From patchwork Thu May 30 14:57:55 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13680509 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3534B16F0DA for ; Thu, 30 May 2024 15:01:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081262; cv=none; b=e+jGp9CYP5vQacmP44ObncQIfRSqbbAglf1EltcHdJ7SiF6JB6XcooyXKBj4LBohDOzExtmdVyeunCAN373LH85mwYQ+fj37agYON6JxJsMG5p5NieRAC0cxdU7t5lK3MfAPRuTbOH2eM/9xytKwAemnvnzCGSy6JnmoBAeQwng= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081262; c=relaxed/simple; bh=gfZu0KVCoQ5wGva5wZeqr64mlcdoNf+tqpQU6FXiceA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=CCMtPKDcpfFdpJU1/59feWaAQzOVrTERcpnI76XrcLU/0eGXDGdu29ISgz4dSqzgPAlyQmPSa7OLYSOF3v/oIcLAZbRwNvJLo6t3emyi1FFazWKOOF4Kmr03696sRkVXWrEDFSMubBjRpa5RuYxrX706j27c7Hty1jM2Hhv7eLY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 0CF722000B; Thu, 30 May 2024 15:00:57 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 1/9] rctest: Fix possible overrun Date: Thu, 30 May 2024 16:57:55 +0200 Message-ID: <20240530150057.444585-2-hadess@hadess.net> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240530150057.444585-1-hadess@hadess.net> References: <20240530150057.444585-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: OVERRUN (CWE-119): [#def57] [important] bluez-5.76/tools/rctest.c:556:3: return_constant: Function call "read(fd, buf, data_size)" may return -1. [Note: The source code implementation of the function has been overridden by a builtin model.] bluez-5.76/tools/rctest.c:556:3: assignment: Assigning: "len" = "read(fd, buf, data_size)". The value of "len" is now -1. bluez-5.76/tools/rctest.c:557:3: overrun-buffer-arg: Calling "send" with "buf" and "len" is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter being interpreted as unsigned. 555| } 556| len = read(fd, buf, data_size); 557|-> send(sk, buf, len, 0); 558| close(fd); 559| return; --- tools/rctest.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/rctest.c b/tools/rctest.c index d31180880ef4..ff91eb2f159d 100644 --- a/tools/rctest.c +++ b/tools/rctest.c @@ -554,7 +554,8 @@ static void do_send(int sk) exit(1); } len = read(fd, buf, data_size); - send(sk, buf, len, 0); + if (len > 0) + send(sk, buf, len, 0); close(fd); return; } else { From patchwork Thu May 30 14:57:56 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13680511 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2DC2D1E532 for ; Thu, 30 May 2024 15:00:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081263; cv=none; b=bUqqR994JOQdPARwsrjiaxfA3MZHkyOaFFHxt26nU8Wg1veV6xxdmKMGHBjby3RE/ajV57wGbal9ShIi3Gtp/JVp9AcEZFC/mVXgsWIWkQA2UwettWG+Eg/xyvLR0Ok9aklXie0uheqQPfVTLiW3OaRSzLF2k2yRA7Q1IDjanoo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081263; c=relaxed/simple; bh=vs7XiLagZa5ntsanP3R0MRDHQ8gAeVOhTp8wK47UJK8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lvy8MegikkYUBC1oXnvsuxer4dzyXQNYNp3PSbr6r0FJjWvlnxnawTf9zKndeEIhFs/AZ2tEU0oh1AVCov36DUv7CaFoFT9dZoyhmyz2rKUqQYh/h51uX0z5cJl297ieuqh6MmQJA7gxjDuji0Rs3qq6wddaKhfR2djaxu50iFo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 50B362000E; Thu, 30 May 2024 15:00:58 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 2/9] mgmt-tester: Fix buffer overrun Date: Thu, 30 May 2024 16:57:56 +0200 Message-ID: <20240530150057.444585-3-hadess@hadess.net> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240530150057.444585-1-hadess@hadess.net> References: <20240530150057.444585-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: OVERRUN (CWE-119): [#def56] [important] bluez-5.76/tools/mgmt-tester.c:12667:2: identity_transfer: Passing "512UL" as argument 3 to function "vhci_read_devcd", which returns that argument. bluez-5.76/tools/mgmt-tester.c:12667:2: assignment: Assigning: "read" = "vhci_read_devcd(vhci, buf, 512UL)". The value of "read" is now 512. bluez-5.76/tools/mgmt-tester.c:12674:2: overrun-local: Overrunning array "buf" of 513 bytes at byte offset 513 using index "read + 1" (which evaluates to 513). 