01) Command (0x00) type 0x00 label 0 nosp 0
> //At this time, the A2DP reverse discovery issued an A2DP discover command.
> < AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 0 nosp 0
> //After receiving the discover reply, the session->in.transaction is
> //changed to 0
>
> > AVDTP: Set Configuration (0x03) Response Accept (0x02) type 0x00 label 0 nosp 0
> //The audio backend reply the dbus message
> endpoint_reply (media.c)
> setconf_cb (avdtp.c)
> //Here avdtp_send sends an incorrect transaction value, causing
> //the sender to discard the message. (The correct transaction
> //value is 8)
> avdtp_send(session, session->in.transaction, AVDTP_MSG_TYPE_ACCEPT,
> AVDTP_SET_CONFIGURATION, NULL, 0)
>
> AVDTP: Delay Report (0x0d) Command (0x00) type 0x00 label 1 nosp 0
> AVDTP: Delay Report (0x0d) Response Accept (0x02) type 0x00 label 1 nosp 0
> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 2 nosp 0
> AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 2 nosp 0
> ... ...
>
> Therefore, a async_transaction that requires asynchronous return is
> recorded to prevent it from being incorrectly modified.
>
> Signed-off-by: Xiao Yao <[email protected]>
> ---
> profiles/audio/avdtp.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
> index 10ef380d4..2171e7723 100644
> --- a/profiles/audio/avdtp.c
> +++ b/profiles/audio/avdtp.c
> @@ -286,6 +286,7 @@ struct in_buf {
> gboolean active;
> int no_of_packets;
> uint8_t transaction;
> + uint8_t async_transaction;
You can only have one transaction in each direction, so this doesn't
look right at all. What perhaps is the problem is that we are changing
the transaction ID also in case of responses in which case we need to
fix that.
> uint8_t message_type;
> uint8_t signal_id;
> uint8_t buf[1024];
> @@ -1459,6 +1460,9 @@ static void setconf_cb(struct avdtp *session, struct avdtp_stream *stream,
> struct conf_rej rej;
> struct avdtp_local_sep *sep;
>
> + if (session->in.transaction != session->in.async_transaction)
> + session->in.transaction = session->in.async_transaction;
> +
> if (err != NULL) {
> rej.error = AVDTP_UNSUPPORTED_CONFIGURATION;
> rej.category = err->err.error_code;
> @@ -1569,6 +1573,7 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
> session->version = 0x0103;
>
> if (sep->ind && sep->ind->set_configuration) {
> + session->in.async_transaction = transaction;
> if (!sep->ind->set_configuration(session, sep, stream,
> stream->caps,
> setconf_cb,
> --
> 2.34.1
>
>
--
Luiz Augusto von Dentz
Hi,
On 2023/12/29 0:05, Luiz Augusto von Dentz wrote:
> Hi,
>
> On Thu, Dec 28, 2023 at 9:07 AM Xiao Yao <[email protected]> wrote:
>> From: Xiao Yao <[email protected]>
>>
>> BLUETOOTH SPECIFICATION Page 61 of 140
>> Audio/Video Distribution Transport Protocol Specification (V13)
>> 8.4.6 Message integrity verification at receiver side
>>
>> - The receiver of an AVDTP signaling message shall not interpret corrupted
>> messages. Those messages are discarded and no signaling message is returned
>> to the sender if no error code is applicable. Possible corrupted messages
>> are:
>>
>> * Response messages where the transaction label cannot match a previous
>> command sent to the remote device
>>
>> Consider the following scenario:
>> btmon log:
>> ... ...
>> AVDTP: Discover (0x01) Command (0x00) type 0x00 label 5 nosp 0
>> AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 5 nosp 0
>> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 6 nosp 0
>> AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 6 nosp 0
>> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 7 nosp 0
>> AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 7 nosp 0
>>
>> < AVDTP: Set Configuration (0x03) Command (0x00) type 0x00 label 8 nosp 0
>> //Currently, a 'set configuration' message has been received from the
>> //sender, which contains a transaction label valued at 8. This message
>> //was then relayed to A2DP backend(PulseAudio/PipeWire) using the dbus
>> //interface.
>> ---
>> set_configuration()(media.c)
>> msg = dbus_message_new_method_call(endpoint->sender, endpoint->path,
>> MEDIA_ENDPOINT_INTERFACE,
>> "SetConfiguration");
>> media_endpoint_async_call()
>> //dbus send
>> g_dbus_send_message_with_reply(btd_get_dbus_connection(),
>> msg, &request->call,
>> REQUEST_TIMEOUT(3 seconds))
>> dbus_pending_call_set_notify(request->call, endpoint_reply, request,NULL);
>> ...
>>
>>> AVDTP: Discover (0x01) Command (0x00) type 0x00 label 0 nosp 0
>> //At this time, the A2DP reverse discovery issued an A2DP discover command.
>> < AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 0 nosp 0
>> //After receiving the discover reply, the session->in.transaction is
>> //changed to 0
>>
>>> AVDTP: Set Configuration (0x03) Response Accept (0x02) type 0x00 label 0 nosp 0
>> //The audio backend reply the dbus message
>> endpoint_reply (media.c)
>> setconf_cb (avdtp.c)
>> //Here avdtp_send sends an incorrect transaction value, causing
>> //the sender to discard the message. (The correct transaction
>> //value is 8)
>> avdtp_send(session, session->in.transaction, AVDTP_MSG_TYPE_ACCEPT,
>> AVDTP_SET_CONFIGURATION, NULL, 0)
>>
>> AVDTP: Delay Report (0x0d) Command (0x00) type 0x00 label 1 nosp 0
>> AVDTP: Delay Report (0x0d) Response Accept (0x02) type 0x00 label 1 nosp 0
>> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 2 nosp 0
>> AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 2 nosp 0
>> ... ...
>>
>> Therefore, a async_transaction that requires asynchronous return is
>> recorded to prevent it from being incorrectly modified.
>>
>> Signed-off-by: Xiao Yao <[email protected]>
>> ---
>> profiles/audio/avdtp.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
>> index 10ef380d4..2171e7723 100644
>> --- a/profiles/audio/avdtp.c
>> +++ b/profiles/audio/avdtp.c
>> @@ -286,6 +286,7 @@ struct in_buf {
>> gboolean active;
>> int no_of_packets;
>> uint8_t transaction;
>> + uint8_t async_transaction;
> You can only have one transaction in each direction, so this doesn't
> look right at all. What perhaps is the problem is that we are changing
> the transaction ID also in case of responses in which case we need to
> fix that.
I committed an error during the patch optimization process by altering
the original label, which was incorrect.I will be sending a v2 patch.
>
>> uint8_t message_type;
>> uint8_t signal_id;
>> uint8_t buf[1024];
>> @@ -1459,6 +1460,9 @@ static void setconf_cb(struct avdtp *session, struct avdtp_stream *stream,
>> struct conf_rej rej;
>> struct avdtp_local_sep *sep;
>>
>> + if (session->in.transaction != session->in.async_transaction)
>> + session->in.transaction = session->in.async_transaction;
>> +
>> if (err != NULL) {
>> rej.error = AVDTP_UNSUPPORTED_CONFIGURATION;
>> rej.category = err->err.error_code;
>> @@ -1569,6 +1573,7 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
>> session->version = 0x0103;
>>
>> if (sep->ind && sep->ind->set_configuration) {
>> + session->in.async_transaction = transaction;
>> if (!sep->ind->set_configuration(session, sep, stream,
>> stream->caps,
>> setconf_cb,
>> --
>> 2.34.1
>>
>>
>