From: Andrei Emeltchenko <[email protected]>
There no need to calculate those values
---
profiles/audio/avrcp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index fa5adab..2e1a940 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -3177,7 +3177,7 @@ static void avrcp_register_notification(struct avrcp *session, uint8_t event)
pdu->params[0] = event;
pdu->params_len = htons(AVRCP_REGISTER_NOTIFICATION_PARAM_LENGTH);
- length = AVRCP_HEADER_LENGTH + ntohs(pdu->params_len);
+ length = AVRCP_HEADER_LENGTH + AVRCP_REGISTER_NOTIFICATION_PARAM_LENGTH;
avctp_send_vendordep_req(session->conn, AVC_CTYPE_NOTIFY,
AVC_SUBUNIT_PANEL, buf, length,
@@ -3250,7 +3250,7 @@ static void avrcp_get_capabilities(struct avrcp *session)
pdu->params[0] = CAP_EVENTS_SUPPORTED;
pdu->params_len = htons(AVRCP_GET_CAPABILITIES_PARAM_LENGTH);
- length = AVRCP_HEADER_LENGTH + ntohs(pdu->params_len);
+ length = AVRCP_HEADER_LENGTH + AVRCP_GET_CAPABILITIES_PARAM_LENGTH;
avctp_send_vendordep_req(session->conn, AVC_CTYPE_STATUS,
AVC_SUBUNIT_PANEL, buf, length,
--
1.8.3.2
From: Andrei Emeltchenko <[email protected]>
Wrong length was given and it was also possible to crash.
---
profiles/audio/avrcp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 128f7d3..f9fce5c 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -1899,8 +1899,12 @@ static void avrcp_get_current_player_value(struct avrcp *session,
{
uint8_t buf[AVRCP_HEADER_LENGTH + 5];
struct avrcp_header *pdu = (void *) buf;
+ uint16_t length = AVRCP_HEADER_LENGTH + count + 1;
int i;
+ if (count + 1 > 5)
+ return;
+
memset(buf, 0, sizeof(buf));
set_company_id(pdu->company_id, IEEEID_BTSIG);
@@ -1913,7 +1917,7 @@ static void avrcp_get_current_player_value(struct avrcp *session,
pdu->params[i + 1] = attrs[i];
avctp_send_vendordep_req(session->conn, AVC_CTYPE_STATUS,
- AVC_SUBUNIT_PANEL, buf, sizeof(buf),
+ AVC_SUBUNIT_PANEL, buf, length,
avrcp_player_value_rsp, session);
}
--
1.8.3.2
From: Andrei Emeltchenko <[email protected]>
The command requires one parameter.
---
profiles/audio/avrcp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 2e1a940..128f7d3 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -3706,7 +3706,7 @@ int avrcp_set_volume(struct btd_device *dev, uint8_t volume)
{
struct avrcp_server *server;
struct avrcp *session;
- uint8_t buf[AVRCP_HEADER_LENGTH + 2];
+ uint8_t buf[AVRCP_HEADER_LENGTH + 1];
struct avrcp_header *pdu = (void *) buf;
server = find_server(servers, device_get_adapter(dev));
--
1.8.3.2
Hi Andrei,
On Tue, Feb 11, 2014 at 1:15 PM, Andrei Emeltchenko
<[email protected]> wrote:
> On Tue, Feb 04, 2014 at 04:08:17PM +0200, Andrei Emeltchenko wrote:
>> On Thu, Jan 30, 2014 at 06:12:55PM +0200, Andrei Emeltchenko wrote:
>> > From: Andrei Emeltchenko <[email protected]>
>> >
>> > The command requires one parameter.
>>
>> ping
>
> ping
>
>>
>> > ---
>> > profiles/audio/avrcp.c | 2 +-
>> > 1 file changed, 1 insertion(+), 1 deletion(-)
>> >
>> > diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
>> > index 2e1a940..128f7d3 100644
>> > --- a/profiles/audio/avrcp.c
>> > +++ b/profiles/audio/avrcp.c
>> > @@ -3706,7 +3706,7 @@ int avrcp_set_volume(struct btd_device *dev, uint8_t volume)
>> > {
>> > struct avrcp_server *server;
>> > struct avrcp *session;
>> > - uint8_t buf[AVRCP_HEADER_LENGTH + 2];
>> > + uint8_t buf[AVRCP_HEADER_LENGTH + 1];
>> > struct avrcp_header *pdu = (void *) buf;
>> >
>> > server = find_server(servers, device_get_adapter(dev));
>> > --
>> > 1.8.3.2
Ive applied this one, I leave 1/3 for when we have the code properly
decoupled and patch 3/3 I end up redoing most of it to check for
invalid attributes.