12672| } 12673| /* Make sure buf is nul-terminated */ 12674|-> buf[read + 1] = '\0'; 12675| 12676| /* Verify if all devcoredump header fields are present */ Fixes: 49d06560692f ("mgmt-tester: Fix non-nul-terminated string") --- tools/mgmt-tester.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/mgmt-tester.c b/tools/mgmt-tester.c index 8076ec105ebb..1d5c82ae0745 100644 --- a/tools/mgmt-tester.c +++ b/tools/mgmt-tester.c @@ -12671,7 +12671,7 @@ static void verify_devcd(void *user_data) return; } /* Make sure buf is nul-terminated */ - buf[read + 1] = '\0'; + buf[read] = '\0'; /* Verify if all devcoredump header fields are present */ line = strtok_r(buf, delim, &saveptr); From patchwork Thu May 30 14:57:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13680508 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6AE5C1E89A for ; Thu, 30 May 2024 15:01:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081262; cv=none; b=RTwcmjmfKXculQj5qrYzu0cAzIuvXAysIeIiiRTu4k05uiiDcHRF+sz+SDL/zQWE9d4HBvwyAOHwlDOWM2eZ7xEa0fnlCft8KSMYUkVj6MAuYEMhxKqapMZpM7OKjkWAZQSeZ5/zfmSivIeyqyi1J3cW1XSho1Ey9248xEPxsBo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081262; c=relaxed/simple; bh=YdhSO3QIYKxHiPHW4z302UhfJABUeFRJ4d58sXWWM6k=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ncaMSI0s4eawBXnUFiNJYCSBcEIN4gge8FHvNNZcDHCswc0tTWIKA/oUdwQDGPKK4b6FPA6WYcu2TzZRFfg0QXGah9cV8d26ZOPoJrkvG776bm1zVuXzGhGUQ8SYIkjiGpDGFROGOBkbuWcOTasJhZ6vK/unYNExtyr3J6TFbf8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 938CA20012; Thu, 30 May 2024 15:00:58 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 3/9] l2test: Add missing error checking Date: Thu, 30 May 2024 16:57:57 +0200 Message-ID: <20240530150057.444585-4-hadess@hadess.net> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240530150057.444585-1-hadess@hadess.net> References: <20240530150057.444585-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net send() might fail and return a negative len, catch that to avoid advancing the send buffer in the wrong direction and causing all sorts of problems. 977|-> len = send(sk, buf + sent, buflen, 0); 978| 979| sent += len; --- tools/l2test.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/l2test.c b/tools/l2test.c index 011a68c3781e..7b6c36e165da 100644 --- a/tools/l2test.c +++ b/tools/l2test.c @@ -975,6 +975,11 @@ static void do_send(int sk) buflen = (size > omtu) ? omtu : size; len = send(sk, buf + sent, buflen, 0); + if (len < 0) { + syslog(LOG_ERR, "Send failed: %s (%d)", + strerror(errno), errno); + exit(1); + } sent += len; size -= len; From patchwork Thu May 30 14:57:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13680513 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A4AE5839E3 for ; Thu, 30 May 2024 15:01:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081263; cv=none; b=FqFwtDXbrm8uuGFNMaWbfgYFF4DOgaEq5iNtiTDBPX9l9CDj1eMCCuSYxsV9QA+JRL6QuaHXmLWFA59hMgP6nX1JDCEFRQFPiBgj6V3Ran1HjMnr5JaFEs8SaGYwN/Hus70doopBjYgEJmDUB+5bei3PBhLe5A/yByb06/RRxm0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081263; c=relaxed/simple; bh=ee2MtFQfQtU/kqb6rS+D2WqPs7QmF9VRRDIgJT6sSE0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=pokO8uSHx89xVeAwIeDl6wbyrJWmXyeSEVqIT1oBQGY8+jJZ+SIUm6VntfR8OJSLD4cH8Vl4KondpIlmlh3chqw+lObrZdx4+y4hre3bBEz62UOI+XjLt8X0EzU1yXZS6GgkUSWiJ3ep5iyTDKxGzBEtsbgzlJTpWKKAMYROE40= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id