diff mbox series

[BlueZ] profiles/avdtp: Fix reply for bad media transport format

Message ID 20250325162548.149495-1-frederic.danis@collabora.com (mailing list archive)
State New
Headers show
Series [BlueZ] profiles/avdtp: Fix reply for bad media transport format | expand

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/BuildEll success Build ELL PASS
tedd_an/BluezMake success Bluez Make PASS
tedd_an/MakeCheck success Bluez Make Check PASS
tedd_an/MakeDistcheck success Make Distcheck PASS
tedd_an/CheckValgrind success Check Valgrind PASS
tedd_an/CheckSmatch success CheckSparse PASS
tedd_an/bluezmakeextell success Make External ELL PASS
tedd_an/ScanBuild success Scan Build PASS

Commit Message

Frédéric Danis March 25, 2025, 4:25 p.m. UTC 
Currently the avdtp_setconf_cmd() fails to check the capability length
of the Media Transport Service Category, which should be 0, because
caps_to_list() doesn't add it to the list of services as it should
be bigger than packet boundary.

This commit add a fake Media Transport capability with invalid length
of 1, so avdtp_setconf_cmd() can check it and send reject error
AVDTP_BAD_MEDIA_TRANSPORT_FORMAT.

This is required for passing AVDTP/SNK/ACP/TRA/BTR/BI-01-C PTS test
case:
To verify that the IUT (ACP) is able to issue a set configuration
reject response to the INT if the format of the media transport is
incorrect.
---
 profiles/audio/avdtp.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

Comments

bluez.test.bot@gmail.com March 25, 2025, 5:39 p.m. UTC | #1 
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=947225

---Test result---

Test Summary:
CheckPatch                    PENDING   0.21 seconds
GitLint                       PENDING   0.20 seconds
BuildEll                      PASS      20.51 seconds
BluezMake                     PASS      1506.42 seconds
MakeCheck                     PASS      13.68 seconds
MakeDistcheck                 PASS      159.55 seconds
CheckValgrind                 PASS      216.15 seconds
CheckSmatch                   PASS      289.42 seconds
bluezmakeextell               PASS      99.94 seconds
IncrementalBuild              PENDING   0.89 seconds
ScanBuild                     PASS      866.94 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth
Luiz Augusto von Dentz March 25, 2025, 7:43 p.m. UTC | #2 
Hi Frédéric,

On Tue, Mar 25, 2025 at 12:29 PM Frédéric Danis
<frederic.danis@collabora.com> wrote:
>
> Currently the avdtp_setconf_cmd() fails to check the capability length
> of the Media Transport Service Category, which should be 0, because
> caps_to_list() doesn't add it to the list of services as it should
> be bigger than packet boundary.
>
> This commit add a fake Media Transport capability with invalid length
> of 1, so avdtp_setconf_cmd() can check it and send reject error
> AVDTP_BAD_MEDIA_TRANSPORT_FORMAT.
>
> This is required for passing AVDTP/SNK/ACP/TRA/BTR/BI-01-C PTS test
> case:
> To verify that the IUT (ACP) is able to issue a set configuration
> reject response to the INT if the format of the media transport is
> incorrect.
> ---
>  profiles/audio/avdtp.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
>
> diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
> index 80fbe847e..67d32278f 100644
> --- a/profiles/audio/avdtp.c
> +++ b/profiles/audio/avdtp.c
> @@ -1328,6 +1328,17 @@ static GSList *caps_to_list(uint8_t *data, size_t size,
>
>                 cap = (struct avdtp_service_capability *)data;
>
> +               if (cap->category == AVDTP_MEDIA_TRANSPORT &&
> +                                       cap->length != 0) {
> +                       error("Invalid media transport in getcap resp");
> +                       cpy = util_malloc(sizeof(*cpy) + 1);
> +                       memcpy(cpy, cap, sizeof(*cap));
> +                       cpy->length = 1;
> +                       cpy->data[0] = 0;
> +                       caps = g_slist_append(caps, cpy);
> +                       break;
> +               }

Hmm, instead of fabricating the capability, how about we pass the &err
as parameter to caps_to_list so it can be set directly?

> +
>                 if (sizeof(*cap) + cap->length > size) {
>                         error("Invalid capability data in getcap resp");
>                         break;
> --
> 2.43.0
>
>
diff mbox series

Patch

diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 80fbe847e..67d32278f 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -1328,6 +1328,17 @@  static GSList *caps_to_list(uint8_t *data, size_t size,
 
 		cap = (struct avdtp_service_capability *)data;
 
+		if (cap->category == AVDTP_MEDIA_TRANSPORT &&
+					cap->length != 0) {
+			error("Invalid media transport in getcap resp");
+			cpy = util_malloc(sizeof(*cpy) + 1);
+			memcpy(cpy, cap, sizeof(*cap));
+			cpy->length = 1;
+			cpy->data[0] = 0;
+			caps = g_slist_append(caps, cpy);
+			break;
+		}
+
 		if (sizeof(*cap) + cap->length > size) {
 			error("Invalid capability data in getcap resp");
 			break;