--
Luiz Augusto von Dentz
On Tue, Feb 04, 2014 at 04:08:17PM +0200, Andrei Emeltchenko wrote:
> On Thu, Jan 30, 2014 at 06:12:55PM +0200, Andrei Emeltchenko wrote:
> > From: Andrei Emeltchenko <[email protected]>
> >
> > The command requires one parameter.
>
> ping
ping
>
> > ---
> > profiles/audio/avrcp.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> > index 2e1a940..128f7d3 100644
> > --- a/profiles/audio/avrcp.c
> > +++ b/profiles/audio/avrcp.c
> > @@ -3706,7 +3706,7 @@ int avrcp_set_volume(struct btd_device *dev, uint8_t volume)
> > {
> > struct avrcp_server *server;
> > struct avrcp *session;
> > - uint8_t buf[AVRCP_HEADER_LENGTH + 2];
> > + uint8_t buf[AVRCP_HEADER_LENGTH + 1];
> > struct avrcp_header *pdu = (void *) buf;
> >
> > server = find_server(servers, device_get_adapter(dev));
> > --
> > 1.8.3.2
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
> > the body of a message to [email protected]
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> --
> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Jan 30, 2014 at 06:12:56PM +0200, Andrei Emeltchenko wrote:
> From: Andrei Emeltchenko <[email protected]>
>
> Wrong length was given and it was also possible to crash.
ping
> ---
> profiles/audio/avrcp.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index 128f7d3..f9fce5c 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -1899,8 +1899,12 @@ static void avrcp_get_current_player_value(struct avrcp *session,
> {
> uint8_t buf[AVRCP_HEADER_LENGTH + 5];
> struct avrcp_header *pdu = (void *) buf;
> + uint16_t length = AVRCP_HEADER_LENGTH + count + 1;
> int i;
>
> + if (count + 1 > 5)
> + return;
> +
> memset(buf, 0, sizeof(buf));
>
> set_company_id(pdu->company_id, IEEEID_BTSIG);
> @@ -1913,7 +1917,7 @@ static void avrcp_get_current_player_value(struct avrcp *session,
> pdu->params[i + 1] = attrs[i];
>
> avctp_send_vendordep_req(session->conn, AVC_CTYPE_STATUS,
> - AVC_SUBUNIT_PANEL, buf, sizeof(buf),
> + AVC_SUBUNIT_PANEL, buf, length,
> avrcp_player_value_rsp, session);
> }
>
> --
> 1.8.3.2
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Jan 30, 2014 at 06:12:55PM +0200, Andrei Emeltchenko wrote:
> From: Andrei Emeltchenko <[email protected]>
>
> The command requires one parameter.
ping
> ---
> profiles/audio/avrcp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index 2e1a940..128f7d3 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -3706,7 +3706,7 @@ int avrcp_set_volume(struct btd_device *dev, uint8_t volume)
> {
> struct avrcp_server *server;
> struct avrcp *session;
> - uint8_t buf[AVRCP_HEADER_LENGTH + 2];
> + uint8_t buf[AVRCP_HEADER_LENGTH + 1];
> struct avrcp_header *pdu = (void *) buf;
>
> server = find_server(servers, device_get_adapter(dev));
> --
> 1.8.3.2
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Luiz,
On Tue, Feb 04, 2014 at 02:49:02PM +0200, Luiz Augusto von Dentz wrote:
> Hi Andrei,
>
> On Tue, Feb 4, 2014 at 1:55 PM, Andrei Emeltchenko
> <[email protected]> wrote:
> > On Thu, Jan 30, 2014 at 06:12:54PM +0200, Andrei Emeltchenko wrote:
> >> From: Andrei Emeltchenko <[email protected]>
> >>
> >> There no need to calculate those values
> >
> > ping
> >
> >> ---
> >> profiles/audio/avrcp.c | 4 ++--
> >> 1 file changed, 2 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> >> index fa5adab..2e1a940 100644
> >> --- a/profiles/audio/avrcp.c
> >> +++ b/profiles/audio/avrcp.c
> >> @@ -3177,7 +3177,7 @@ static void avrcp_register_notification(struct avrcp *session, uint8_t event)
> >> pdu->params[0] = event;
> >> pdu->params_len = htons(AVRCP_REGISTER_NOTIFICATION_PARAM_LENGTH);
> >>
> >> - length = AVRCP_HEADER_LENGTH + ntohs(pdu->params_len);
> >> + length = AVRCP_HEADER_LENGTH + AVRCP_REGISTER_NOTIFICATION_PARAM_LENGTH;
> >>
> >> avctp_send_vendordep_req(session->conn, AVC_CTYPE_NOTIFY,
> >> AVC_SUBUNIT_PANEL, buf, length,
> >> @@ -3250,7 +3250,7 @@ static void avrcp_get_capabilities(struct avrcp *session)
> >> pdu->params[0] = CAP_EVENTS_SUPPORTED;
> >> pdu->params_len = htons(AVRCP_GET_CAPABILITIES_PARAM_LENGTH);
> >>
> >> - length = AVRCP_HEADER_LENGTH + ntohs(pdu->params_len);
> >> + length = AVRCP_HEADER_LENGTH + AVRCP_GET_CAPABILITIES_PARAM_LENGTH;
> >>
> >> avctp_send_vendordep_req(session->conn, AVC_CTYPE_STATUS,
> >> AVC_SUBUNIT_PANEL, buf, length,
> >> --
> >> 1.8.3.2
>
> I will leave this as it for now, we will probably create a avrcp_send
> helper to have this in common place.