D1DAC2000A; Thu, 30 May 2024 15:00:58 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 4/9] rfkill: Avoid using a signed int for an unsigned variable Date: Thu, 30 May 2024 16:57:58 +0200 Message-ID: <20240530150057.444585-5-hadess@hadess.net> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240530150057.444585-1-hadess@hadess.net> References: <20240530150057.444585-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: INTEGER_OVERFLOW (CWE-190): [#def37] [important] bluez-5.76/src/rfkill.c:101:3: tainted_data_argument: The value "event" is considered tainted. bluez-5.76/src/rfkill.c:105:3: tainted_data_argument: "event.idx" is considered tainted. bluez-5.76/src/rfkill.c:105:3: underflow: The cast of "event.idx" to a signed type could result in a negative number. 103| break; 104| 105|-> id = get_adapter_id_for_rfkill(event.idx); 106| 107| if (index == id) { Error: INTEGER_OVERFLOW (CWE-190): [#def38] [important] bluez-5.76/src/rfkill.c:133:2: tainted_data_argument: The value "event" is considered tainted. bluez-5.76/src/rfkill.c:143:2: tainted_data_argument: "event.idx" is considered tainted. bluez-5.76/src/rfkill.c:157:2: underflow: The cast of "event.idx" to a signed type could result in a negative number. 155| return TRUE; 156| 157|-> id = get_adapter_id_for_rfkill(event.idx); 158| if (id < 0) 159| return TRUE; --- src/rfkill.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rfkill.c b/src/rfkill.c index a0a50d9e45d9..8a0e48f01c4f 100644 --- a/src/rfkill.c +++ b/src/rfkill.c @@ -55,7 +55,7 @@ struct rfkill_event { }; #define RFKILL_EVENT_SIZE_V1 8 -static int get_adapter_id_for_rfkill(int rfkill_id) +static int get_adapter_id_for_rfkill(uint32_t rfkill_id) { char sysname[PATH_MAX]; int namefd; From patchwork Thu May 30 14:57:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13680510 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C3BF0145A01 for ; Thu, 30 May 2024 15:01:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081263; cv=none; b=tE6bqGfsqFufnGdGi5I8puc0cx5L9Fax8M6omxHnNWvx2eg9bzbK8Gl9TA45ZtJg2Xz30Iw1VZ1bOX0Cc22QUgcN5DA3Fz5W4kbbg9JYXd6NsS4MXWHjUXv8seLK+G8YUXgCJm7zvCZAeWSC+bKFVHF+9mI/OZ2QzkxhDFTZd0w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081263; c=relaxed/simple; bh=zTCzTXSatAKZBJ5sPdSyoJ6iX/dT7b91Sw2MA+Zf84E=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=awN6c04v7ai8bbI43vOPfA+bRfxgPAtUSnqrEPqUW08OpxtliZ7CDoxeq/0LFYKseA9IK6vLH8cLzlAaB79s+vhMf50227i824qvTiFDDlOWcZqP0U6od60erEvfjoNMvneM7HpBHsbdj4IXhiDckOceNa4/qp/hgabv4HurKU4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 1F8522000F; Thu, 30 May 2024 15:00:59 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 5/9] shared/mainloop: Fix integer overflow Date: Thu, 30 May 2024 16:57:59 +0200 Message-ID: <20240530150057.444585-6-hadess@hadess.net> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240530150057.444585-1-hadess@hadess.net> References: <20240530150057.444585-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net signalfd_siginfo uses a u32 for the signal number, but siginfo_t uses a signed integer for it, so an (unlikely) big value for the signal number could result in a negative value being passed to the callbacks. Catch that and bail early. Error: INTEGER_OVERFLOW (CWE-190): [#def44] [important] bluez-5.76/src/shared/mainloop-notify.c:132:2: tainted_data_argument: The value "si" is considered tainted. bluez-5.76/src/shared/mainloop-notify.c:137:3: tainted_data_argument: "si.ssi_signo" is considered tainted. bluez-5.76/src/shared/mainloop-notify.c:137:3: underflow: The cast of "si.ssi_signo" to a signed type could result in a negative number. 135| 136| if (data && data->func) 137|-> data->func(si.ssi_signo, data->user_data); 138| 139| return true; --- src/shared/mainloop-notify.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/shared/mainloop-notify.c b/src/shared/mainloop-notify.c index 33be3cf8d78e..11989512e013 100644 --- a/src/shared/mainloop-notify.c +++ b/src/shared/mainloop-notify.c @@ -15,6 +15,7 @@ #define _GNU_SOURCE #include #include +#include #include #include #include @@ -130,7 +131,7 @@ static bool signal_read(struct io *io, void *user_data) fd = io_get_fd(io); result = read(fd, &si, sizeof(si)); - if (result != sizeof(si)) + if (result != sizeof(si) || si.ssi_signo > INT_MAX) return false; if (data && data->func) From patchwork Thu May 30 14:58:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13680516 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3539D17C200 for ; Thu, 30 May 2024 15:01:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081264; cv=none; b=ay4IC00q7HGeMK1SShx7tTmaRKU159hbQcaONKZs/JG6opxMoadwHswOHO+S4QLxH5SIRdo6S+zR99gX/YYhLFBhtdrtfZssRLOJkrU2sTsQQ5o4vFuITdrB2pSlf5jftL9+p33kUPq16NHE8QQjS7mRknbAz3LgdoFopKZvgPw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081264; c=relaxed/simple; bh=3Z9StN4Y3GsmIVNcVnqzHhyrNqb0jq50SknvFIp5NRw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=rW4NZwGVpNDFVZjYOa4NtfxLionYZTcd5jvwCmrPb70QYihFPj4rOPAcBKzaHwr2g4/yzpKsRyrq6/o8Saa0/AvA3iZmzR4R0VkNNe2WNfzdLqtBfNFaUW4F6XGfEV8KZmY8czcbmKKSaj4Z43e0ftSgu1qtpndG3kG3UL/gKLM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 63A4120013; Thu, 30 May 2024 15:00:59 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 6/9] sdp: Fix ineffective error guard Date: Thu, 30 May 2024 16:58:00 +0200 Message-ID: <20240530150057.444585-7-hadess@hadess.net> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240530150057.444585-1-hadess@hadess.net> References: <20240530150057.444585-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net The return value from gen_attridseq_pdu() can be -ENOMEM or the always positive return value from sdp_gen_pdu(), but we only guard against a single negative return value "-1" (-EPERM). Check for all negative values to avoid manipulating a negative length as a valid one. Error: INTEGER_OVERFLOW (CWE-190): [#def10] [important] bluez-5.76/lib/sdp.c:4082:2: tainted_data_return: Called function "gen_attridseq_pdu(pdata, attrid_list, ((reqtype == SDP_ATTR_REQ_INDIVIDUAL) ? 9 : 10))", and a possible return value is known to be less than zero. bluez-5.76/lib/sdp.c:4082:2: assign: Assigning: "seqlen" = "gen_attridseq_pdu(pdata, attrid_list, ((reqtype == SDP_ATTR_REQ_INDIVIDUAL) ? 9 : 10))". bluez-5.76/lib/sdp.c:4091:2: overflow: The expression "t->reqsize" is considered to have possibly overflowed. bluez-5.76/lib/sdp.c:4097:2: overflow: The expression "t->reqsize + cstate_len" is deemed overflowed because at least one of its arguments has overflowed. bluez-5.76/lib/sdp.c:4097:2: overflow_sink: "t->reqsize + cstate_len", which might have underflowed, is passed to "sdp_send_req(session, t->reqbuf, t->reqsize + cstate_len)". 4095| reqhdr->plen = htons((t->reqsize + cstate_len) - sizeof(sdp_pdu_hdr_t)); 4096| 4097|-> if (sdp_send_req(session, t->reqbuf, t->reqsize + cstate_len) < 0) { 4098| SDPERR("Error sending data:%m"); 4099| t->err = errno; Error: INTEGER_OVERFLOW (CWE-190): [#def11] [important] bluez-5.76/lib/sdp.c:4466:2: tainted_data_return: Called function "gen_attridseq_pdu(pdata, attrids, ((reqtype == SDP_ATTR_REQ_INDIVIDUAL) ? 