OK, though those
a = ntohs(b);
c = htons(a);
looks IMO really ugly
Best regards
Andrei Emeltchenko
Hi Andrei,
On Tue, Feb 4, 2014 at 1:55 PM, Andrei Emeltchenko
<[email protected]> wrote:
> On Thu, Jan 30, 2014 at 06:12:54PM +0200, Andrei Emeltchenko wrote:
>> From: Andrei Emeltchenko <[email protected]>
>>
>> There no need to calculate those values
>
> ping
>
>> ---
>> profiles/audio/avrcp.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
>> index fa5adab..2e1a940 100644
>> --- a/profiles/audio/avrcp.c
>> +++ b/profiles/audio/avrcp.c
>> @@ -3177,7 +3177,7 @@ static void avrcp_register_notification(struct avrcp *session, uint8_t event)
>> pdu->params[0] = event;
>> pdu->params_len = htons(AVRCP_REGISTER_NOTIFICATION_PARAM_LENGTH);
>>
>> - length = AVRCP_HEADER_LENGTH + ntohs(pdu->params_len);
>> + length = AVRCP_HEADER_LENGTH + AVRCP_REGISTER_NOTIFICATION_PARAM_LENGTH;
>>
>> avctp_send_vendordep_req(session->conn, AVC_CTYPE_NOTIFY,
>> AVC_SUBUNIT_PANEL, buf, length,
>> @@ -3250,7 +3250,7 @@ static void avrcp_get_capabilities(struct avrcp *session)
>> pdu->params[0] = CAP_EVENTS_SUPPORTED;
>> pdu->params_len = htons(AVRCP_GET_CAPABILITIES_PARAM_LENGTH);
>>
>> - length = AVRCP_HEADER_LENGTH + ntohs(pdu->params_len);
>> + length = AVRCP_HEADER_LENGTH + AVRCP_GET_CAPABILITIES_PARAM_LENGTH;
>>
>> avctp_send_vendordep_req(session->conn, AVC_CTYPE_STATUS,
>> AVC_SUBUNIT_PANEL, buf, length,
>> --
>> 1.8.3.2
I will leave this as it for now, we will probably create a avrcp_send
helper to have this in common place.
--
Luiz Augusto von Dentz
On Thu, Jan 30, 2014 at 06:12:54PM +0200, Andrei Emeltchenko wrote:
> From: Andrei Emeltchenko <[email protected]>
>
> There no need to calculate those values
ping
> ---
> profiles/audio/avrcp.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index fa5adab..2e1a940 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -3177,7 +3177,7 @@ static void avrcp_register_notification(struct avrcp *session, uint8_t event)
> pdu->params[0] = event;
> pdu->params_len = htons(AVRCP_REGISTER_NOTIFICATION_PARAM_LENGTH);
>
> - length = AVRCP_HEADER_LENGTH + ntohs(pdu->params_len);
> + length = AVRCP_HEADER_LENGTH + AVRCP_REGISTER_NOTIFICATION_PARAM_LENGTH;
>
> avctp_send_vendordep_req(session->conn, AVC_CTYPE_NOTIFY,
> AVC_SUBUNIT_PANEL, buf, length,
> @@ -3250,7 +3250,7 @@ static void avrcp_get_capabilities(struct avrcp *session)
> pdu->params[0] = CAP_EVENTS_SUPPORTED;
> pdu->params_len = htons(AVRCP_GET_CAPABILITIES_PARAM_LENGTH);
>
> - length = AVRCP_HEADER_LENGTH + ntohs(pdu->params_len);
> + length = AVRCP_HEADER_LENGTH + AVRCP_GET_CAPABILITIES_PARAM_LENGTH;
>
> avctp_send_vendordep_req(session->conn, AVC_CTYPE_STATUS,
> AVC_SUBUNIT_PANEL, buf, length,
> --
> 1.8.3.2
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html