9 : 10))", and a possible return value is known to be less than zero. bluez-5.76/lib/sdp.c:4466:2: assign: Assigning: "seqlen" = "gen_attridseq_pdu(pdata, attrids, ((reqtype == SDP_ATTR_REQ_INDIVIDUAL) ? 9 : 10))". bluez-5.76/lib/sdp.c:4475:2: overflow: The expression "reqsize" is considered to have possibly overflowed. bluez-5.76/lib/sdp.c:4480:2: assign: Assigning: "_reqsize" = "reqsize". bluez-5.76/lib/sdp.c:4486:3: overflow: The expression "_reqsize + copy_cstate(_pdata, 2048U - _reqsize, cstate)" is deemed overflowed because at least one of its arguments has overflowed. bluez-5.76/lib/sdp.c:4486:3: assign: Assigning: "reqsize" = "_reqsize + copy_cstate(_pdata, 2048U - _reqsize, cstate)". bluez-5.76/lib/sdp.c:4492:3: overflow_sink: "reqsize", which might have underflowed, is passed to "sdp_send_req_w4_rsp(session, reqbuf, rspbuf, reqsize, &rspsize)". 4490| reqhdr->plen = htons(reqsize - sizeof(sdp_pdu_hdr_t)); 4491| rsphdr = (sdp_pdu_hdr_t *) rspbuf; 4492|-> status = sdp_send_req_w4_rsp(session, reqbuf, rspbuf, reqsize, &rspsize); 4493| if (rspsize < sizeof(sdp_pdu_hdr_t)) { 4494| SDPERR("Unexpected end of packet"); --- lib/sdp.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/sdp.c b/lib/sdp.c index d43bbbd2de05..2e66505b21b8 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -3604,7 +3604,7 @@ sdp_record_t *sdp_service_attr_req(sdp_session_t *session, uint32_t handle, /* get attr seq PDU form */ seqlen = gen_attridseq_pdu(pdata, attrids, reqtype == SDP_ATTR_REQ_INDIVIDUAL? SDP_UINT16 : SDP_UINT32); - if (seqlen == -1) { + if (seqlen < 0) { errno = EINVAL; goto end; } @@ -3959,7 +3959,7 @@ int sdp_service_attr_async(sdp_session_t *session, uint32_t handle, sdp_attrreq_ /* get attr seq PDU form */ seqlen = gen_attridseq_pdu(pdata, attrid_list, reqtype == SDP_ATTR_REQ_INDIVIDUAL? SDP_UINT16 : SDP_UINT32); - if (seqlen == -1) { + if (seqlen < 0) { t->err = EINVAL; goto end; } @@ -4081,7 +4081,7 @@ int sdp_service_search_attr_async(sdp_session_t *session, const sdp_list_t *sear /* get attr seq PDU form */ seqlen = gen_attridseq_pdu(pdata, attrid_list, reqtype == SDP_ATTR_REQ_INDIVIDUAL ? SDP_UINT16 : SDP_UINT32); - if (seqlen == -1) { + if (seqlen < 0) { t->err = EINVAL; goto end; } @@ -4465,7 +4465,7 @@ int sdp_service_search_attr_req(sdp_session_t *session, const sdp_list_t *search /* get attr seq PDU form */ seqlen = gen_attridseq_pdu(pdata, attrids, reqtype == SDP_ATTR_REQ_INDIVIDUAL ? SDP_UINT16 : SDP_UINT32); - if (seqlen == -1) { + if (seqlen < 0) { errno = EINVAL; status = -1; goto end; From patchwork Thu May 30 14:58:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13680515 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 54D7F17C214 for ; Thu, 30 May 2024 15:01:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081264; cv=none; b=P6M6Ogfc2+uz6CPjWKVF3UHxqxU6RfZzQ7fdbB6MwFxs0XU81FwKv2x2ru+IcaxdyPi1OQDw0SEmFu58CB/uGJ4pUuzUOoqgtsO+LffOkfANhiH0vQEBZBAmDBD3iPuz/NC7QS/JM7bpcxHq2jl4dSksQ7p8Lm44+ya2r9KqG7A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081264; c=relaxed/simple; bh=nRdVYVVSmZ2ZAu8GRAxcCR1c4rYFBz0G2V4WoL8zsrc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Ep0Fag/wnuF9pisSD1WrVa06mTembMhUNUToywdXvYDV0hERSQ2Davrd7arm5ve39BZ7zjzMLRbFTk2mU8TJ0Ep3k+Xtn7j/xqqEtFzpMYUxkwegmZxBHMlRudcFu0UijWjN4xQtehBTRwmH34A4Z1QnltUbkL9xUZpmasiqEGY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id A81A520011; Thu, 30 May 2024 15:00:59 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 7/9] obexd: Fix buffer overrun Date: Thu, 30 May 2024 16:58:01 +0200 Message-ID: <20240530150057.444585-8-hadess@hadess.net> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240530150057.444585-1-hadess@hadess.net> References: <20240530150057.444585-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Don't access path at byte 2 when it might only contain a single byte. Error: OVERRUN (CWE-119): [#def27] [important] bluez-5.76/obexd/client/session.c:1135:2: alias: Assigning: "first" = """". "first" now points to byte 0 of """" (which consists of 1 bytes). bluez-5.76/obexd/client/session.c:1142:2: overrun-buffer-val: Overrunning buffer pointed to by "first" of 1 bytes by passing it to a function which accesses it at byte offset 2. 1140| req->index++; 1141| 1142|-> p->req_id = g_obex_setpath(p->session->obex, first, setpath_cb, p, err); 1143| if (*err != NULL) 1144| return (*err)->code; --- gobex/gobex.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gobex/gobex.c b/gobex/gobex.c index fdeb11c65130..40d6b8129b00 100644 --- a/gobex/gobex.c +++ b/gobex/gobex.c @@ -1611,7 +1611,7 @@ guint g_obex_setpath(GObex *obex, const char *path, GObexResponseFunc func, memset(&data, 0, sizeof(data)); - if (path != NULL && strncmp("..", path, 2) == 0) { + if (path != NULL && strlen(path) >= 2 && strncmp("..", path, 2) == 0) { data.flags = 0x03; folder = (path[2] == '/') ? &path[3] : NULL; } else { From patchwork Thu May 30 14:58:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13680512 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BF00017C216 for ; Thu, 30 May 2024 15:01:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081263; cv=none; b=ChTPISny4YR1wpKG5GroQsPRhJmi1hOX+BU1AWQ4srnd3eLvf4cRrtJJHAr0aF5hcPCtrWCxlK6pSbDXSoqJ8FhQwMPAcBxzRkuP6HbKAd438bSByF1ot+Pop9tFUXyl9FaTiv0F+bKGqd+FhMxL3OdbS97xovUj9AwFPtiaN6I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081263; c=relaxed/simple; bh=mqvn619TSm5ld0odQr215jbTYvsACUe3F6Wkz9yu7qU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=g0Af6bf/59Bnof5b7tsfJEj8nn6du4WLU56O2r3ZCPzRGaABmtHhe2+91EQHUuEiMi1jufLpgbo2J2QiTC0ntHH2ntgEcQyK1FQRolKZ02suIRfXQaTVHLH/59RimxfOjAtK9BMgrdVRoVvO/7yrpl8TRiMP1lhKxud7CwFaxrc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id EAAA220017; Thu, 30 May 2024 15:00:59 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 8/9] bap: Fix more memory leaks on error Date: Thu, 30 May 2024 16:58:02 +0200 Message-ID: <20240530150057.444585-9-hadess@hadess.net> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240530150057.444585-1-hadess@hadess.net> References: <20240530150057.444585-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: RESOURCE_LEAK (CWE-772): [#def32] [important] bluez-5.76/profiles/audio/bap.c:1166:4: alloc_arg: "asprintf" allocates memory that is stored into "path". [Note: The source code implementation of the function has been overridden by a builtin model.] bluez-5.76/profiles/audio/bap.c:1178:5: leaked_storage: Variable "path" going out of scope leaks the storage it points to. 1176| free(l3_caps); 1177| ret = false; 1178|-> goto group_fail; 1179| } 1180| Error: RESOURCE_LEAK (CWE-772): [#def33] [important] bluez-5.76/profiles/audio/bap.c:1166:4: alloc_arg: "asprintf" allocates memory that is stored into "path". [Note: The source code implementation of the function has been overridden by a builtin model.] bluez-5.76/profiles/audio/bap.c:1199:5: leaked_storage: Variable "path" going out of scope leaks the storage it points to. 1197| 1198| if (matched_lpac == NULL || merged_caps == NULL) 1199|-> continue; 1200| 1201| create_stream_for_bis(bap_data, matched_lpac, qos, --- profiles/audio/bap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c index 3fcf21df58aa..53e7b3e34378 100644 --- a/profiles/audio/bap.c +++ b/profiles/audio/bap.c @@ -1174,6 +1174,7 @@ static bool parse_base(struct bap_data *bap_data, struct bt_iso_base *base, if (!util_iov_pull_u8(&iov, (void *)&l3_caps->iov_len)) { free(l3_caps); + free(path); ret = false; goto group_fail; } @@ -1195,8 +1196,10 @@ static bool parse_base(struct bap_data *bap_data, struct bt_iso_base *base, l2_caps, l3_caps, &matched_lpac, &merged_caps); - if (matched_lpac == NULL || merged_caps == NULL) + if (matched_lpac == NULL || merged_caps == NULL) { + free(path); continue; + } create_stream_for_bis(bap_data, matched_lpac, qos, merged_caps, meta, path); From patchwork Thu May 30 14:58:03 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13680514 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DB84517D881 for ; Thu, 30 May 2024 15:01:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081263; cv=none; b=VeydX1Aa24adh+iZvRp3H4/MuclRuzWhF2JgqAQPmYrPviEdeLZhqlCZDwP72F8YLIS08Ot76/8WArcQFTJ45Gdgqu3H7CnXkEYary29ZVB2QaF0P+adsimC/2hq6nQtkRSsWUFYqo8PCnGZxGYHQ4u/61/IsYa5sFK3WXZ+/Yo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717081263; c=relaxed/simple; bh=0Ir4+Cm2Qgu/7c90GLMzOafurRrJ9DGDxA3byKKmbN8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=s2VJhzDO5zJ2FYZPglpvFprcK3bjNSuXLg2SLsvFNoVDxAY2xKmAbSyzCYcPulAVLDM0ycSyT6hxyBhqCwKv8dYTjwJ5fJvlN+yxNAQ2e/PFTUBDI5cxN72U81/EAuR6DFdl9EJF6X2vnGN+EGzwqUEaiLkL7cEPOWUTF1kDCuY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 44C0320018; Thu, 30 May 2024 15:01:00 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 9/9] avdtp: Fix manipulating struct as an array Date: Thu, 30 May 2024 16:58:03 +0200 Message-ID: <20240530150057.444585-10-hadess@hadess.net> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240530150057.444585-1-hadess@hadess.net> References: <20240530150057.444585-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Don't manipulate the "req" structs as if they were flat arrays, static analysis and humans are both equally confused by this kind of usage. Error: ARRAY_VS_SINGLETON (CWE-119): [#def26] [important] bluez-5.76/profiles/audio/avdtp.c:1675:2: address_of: Taking address with "&start->first_seid" yields a singleton pointer. bluez-5.76/profiles/audio/avdtp.c:1675:2: assign: Assigning: "seid" = "&start->first_seid". bluez-5.76/profiles/audio/avdtp.c:1679:25: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations. 1677| int i; 1678| 1679|-> for (i = 0; i < count; i++, seid++) { 1680| if (seid->seid == id) { 1681| req->collided = TRUE; Error: ARRAY_VS_SINGLETON (CWE-119): [#def27] [important] bluez-5.76/profiles/audio/avdtp.c:1690:2: address_of: Taking address with "&suspend->first_seid" yields a singleton pointer. bluez-5.76/profiles/audio/avdtp.c:1690:2: assign: Assigning: "seid" = "&suspend->first_seid". bluez-5.76/profiles/audio/avdtp.c:1694:25: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations. 1692| int i; 1693| 1694|-> for (i = 0; i < count; i++, seid++) { 1695| if (seid->seid == id) { 1696| req->collided = TRUE; Error: ARRAY_VS_SINGLETON (CWE-119): [#def28] [important] bluez-5.76/profiles/audio/avdtp.c:1799:2: address_of: Taking address with "&req->first_seid" yields a singleton pointer. bluez-5.76/profiles/audio/avdtp.c:1799:2: assign: Assigning: "seid" = "&req->first_seid". bluez-5.76/profiles/audio/avdtp.c:1801:30: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations. 1799| seid = &req->first_seid; 1800| 1801|-> for (i = 0; i < seid_count; i++, seid++) { 1802| failed_seid = seid->seid; 1803| Error: ARRAY_VS_SINGLETON (CWE-119): [#def29] [important] bluez-5.76/profiles/audio/avdtp.c:1912:2: address_of: Taking address with "&req->first_seid" yields a singleton pointer. bluez-5.76/profiles/audio/avdtp.c:1912:2: assign: Assigning: "seid" = "&req->first_seid". bluez-5.76/profiles/audio/avdtp.c:1914:30: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations. 1912| seid = &req->first_seid; 1913| 1914|-> for (i = 0; i < seid_count; i++, seid++) { 1915| failed_seid = seid->seid; 1916| --- profiles/audio/avdtp.c | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c index 3667e08400dd..38c1870e619d 100644 --- a/profiles/audio/avdtp.c +++ b/profiles/audio/avdtp.c @@ -429,6 +429,20 @@ static void avdtp_sep_set_state(struct avdtp *session, struct avdtp_local_sep *sep, avdtp_state_t state); +#define REQ_GET_NTH_SEID(x) \ + static struct seid * \ + x##_req_get_nth_seid(struct x##_req *req, int count, int i) \ + { \ + if (count == 0 || i >= count) \ + return NULL; \ + if (i == 1) \ + return &req->first_seid; \ + return &req->other_seids[i]; \ + } + +REQ_GET_NTH_SEID(start) +REQ_GET_NTH_SEID(suspend) + static const char *avdtp_statestr(avdtp_state_t state) { switch (state) { @@ -1672,11 +1686,11 @@ static void check_seid_collision(struct pending_req *req, uint8_t id) static void check_start_collision(struct pending_req *req, uint8_t id) { struct start_req *start = req->data; - struct seid *seid = &start->first_seid; int count = 1 + req->data_size - sizeof(struct start_req); int i; - for (i = 0; i < count; i++, seid++) { + for (i = 0; i < count; i++) { + struct seid *seid = start_req_get_nth_seid(start, count, i); if (seid->seid == id) { req->collided = TRUE; return; @@ -1687,11 +1701,11 @@ static void check_start_collision(struct pending_req *req, uint8_t id) static void check_suspend_collision(struct pending_req *req, uint8_t id) { struct suspend_req *suspend = req->data; - struct seid *seid = &suspend->first_seid; int count = 1 + req->data_size - sizeof(struct suspend_req); int i; - for (i = 0; i < count; i++, seid++) { + for (i = 0; i < count; i++) { + struct seid *seid = suspend_req_get_nth_seid(suspend, count, i); if (seid->seid == id) { req->collided = TRUE; return; @@ -1785,7 +1799,6 @@ static gboolean avdtp_start_cmd(struct avdtp *session, uint8_t transaction, struct avdtp_local_sep *sep; struct avdtp_stream *stream; struct stream_rej rej; - struct seid *seid; uint8_t err, failed_seid; int seid_count, i; @@ -1796,9 +1809,9 @@ static gboolean avdtp_start_cmd(struct avdtp *session, uint8_t transaction, seid_count = 1 + size - sizeof(struct start_req); - seid = &req->first_seid; + for (i = 0; i < seid_count; i++) { + struct seid *seid = start_req_get_nth_seid(req, seid_count, i); - for (i = 0; i < seid_count; i++, seid++) { failed_seid = seid->seid; sep = find_local_sep_by_seid(session, seid->seid); @@ -1898,7 +1911,6 @@ static gboolean avdtp_suspend_cmd(struct avdtp *session, uint8_t transaction, struct avdtp_local_sep *sep; struct avdtp_stream *stream; struct stream_rej rej; - struct seid *seid; uint8_t err, failed_seid; int seid_count, i; @@ -1909,9 +1921,8 @@ static gboolean avdtp_suspend_cmd(struct avdtp *session, uint8_t transaction, seid_count = 1 + size - sizeof(struct suspend_req); - seid = &req->first_seid; - - for (i = 0; i < seid_count; i++, seid++) { + for (i = 0; i < seid_count; i++) { + struct seid *seid = suspend_req_get_nth_seid(req, seid_count, i); failed_seid = seid->seid; sep = find_local_sep_by_seid(session, seid->seid);